The Perfect Xen 3.0.1 Setup For Debian - Page 6
5 Create A Virtual Local Network From The Virtual Machines (Optional)
(This chapter is optional. What is described here works regardless of if you installed Xen 3 from the sources or the Xen binary.)
In this chapter I want to create a virtual network with my virtual machines, i.e. a network that is different from the network of dom0.
You can find a drawing of what I want to do here: http://wiki.xensource.com/xenwiki/XenNetworkingUsecase#head-7f23d0f2248cb0c70458f9339b4405e2b1bfc271
I did the same with Xen 2.0.7 here: http://www.howtoforge.com/perfect_xen_setup_debian_ubuntu_p6. However, the way to achieve this with Xen 3 has changed completely. Xen 3 configures all the firewall rules, gateways, etc. automatically. Furthermore, we don't need any dummy network interface anymore for our virtual network. It is important to know that Xen 3 assigns gateways from the 10.x.x.x net to our virtual machines, so it is a good idea to also assign IP addresses from the 10.x.x.x net to our virtual machines. If you give them IP addresses from the 192.168.3.x net (as we did with Xen 2.0.7 on http://www.howtoforge.com/perfect_xen_setup_debian_ubuntu_p6), then your virtual machines will have no access to the internet.
So we will give vm01 the IP address 10.0.0.1 and vm02 the IP address 10.0.0.2.
First we edit /etc/xen/xend-config.sxp and disable bridging and enable NAT (network address translation) instead:
Then we change the configuration files of vm01 and vm02:
Afterwards shut down vm01 and vm02:
xm shutdown vm01
xm shutdown vm02
Wait a few seconds and control with xm list that vm01 and vm02 have shut down. Then reboot the system:
shutdown -r now
If vm01 and vm02 aren't started automatically at boot time, start them now:
xm create /etc/xen/vm01-config.sxp
xm create /etc/xen/vm02-config.sxp
Now you should be able to ping vm02 from vm01 and vice versa, and you also be able to ping dom0 and hosts on the internet!
Now let's assume we have a web server on port 80 in vm01 and a mail server on port 25 in vm02. As they are in their own network (10.x.x.x), we cannot access them from the outside unless we forward these ports to the appropriate vm. We can create the necessary port forwarding rules on dom0 with the help of iptables:
iptables -A PREROUTING -t nat -p tcp -i eth0 --dport 80 -j DNAT --to 10.0.0.1:80
iptables -A PREROUTING -t nat -p tcp -i eth0 --dport 25 -j DNAT --to 10.0.0.2:25
If we connect to dom0 now on port 80, we are forwarded to vm01. The same goes for port 25 and vm02.
Of course, the forwarding rules are lost when we reboot dom0. Therefore we put the rules into /etc/network/if-up.d/iptables, which is executed automatically when the system boots:
Now we have to make that script executable:
chmod 755 /etc/network/if-up.d/iptables
Whenever you need additional port forwarding rules, execute them on dom0's shell and then append them to /etc/network/if-up.d/iptables so that they are available even after a reboot.