A virtual network

The virtual hosts should share a private-range TCP/IP network amongst themselves. They should be able to fetch software from the Internet, but they need not be reachable from outside the Xen server. See Xen Networking for a clear introduction.

  1. Create a bridge

    In /etc/network/interfaces, put a stanza (bridge_ports is handled by the bridge-utils package, so install it first; a guest joins the bridge when its vif is configured with bridge=xenbr0):

    # Xen
    auto xenbr0
    iface xenbr0 inet static
            address 10.0.17.253
            netmask 255.255.255.0
            bridge_ports none

  2. Turn on NAT/forwarding from xenbr0 to eth0

    (This is a quick-and-dirty solution. Not suitable for a production server. But quite suitable for a one-week course plaything.)

    In /etc/init.d/firewall, put a script (slightly modified from a Debian-administration.org article):

    #!/bin/sh
    
    PATH=/usr/sbin:/sbin:/bin:/usr/bin
    WAN_IF=eth0
    LAN_IF=xenbr0
    
    #
    # Delete all existing rules. No default policies are set anywhere in
    # this script, so every chain falls back to ACCEPT and the REJECT
    # rules below are the only thing keeping the outside out.
    #
    iptables -F
    iptables -t nat -F
    iptables -t mangle -F
    iptables -X
    
    # On "stop", switch routing off again as well; otherwise the host keeps
    # forwarding packets with no rules at all.
    [ "${1}" = "stop" ] && { echo 0 > /proc/sys/net/ipv4/ip_forward; exit 0; }
    
    # Always accept loopback traffic
    iptables -A INPUT -i lo -j ACCEPT
    
    # Allow established connections, and new ones not coming from the outside
    # (i.e. from the guests on xenbr0). New connections arriving on eth0 fall
    # through to the default ACCEPT policy, so dom0 itself stays reachable.
    iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    iptables -A INPUT -m state --state NEW ! -i ${WAN_IF} -j ACCEPT
    iptables -A FORWARD -i ${WAN_IF} -o ${LAN_IF} -m state --state ESTABLISHED,RELATED -j ACCEPT
    
    # Allow outgoing connections from the LAN side.
    iptables -A FORWARD -i ${LAN_IF} -o ${WAN_IF} -j ACCEPT
    
    # Masquerade guest traffic behind the host's own address.
    iptables -t nat -A POSTROUTING -o ${WAN_IF} -j MASQUERADE
    
    # Don't forward new connections from the outside to the inside
    # (anything not matched by the ESTABLISHED,RELATED rule above).
    iptables -A FORWARD -i ${WAN_IF} -o ${LAN_IF} -j REJECT
    
    # Enable routing.
    echo 1 > /proc/sys/net/ipv4/ip_forward

    Then make it executable, make it run at boot and call it immediately:

    apprentice@xenserver:~$ sudo chmod a+rx /etc/init.d/firewall
    apprentice@xenserver:~$ sudo update-rc.d firewall defaults
    apprentice@xenserver:~$ sudo /etc/init.d/firewall start
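The same gateway, written for a server you would rather not leave relying on default-ACCEPT policies, as an added example that is not the page's script nor the Debian-administration.org one: the ruleset is generated in iptables-restore format with explicit DROP policies on INPUT and FORWARD, and a small text check flags the two things the quick-and-dirty version above gets away with (no default deny, and any WAN-to-LAN forward rule that is not limited to established traffic) before anything is loaded. Interface names and the guest subnet (eth0, xenbr0, 10.0.17.0/24) are assumptions chosen to match the bridge stanza above; apply_rules needs root and iptables-restore.

```shell
#!/bin/sh
# Added example, not from the original page: default-deny NAT ruleset for
# the Xen bridge plus a pre-load sanity check. Interface names and the
# guest subnet are assumptions (eth0, xenbr0, 10.0.17.0/24).

# xen_nat_rules WAN_IF LAN_IF LAN_NET: print a complete iptables-restore
# ruleset. Guests may open connections to dom0 and to the Internet; the
# outside only gets replies to connections the guests opened.
xen_nat_rules() {
    wan="$1"; lan="$2"; net="$3"
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i $lan -s $net -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -i $lan -o $wan -s $net -j ACCEPT
-A FORWARD -i $wan -o $lan -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -s $net -o $wan -j MASQUERADE
COMMIT
EOF
}

# weak_rules: the quick-and-dirty script above in the same format,
# constructed here for comparison. No policies are set, so both chains
# default to ACCEPT and anything not explicitly rejected gets through.
weak_rules() {
    cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i eth0 -o xenbr0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i xenbr0 -o eth0 -j ACCEPT
COMMIT
EOF
}

# check_ruleset WAN_IF LAN_IF: read a ruleset on stdin; return 0 when the
# FORWARD policy is DROP and every WAN->LAN forward rule is limited to
# ESTABLISHED,RELATED, otherwise report the problem on stderr and return 1.
check_ruleset() {
    wan="$1"; lan="$2"
    rules=$(cat)
    rc=0
    if ! printf '%s\n' "$rules" | grep -q '^:FORWARD DROP'; then
        echo "check: FORWARD policy is not DROP" >&2
        rc=1
    fi
    if printf '%s\n' "$rules" | grep -- "^-A FORWARD -i $wan -o $lan " |
       grep -qv 'ESTABLISHED,RELATED'; then
        echo "check: unrestricted forward from $wan to $lan" >&2
        rc=1
    fi
    return $rc
}

# apply_rules WAN_IF LAN_IF LAN_NET: check, then load atomically (root only).
apply_rules() {
    xen_nat_rules "$@" | check_ruleset "$1" "$2" || return 1
    xen_nat_rules "$@" | iptables-restore
    sysctl -w net.ipv4.ip_forward=1
}

# Usage:  sh xen-nat.sh apply eth0 xenbr0 10.0.17.0/24
#         iptables-save | sh xen-nat.sh check eth0 xenbr0
case "${1:-}" in
    apply) apply_rules "$2" "$3" "$4" ;;
    check) check_ruleset "$2" "$3" ;;
esac
```

Because iptables-restore replaces the whole table in one step, there is no window in which the chains are flushed but the new rules are not yet in place, which the flush-then-append script above does have; and the check can be pointed at the live configuration (iptables-save) just as well as at the generated text.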