This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/
[Xen-devel] iptables filtering when bridging

To: xen-devel@xxxxxxxxxxxxxxxxxxx
Subject: [Xen-devel] iptables filtering when bridging
From: David <big.raiders.fan@xxxxxxxxx>
Date: Wed, 9 May 2007 10:04:37 -0400
Still sort of new to Xen, and have been playing around with it bridging Ethernet traffic between Dom0 and DomU.  I'm trying to figure out how to have iptables filtering performed in Dom0 when bridging.

I've found some references to using the following command:
ebtables -t broute -A BROUTING -p ipv4 --ip-proto 6 --ip-dport 80 -j redirect --redirect-target ACCEPT

(For now, I just want to filter Web traffic).

Using the above rule, and logging the ebtables and iptables traffic, I see that traffic is going into the ebtables filter table's INPUT chain, but then I see no activity after that.  The Web browser in DomU never sees any packets.  Based on http://ebtables.sourceforge.net/br_fw_ia/PacketFlow.png, the packet appears to be going the right way, but I can't make it go any further.

Is it possible to have the packets go through the iptables Filter tables in Dom0?  What I'd eventually like to get to is running squid in Dom0 to proxy and filter Web traffic, but I cannot seem to get the traffic to flow properly when in bridging mode.  Based on other searches, I've tried (with squid configured and running in Dom0):

iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 3128

This does not seem to work.  Any insight into how to get this working would be appreciated.
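The following script is an added example, not part of the original mail or of Xen; it shows the two mechanisms by which bridged frames in Dom0 can reach iptables. The first is bridge-netfilter (net.bridge.bridge-nf-call-iptables=1), which makes every frame crossing the bridge traverse the iptables nat PREROUTING and filter FORWARD chains, where the physdev match selects traffic per vif. The second is the ebtables broute table: per the ebtables man page, in the BROUTING chain the redirect target's --redirect-target DROP means "route the frame" (hand it to the IP stack, where nat PREROUTING and REDIRECT apply), while --redirect-target ACCEPT means "keep bridging it". The bridge name xenbr0, the vif name vif1.0, the squid port 3128 and the squid configuration line are assumptions; the script needs root and a bridge with an IP address, and DRY_RUN=1 prints the commands instead of running them.

```shell
#!/bin/sh
# Added example (not from the original post): transparent squid on a Xen Dom0 bridge.
# Assumed names (not in the original mail): bridge xenbr0, DomU interface vif1.0,
# squid on port 3128 configured with "http_port 3128 transparent" (squid 2.6;
# "intercept" on squid 3.1 and later).  Run as root; DRY_RUN=1 echoes the commands.

BRIDGE="${BRIDGE:-xenbr0}"
VIF="${VIF:-vif1.0}"
SQUID_PORT="${SQUID_PORT:-3128}"

# run: execute a command, or echo it when DRY_RUN is set (used for dry runs and tests).
run() {
    if [ -n "$DRY_RUN" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Step 1: make bridged frames visible to iptables.  With bridge-netfilter on,
# frames crossing the bridge traverse nat PREROUTING and filter FORWARD.
enable_bridge_nf() {
    run sysctl -w net.bridge.bridge-nf-call-iptables=1
}

# Step 2: hand port-80 TCP frames from the DomU vif to the IP stack instead of
# bridging them.  In the BROUTING chain --redirect-target DROP means "route",
# ACCEPT means "bridge" (ebtables man page).
add_broute_rule() {
    run ebtables -t broute -A BROUTING -i "$VIF" -p IPv4 --ip-proto tcp --ip-dport 80 \
        -j redirect --redirect-target DROP
}

# Step 3: the routed packet now enters Dom0 on the bridge device, so nat
# PREROUTING can hand it to squid.  Matching on -i "$BRIDGE" keeps squid's own
# outbound port-80 connections (locally generated, OUTPUT chain) out of the loop.
add_redirect_rule() {
    run iptables -t nat -A PREROUTING -i "$BRIDGE" -p tcp --dport 80 \
        -j REDIRECT --to-ports "$SQUID_PORT"
}

# Step 4: filter the traffic that is still bridged, per DomU, with the physdev
# match in FORWARD (only effective once bridge-nf-call-iptables is 1).
add_forward_filter() {
    run iptables -A FORWARD -m physdev --physdev-in "$VIF" -p tcp --dport 25 -j DROP
    run iptables -A FORWARD -m physdev --physdev-in "$VIF" -j LOG --log-prefix "xen-fwd: "
}

configure_transparent_proxy() {
    enable_bridge_nf
    add_broute_rule
    add_redirect_rule
    add_forward_filter
}

# verify: show the sysctl and per-rule hit counters.  A broute counter that grows
# while the REDIRECT counter stays at zero means the frame was routed but never
# matched in nat PREROUTING (wrong -i, or the bridge has no IP address).
verify_rules() {
    run cat /proc/sys/net/bridge/bridge-nf-call-iptables
    run ebtables -t broute -L --Lc
    run iptables -t nat -L PREROUTING -n -v
    run iptables -L FORWARD -n -v
}

if [ "${1:-}" = "apply" ]; then
    configure_transparent_proxy
    verify_rules
fi
```

Usage: `sh transparent-proxy.sh apply` as root, or `DRY_RUN=1 sh transparent-proxy.sh apply` to review the rules first. The REDIRECT rewrites the destination to the address of the interface the packet arrived on, so xenbr0 must carry Dom0's IP address; if it does not, the packet is routed but never reaches squid, and the counters shown by verify_rules make that visible.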