01mar. 2010

Xen et utilisation du NAT

Xen_logo.png
Un ami ayant eu un besoin urgent de pouvoir gérer des DomU Xen via le NAT, et comme la configuration de Xen en NAT ne me plaît guère, je me suis permis de développer un petit script très simple afin de gérer des règles de routage.

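#!/bin/sh
# xen-nat.sh - interactive helper for Xen DomUs reached through NAT.
#
# On start it enables IPv4 forwarding and installs (once) a SNAT rule so
# traffic from the DomU range IP_PRIVATE leaves the host as IP_PUBLIC.
# It then shows the nat PREROUTING chain and a small menu to add, delete
# or list DNAT rules mapping a public address to a DomU's private address.
#
# Must be run as root (writes /proc and the netfilter tables).
# Configuration: set IP_PUBLIC to the host's public address and IP_PRIVATE
# to the DomU network in CIDR notation before running.
IPTABLES=/sbin/iptables
MORE=/bin/more
GREP=/bin/grep
ECHO=/usr/bin/echo
IP_PUBLIC=XXX.XXX.XXX.XXX
IP_PRIVATE=XXX.XXX.XXX.XXX/XX

SEPARATOR="________________________________________________________________________________________________"

# die MESSAGE... - print MESSAGE on stderr and exit with status 1.
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

# is_ipv4 ADDR - succeed only if ADDR is a dotted-quad IPv4 address whose
# four octets are decimal numbers in 0..255.  Everything typed at the
# prompts goes through this before it is handed to iptables, so a typo or
# a stray option-looking string cannot turn into an unintended rule.
is_ipv4() {
  _addr=$1
  # Reject anything that is not digits and dots up front; this also keeps
  # the unquoted split below free of glob characters.
  case $_addr in
    ''|*[!0-9.]*) return 1 ;;
  esac
  _old_ifs=$IFS
  IFS=.
  set -- $_addr
  IFS=$_old_ifs
  [ $# -eq 4 ] || return 1
  for _octet in "$@"; do
    [ -n "$_octet" ] || return 1
    [ "$_octet" -le 255 ] || return 1
  done
  return 0
}

# is_uint VALUE - succeed only if VALUE is a non-empty string of digits
# (the form a rule number must have).
is_uint() {
  case $1 in
    ''|*[!0-9]*) return 1 ;;
    *) return 0 ;;
  esac
}

# list_prerouting - print the nat PREROUTING chain with rule numbers,
# paged from line 2 as the original did.
list_prerouting() {
  ${IPTABLES} -t nat -L PREROUTING --line-numbers | ${MORE} +2
}

# prerouting_rule NUM - print the PREROUTING line whose rule number is NUM
# (nothing if there is none).  Anchoring on the first column avoids the
# false match a bare word search gives when NUM also appears as an address
# octet or a port later on some other line.
prerouting_rule() {
  ${IPTABLES} -t nat -L PREROUTING --line-numbers | ${GREP} -E "^$1[[:space:]]"
}

# prerouting_has_dest ADDR - succeed if ADDR already appears as a whole
# word in the PREROUTING chain.  -F keeps the dots literal.
prerouting_has_dest() {
  ${IPTABLES} -t nat -L PREROUTING --line-numbers | ${GREP} -Fw -- "$1" >/dev/null 2>&1
}

# save_rules - persist the ruleset.  A failure here is reported, not
# fatal: the rule is already live, the user only needs to know it will
# not survive a reboot.
save_rules() {
  if ! /etc/init.d/iptables save >/dev/null 2>&1; then
    printf '%s\n' "Warning: /etc/init.d/iptables save failed, rules not persisted" >&2
  fi
}

# confirm PROMPT - print PROMPT and a "  >> " cue, read one line and
# succeed only on an exact "Y".
confirm() {
  printf '%s\n' "$1"
  printf '  >> '
  read -r _answer
  echo
  [ "$_answer" = "Y" ]
}

# Enable IPv4 forwarding unless it is already on.
if ! ${GREP} '1' /proc/sys/net/ipv4/ip_forward >/dev/null 2>&1; then
  ${ECHO} "1" > /proc/sys/net/ipv4/ip_forward || die "cannot enable ip_forward (not root?)"
fi

# Outbound DomU traffic: source-NAT the private range to the public address,
# added only once (the chain is checked for IP_PUBLIC first).
if ! ${IPTABLES} -L POSTROUTING -t nat | ${GREP} -F -- "${IP_PUBLIC}" >/dev/null 2>&1; then
  ${IPTABLES} -A POSTROUTING -t nat -s "${IP_PRIVATE}" -j SNAT --to "${IP_PUBLIC}" \
    || die "failed to add SNAT rule for ${IP_PRIVATE}"
fi

echo "Rules policy in progress :"
echo "${SEPARATOR}"
list_prerouting
echo "${SEPARATOR}"
echo
echo "Actions :"
echo "+---+-----------------+"
echo "| 1 |    Add Rules    |"
echo "+---+-----------------+"
echo "| 2 |   Delete Rules  |"
echo "+---+-----------------+"
echo "| 3 |    List Rules   |"
echo "+---+-----------------+"
# printf instead of "echo -n": -n is not portable under /bin/sh.
printf '  >> '
read -r TASK
case ${TASK} in
  0)
    # Undocumented entry kept from the original script.
    echo "#############"
    echo "# 28/02/2010 #"
    echo "#############"
    ;;
  1)
    echo "== Add Rules =="
    printf 'IP Source >> '
    read -r IPSOURCE
    is_ipv4 "${IPSOURCE}" || die "Invalid IP Source: ${IPSOURCE}"
    if prerouting_has_dest "${IPSOURCE}"; then
      echo "IP Source is already configured, please remove it before"
      exit
    fi
    printf 'IP Destination >> '
    read -r IPDESTINATION
    is_ipv4 "${IPDESTINATION}" || die "Invalid IP Destination: ${IPDESTINATION}"
    echo "-------------------------------"
    if ! confirm "Apply this Rules, Traffic destined ${IPSOURCE} redirect to ${IPDESTINATION} ? (Y/N)"; then
      echo "You have not validated, rules not add"
      exit
    fi
    ${IPTABLES} -A PREROUTING -t nat -j DNAT -d "${IPSOURCE}/32" --to "${IPDESTINATION}" \
      || die "iptables failed, rules not add"
    save_rules
    echo "Success Rules Apply"
    ;;
  2)
    echo "== Delete Rules =="
    printf 'Rules numbers >> '
    read -r DELRULES
    is_uint "${DELRULES}" || die "Rules not exist"
    RULE=$(prerouting_rule "${DELRULES}")
    if [ -z "${RULE}" ]; then
      echo "Rules not exist"
      exit
    fi
    # Columns 6 and 7 of the --line-numbers listing, as the original used.
    DESCRIPTION=$(printf '%s\n' "${RULE}" | awk '{ print "Traffic destined to "$6" redirect "$7 }')
    if ! confirm "Delete this Rules, ${DESCRIPTION} ? (Y/N)"; then
      echo "You have not validated, rules not delete"
      exit
    fi
    ${IPTABLES} -t nat -D PREROUTING "${DELRULES}" || die "iptables failed, rules not delete"
    save_rules
    echo "Success Rules Apply"
    ;;
  3)
    echo "== List Rules =="
    echo "${SEPARATOR}"
    list_prerouting
    echo "${SEPARATOR}"
    ;;
  *)
    echo "---------------------------"
    echo "Invalid selection"
    exit
    ;;
esac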



Script : xen-nat.sh