The Perfect Xen 3.1.0 Setup For Debian Etch (i386) - Page 7

5.5 Create A Virtual Local Network From The Virtual Machines (Optional)

(This chapter is optional.)

In this chapter I want to create a virtual network with my virtual machines, i.e. a network that is different from the network of dom0.

You can find a drawing of what I want to do here: http://wiki.xensource.com/xenwiki/XenNetworkingUsecase#head-7f23d0f2248cb0c70458f9339b4405e2b1bfc271

I did the same with Xen 2.0.7 here: https://www.howtoforge.com/perfect_xen_setup_debian_ubuntu_p6. However, the way to achieve this with Xen 3 has changed completely. Xen 3 configures all the firewall rules, gateways, etc. automatically. Furthermore, we don't need any dummy network interface anymore for our virtual network. It is important to know that Xen 3 assigns gateways from the 10.x.x.x net to our virtual machines, so it is a good idea to also assign IP addresses from the 10.x.x.x net to our virtual machines. If you give them IP addresses from the 192.168.3.x net (as we did with Xen 2.0.7 on https://www.howtoforge.com/perfect_xen_setup_debian_ubuntu_p6), then your virtual machines will have no access to the internet.

So we will give xen1.example.com the IP address 10.0.0.1 and xen2.example.com the IP address 10.0.0.2.

First we edit /etc/xen/xend-config.sxp and disable bridging and enable NAT (network address translation) instead:

vi /etc/xen/xend-config.sxp
[...]
#(network-script network-bridge)
#(vif-script vif-bridge)
(network-script network-nat)
(vif-script vif-nat)
[...]

Then we change the IP address in the configuration files of xen1.example.com and xen2.example.com:

vi /etc/xen/xen1.example.com.cfg
#
#  Configuration file for the Xen instance xen1.example.com, created on
# Tue May 29 01:21:54 2007.
#

#
#  Kernel + memory size
#
kernel  = '/boot/vmlinuz-2.6.18-xenU'
memory  = '32'

#
#  Disk device(s).
#
root    = '/dev/hda1 ro'
disk    = [ 'file:/vserver/domains/xen1.example.com/disk.img,hda1,w', 'file:/vserver/domains/xen1.example.com/swap.img,hda2,w' ]
#
#  Hostname
#
name    = 'xen1.example.com'

#
#  Networking
#
vif  = [ 'ip=10.0.0.1' ]
#
#  Behaviour
#
on_poweroff = 'destroy'
on_reboot   = 'restart'
on_crash    = 'restart'

vi /etc/xen/xen2.example.com.cfg
#
#  Configuration file for the Xen instance xen2.example.com, created on
# Tue May 29 01:50:38 2007.
#

#
#  Kernel + memory size
#
kernel  = '/boot/vmlinuz-2.6.18-xenU'
memory  = '32'

#
#  Disk device(s).
#
root    = '/dev/hda1 ro'
disk    = [ 'file:/vserver/domains/xen2.example.com/disk.img,hda1,w', 'file:/vserver/domains/xen2.example.com/swap.img,hda2,w' ]
#
#  Hostname
#
name    = 'xen2.example.com'

#
#  Networking
#
vif  = [ 'ip=10.0.0.2' ]
#
#  Behaviour
#
on_poweroff = 'destroy'
on_reboot   = 'restart'
on_crash    = 'restart'

Afterwards shut down xen1.example.com and xen2.example.com (if they are running):

xm shutdown xen1.example.com
xm shutdown xen2.example.com

Wait a few seconds and check with xm list that xen1.example.com and xen2.example.com have shut down. Then reboot the system:

shutdown -r now

If xen1.example.com and xen2.example.com aren't started automatically at boot time, start them now:

xm create /etc/xen/xen1.example.com.cfg
xm create /etc/xen/xen2.example.com.cfg

After both virtual machines have booted, we must log in on xen1.example.com. There we open /etc/network/interfaces and change the IP address (10.0.0.1), the gateway (10.0.0.254), and the netmask (255.0.0.0):

xen1.example.com:

vi /etc/network/interfaces
# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).
# The loopback network interface
auto lo
iface lo inet loopback
# The primary network interface
auto eth0
iface eth0 inet static
 address 10.0.0.1
 gateway 10.0.0.254
 netmask 255.0.0.0
 # post-up  ethtool -K eth0 tx off
#
# The commented out line above will disable TCP checksumming which
# might resolve problems for some users.  It is disabled by default
#

Then we restart the network on xen1.example.com:

xen1.example.com:

/etc/init.d/networking restart

Now we do the same on xen2.example.com (this time we set the IP address to 10.0.0.2):

xen2.example.com:

vi /etc/network/interfaces
# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).
# The loopback network interface
auto lo
iface lo inet loopback
# The primary network interface
auto eth0
iface eth0 inet static
 address 10.0.0.2
 gateway 10.0.0.254
 netmask 255.0.0.0
 # post-up  ethtool -K eth0 tx off
#
# The commented out line above will disable TCP checksumming which
# might resolve problems for some users.  It is disabled by default
#

Then we restart the network on xen2.example.com:

xen2.example.com:

/etc/init.d/networking restart


Now you should be able to ping xen2.example.com from xen1.example.com and vice versa, and you should also be able to ping dom0 and hosts on the internet!
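Before rebooting, the two configuration changes above (NAT instead of bridging in xend-config.sxp, and 10.x.x.x guest addresses in the vif lines) can be checked from dom0. This is an added example, not part of the howto; it reads the same file formats shown above and the file paths are passed as arguments so it can be run against copies:

```shell
#!/bin/sh
# Added example, not part of the howto: a dom0 pre-flight check for the NAT setup above.
# Paths are arguments so the functions can be run against copies of the files.

# Succeed only if xend-config.sxp enables network-nat/vif-nat and has no active bridge lines.
check_xend_nat() {
    grep -q '^[[:space:]]*(network-script network-nat)' "$1" || return 1
    grep -q '^[[:space:]]*(vif-script vif-nat)' "$1" || return 1
    # A bridge line that is not commented out would conflict with the NAT scripts.
    if grep -Eq '^[[:space:]]*\((network-script network-bridge|vif-script vif-bridge)\)' "$1"; then
        return 1
    fi
    return 0
}

# Extract the ip= value from a domU .cfg vif line, e.g. 10.0.0.1 from vif = [ 'ip=10.0.0.1' ].
vif_ip() {
    sed -n 's/^[[:space:]]*vif.*ip=\([0-9.]*\).*/\1/p' "$1" | head -n 1
}

# vif-nat hands the guests a 10.x.x.x gateway, so the guest address must come from 10.0.0.0/8.
in_nat_net() {
    case "$1" in
        10.[0-9]*.[0-9]*.[0-9]*) return 0 ;;
        *) return 1 ;;
    esac
}

# Check one domU config: prints a verdict and returns non-zero on a problem.
check_domu() {
    ip=$(vif_ip "$1")
    if [ -z "$ip" ]; then
        echo "$1: no ip= in vif line"; return 1
    elif ! in_nat_net "$ip"; then
        echo "$1: $ip is outside 10.0.0.0/8, guest will have no internet access under vif-nat"; return 1
    fi
    echo "$1: $ip ok"
}
```

Run as `check_xend_nat /etc/xen/xend-config.sxp && check_domu /etc/xen/xen1.example.com.cfg` on dom0; a non-zero exit points at the misconfiguration the text above warns about.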

Now let's assume we have a web server on port 80 on xen1.example.com and a mail server on port 25 on xen2.example.com. As they are in their own network (10.x.x.x), we cannot access them from the outside unless we forward these ports to the appropriate VM. We can create the necessary port forwarding rules on dom0 with the help of iptables:

iptables -A PREROUTING -t nat -p tcp -i eth0 --dport 80 -j DNAT --to 10.0.0.1:80
iptables -A PREROUTING -t nat -p tcp -i eth0 --dport 25 -j DNAT --to 10.0.0.2:25

If we connect to dom0 now on port 80, we are forwarded to xen1.example.com. The same goes for port 25 and xen2.example.com.

Of course, the forwarding rules are lost when we reboot dom0. Therefore we put the rules into /etc/network/if-up.d/iptables, which is executed automatically when the system boots:

vi /etc/network/if-up.d/iptables
#!/bin/sh
### Port Forwarding ###
iptables -A PREROUTING -t nat -p tcp -i eth0 --dport 80 -j DNAT --to 10.0.0.1:80
iptables -A PREROUTING -t nat -p tcp -i eth0 --dport 25 -j DNAT --to 10.0.0.2:25

Now we have to make that script executable:

chmod 755 /etc/network/if-up.d/iptables

Whenever you need additional port forwarding rules, execute them on dom0's shell and then append them to /etc/network/if-up.d/iptables so that they are available even after a reboot.
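One thing to keep in mind: ifup runs every script in /etc/network/if-up.d/ for each interface it brings up, so the script above appends a fresh copy of each DNAT rule every time (lo, eth0, and again after every ifup). The variant below is an added example, not the howto's script: it keeps the forwards in a dedicated nat chain (XEN_PORTFWD is a constructed name) that is flushed and rebuilt on each run, and it only acts when the IFACE variable that ifupdown exports names dom0's external interface.

```shell
#!/bin/sh
# Added example, not the howto's script: an idempotent /etc/network/if-up.d/iptables.
# Forwards live in their own nat chain (XEN_PORTFWD is a constructed name) that is
# flushed and rebuilt each run, so repeated ifup calls do not pile up duplicate rules.
WAN_IF=eth0
CHAIN=XEN_PORTFWD

# One forward per line: protocol, dom0 port, guest IP, guest port (the two from the howto).
FORWARDS="tcp 80 10.0.0.1 80
tcp 25 10.0.0.2 25"

# Print the iptables commands instead of running them, so they can be reviewed or tested.
render_rules() {
    echo "iptables -t nat -N $CHAIN 2>/dev/null || true"
    echo "iptables -t nat -F $CHAIN"
    echo "$FORWARDS" | while read proto dport guest gport; do
        [ -n "$proto" ] || continue
        echo "iptables -t nat -A $CHAIN -p $proto --dport $dport -j DNAT --to-destination $guest:$gport"
    done
}

apply_rules() {
    render_rules | sh -e
    # Hook the chain into PREROUTING once; -i limits it to traffic arriving on the external interface.
    if ! iptables -t nat -L PREROUTING -n | grep -q "$CHAIN"; then
        iptables -t nat -A PREROUTING -i "$WAN_IF" -j "$CHAIN"
    fi
}

# ifupdown exports IFACE for the interface being configured; act only for the external one.
if [ "${IFACE:-}" = "$WAN_IF" ]; then
    apply_rules
fi
```

Running the script with `render_rules` sourced (or with IFACE unset) prints the rules without touching the firewall, which is handy for reviewing what a reboot will install.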
