LinuxQuestions.org

Forum: Linux - Virtualization and Cloud (https://www.linuxquestions.org/questions/linux-virtualization-and-cloud-90/)
Thread: NAT with xen ?'s (https://www.linuxquestions.org/questions/linux-virtualization-and-cloud-90/nat-with-xen-s-4175439511/)

minty33 11-30-2012 05:39 PM

NAT with xen ?'s
 
Can anyone tell me if xen can port forward? I am doing a work study project for my school and need to create a Linux VM for each student in the Unix class so they can administer their own OS as part of the class. Since the IT dept and work study are separate I can't ask them to port forward on the default gateway. All I get is one server that can go in the DMZ and one public IP. Students need to ssh into their OS/VM to do their work; since it's a command line only class, RDP or VNC is not used, plus no GUI for overhead reasons. I want to use NAT obviously so each machine can access the internet for apt-get and updates etc., but with only one public IP and not being able to port forward on the default gateway, ssh becomes a problem. These VMs aren't visible, nor will they get internal network logins, one reason being they use Barracuda and it's a GUI login, secondly they won't give me the logins to use or port forward to my VMs. Tell me if I'm right here. My only option is to assign each VM a unique unassigned port to use for ssh and get xen to forward to that port on said machine. So for example my public IP is say 1.1.1.1 and my VM1 uses port 46001 for ssh and has a static IP of 123.123.123.1; then to reach VM1 I need to, from a remote CPU, ssh user@1.1.1.1:46001, and xen, which is the 1.1.1.1 physical machine, needs to forward the request for port 46001 to my private 123.123.123.1 VM IP internally. VM2 would be port 46002 for ssh and have IP 123.123.123.2. Again xen would need to forward requests for that port to VM2's static IP and VM2's port 46002, which again is configured as ssh on that machine. Will this work, and can xen forward like a router to the VMs it's running to accomplish this? Is there a better solution given my constraints? Please don't say EC2, as I know this would be easier but there is too much red tape for the dept to make proposals etc., so it has to be done with no cost, one public IP, one server in a DMZ.
By the way, if xen can port forward for me instead of having the VMs on the network and having the default gateway do it, then please tell me what file or where this setup is done in xen.

beowulfnode 12-01-2012 07:41 PM

When you say xen I'm a little unclear on what exactly you mean by that. It sounds like you are trying to have a physical server's xen hypervisor perform nat. While I've not actually tried a xen hypervisor before I would be mildly surprised if it did offer that feature.

I would set up a virtual machine with 2 virtual nics to act as a nat router, and allocate one of those vnics on that VM to be in the DMZ and then have that virtual machine do all of the nat you want, and you can use your favourite distro to do this. Or if you are only going to be using ipv4 and a small number of students you can have a VM with something like smoothwall in it, as it is a simple purpose built distro for this sort of thing. The physical server would then only have a private IP address to access its configuration, but you would have complete control over the thing doing nat on that DMZ IP address.

If you have a lot of students you may want to use your favourite distro and standard iptables rules to do the forwarding as it is easier to generate a lot of very similar lines of text than clicking heaps of times. I personally like doing this sort of thing with a spreadsheet program, then paste in to a plain text editor and use the search and replace to remove all the tabs. You may need to copy a tab character and paste it in to the search field as pressing tab will usually just move your cursor to the next box.

We actually operate in this way at my work, with the modem/router just pointing its exposed host (aka DMZ) function to a virtual machine, and from that VM we do any port forwarding and a few other things.

beowulfnode 12-01-2012 08:16 PM

The physical nic in the server can be thought of as one of the ports in a network switch, and the hypervisor configuration interface is just a virtual nic "plugged" in to another port on that network switch.
I find the ESXi diagram a good representation of what is going on; the vertical grey bar is a vSwitch:
http://download.openegg.org/temp/ESXi-Network.PNG
Usually the hypervisor OS does some handy load balancing and failover if the physical server has more than one nic, so you can plug all of the cables in to the physical switch to access higher bandwidth. In this situation all of the physical cables in that group can be thought of as a single "fatter" cable.

This way your physical server has a private IP address like 192.168.42.1 on a /24 subnet.
The WAN interface vnic of your virtual nat machine has the public IP address of 1.1.1.1
The LAN interface vnic of your virtual nat machine has the private IP address of say 10.0.0.1 in say a /24 or /16 or /8 subnet, depending on how many student virtual machines there are.
Each of the student's VM has a fixed private IP on the same subnet as the LAN interface of the virtual nat machine and a port forward on the virtual nat machine mapped to their ssh port.

Then if the students want to access other ports on their server they can use ssh tunnelling.

For security I would recommend that there be at least 3 virtual switches. These would contain
1 - hypervisor config vnic with its own dedicated physical nic(s) connected to a switch that you can use to perform config from
2 - WAN interface vnic with its own dedicated physical nic(s) connected to the DMZ network
3 - LAN interface vnic and - Student VMs vnics

minty33 12-02-2012 09:05 AM

Thank you so much for the response. I posted this on like 4 forums including 2 xen forums with no replies. I think I understand what you mean. I actually mentioned this idea of a VM doing the routing for me but was hoping xen had that capability, but no big deal as this will work. The only issue is I won't have a physical switch. Security is not paramount here; it's a small technical college with only 15-20 students in this Unix class at a time. Basically I give the physical box a private IP via DHCP on the school's network and create a VM/router with say Ubuntu 12.04 or Debian that does the port forwarding to a subnet that's different from the physical box, which is populated by the VMs. Is that right? Each student VM needs to use ssh on a unique unassigned port and have the VM/router port forward. For example, ssh requests for port 46001 on the VM/router with the public IP would be forwarded to 46001 on VM1 with a private address, and student2 would use say port 46002 for ssh and type user@publicipofvmrouter:46002, and that VM/router again is set to forward requests for 46002 to privateipVM2:46002. If you get a chance can you confirm that I am understanding this right given my explanation here? Also that the switch is just a security recommendation and not necessary for functionality.

beowulfnode 12-07-2012 06:09 AM

I think you've got the idea. But just a few notes
- the physical separation of nics to separate switches is only a small security consideration

- the multiple virtual switches are also just a small security consideration that would let you set up some protection of the school network from the activities of the students by changing the outbound rules in your vm/router firewall. You probably do not need to protect the hypervisor's config IP from the rest of the school network, so the above vSwitches 1 and 2 can be combined. The 3rd vSwitch described above can still be used to protect the school network from the students. Just have 2 virtual nics in the vm/router, with 1 nic in each vSwitch, and all the student VMs with just 1 nic each, all connected to the student vSwitch. Then set up the vm/router firewall and routing rules to prevent them accessing any IP address ranges they shouldn't.

- the port mapping does not have to pass through to the same port on the student VM.
so public-ip-of-server:port-for-this-student can map to student-vm-ip:22

eg. in the vm/router
1.1.1.1:46001 maps to 192.168.42.1:22
1.1.1.1:46002 maps to 192.168.42.2:22
... etc...
1.1.1.1:46020 maps to 192.168.42.20:22

This way the student VMs can all use the standard SSH port so you don't need to muck around with all of their configs.
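The mapping above (public port per student, all student VMs on plain port 22) and the "generate a lot of very similar lines" approach from earlier in the thread, written up as an added example that is not from the thread or any of its posters. The script prints, rather than applies, the iptables rules for a Debian/Ubuntu vm/router with two vnics: the interface names eth0 (DMZ side) and eth1 (student side), the 192.168.42.0/24 student subnet, the base port 46000 and the hypervisor config address 192.168.42.200 are all assumptions. It also refuses to generate a student range that would include the hypervisor's own address, since the hypervisor shares the subnet, and it drops student traffic aimed at private ranges, which is the "outbound rules in your vm/router firewall" protection of the school network mentioned above.

```shell
#!/bin/sh
# Added example (not from the thread): generate the vm/router's NAT rules for
#   1.1.1.1:46001 -> 192.168.42.1:22  ...  1.1.1.1:46020 -> 192.168.42.20:22
# Interface names, addresses and the hypervisor IP below are assumptions.

WAN_IF="eth0"                   # vnic on the DMZ vSwitch, carries the public IP
LAN_IF="eth1"                   # vnic on the student vSwitch
PUBLIC_IP="1.1.1.1"
STUDENT_NET="192.168.42"        # /24 holding the student VMs
BASE_PORT=46000                 # student N is reached on public port BASE_PORT+N
HYPERVISOR_IP="192.168.42.200"  # hypervisor config address; must stay out of the student range

# check_no_clash FIRST LAST: fail if the hypervisor address sits inside the student host range
check_no_clash() {
    first=$1; last=$2
    hv_net=${HYPERVISOR_IP%.*}      # e.g. 192.168.42
    hv_host=${HYPERVISOR_IP##*.}    # e.g. 200
    if [ "$hv_net" = "$STUDENT_NET" ] && [ "$hv_host" -ge "$first" ] && [ "$hv_host" -le "$last" ]; then
        echo "error: hypervisor IP $HYPERVISOR_IP clashes with student range $STUDENT_NET.$first-$last" >&2
        return 1
    fi
    return 0
}

# public_port_for N: the port student N types into "ssh -p"
public_port_for() {
    echo $((BASE_PORT + $1))
}

# gen_rules FIRST LAST: print the iptables commands for students FIRST..LAST
gen_rules() {
    first=$1; last=$2
    check_no_clash "$first" "$last" || return 1

    echo "sysctl -w net.ipv4.ip_forward=1"
    echo "iptables -P FORWARD DROP"
    # outbound NAT so the student VMs can reach apt mirrors through the one public IP
    echo "iptables -t nat -A POSTROUTING -o $WAN_IF -s $STUDENT_NET.0/24 -j MASQUERADE"
    # replies to already-accepted connections, in both directions
    echo "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    # keep students off private address space (the school network) before allowing the internet
    for blocked in 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16; do
        echo "iptables -A FORWARD -i $LAN_IF -s $STUDENT_NET.0/24 -d $blocked -j DROP"
    done
    echo "iptables -A FORWARD -i $LAN_IF -o $WAN_IF -s $STUDENT_NET.0/24 -j ACCEPT"

    n=$first
    while [ "$n" -le "$last" ]; do
        port=$(public_port_for "$n")
        vm="$STUDENT_NET.$n"
        # rewrite public-ip:port to student-vm:22, then allow that new connection through
        echo "iptables -t nat -A PREROUTING -i $WAN_IF -d $PUBLIC_IP -p tcp --dport $port -j DNAT --to-destination $vm:22"
        echo "iptables -A FORWARD -i $WAN_IF -o $LAN_IF -d $vm -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT"
        n=$((n + 1))
    done
}

# Stand-alone usage: print the rule set for students 1..20, review it, then run it on the vm/router
gen_rules 1 20
```

A student then connects with `ssh -p 46001 user@1.1.1.1` (the port goes in `-p`, not after a colon), and can reach other services on their VM through that same session with ssh's `-L` port forwarding rather than needing further mappings on the vm/router. Rule order matters: the ESTABLISHED,RELATED rule is appended before the private-range DROP rules so that replies to the students' ssh sessions are never caught by them.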

minty33 12-07-2012 09:28 AM

Thanks Beowulf for the simplified version of mapping to port 22 on the VMs; that seems easier than the netcat stuff. As for protecting the school network, that's really the IT Dept's job on their gateway. I believe they will do this on their gateway because my server is in their DMZ and is not getting a school login or an IP on the school's subnet, so I don't see how the students could reach anything on the network any more than they could already from the internet. Don't forget even in class we will be accessing the VMs through ssh over the internet via the public IP of the router, not internally using private IPs. If I'm missing something there feel free to tell me.

beowulfnode 12-07-2012 04:44 PM

Glad to help.
Though I've just noticed I've created an IP address clash in my advice.
If the students are going to have IP addresses from 192.168.42.1 to 192.168.42.20, then the physical server xen hypervisor config IP address cannot be 192.168.42.1, and you need to pick another address for that, such as 192.168.42.200.

minty33 12-07-2012 05:11 PM

Thanks again. Good catch.

