xen-devel
[Xen-devel] Re: Question about the Xen network?
 
 
 2010/10/23 Paolo Bonzini  <pbonzini@xxxxxxxxxx>
On 10/22/2010 05:50 PM, Bei Guan wrote: 
My Dom0 (fedora 8) iptables /etc/sysconfig/iptables 
 
 
This is only half of your configuration.  Libvirt is creating virbr0 and adding iptables rules to connect it to the outside world via NAT (the 192.168.122.x subnet).  iptables -L can show those rules.
  
 Sorry, my Dom0 (fedora 8) iptables configuration is as follows.
[root@localhost ~]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     udp  --  anywhere             anywhere            udp dpt:domain
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:domain
ACCEPT     udp  --  anywhere             anywhere            udp dpt:bootps
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:bootps
RH-Firewall-1-INPUT  all  --  anywhere             anywhere

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             localhost/24        state RELATED,ESTABLISHED
ACCEPT     all  --  localhost/24         anywhere
ACCEPT     all  --  anywhere             anywhere
REJECT     all  --  anywhere             anywhere            reject-with icmp-port-unreachable
REJECT     all  --  anywhere             anywhere            reject-with icmp-port-unreachable
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain RH-Firewall-1-INPUT (1 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     icmp --  anywhere             anywhere            icmp any
ACCEPT     esp  --  anywhere             anywhere
ACCEPT     ah   --  anywhere             anywhere
ACCEPT     udp  --  anywhere             224.0.0.251         udp dpt:mdns
ACCEPT     udp  --  anywhere             anywhere            udp dpt:ipp
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ipp
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ftp
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:nfs
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:telnet
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:http
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:https
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:smtp
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited
    
 
Paolo 
  
_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-devel
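
Added example, not part of the original messages: the FORWARD chain posted above lists an unconditional-looking ACCEPT ahead of three REJECT rules, which is only consistent because `iptables -L` without `-v` omits the in/out interface columns. This Python script (function names are illustrative, not from any project) parses such a listing and reports chains where a rule that looks like a catch-all sits in front of other rules, so the reader knows the listing cannot be audited as printed.

```python
import re

# FORWARD chain from the `iptables -L` output in the message above (no -v, no -n).
LISTING = """\
Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             localhost/24        state RELATED,ESTABLISHED
ACCEPT     all  --  localhost/24         anywhere
ACCEPT     all  --  anywhere             anywhere
REJECT     all  --  anywhere             anywhere            reject-with icmp-port-unreachable
REJECT     all  --  anywhere             anywhere            reject-with icmp-port-unreachable
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited
"""
CHAIN_RE = re.compile(r"^\s*Chain (\S+) \(")
TERMINATING = {"ACCEPT", "REJECT", "DROP"}  # jumps to user chains are not verdicts

def parse_listing(text):
    """Return {chain: [(target, prot, source, destination, extra), ...]}."""
    chains, current = {}, None
    for line in text.splitlines():
        m = CHAIN_RE.match(line)
        if m:
            current = chains.setdefault(m.group(1), [])
            continue
        fields = line.split(None, 5)
        if current is None or len(fields) < 5 or fields[0] == "target":
            continue  # blank line, column header, or text before the first chain
        extra = fields[5].strip() if len(fields) > 5 else ""
        current.append((fields[0], fields[1], fields[3], fields[4], extra))
    return chains

def looks_catch_all(rule):
    """True if the rule, as printed without -v, seems to match every packet."""
    target, prot, src, dst, extra = rule
    only_target_opts = extra == "" or extra.startswith("reject-with")
    return (target in TERMINATING and prot == "all"
            and src == dst == "anywhere" and only_target_opts)

def shadowing_report(chains):
    """Map chain -> (1-based position of first apparent catch-all, rules after it)."""
    report = {}
    for name, rules in chains.items():
        for pos, rule in enumerate(rules, start=1):
            # Later rules would be dead code, so this rule must match on a
            # column hidden without -v (typically the in/out interface).
            if looks_catch_all(rule) and pos < len(rules):
                report[name] = (pos, len(rules) - pos)
                break
    return report

if __name__ == "__main__":
    print(shadowing_report(parse_listing(LISTING)))
```

For any chain the report names, `iptables -L <chain> -n -v` prints the interface columns and numeric addresses. Plain `iptables -L` lists only the filter table; the nat table is shown with `iptables -t nat -L -n -v`.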
 