WARNING - OLD ARCHIVES

This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/
   
 
 
Xen 		  
Home Products Support Community News
 
   
 

xen-users

[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: [Xen-users] so close! just an iptables rule away.....?

from [Rob Dyke] [Permanent Link][Original]
To: Michael Best <mbest@xxxxxxxxxxxxx>
Subject: Re: [Xen-users] so close! just an iptables rule away.....?
From: Rob Dyke <robdyke@xxxxxxxxx>
Date: Sun, 4 Dec 2005 20:24:01 +0000
Cc: xen-users@xxxxxxxxxxxxxxxxxxx
Delivery-date: Mon, 05 Dec 2005 07:34:10 +0000
Domainkey-signature: a=rsa-sha1; q=dns; c=nofws; s=beta; d=gmail.com; h=received:in-reply-to:references:mime-version:content-type:message-id:cc:content-transfer-encoding:subject:date:to:x-mailer:from; b=EF2p+39QzR0y4j4N+p7Ph6nD7IpoWHBu6Ax2RP3GshhMj7J82y0pb/0ADiPjPXoRJS9xMAmm/b57Fdn6lf4epKx5z2kAbzWlg1tHfs/S75H4jyrYeasG/n1r6Zj+mOktC0TJgCP3SeHZnDGqMkSahx5eG5qnVm3ZZ0pt2ZxDU+M=
Envelope-to: www-data@xxxxxxxxxxxxxxxxxxx
In-reply-to: <438D2CC3.70103@xxxxxxxxxxxxx>
List-help: <mailto:xen-users-request@lists.xensource.com?subject=help>
List-id: Xen user discussion <xen-users.lists.xensource.com>
List-post: <mailto:xen-users@lists.xensource.com>
List-subscribe: <http://lists.xensource.com/cgi-bin/mailman/listinfo/xen-users>, <mailto:xen-users-request@lists.xensource.com?subject=subscribe>
List-unsubscribe: <http://lists.xensource.com/cgi-bin/mailman/listinfo/xen-users>, <mailto:xen-users-request@lists.xensource.com?subject=unsubscribe>
References: <438D2CC3.70103@xxxxxxxxxxxxx>
Sender: xen-users-bounces@xxxxxxxxxxxxxxxxxxx 
Thanks Michael. I'll give them your modification a go and report back.
/rob

On 30 Nov 2005, at 04:38, Michael Best wrote:


Hi,
# iptables -L -v -n
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination 8216 809K RH-Firewall-1-INPUT all -- * * 0.0.0.0/0 0.0.0.0/0 0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 PHYSDEV match --physdev- in eth1 ! --physdev-out eth1 0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 PHYSDEV match ! --physdev- in eth1 --physdev-out eth1
The big problem is in the FORWARD chain, the first rule in this chain says jump to the chain RH-Firewall-1-INPUT and then the subsequent rules are ignored.
So for instance in my example system my domU is on bridged interface vif3.0 in order add the ACCEPT iptables line *before* the jump to RH-Firewall I had to drop that rule and then insert it back in. 

iptables -D FORWARD -j RH-Firewall-1-INPUT
iptables -A FORWARD -m physdev --physdev-in vif3.0 -j ACCEPT
iptables -A FORWARD -j RH-Firewall-1-INPUT
Same basic approach for you, just make sure your rules come before the jump or drop that rule and then add it back in after the rule changes are done.
I modified my /etc/xen/scripts/vif-common.sh to do this for me. The patch appeared in my last post. 

-Mike

_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users



_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users
[More with this subject...]
<Prev in Thread] Current Thread [Next in Thread>
  • Re: [Xen-users] so close! just an iptables rule away.....?, Rob Dyke <=
Previous by Date:  Re: [Xen-users] how can i run X (gnome) in xen., wmarvel
Next by Date:  RE: [Xen-users] i386 domU on amd64 (xen-unstable), Petersson, Mats
Previous by Thread:  Re: [Xen-users] how can i run X (gnome) in xen., wmarvel
Next by Thread:  RE: [Xen-users] i386 domU on amd64 (xen-unstable), Petersson, Mats
Indexes:  [Date] [Thread] [Top] [All Lists]
 
   

Copyright , Citrix Systems Inc. All rights reserved. Legal and Privacy