ia64/xen-unstable

changeset 635:8463f8865ddc

bitkeeper revision 1.352.1.1 (3f13d81eTRR1ajDAiyPHK9scX5CJAQ)

Add NAT utility script for use in domain 0 when you only have one real IP.
author rac61@labyrinth.cl.cam.ac.uk
date Tue Jul 15 10:31:58 2003 +0000 (2003-07-15)
parents d2aad5afa33c
children 062359854730
files .rootkeys tools/misc/enable_nat tools/misc/enable_nat.README
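--- a/.rootkeys	Tue Jul 15 00:49:09 2003 +0000
+++ b/.rootkeys	Tue Jul 15 10:31:58 2003 +0000
@@ -138,6 +138,8 @@ 3eb781fd8oRfPgH7qTh7xvgmwD6NgA tools/int
 3eb781fd0Eo9K1jEFCSAVzO51i_ngg tools/internal/xi_stop.c
 3f108ae2to5nHRRXfvUK7oxgjcW_yA tools/internal/xi_usage.c
 3eb781fd7211MZsLxJSiuy7W4KnJXg tools/internal/xi_vifinit
+3f13d81eQ9Vz-h-6RDGFkNR9CRP95g tools/misc/enable_nat
+3f13d81e6Z6806ihYYUw8GVKNkYnuw tools/misc/enable_nat.README
 3ddb79bcbOVHh38VJzc97-JEGD4dJQ xen/Makefile
 3ddb79bcCa2VbsMp7mWKlhgwLQUQGA xen/README
 3ddb79bcWnTwYsQRWl_PaneJfa6p0w xen/Rules.mk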
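--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/tools/misc/enable_nat	Tue Jul 15 10:31:58 2003 +0000
@@ -0,0 +1,20 @@
+#!/bin/sh
+
+run_iptables() {
+    if ! iptables $@ ; then
+	echo "iptables returned error; have you built netfilter?"; exit 1
+    fi
+}
+
+ifconfig eth0:0 169.254.1.0 up
+run_iptables -t filter -F
+run_iptables -t nat -F
+run_iptables -t filter -X
+run_iptables -t nat -X
+run_iptables -t filter -P FORWARD DROP
+run_iptables -t filter -A FORWARD -i eth0 -o eth0 -s 169.254.0.0/16 -j ACCEPT
+run_iptables -t filter -A FORWARD -i eth0 -o eth0 -d 169.254.0.0/16 -m state --state ESTABLISHED,RELATED -j ACCEPT
+run_iptables -t nat -A POSTROUTING -o eth0 -s 169.254.1.0 -j RETURN
+run_iptables -t nat -A POSTROUTING -o eth0 -s 169.254.0.0/16 -j MASQUERADE
+echo 1 > /proc/sys/net/ipv4/ip_forward
+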
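Review bot: `iptables $@` in run_iptables is unquoted, so any argument containing whitespace or glob characters is re-split by the shell before iptables sees it; the line should read `if ! iptables "$@" ; then`. The `ifconfig eth0:0 169.254.1.0 up` call is not checked either, so a failed alias still falls through into the rule changes that follow. Those `-F`/`-X` calls discard every existing filter and nat rule on domain 0 before the new policy is installed, which nothing on the page states; a header comment such as `# WARNING: flushes ALL existing filter/nat rules, then installs NAT for 169.254.0.0/16 via eth0` would make that visible to anyone wiring this into startup.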
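--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/tools/misc/enable_nat.README	Tue Jul 15 10:31:58 2003 +0000
@@ -0,0 +1,24 @@
+To use NAT in domain 0 to give access for other domains:
+1) Make sure domain 0's kernel contains at least the following options:
+   (other domains don't need this)
+
+CONFIG_NETFILTER=y
+CONFIG_IP_NF_CONNTRACK=y
+CONFIG_IP_NF_FTP=y
+CONFIG_IP_NF_IPTABLES=y
+CONFIG_IP_NF_MATCH_STATE=y
+CONFIG_IP_NF_FILTER=y
+CONFIG_IP_NF_NAT=y
+CONFIG_IP_NF_NAT_NEEDED=y
+CONFIG_IP_NF_TARGET_MASQUERADE=y
+CONFIG_IP_NF_NAT_FTP=y
+
+2) Run the enable_nat script on domain 0 startup. This will bind
+   169.254.1.0 to domain 0 and set up iptables for NAT. Make sure
+   that the real IP address for eth0 has been set before running the
+   script.
+3) Give the other domains IP addresses in 169.254.0.0/16 and a default
+   gateway of 169.254.1.0.
+4) It should now work. Domains 1 and higher should be able to make
+   outgoing connections through NAT. FTP active or passive should both
+   work thanks to FTP connection tracking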