Tuesday, January 9, 2007
7:38 AM

Setting up a Xen DMZ using NAT and IPTables Filtering

Make sure you are using a version of Dom0 with kernel support for IP Tables. See my previous post on compiling Xen from source.

The IP Tables options can be found in the kernel menuconfig configuration under:

Networking ---> Networking options ---> [*] Network packet filtering (replaces ipchains) ---> Core Netfilter Configuration ---> <*> Netfilter Xtables support (required for ip_tables)

Networking ---> Networking options ---> [*] Network packet filtering (replaces ipchains) ---> IP: Netfilter Configuration ---> <*> IP tables support (required for filtering/masq/NAT)

Set the following options in /etc/xen/xend-config.sxp:
(network-script network-nat)
(vif-script vif-nat)

Check (using ifconfig) that vif1.0 in Dom0 has an IP starting 10.0.0.*

Now edit your VM config file to set private local IP addresses:
dhcp = "off"
vif = [ 'ip=10.0.0.1' ] <-- the IP I want to assign to my VM
ip="10.0.0.1" <-- add the same IP here again
gateway="10.0.0.128" <-- the internal IP address of my Dom0 vif1.0
netmask="255.255.255.0"

Similarly, once you boot the VM, you can set the same addresses in the /etc/network/interfaces file in DomU:

auto eth0
iface eth0 inet static
address 10.0.0.1
netmask 255.255.255.0
gateway 10.0.0.128

At this point you should be able to ping Dom0 and nodes on the internet from DomU, and ping DomU from Dom0. However, DomU is not reachable from the internet because it has a private IP address. To address this we can create a DMZ where Dom0 forwards packets to DomU using IP Tables rules. For instance, if we have an SSH daemon running in DomU, we can enable port forwarding in Dom0 using:

iptables -A PREROUTING -t nat -p tcp -i eth0 --dport 22 -j DNAT --to 10.0.0.1:22

A remote user who wants to SSH to DomU simply connects to the public IP of Dom0; the DNAT rule delivers the connection to DomU.
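As an added example that is not part of the original post, the script below emits the rule set for the steps above: the DNAT forward for SSH, plus FORWARD-chain rules so that only the published port (and replies to established flows) can reach the DomU from the public interface. It assumes the NAT setup from this post is already in place (vif1.0 on 10.0.0.128, DomU on 10.0.0.1), that eth0 is Dom0's public interface, and that the conntrack match module is available; the IPTABLES variable and the dmz_forward/dmz_baseline function names are my own.

```shell
#!/bin/sh
# Added example (not from the original post). Emits the iptables rules that
# publish one DomU service through Dom0 and let only that traffic reach the
# guest. IPTABLES defaults to "echo iptables" so the rule set can be reviewed;
# run with IPTABLES=iptables as root on Dom0 to apply it for real.
IPTABLES="${IPTABLES:-echo iptables}"

# dmz_forward <public_if> <domu_ip> <proto> <port>
# Forward <port> arriving on Dom0's public interface to <domu_ip>:<port>.
dmz_forward() {
    pub_if=$1; domu_ip=$2; proto=$3; port=$4
    # The DNAT rule from the post: rewrite the destination before routing.
    $IPTABLES -t nat -A PREROUTING -i "$pub_if" -p "$proto" --dport "$port" \
        -j DNAT --to-destination "$domu_ip:$port"
    # DNAT only rewrites the header; the FORWARD chain still decides whether
    # the rewritten packet is delivered. It sees the translated address, so
    # match on the DomU IP and accept only this port.
    $IPTABLES -A FORWARD -i "$pub_if" -p "$proto" -d "$domu_ip" --dport "$port" \
        -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
}

# dmz_baseline <public_if> <domu_ip>
# Call after all dmz_forward calls: replies to existing flows pass, anything
# else from the public interface toward the guest is logged and dropped, so
# unpublished DomU ports stay unreachable even if a service is listening.
dmz_baseline() {
    pub_if=$1; domu_ip=$2
    $IPTABLES -A FORWARD -i "$pub_if" -d "$domu_ip" \
        -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPTABLES -A FORWARD -i "$pub_if" -d "$domu_ip" -j LOG --log-prefix "DMZ-DROP: "
    $IPTABLES -A FORWARD -i "$pub_if" -d "$domu_ip" -j DROP
}

# Rule set for the post's scenario: SSH on the DomU at 10.0.0.1, public NIC eth0.
dmz_forward eth0 10.0.0.1 tcp 22
dmz_baseline eth0 10.0.0.1
```

Rule order matters: the baseline DROP is appended last, so every dmz_forward call must come before dmz_baseline.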
