# HG changeset patch
# User rac61@labyrinth.cl.cam.ac.uk
# Date 1058265118 0
# Node ID 8463f8865ddc86d0723ed240eb49a5a21cc3f768
# Parent d2aad5afa33c189bbee20afa31b5a1f4b470afa6
bitkeeper revision 1.352.1.1 (3f13d81eTRR1ajDAiyPHK9scX5CJAQ)
Add NAT utility script for use in domain 0 when you only have one real IP.
diff -r d2aad5afa33c -r 8463f8865ddc .rootkeys
--- a/.rootkeys Tue Jul 15 00:49:09 2003 +0000
+++ b/.rootkeys Tue Jul 15 10:31:58 2003 +0000
@@ -138,6 +138,8 @@ 3eb781fd8oRfPgH7qTh7xvgmwD6NgA tools/int
 3eb781fd0Eo9K1jEFCSAVzO51i_ngg tools/internal/xi_stop.c
 3f108ae2to5nHRRXfvUK7oxgjcW_yA tools/internal/xi_usage.c
 3eb781fd7211MZsLxJSiuy7W4KnJXg tools/internal/xi_vifinit
+3f13d81eQ9Vz-h-6RDGFkNR9CRP95g tools/misc/enable_nat
+3f13d81e6Z6806ihYYUw8GVKNkYnuw tools/misc/enable_nat.README
 3ddb79bcbOVHh38VJzc97-JEGD4dJQ xen/Makefile
 3ddb79bcCa2VbsMp7mWKlhgwLQUQGA xen/README
 3ddb79bcWnTwYsQRWl_PaneJfa6p0w xen/Rules.mk
diff -r d2aad5afa33c -r 8463f8865ddc tools/misc/enable_nat
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/tools/misc/enable_nat Tue Jul 15 10:31:58 2003 +0000
@@ -0,0 +1,20 @@
+#!/bin/sh
+
+run_iptables() {
+ if ! iptables $@ ; then
+ echo "iptables returned error; have you built netfilter?"; exit 1
+ fi
+}
+
+ifconfig eth0:0 169.254.1.0 up
+run_iptables -t filter -F
+run_iptables -t nat -F
+run_iptables -t filter -X
+run_iptables -t nat -X
+run_iptables -t filter -P FORWARD DROP
+run_iptables -t filter -A FORWARD -i eth0 -o eth0 -s 169.254.0.0/16 -j ACCEPT
+run_iptables -t filter -A FORWARD -i eth0 -o eth0 -d 169.254.0.0/16 -m state --state ESTABLISHED,RELATED -j ACCEPT
+run_iptables -t nat -A POSTROUTING -o eth0 -s 169.254.1.0 -j RETURN
+run_iptables -t nat -A POSTROUTING -o eth0 -s 169.254.0.0/16 -j MASQUERADE
+echo 1 > /proc/sys/net/ipv4/ip_forward
+
diff -r d2aad5afa33c -r 8463f8865ddc tools/misc/enable_nat.README
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/tools/misc/enable_nat.README Tue Jul 15 10:31:58 2003 +0000
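Review bot: In tools/misc/enable_nat, `run_iptables` forwards its arguments as unquoted `$@`, so the shell re-splits them before they reach iptables; the wrapper should read `if ! iptables "$@" ; then`. With the arguments the script passes today this makes no observable difference, but it is the idiom that keeps the wrapper correct should an argument ever carry whitespace or glob characters. Separately, the script flushes and deletes every user chain in both the filter and nat tables (`-F`/`-X`) while only setting a policy for FORWARD, so any firewall rules already present in domain 0 are discarded silently; a header comment such as `# WARNING: flushes ALL existing filter/nat rules in domain 0 before installing the NAT rules` would make that explicit to whoever runs it at startup. The diagnostic in the wrapper should also go to stderr (`... have you built netfilter?" >&2`), and the final write to /proc/sys/net/ipv4/ip_forward is the one step whose failure is not checked, unlike every iptables call before it.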
@@ -0,0 +1,24 @@
+To use NAT in domain 0 to give access for other domains:
+1) Make sure domain 0's kernel contains at least the following options:
+ (other domains don't need this)
+
+CONFIG_NETFILTER=y
+CONFIG_IP_NF_CONNTRACK=y
+CONFIG_IP_NF_FTP=y
+CONFIG_IP_NF_IPTABLES=y
+CONFIG_IP_NF_MATCH_STATE=y
+CONFIG_IP_NF_FILTER=y
+CONFIG_IP_NF_NAT=y
+CONFIG_IP_NF_NAT_NEEDED=y
+CONFIG_IP_NF_TARGET_MASQUERADE=y
+CONFIG_IP_NF_NAT_FTP=y
+
+2) Run the enable_nat script on domain 0 startup. This will bind
+ 169.254.1.0 to domain 0 and set up iptables for NAT. Make sure
+ that the real IP address for eth0 has been set before running the
+ script.
+3) Give the other domains IP addresses in 169.254.0.0/16 and a default
+ gateway of 169.254.1.0.
+4) It should now work. Domains 1 and higher should be able to make
+ outgoing connections through NAT. FTP active or passive should both
+ work thanks to FTP connection tracking