The Perfect Xen Setup For Debian And Ubuntu - Page 6

5 Create A Virtual Local Network From The Virtual Machines (Optional)

(This chapter is optional, and what is described here can only be done if you installed Xen from the sources and compiled a dom0 kernel with iptables and the dummy network driver as modules (see chapter 3.2).)

Now let's say you got a dedicated server in some data center that has one network card and only one IP address. Now you want to set up a web server (vm01) and a mail server (vm02) as virtual machines. If you would do it the way described above, you would need three public IP addresses (one for dom0, one for vm01, one for vm02), but you only got one. The solution is to set up a virtual local network on your server which means the dom0 has the public IP address and acts as a router (doing NAT, network address translation), and behind that router we have a local network (in this example it is the network

This is how you do it (all these steps have to be made on dom0!):

First, we need a second network interface; it is for the local network. Since we have only one real network card (eth0) which has the public IP address, we use the dummy network driver to set up the network interface dummy0.

echo dummy >> /etc/modules

Append the following part to /etc/network/interfaces:

auto dummy0
iface dummy0 inet static

This will give dummy0 the IP address

Then we have to tell Xen that it should bind the Xen bridge xen-br0 to dummy0. Therefore you have to edit /etc/xen/scripts/network. Change the line




Of course, we have to change the network settings in /etc/xen/vm01-config.sxp and /etc/xen/vm02-config.sxp. vm01 will have the IP address, so its configuration file looks like this:

name ="vm01"
kernel ="/boot/vmlinuz-"
root ="/dev/hda1"
memory =128
disk = ['file:/vserver/images/vm01.img,hda1,w','file:/vserver/images/vm01-swap.img,hda2,w']

# network
dhcp ="off"


Now we have to tell dom0 that it should do NAT so that the virtual machines have internet access. We also have to tell dom0 which ports it should forward to which IP address. Therefore we create the file /etc/network/if-up.d/iptables:


echo "1" > /proc/sys/net/ipv4/ip_forward
iptables -t nat -A POSTROUTING -s -j MASQUERADE

### Port Forwarding ###
iptables -A PREROUTING -t nat -p tcp -i eth0 --dport 80 -j DNAT --to
iptables -A PREROUTING -t nat -p tcp -i eth0 --dport 25 -j DNAT --to
iptables -A PREROUTING -t nat -p tcp -i eth0 --dport 110 -j DNAT --to

The first two commands enable Nat'ing on dom0. In the section after ### Port Forwarding ### you put as many rules as you need. This tells dom0 to forward certain ports to certain destination ports on certain destination IP addresses. For example, the first rule tells dom0 to forward requests on port 80 (http) to port 80 on So if you have a web server running on vm01 (, then all requests on port 80 on dom0 will be forwarded to this web server. The last two rules forward ports 25 (smtp) and 110 (pop3) to our mail server vm02 (

Now we have to make that script executable:

chmod 755 /etc/network/if-up.d/iptables

Finally, we reboot the server:

shutdown -r now

After the reboot, you should have a virtual local network on your Xen system!

Whenever you need new port forwarding rules, put them at the end of /etc/network/if-up.d/iptables. And because you do not want to reboot your system whenever you need new port forwarding rules, you can run the same rule on the shell. For example, if you want to forward port 21 (ftp) to vm01, you put the rule

iptables -A PREROUTING -t nat -p tcp -i eth0 --dport 21 -j DNAT --to

at the end of /etc/network/if-up.d/iptables. Plus, you run this rule on the shell so that it becomes valid immediately:

iptables -A PREROUTING -t nat -p tcp -i eth0 --dport 21 -j DNAT --to





Share this page:

5 Comment(s)