authorrac61@labyrinth.cl.cam.ac.uk <rac61@labyrinth.cl.cam.ac.uk>2003-07-15 10:31:58 +0000
committerrac61@labyrinth.cl.cam.ac.uk <rac61@labyrinth.cl.cam.ac.uk>2003-07-15 10:31:58 +0000
commit788c9c4b9be9c63c0a89047453cad16c8e7995e9 (patch)
tree142b900ed50303f99a201720253f7fd69dd09daa /tools
parent0cd262a3d850d22262b4cdd68a12099c221b510c (diff)
bitkeeper revision 1.352.1.1 (3f13d81eTRR1ajDAiyPHK9scX5CJAQ)
Add NAT utility script for use in domain 0 when you only have one real IP.
Diffstat (limited to 'tools')
-rwxr-xr-xtools/misc/enable_nat20
-rw-r--r--tools/misc/enable_nat.README24
2 files changed, 44 insertions, 0 deletions
diff --git a/tools/misc/enable_nat b/tools/misc/enable_nat
new file mode 100755
index 0000000000..e6b21a779b
--- /dev/null
+++ b/tools/misc/enable_nat
@@ -0,0 +1,20 @@
+#!/bin/sh
+
+run_iptables() {
+ if ! iptables $@ ; then
+ echo "iptables returned error; have you built netfilter?"; exit 1
+ fi
+}
+
+ifconfig eth0:0 169.254.1.0 up
+run_iptables -t filter -F
+run_iptables -t nat -F
+run_iptables -t filter -X
+run_iptables -t nat -X
+run_iptables -t filter -P FORWARD DROP
+run_iptables -t filter -A FORWARD -i eth0 -o eth0 -s 169.254.0.0/16 -j ACCEPT
+run_iptables -t filter -A FORWARD -i eth0 -o eth0 -d 169.254.0.0/16 -m state --state ESTABLISHED,RELATED -j ACCEPT
+run_iptables -t nat -A POSTROUTING -o eth0 -s 169.254.1.0 -j RETURN
+run_iptables -t nat -A POSTROUTING -o eth0 -s 169.254.0.0/16 -j MASQUERADE
+echo 1 > /proc/sys/net/ipv4/ip_forward
+
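Review bot: The wrapper `run_iptables` passes its arguments as a bare `$@` on the line `if ! iptables $@ ; then`, so any argument containing whitespace or a glob character would be re-split or expanded by the shell before iptables sees it; it should read `if ! iptables "$@" ; then`. The `ifconfig eth0:0 169.254.1.0 up` line and the final `echo 1 > /proc/sys/net/ipv4/ip_forward` are the only steps whose status is not checked, so a failed alias binding still goes on to flush the filter and nat tables and install the MASQUERADE rule; `ifconfig eth0:0 169.254.1.0 up || exit 1` would keep that step consistent with the script's own iptables wrapper. Because the `-F`/`-X` calls discard every existing rule and user chain in the filter and nat tables, a header comment such as `# WARNING: flushes all existing filter/nat rules in domain 0 before installing the NAT policy` would tell an operator what running this on a host that already has a firewall policy will do.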
diff --git a/tools/misc/enable_nat.README b/tools/misc/enable_nat.README
new file mode 100644
index 0000000000..0c6dd1cd70
--- /dev/null
+++ b/tools/misc/enable_nat.README
@@ -0,0 +1,24 @@
+To use NAT in domain 0 to give access for other domains:
+1) Make sure domain 0's kernel contains at least the following options:
+ (other domains don't need this)
+
+CONFIG_NETFILTER=y
+CONFIG_IP_NF_CONNTRACK=y
+CONFIG_IP_NF_FTP=y
+CONFIG_IP_NF_IPTABLES=y
+CONFIG_IP_NF_MATCH_STATE=y
+CONFIG_IP_NF_FILTER=y
+CONFIG_IP_NF_NAT=y
+CONFIG_IP_NF_NAT_NEEDED=y
+CONFIG_IP_NF_TARGET_MASQUERADE=y
+CONFIG_IP_NF_NAT_FTP=y
+
+2) Run the enable_nat script on domain 0 startup. This will bind
+ 169.254.1.0 to domain 0 and set up iptables for NAT. Make sure
+ that the real IP address for eth0 has been set before running the
+ script.
+3) Give the other domains IP addresses in 169.254.0.0/16 and a default
+ gateway of 169.254.1.0.
+4) It should now work. Domains 1 and higher should be able to make
+ outgoing connections through NAT. FTP active or passive should both
+ work thanks to FTP connection tracking