diff options
| author | rac61@labyrinth.cl.cam.ac.uk <rac61@labyrinth.cl.cam.ac.uk> | 2003-07-15 10:31:58 +0000 |
|---|---|---|
| committer | rac61@labyrinth.cl.cam.ac.uk <rac61@labyrinth.cl.cam.ac.uk> | 2003-07-15 10:31:58 +0000 |
| commit | 788c9c4b9be9c63c0a89047453cad16c8e7995e9 (patch) | |
| tree | 142b900ed50303f99a201720253f7fd69dd09daa /tools | |
| parent | 0cd262a3d850d22262b4cdd68a12099c221b510c (diff) | |
| download | xen-788c9c4b9be9c63c0a89047453cad16c8e7995e9.tar.gz xen-788c9c4b9be9c63c0a89047453cad16c8e7995e9.tar.bz2 xen-788c9c4b9be9c63c0a89047453cad16c8e7995e9.zip | |
bitkeeper revision 1.352.1.1 (3f13d81eTRR1ajDAiyPHK9scX5CJAQ)
Add NAT utility script for use in domain 0 when you only have one real IP.
Diffstat (limited to 'tools')
| -rwxr-xr-x | tools/misc/enable_nat | 20 | ||||
| -rw-r--r-- | tools/misc/enable_nat.README | 24 |
2 files changed, 44 insertions, 0 deletions
diff --git a/tools/misc/enable_nat b/tools/misc/enable_nat new file mode 100755 index 0000000000..e6b21a779b --- /dev/null +++ b/tools/misc/enable_nat @@ -0,0 +1,20 @@ +#!/bin/sh + +run_iptables() { + if ! iptables $@ ; then + echo "iptables returned error; have you built netfilter?"; exit 1 + fi +} + +ifconfig eth0:0 169.254.1.0 up +run_iptables -t filter -F +run_iptables -t nat -F +run_iptables -t filter -X +run_iptables -t nat -X +run_iptables -t filter -P FORWARD DROP +run_iptables -t filter -A FORWARD -i eth0 -o eth0 -s 169.254.0.0/16 -j ACCEPT +run_iptables -t filter -A FORWARD -i eth0 -o eth0 -d 169.254.0.0/16 -m state --state ESTABLISHED,RELATED -j ACCEPT +run_iptables -t nat -A POSTROUTING -o eth0 -s 169.254.1.0 -j RETURN +run_iptables -t nat -A POSTROUTING -o eth0 -s 169.254.0.0/16 -j MASQUERADE +echo 1 > /proc/sys/net/ipv4/ip_forward + diff --git a/tools/misc/enable_nat.README b/tools/misc/enable_nat.README new file mode 100644 index 0000000000..0c6dd1cd70 --- /dev/null +++ b/tools/misc/enable_nat.README @@ -0,0 +1,24 @@ +To use NAT in domain 0 to give access for other domains: +1) Make sure domain 0's kernel contains at least the following options: + (other domains don't need this) + +CONFIG_NETFILTER=y +CONFIG_IP_NF_CONNTRACK=y +CONFIG_IP_NF_FTP=y +CONFIG_IP_NF_IPTABLES=y +CONFIG_IP_NF_MATCH_STATE=y +CONFIG_IP_NF_FILTER=y +CONFIG_IP_NF_NAT=y +CONFIG_IP_NF_NAT_NEEDED=y +CONFIG_IP_NF_TARGET_MASQUERADE=y +CONFIG_IP_NF_NAT_FTP=y + +2) Run the enable_nat script on domain 0 startup. This will bind + 169.254.1.0 to domain 0 and set up iptables for NAT. Make sure + that the real IP address for eth0 has been set before running the + script. +3) Give the other domains IP addresses in 169.254.0.0/16 and a default + gateway of 169.254.1.0. +4) It should now work. Domains 1 and higher should be able to make + outgoing connections through NAT. FTP active or passive should both + work thanks to FTP connection tracking |