The virtual hosts should share a private-range TCP/IP network among themselves. They should be able to fetch software from the Internet, but they needn't be accessible from outside the Xen server. See Xen Networking for a clear introduction.
In /etc/network/interfaces, put a stanza:
# Xen
auto xenbr0
iface xenbr0 inet static
address 10.0.17.253
netmask 255.255.255.0
bridge_ports none
(This is a quick-and-dirty solution: not suitable for a production server, but quite suitable for a one-week course plaything.)
In /etc/init.d/firewall, put a script (slightly modified from a Debian-administration.org article):
#!/bin/sh
PATH=/usr/sbin:/sbin:/bin:/usr/bin
WAN_IF=eth0
LAN_IF=xenbr0
#
# delete all existing rules.
#
iptables -F
iptables -t nat -F
iptables -t mangle -F
iptables -X
[ "${1}" = "stop" ] && exit 0
# Always accept loopback traffic
iptables -A INPUT -i lo -j ACCEPT
# Allow established connections, and those not coming from the outside
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m state --state NEW ! -i ${WAN_IF} -j ACCEPT
iptables -A FORWARD -i ${WAN_IF} -o ${LAN_IF} -m state --state ESTABLISHED,RELATED -j ACCEPT
# Allow outgoing connections from the LAN side.
iptables -A FORWARD -i ${LAN_IF} -o ${WAN_IF} -j ACCEPT
# Masquerade.
iptables -t nat -A POSTROUTING -o ${WAN_IF} -j MASQUERADE
# Don't forward from the outside to the inside.
iptables -A FORWARD -i ${WAN_IF} -o ${LAN_IF} -j REJECT
# Enable routing.
echo 1 > /proc/sys/net/ipv4/ip_forward
Then make it executable, make it run at boot and call it immediately:
apprentice@xenserver:~$ sudo chmod a+rx /etc/init.d/firewall
apprentice@xenserver:~$ sudo update-rc.d firewall defaults
apprentice@xenserver:~$ sudo /etc/init.d/firewall start
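One way to check that the loaded rules match the intent stated in the script's comments, as an added example that is not part of the original page: it reads an iptables-save dump and confirms masquerading on the WAN interface, guest egress, and that new connections from the WAN side are not forwarded to the guests. The function name, messages and sample dump are constructed for illustration, and the check does not model rule order.

```shell
#!/bin/sh
# Added example: audit an iptables-save dump read from stdin.
# Usage on a live host: iptables-save | audit_ruleset eth0 xenbr0
audit_ruleset() {
    awk -v wan="$1" -v lan="$2" '
        function has(flag, val,    i) {   # flag/value pair present and not negated
            for (i = 3; i < NF; i++)
                if ($i == flag && $(i+1) == val && $(i-1) != "!") return 1
            return 0
        }
        function target(    i) {          # word following -j
            for (i = 3; i < NF; i++) if ($i == "-j") return $(i+1)
            return ""
        }
        /^\*/ { table = substr($0, 2) }   # table header, e.g. "*nat"
        table == "filter" && /^:FORWARD DROP/ { blocked = 1 }
        table == "nat" && $2 == "POSTROUTING" && has("-o", wan) &&
            target() == "MASQUERADE" { masq = 1 }
        table == "filter" && $2 == "FORWARD" && $1 == "-A" {
            t = target()
            if (has("-i", lan) && has("-o", wan) && t == "ACCEPT") egress = 1
            # Only a rule without a state match blocks NEW connections.
            if (has("-i", wan) && has("-o", lan) && !/--(ct)?state/ &&
                (t == "REJECT" || t == "DROP")) blocked = 1
        }
        END {
            if (!masq)    { print "FAIL: no MASQUERADE on " wan; bad = 1 }
            if (!egress)  { print "FAIL: no " lan " -> " wan " ACCEPT"; bad = 1 }
            if (!blocked) { print "FAIL: new " wan " -> " lan " not blocked"; bad = 1 }
            if (!bad) print "OK"
            exit bad + 0
        }'
}

# Constructed sample dump (not captured from a real host).
sample_dump() {   # $1 = output interface used by the blocking rule
    cat <<EOF
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
*filter
:FORWARD ACCEPT [0:0]
-A FORWARD -i eth0 -o xenbr0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i xenbr0 -o eth0 -j ACCEPT
-A FORWARD -i eth0 -o $1 -j REJECT --reject-with icmp-port-unreachable
COMMIT
EOF
}
```

The function exits non-zero when any check fails, so it can gate a boot script or a course grading step.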