WARNING - OLD ARCHIVES

This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/
xen-users

Re: [Xen-users] xen breaks iptables

To: Markus Schiltknecht <markus@xxxxxxxxxx>
Subject: Re: [Xen-users] xen breaks iptables
From: John Lenz <jlenz2@xxxxxxxxxxxxx>
Date: Thu, 16 Nov 2006 12:49:24 -0600
Cc: xen-users@xxxxxxxxxxxxxxxxxxx
Delivery-date: Thu, 16 Nov 2006 10:49:54 -0800
Envelope-to: www-data@xxxxxxxxxxxxxxxxxx
In-reply-to: <455C6628.9080001@xxxxxxxxxx>
List-help: <mailto:xen-users-request@lists.xensource.com?subject=help>
List-id: Xen user discussion <xen-users.lists.xensource.com>
List-post: <mailto:xen-users@lists.xensource.com>
List-subscribe: <http://lists.xensource.com/cgi-bin/mailman/listinfo/xen-users>, <mailto:xen-users-request@lists.xensource.com?subject=subscribe>
List-unsubscribe: <http://lists.xensource.com/cgi-bin/mailman/listinfo/xen-users>, <mailto:xen-users-request@lists.xensource.com?subject=unsubscribe>
References: <455C3E03.6070703@xxxxxxxxxx> <455C6628.9080001@xxxxxxxxxx>
Sender: xen-users-bounces@xxxxxxxxxxxxxxxxxxx
User-agent: Thunderbird 1.5.0.7 (X11/20060922)
On 11/16/06 07:22, Markus Schiltknecht wrote:
> Hi,
> 
> in the Shorewall Xen FAQ at [1] I'm reading the following:
> 
> "I know of no case where a user has successfully used NAT (including
> Masquerade) in a bridged Xen Dom0. So if you want to create a
> masquerading firewall/gateway using Xen, you need to do so in a DomU
> (see how I did it) or you must configure Xen to use routing  or NAT
> rather than the default bridging."
> 
> Why shuffling around the Dom0 interfaces (eth0 -> peth0) at all? Can I
> configure Xen to not do that and just provide me a tap device I can
> route / bridge however I want, like qemu does?


http://lists.xensource.com/archives/html/xen-users/2006-09/msg00925.html

(the HTML code wrapped the following line, which should be a single line:)
mac=${mac:-$(awk 'BEGIN { printf "00:16:3e:%02x:%02x:%02x", int(rand()*127), int(rand()*255), int(rand()*255); }')}

Once you have the network-private set up, you can route and do whatever
in dom0 you like.  veth0 is the adapter to the private network between
dom0 and domUs, and eth0 (or whatever) is the external.

This script really gets out of your way, so all the configuration of
forwarding and such can be done outside xen.

John


_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users
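An added example, not John's script and not the network-private script from the linked thread: the forwarding and masquerade configuration the reply says can be done outside Xen once veth0 carries the private dom0/domU network and eth0 is external. The interface names, the 10.0.0.0/24 private subnet and the default-drop FORWARD policy are assumptions.

```shell
#!/bin/sh
# Constructed dom0 forwarding/masquerade setup for the topology in the reply:
# veth0 on the private dom0 <-> domU network, eth0 on the outside.
# Values below are assumptions; override them in the environment.
PRIV_IF="${PRIV_IF:-veth0}"          # private side (dom0 <-> domUs)
EXT_IF="${EXT_IF:-eth0}"             # external side
PRIV_NET="${PRIV_NET:-10.0.0.0/24}"  # assumed private subnet (constructed)

# Emit the sysctl/iptables commands instead of running them, so the rule set
# can be reviewed or diffed against a running box before it is applied.
gen_rules() {
cat <<EOF
sysctl -w net.ipv4.ip_forward=1
iptables -t nat -F
iptables -F FORWARD
iptables -P FORWARD DROP
iptables -A FORWARD -i $PRIV_IF -o $EXT_IF -s $PRIV_NET -j ACCEPT
iptables -A FORWARD -i $EXT_IF -o $PRIV_IF -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A POSTROUTING -s $PRIV_NET -o $EXT_IF -j MASQUERADE
EOF
}

# Apply the generated commands one by one; refuses to run unprivileged.
apply_rules() {
    [ "$(id -u)" -eq 0 ] || { echo "apply_rules: need root" >&2; return 1; }
    gen_rules | sh -e
}

# Sanity check: default-drop forwarding, masquerade on the external side,
# and only the private subnet allowed out.
check_rules() {
    gen_rules | grep -q -- '-P FORWARD DROP' || return 1
    gen_rules | grep -q -- "-o $EXT_IF -j MASQUERADE" || return 1
    gen_rules | grep -q -- "-s $PRIV_NET -j ACCEPT" || return 1
    return 0
}

# "sh script.sh apply" applies; anything else just prints the rule set.
[ "${1:-}" = "apply" ] && apply_rules || gen_rules
```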
