Hello everyone!
I am new to Xen and this is my first post in this list. I have a machine
with two network interfaces, eth0 and eth1. Eth0 is connected to the LAN
(192.168.1.0/24) and eth1 to my router (ip:80.36.214.x, gw:
80.36.214.y). This server is also acting as a proxy-cache:
# Transparent proxy
iptables --table nat --append PREROUTING --in-interface eth0 \
--source 192.168.1.0/24 --destination ! 192.168.1.0/24 \
--proto tcp --dport 80 --jump REDIRECT --to-port 3128
# Activate Network Address Translation
/bin/echo "1" > /proc/sys/net/ipv4/ip_forward
iptables --table nat --append POSTROUTING --source 192.168.1.0/24 \
--destination ! 192.168.0.0/24 --out-interface eth1 \
--jump MASQUERADE
As you may have already noticed, I also have a VPN between the two
subnets 192.168.0.0/24 and 192.168.1.0/24, and there are a few more
rules in the firewall in order to allow traffic apropriately.
So, I found out about Xen and said "this is great!", so here I am. I
have a running kernel 2.6.16.19 with Xen 3.0.2 on a Debian x86_64 Sid
(custom kernel with no modules at all, compiled using kernel-package). I
want to use Xen virtual machines only internally (as any other normal PC
inside the 192.168.1.0/24 network, but with no need to be accessed from
the Internet). So, I have created a virtual machine using the xen-tools
package provided by Steve[1].
[1] http://packages.debian.org/unstable/utils/xen-tools
These are the parameters of /etc/xen-tools/xen-tools.conf:
dir = /home/xen
debootstrap = 1
size = 2Gb
memory = 128Mb
swap = 256Mb
fs = ext3
dist = etch
image = sparse
gateway = 192.168.1.3
netmask = 255.255.255.0
passwd = 1
kernel = /boot/xen0-linux-2.6.16.19-xen
initrd =
mirror = http://ftp.se.debian.org/debian/
I created the image with this command:
xen-create-image --hostname=xen01 --ip=192.168.1.10 --passwd
The /etc/network/interfaces in the virtual machine (dom1):
auto lo
iface lo inet loopback
auto eth0
iface eth0 inet static
address 192.168.1.10
gateway 192.168.1.3
netmask 255.255.255.0
The thing is that everything went fine:
- I can connect to the virtual machine from the host (192.168.1.3)
- I can connect to the Internet from inside the virtual machine.
But:
- I can't ping the virtual machine 192.168.1.10 from any other PC in the
192.168.1.0/24 network (but the host 192.168.1.3). It says "Destination
Host Unreachable".
- I can't ping any host in the 192.168.1.0/24 network from inside the
virtual machine 192.168.1.10. It does not complain, though.
I have set up /etc/xen/xend-config.sxp using:
(network-script network-route)
(vif-script vif-route)
Honestly, I don't have any other reason to choose routing instead of
bridging except the fact that I tried for days and days with the
bridging thing and I could make it work, so I said "next try another
option".
When I was using bridging, I could ping from inside a VM to a PC, but
not from a PC to the VM. Again, I could really tell what was wrong (I am
not an expert with iptables, I admit it).
My firewall looks like this (short version):
BOF ----------------------------
iptables --policy INPUT DROP
iptables --append INPUT --in-interface ! eth1 --jump ACCEPT
iptables --append INPUT --match state --state ESTABLISHED,RELATED \
--jump ACCEPT
iptables --append INPUT --proto ICMP --jump ACCEPT
# SSH
iptables --append INPUT --proto tcp --match state --dport ssh \
--state NEW --source a.b.c.d --jump ACCEPT
# VPN
iptables --append INPUT --in-interface eth1 --proto udp \
--sport isakmp --dport isakmp --source 213.96.x.y \
--destination ${VPN_SRC} --jump ACCEPT
iptables --append INPUT --in-interface eth1 --proto tcp \
--sport isakmp --dport isakmp --source 213.96.x.y \
--destination 80.36.x.y --jump ACCEPT
iptables --append INPUT --in-interface eth1 --proto ah \
--source 213.96.x.y --destination 80.36.x.y --jump ACCEPT
iptables --append INPUT --in-interface eth1 --proto esp \
--source 213.96.x.y --destination 80.36.x.y --jump ACCEPT
# Transparent proxy
iptables --table nat --append PREROUTING --in-interface eth0 \
--source 192.168.1.0/24 --destination ! 192.168.1.0/24 \
--proto tcp --dport 80 --jump REDIRECT --to-port 3128
# Activate Network Address Translation
/bin/echo "1" > /proc/sys/net/ipv4/ip_forward
iptables --table nat --append POSTROUTING --source 192.168.1.0/24 \
--destination ! 192.168.0.0/24 --out-interface eth1 \
--jump MASQUERADE
EOF ----------------------------
80.36.x.y is the gateway in the machine (my end)
213.96.x.y is the gateway of the other end of the VPN
So, as far as I know, after reading as many docs as Google could provide
me with, I guess the problem is that traffic is not "routed" from the
eth0 to the vif. My ifconfig (summarized version) looks like this:
eth0 Link encap:Ethernet HWaddr ------
inet addr:192.168.1.3 Bcast:192.168.1.255 Mask:255.255.255.0
eth1 Link encap:Ethernet HWaddr ------
inet addr:80.36.x.y Bcast:80.36.214.191 Mask:255.255.255.224
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
vif3.0 Link encap:Ethernet HWaddr FE:FF:FF:FF:FF:FF
inet addr:192.168.1.3 Bcast:192.168.1.255 Mask:255.255.255.255
Also, as a final note, when I was attempting to make it work by using
bridging, my server stopped forwarding connections from the LAN to the
Internet, so that was one more reason to try the "routed" setup. At
least now I can let people work while I try to finish up this setup and
don't have to go to the office on Saturday :)
Any hints? If you need any more information, please let me know. Thanks
in advance.
--
Jaume Sabater
http://linuxsilo.net/
"Ubi sapientas ibi libertas"
_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users
|