xen-users
[Xen-users] Confused about bridged DomU's.
(If this message comes across twice, I apologize. I sent it from the
wrong source address originally)
Hello,
My first exposure to Linux bridged networking is with Xen. I'm still not
clear on some bits, well, most bits really. I have the following
configuration which I've managed to get working, I think. I'm not quite
sure what was causing some of the headaches I was experiencing earlier
though and I'm hoping that someone can tell me.
I have a system with the following network interfaces. It serves as a
firewall/router in addition to now running a couple XenU's.
eth0: 10.0.0.0/24 (Trusted)
eth1: 10.0.1.0/24 (WiFi, very limited trust)
eth2: public IP, with some other public IPs aliased to the interface
and later hijacked with iptables PREROUTING.
(new) dummy0: originally 10.0.4.0/24
The iptables firewall is in Dom0.
Most hosts in 10.0.0.0/24 are simply SNATed and DNATed as they traverse
eth2, to an IP address dedicated to that purpose.
Some hosts are SNAT/DNAT mapped in their entirety (when traversing eth2)
Some ports to some public IPs get redirected to yet again other internal
hosts (when they come in eth2).
This has all worked fairly well for me over the past couple years. Then
came Xen <big grin>
I attempted to add dummy0 with 10.0.4.1/24. My intent was that all
DomU's would live in the 10.0.4.0/24 subnet. My original intent would
have been to make them live in the 10.0.0.0/24 subnet, but my
misconfiguration of bridging kept breaking my Internet access, making it
harder to track down documentation.
The problem began when I tried to SNAT Internet-bound traffic
originating from the DomU machine at 10.0.4.2. Depending on my iptables
rules I was either SNATing before it went out eth2, or wasn't SNATing at
all, simply bypassing the rule (somehow... see note 1 below) and
dumping RFC1918-originated packets out to my ISP.
Stripping the address from dummy0 and then assigning 10.0.4.1 to xenbr0
(the bridge) solved this problem, apparently in its entirety.
I fiddled with ebtables a bit as well, but I suppose my grasp over how
exactly packets traverse all the magic Xen interfaces leaves much to be
desired, particularly when Dom0 is routing/firewalling in addition to
bridging a dummy interface.
So the questions:
- Why was the following ignored? (The inverse DNAT worked fine.)
iptables -t nat -A POSTROUTING -s 10.0.4.2 -o eth2 -j SNAT --to-source
xxx.xxx.xxx.xxx
or: iptables -t nat -A POSTROUTING -s 10.0.4.2 -m physdev
--physdev-out eth2 -j SNAT --to-source xxx.xxx.xxx.xxx
- What do I lose setting the IP on xenbr0 instead of dummy0?
- Is there a diagram somewhere showing packet traversal from a DomU to a
Dom0, preferably one showing the hook-in points for eb/iptables? There
seem to be quite a few classes of interfaces on the Dom0.
Thanks very much,
Ed
_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users
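The layout the post ends up with (gateway address on xenbr0, dummy0 as an address-less bridge port, SNAT on nat/POSTROUTING for traffic routed out eth2), written up as an added example. This is not code from the post or from Xen's own network-bridge script. Assumed values: 203.0.113.5 as the public SNAT source, 10.0.4.2 as the DomU, xenbr0/dummy0/eth2 as the interface names, and port 2222 for an inbound DNAT; every command goes through a run() wrapper that only prints it unless DRY_RUN=0, so the script can be reviewed on a non-root box before it touches a firewall.

```shell
#!/bin/sh
# Added example, not code from the post or from Xen's network scripts.
# Assumed values: public SNAT address 203.0.113.5, DomU 10.0.4.2,
# bridge xenbr0, port dummy0, uplink eth2, inbound port 2222.
set -e

PUB_IP=203.0.113.5       # assumed public address used as the SNAT source
DOMU_NET=10.0.4.0/24     # DomU subnet from the post
GW=10.0.4.1/24           # gateway address, placed on the bridge, not on dummy0
BR=xenbr0
PORT=dummy0
WAN=eth2

# run CMD...: print the command (DRY_RUN=1, the default) or execute it.
run() {
    if [ "${DRY_RUN:-1}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Bridge: dummy0 carries no address; the subnet's gateway lives on xenbr0.
# Xen adds the vifN.0 interfaces as further ports when a DomU starts.
setup_bridge() {
    run modprobe dummy
    run brctl addbr "$BR"
    run brctl addif "$BR" "$PORT"
    run ip addr flush dev "$PORT"
    run ip link set "$PORT" up
    run ip addr add "$GW" dev "$BR"
    run ip link set "$BR" up
}

# snat_rule SRC OUT_IF TO: POSTROUTING rule for DomU traffic routed out the
# uplink. The target flag is lowercase -j; iptables has no -J option and
# rejects a rule written with it rather than silently skipping it.
snat_rule() {
    printf 'iptables -t nat -A POSTROUTING -s %s -o %s -j SNAT --to-source %s\n' \
        "$1" "$2" "$3"
}

# dnat_rule PUB_IP DPORT DEST: the inverse direction, one public port mapped
# to a service inside the DomU.
dnat_rule() {
    printf 'iptables -t nat -A PREROUTING -i %s -d %s -p tcp --dport %s -j DNAT --to-destination %s\n' \
        "$WAN" "$1" "$2" "$3"
}

# Word-splitting the rule strings into arguments is intended here; none of
# the values contain whitespace.
apply_nat() {
    # shellcheck disable=SC2046
    run $(snat_rule "$DOMU_NET" "$WAN" "$PUB_IP")
    # shellcheck disable=SC2046
    run $(dnat_rule "$PUB_IP" 2222 10.0.4.2:22)
}

# Checks for the symptom in the post (RFC1918 source addresses leaving eth2):
# packet counters on the nat rules, and a capture on the uplink that stays
# silent while the SNAT rule is matching.
show_checks() {
    run iptables -t nat -L POSTROUTING -v -n
    run tcpdump -ni "$WAN" src net "$DOMU_NET"
    # Whether frames forwarded across the bridge also pass through the IP
    # tables is governed by bridge-nf; read it when -i/-o matches on traffic
    # touching the bridge behave unexpectedly.
    run sysctl net.bridge.bridge-nf-call-iptables
}

case "${1:-}" in
    --setup) setup_bridge ;;
    --nat)   apply_nat ;;
    --check) show_checks ;;
esac
```

Run it as `sh bridge-nat.sh --setup` to see the commands, then `DRY_RUN=0 sh bridge-nat.sh --setup` (as root) to apply them; the same goes for `--nat` and `--check`. Putting the rule text in functions keeps the SNAT/DNAT pair reviewable in one place and avoids retyping the target flag by hand each time.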
Current thread: [Xen-users] Confused about bridged DomU's., Ed Roper