Re: [Xen-users] vifs and networking
root wrote:
> Thanks, that helped a lot. I am back to a "flat" network: all 7 vifs
> talking to xen-br0, 4 DHCP IP addresses, all 3 domUs pinging each other
> and dom0 and the outside world.
>
> I tried to connect vif1.1 and vif2.1 to the bridge xen-brDMZ and vif1.2
> and vif3.1 to the bridge xen-brINT. I got some error that iptables was
> not installed. I activated iptables 1.2.11 (Fedora Core 3 for dom0 and
> all three domUs) in both dom0 and domU. Now in dom0 and domU I get:
>
>   FATAL: Module ip_tables not found.
>   iptables v1.2.11: can't initialize iptables table `filter': iptables
>   who? (do you need to insmod?)
>   Perhaps iptables or your kernel needs to be upgraded.
>
> When I boot to the non-xen kernel iptables is started, and when I enter
> iptables -L it shows the rules. When I boot to the xen0, or any domU,
> kernel the status of iptables is stopped. After a restart, iptables -L
> gives the above error.
The default configs for our dom0 and domU kernels have CONFIG_KMOD set,
which should allow the relevant modules to be automatically loaded when
the iptables command is run.

Can you check you have the modules installed in dom0 correctly and that
/lib/modules/2.6.11.11-xen0/kernel/net/ipv4/netfilter/ (varied for your
kernel version) is full of modules including ip_tables.ko and
iptables_netfilter.ko. You could also try a 'depmod -a' and reboot.

Our default domU config doesn't include netfilter, so rebuild the domU
kernel (remember to use ARCH=xen in all Linux 'make' invocations) to
include the required options. (You should also be able to use a dom0
kernel and /lib/modules tree for a domU. The former has the needed
netfilter modules.)
> Is there a step-by-step on how to get iptables running on dom0 and
> domU?
In general, setting up iptables is the same on Xen domains as it is on
multiple physical boxes. The main gotchas are:

1. The interface that dom0 sees as its external interface is the name
   of the bridge it attaches to (usually xen-br0).

2. The bridging in dom0 interacts with iptables. Even bridged packets
   traverse some chains (this will apply to non-xen boxes using Linux
   bridging too).
> Thanks again, this forum is indispensable.
Even more so if you reply to the list rather than just to me :-). Please
can you post with a legitimate email address rather than
root@xxxxxxxxxxxxxxxxx
> (I could put a firewall box in front of this 4 OS box, but I think
> there has to be a way to get this DMZ to work on one box in xen. [I
> this multi-zoned network working on one box in VMWare 5.0])
James
_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users
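The module check described in the reply above (module tree for the running kernel, ip_tables.ko under net/ipv4/netfilter, depmod), written up as a small diagnostic script. This is an added example, not code from the thread or from the Xen project; the function name and its return codes are my own choice, and the module root and kernel version are passed in so the check can be run against any tree.

```shell
#!/bin/sh
# Diagnose "FATAL: Module ip_tables not found" on a Xen dom0/domU kernel.
#
# check_netfilter_modules MODROOT KVER
#   MODROOT: root of the modules tree (normally /lib/modules)
#   KVER:    kernel release (normally `uname -r`, e.g. 2.6.11.11-xen0)
#
# Return codes (hypothetical, chosen for this example):
#   0  ip_tables.ko is installed and indexed in modules.dep (kmod autoload should work)
#   1  no module tree exists for that kernel (modules not installed for it)
#   2  the netfilter directory has no ip_tables.ko (kernel built without netfilter)
#   3  ip_tables.ko is present but missing from modules.dep (run 'depmod -a')
check_netfilter_modules() {
    modroot=$1
    kver=$2
    tree="$modroot/$kver"
    nfdir="$tree/kernel/net/ipv4/netfilter"

    if [ ! -d "$tree" ]; then
        echo "no module tree for kernel $kver under $modroot" >&2
        return 1
    fi
    if [ ! -f "$nfdir/ip_tables.ko" ]; then
        echo "$nfdir has no ip_tables.ko; rebuild the kernel with netfilter enabled" >&2
        return 2
    fi
    # modules.dep is what the autoloader consults; a module file that is
    # not listed there is invisible to modprobe until depmod is re-run.
    if ! grep -q 'ip_tables\.ko' "$tree/modules.dep" 2>/dev/null; then
        echo "ip_tables.ko present but not in modules.dep; run 'depmod -a'" >&2
        return 3
    fi
    echo "ip_tables.ko installed and indexed for $kver"
    return 0
}

# Run against the live system only when asked, so the function can also be
# sourced and tested against a constructed tree.
if [ "${1:-}" = "--check" ]; then
    check_netfilter_modules /lib/modules "$(uname -r)"
fi
```

Run it as `sh check_nf.sh --check` in dom0 and again in each domU; the same script run against a dom0 module tree tells you whether that tree can be reused for a domU as the reply suggests.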