Add NAT utility script for use in domain 0 when you only have one real IP.
3eb781fd0Eo9K1jEFCSAVzO51i_ngg tools/internal/xi_stop.c
3f108ae2to5nHRRXfvUK7oxgjcW_yA tools/internal/xi_usage.c
3eb781fd7211MZsLxJSiuy7W4KnJXg tools/internal/xi_vifinit
+3f13d81eQ9Vz-h-6RDGFkNR9CRP95g tools/misc/enable_nat
+3f13d81e6Z6806ihYYUw8GVKNkYnuw tools/misc/enable_nat.README
3ddb79bcbOVHh38VJzc97-JEGD4dJQ xen/Makefile
3ddb79bcCa2VbsMp7mWKlhgwLQUQGA xen/README
3ddb79bcWnTwYsQRWl_PaneJfa6p0w xen/Rules.mk
--- /dev/null
+#!/bin/sh
+
+run_iptables() {
+ if ! iptables $@ ; then
+ echo "iptables returned error; have you built netfilter?"; exit 1
+ fi
+}
+
+ifconfig eth0:0 169.254.1.0 up
+run_iptables -t filter -F
+run_iptables -t nat -F
+run_iptables -t filter -X
+run_iptables -t nat -X
+run_iptables -t filter -P FORWARD DROP
+run_iptables -t filter -A FORWARD -i eth0 -o eth0 -s 169.254.0.0/16 -j ACCEPT
+run_iptables -t filter -A FORWARD -i eth0 -o eth0 -d 169.254.0.0/16 -m state --state ESTABLISHED,RELATED -j ACCEPT
+run_iptables -t nat -A POSTROUTING -o eth0 -s 169.254.1.0 -j RETURN
+run_iptables -t nat -A POSTROUTING -o eth0 -s 169.254.0.0/16 -j MASQUERADE
+echo 1 > /proc/sys/net/ipv4/ip_forward
+
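Review bot: The flush and delete calls at the top of the rule setup (`-t filter -F`, `-t nat -F` and the matching `-X` lines) clear every existing rule and user-defined chain in domain 0's filter and nat tables, not only the rules this script owns, so running it on a host that already has firewall rules removes them silently while the INPUT and OUTPUT policies are left as they were. Consider placing the NAT and forwarding rules in dedicated chains and flushing only those, or at minimum state the behaviour in the README. In run_iptables, `iptables $@` should be `iptables "$@"` so arguments are passed through without re-splitting, and the error text attributes any non-zero exit to a missing netfilter build, which will mislead when the cause is something else. The result of the `ifconfig eth0:0 169.254.1.0 up` line is not checked, so the rules are installed even if the alias address could not be bound.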
--- /dev/null
+To use NAT in domain 0 to give access for other domains:
+1) Make sure domain 0's kernel contains at least the following options:
+ (other domains don't need this)
+
+CONFIG_NETFILTER=y
+CONFIG_IP_NF_CONNTRACK=y
+CONFIG_IP_NF_FTP=y
+CONFIG_IP_NF_IPTABLES=y
+CONFIG_IP_NF_MATCH_STATE=y
+CONFIG_IP_NF_FILTER=y
+CONFIG_IP_NF_NAT=y
+CONFIG_IP_NF_NAT_NEEDED=y
+CONFIG_IP_NF_TARGET_MASQUERADE=y
+CONFIG_IP_NF_NAT_FTP=y
+
+2) Run the enable_nat script on domain 0 startup. This will bind
+ 169.254.1.0 to domain 0 and set up iptables for NAT. Make sure
+ that the real IP address for eth0 has been set before running the
+ script.
+3) Give the other domains IP addresses in 169.254.0.0/16 and a default
+ gateway of 169.254.1.0.
+4) It should now work. Domains 1 and higher should be able to make
+ outgoing connections through NAT. FTP active or passive should both
+ work thanks to FTP connection tracking
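Review bot: Step 2 should say that enable_nat flushes the filter and nat tables and sets the FORWARD policy to DROP, since an administrator who adds it to domain 0 startup would otherwise lose existing rules without warning. The requirement that the real eth0 address be set before the script runs is documented only here and is not checked by the script, so it is worth either adding the check or saying what goes wrong when the order is reversed. Step 1 lists the options as `=y` only; note whether building them as modules is also supported. The last sentence of step 4 is missing its final period.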