4.5 Create A Virtual Local Network From The Virtual Machines (Optional)

(This chapter is optional. What is described here works only if you installed Xen from the sources.)

In this chapter I want to create a virtual network with my virtual machines, i.e. a network that is different from the network of dom0.

You can find a drawing of what I want to do here: http://wiki.xensource.com/xenwiki/XenNetworkingUsecase#head-7f23d0f2248cb0c70458f9339b4405e2b1bfc271

I did the same with Xen 2.0.7 here: http://www.howtoforge.com/perfect_xen_setup_debian_ubuntu_p6. However, the way to achieve this with Xen 3 has changed completely. Xen 3 configures all the firewall rules, gateways, etc. automatically. Furthermore, we don't need any dummy network interface anymore for our virtual network. It is important to know that Xen 3 assigns gateways from the 10.x.x.x net to our virtual machines, so it is a good idea to also assign IP addresses from the 10.x.x.x net to our virtual machines. If you give them IP addresses from the 192.168.3.x net (as we did with Xen 2.0.7 on http://www.howtoforge.com/perfect_xen_setup_debian_ubuntu_p6), then your virtual machines will have no access to the internet.

So we will give vm01 the IP address 10.0.0.1 and vm02 the IP address 10.0.0.2.

First we edit /etc/xen/xend-config.sxp and disable bridging and enable NAT (network address translation) instead:

vi /etc/xen/xend-config.sxp

[...]
	  
#(network-script network-bridge)
#(vif-script vif-bridge)

(network-script network-nat)
(vif-script vif-nat)

[...]

Then we change the configuration files of vm01 and vm02:

/etc/xen/vm01-config.sxp:

vi /etc/xen/vm01-config.sxp

name="vm01"
kernel="/boot/vmlinuz-2.6-xenU"
root="/dev/hda1"
memory=32
disk=['file:/vserver/images/vm01.img,hda1,w','file:/vserver/images/vm01-swap.img,hda2,w']

vif=[ 'ip=10.0.0.1' ]
dhcp="off"
hostname="vm01.example.com"
ip="10.0.0.1"
netmask="255.0.0.0"
gateway="10.0.0.254"

extra="3"

/etc/xen/vm02-config.sxp:

vi /etc/xen/vm02-config.sxp

name="vm02"
kernel="/boot/vmlinuz-2.6-xenU"
root="/dev/hda1"
memory=32
disk=['file:/vserver/images/vm02.img,hda1,w','file:/vserver/images/vm02-swap.img,hda2,w']

vif=[ 'ip=10.0.0.2' ]
dhcp="off"
ip="10.0.0.2"
netmask="255.0.0.0"
gateway="10.0.0.254"
hostname="vm02.example.com"

extra="3"

Afterwards shut down vm01 and vm02:

xm shutdown vm01
xm shutdown vm02

Wait a few seconds and control with xm list that vm01 and vm02 have shut down. Then reboot the system:

shutdown -r now

If vm01 and vm02 aren't started automatically at boot time, start them now:

xm create /etc/xen/vm01-config.sxp
xm create /etc/xen/vm02-config.sxp

Now you should be able to ping vm02 from vm01 and vice versa, and you also be able to ping dom0 and hosts on the internet!

Now let's assume we have a web server on port 80 in vm01 and a mail server on port 25 in vm02. As they are in their own network (10.x.x.x), we cannot access them from the outside unless we forward these ports to the appropriate vm. We can create the necessary port forwarding rules on dom0 with the help of iptables:

iptables -A PREROUTING -t nat -p tcp -i eth0 --dport 80 -j DNAT --to 10.0.0.1:80
iptables -A PREROUTING -t nat -p tcp -i eth0 --dport 25 -j DNAT --to 10.0.0.2:25

If we connect to dom0 now on port 80, we are forwarded to vm01. The same goes for port 25 and vm02.

Of course, the forwarding rules are lost when we reboot dom0. Therefore we put the rules into /etc/network/if-up.d/iptables, which is executed automatically when the system boots:

vi /etc/network/if-up.d/iptables

#!/bin/sh

### Port Forwarding ###
iptables -A PREROUTING -t nat -p tcp -i eth0 --dport 80 -j DNAT --to 10.0.0.1:80
iptables -A PREROUTING -t nat -p tcp -i eth0 --dport 25 -j DNAT --to 10.0.0.2:25

Now we have to make that script executable:

chmod 755 /etc/network/if-up.d/iptables

Whenever you need additional port forwarding rules, execute them on dom0's shell and then append them to /etc/network/if-up.d/iptables so that they are available even after a reboot.