The virtual hosts should share a private-range TCP/IP network among themselves: they must be able to fetch software from the Internet, but they need not be reachable from outside the Xen server. See Xen Networking for a clear introduction.
In /etc/network/interfaces, put a stanza (bridge_ports needs the bridge-utils package):
# Xen
auto xenbr0
iface xenbr0 inet static
address 10.0.17.253
netmask 255.255.255.0
bridge_ports none
(This is a quick-and-dirty solution. Not suitable for a production server. But quite suitable for a one-week course plaything.)
In /etc/init.d/firewall, put a script (slightly modified from a Debian-administration.org article):
#!/bin/sh
### BEGIN INIT INFO
# Provides:          firewall
# Required-Start:    $network
# Required-Stop:     $network
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
# Short-Description: NAT firewall for the Xen guest bridge
### END INIT INFO
# The LSB header above lets update-rc.d order the script on a dependency-based boot.
PATH=/usr/sbin:/sbin:/bin:/usr/bin
WAN_IF=eth0
LAN_IF=xenbr0
#
# delete all existing rules.
#
iptables -F
iptables -t nat -F
iptables -t mangle -F
iptables -X
# "stop" just leaves the chains empty. Note that the script sets no chain policies,
# so whatever policy INPUT and FORWARD already have (ACCEPT on a fresh system)
# still applies to any packet no rule below matches.
[ "${1}" = "stop" ] && exit 0
# Always accept loopback traffic
iptables -A INPUT -i lo -j ACCEPT
# Allow established connections, and those not coming from the outside
# ("! -i" is the negation syntax current iptables accepts; "-i !eth0" is the old form)
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m state --state NEW ! -i ${WAN_IF} -j ACCEPT
iptables -A FORWARD -i ${WAN_IF} -o ${LAN_IF} -m state --state ESTABLISHED,RELATED -j ACCEPT
# Allow outgoing connections from the LAN side.
iptables -A FORWARD -i ${LAN_IF} -o ${WAN_IF} -j ACCEPT
# Masquerade.
iptables -t nat -A POSTROUTING -o ${WAN_IF} -j MASQUERADE
# Don't forward from the outside to the inside.
iptables -A FORWARD -i ${WAN_IF} -o ${LAN_IF} -j REJECT
# Enable routing.
echo 1 > /proc/sys/net/ipv4/ip_forward
Then make it executable, make it run at boot and call it immediately:
apprentice@xenserver:~$ sudo chmod a+rx /etc/init.d/firewall
apprentice@xenserver:~$ sudo update-rc.d firewall defaults
apprentice@xenserver:~$ sudo /etc/init.d/firewall start
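As an added example (not part of the original page or of the Debian-administration.org script), here is a small POSIX sh audit that checks an iptables-save dump for the properties the script above is meant to provide: masquerading on the WAN interface, a rule that rejects forwarded connections from the outside into the guest bridge, and the default policy of the filter INPUT chain, which the script never sets. The two dumps embedded below are constructed by hand (the second one carries the "-i eth0 -o eth0" reject rule found in some copies of this script, which never matches anything); the interface names eth0 and xenbr0 follow the script, and the function names are my own.

```shell
#!/bin/sh
# Added example: audit an iptables-save dump for the NAT/bridge firewall above.
# Dumps, interface names and function names are assumptions for this example.

# Constructed dump: roughly what the script above produces once loaded
# (newer iptables-save versions print "-m conntrack --ctstate" instead of "-m state").
SAMPLE_RULES='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT ! -i eth0 -m state --state NEW -j ACCEPT
-A FORWARD -i eth0 -o xenbr0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i xenbr0 -o eth0 -j ACCEPT
-A FORWARD -i eth0 -o xenbr0 -j REJECT --reject-with icmp-port-unreachable
COMMIT'

# Constructed variant with the "-i eth0 -o eth0" reject rule: a packet never enters
# and leaves on the same interface here, so outside-to-inside forwarding stays open.
BUGGY_RULES=$(printf '%s\n' "$SAMPLE_RULES" \
    | sed 's/^-A FORWARD -i eth0 -o xenbr0 -j REJECT/-A FORWARD -i eth0 -o eth0 -j REJECT/')

# rule_present DUMP RULE: true if RULE appears verbatim as a line of DUMP.
rule_present() {
    printf '%s\n' "$1" | grep -qxF -- "$2"
}

# chain_policy DUMP TABLE CHAIN: print the default policy of CHAIN in TABLE.
chain_policy() {
    printf '%s\n' "$1" | awk -v t="*$2" -v c=":$3" '
        /^\*/               { in_table = ($0 == t); next }
        in_table && $1 == c { print $2; exit }'
}

# has_masquerade DUMP WAN_IF: guests get source NAT on the WAN interface.
has_masquerade() {
    rule_present "$1" "-A POSTROUTING -o $2 -j MASQUERADE"
}

# wan_to_lan_blocked DUMP WAN_IF LAN_IF: forwarded traffic from WAN_IF into
# LAN_IF hits a REJECT or DROP rule (any --reject-with variant counts).
wan_to_lan_blocked() {
    printf '%s\n' "$1" | grep -qE -- "^-A FORWARD -i $2 -o $3 -j (REJECT|DROP)"'( |$)'
}

# audit_ruleset DUMP WAN_IF LAN_IF: print one line per finding and return the
# number of findings (0 means nothing to report).
audit_ruleset() {
    findings=0
    has_masquerade "$1" "$2" || {
        echo "MISSING: no MASQUERADE on $2; guests will not reach the Internet"
        findings=$((findings + 1)); }
    wan_to_lan_blocked "$1" "$2" "$3" || {
        echo "MISSING: no rule rejecting forwarded traffic $2 -> $3"
        findings=$((findings + 1)); }
    policy=$(chain_policy "$1" filter INPUT)
    [ "$policy" = "DROP" ] || {
        echo "NOTE: filter/INPUT policy is $policy; the script sets none, so new connections arriving on $2 fall through to it"
        findings=$((findings + 1)); }
    return $findings
}

# Stand-alone run: audit both constructed dumps. On a real host, feed it
# "$(iptables-save)" instead of one of the sample strings.
for name in SAMPLE_RULES BUGGY_RULES; do
    eval "dump=\$$name"
    echo "== $name =="
    audit_ruleset "$dump" eth0 xenbr0 || echo "$? finding(s)"
done
```

The audit matches rule text as iptables-save prints it, which is why the constructed dumps spell the negation as "! -i eth0" with the match after the interface: iptables-save normalises option order, so a check written against the script's own command lines would miss rules that are actually loaded.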