WARNING - OLD ARCHIVES

This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/
   
 
 
xen-users

Re: [Xen-users] IPtables working on domU but not dom0

Hello Lyle,

Xen wrote:
>   Can someone send me an example of their IPtables configuration file for
> dom0 so I can see how they have set it?
> 

On my system dom0 acts as a gateway for the domUs, which are in a /28.
I'm no expert on this, but as far as I can tell, it works.

I changed the real IP addresses to made-up addresses:

# Default policies: drop anything not explicitly allowed into dom0 (INPUT)
# or through it (FORWARD); dom0 itself may talk out freely.
/sbin/iptables -P FORWARD DROP
/sbin/iptables -P INPUT DROP
/sbin/iptables -P OUTPUT ACCEPT
# Start from a clean slate in the filter and nat tables.
/sbin/iptables -t filter -F
/sbin/iptables -t filter -X
/sbin/iptables -t nat -F
/sbin/iptables -t nat -X
# FTP conntrack helper, so FTP data connections show up as RELATED below.
/sbin/modprobe ip_conntrack_ftp
# dom0 routes for the domUs, so IP forwarding must be on.
echo 1 > /proc/sys/net/ipv4/ip_forward
# "clean" is the catch-all at the end of in_main and fwd_main: Windows
# NetBIOS/RPC noise is dropped silently, everything else is logged
# (rate-limited) and then rejected instead of silently dropped.
/sbin/iptables -N clean
/sbin/iptables -A clean -p udp --dport 135:139 -j DROP
/sbin/iptables -A clean -j LOG --log-prefix "Rejected " -m limit --limit 1/sec
/sbin/iptables -A clean -p tcp -j REJECT --reject-with tcp-reset
/sbin/iptables -A clean -p udp -j REJECT --reject-with icmp-port-unreachable
/sbin/iptables -A clean -j DROP
# INPUT (traffic to dom0 itself): drop invalid packets and RFC 1918 sources,
# accept loopback; in_main is appended at the end, further down.
/sbin/iptables -A INPUT -j DROP -m state --state INVALID
/sbin/iptables -A INPUT -j ACCEPT -i lo
/sbin/iptables -A INPUT -j DROP -s 10.0.0.0/8
/sbin/iptables -A INPUT -j DROP -s 172.16.0.0/12
/sbin/iptables -A INPUT -j DROP -s 192.168.0.0/16
# FORWARD (traffic routed to or from the domUs): the same sanity checks;
# anything originating from the domU /28 is allowed out unconditionally.
/sbin/iptables -A FORWARD -j DROP -m state --state INVALID
/sbin/iptables -A FORWARD -j DROP -s 10.0.0.0/8
/sbin/iptables -A FORWARD -j DROP -s 172.16.0.0/12
/sbin/iptables -A FORWARD -j DROP -s 192.168.0.0/16
/sbin/iptables -A FORWARD -j ACCEPT -s 79.32.11.160/28
# in_main / fwd_main: accept replies to existing connections and all ICMP
# except redirects, then the per-service rules below.
/sbin/iptables -N in_main
/sbin/iptables -A in_main -j ACCEPT -m state --state ESTABLISHED,RELATED
/sbin/iptables -A in_main -j ACCEPT -p icmp ! --icmp-type redir
/sbin/iptables -N fwd_main
/sbin/iptables -A fwd_main -j ACCEPT -m state --state ESTABLISHED,RELATED
/sbin/iptables -A fwd_main -j ACCEPT -p icmp ! --icmp-type redir
# Services on dom0: SSH to 213.95.21.8 from two admin hosts only, portmap on
# 79.32.11.161 from the domU /28 only.
/sbin/iptables -A in_main -i eth0 -m multiport -s 21.34.1.62 -d 213.95.21.8 -p tcp --dport 22 -j ACCEPT
/sbin/iptables -A in_main -i eth0 -m multiport -s 21.34.28.2 -d 213.95.21.8 -p tcp --dport 22 -j ACCEPT
/sbin/iptables -A in_main -i eth0 -m multiport -s 79.32.11.160/28 -d 79.32.11.161 -p tcp --dport 111 -j ACCEPT
/sbin/iptables -A in_main -j clean
/sbin/iptables -A INPUT -j in_main
# Services forwarded to the individual domUs (SSH to all of them).
/sbin/iptables -A fwd_main -i eth0 -m multiport -d 79.32.11.163 -p tcp --dport http,ftp -j ACCEPT
/sbin/iptables -A fwd_main -i eth0 -m multiport -d 79.32.11.164 -p tcp --dport 8080,8090 -j ACCEPT
/sbin/iptables -A fwd_main -i eth0 -m multiport -d 79.32.11.165 -p tcp --dport http,https -j ACCEPT
/sbin/iptables -A fwd_main -i eth0 -m multiport -d 79.32.11.162 -p tcp --dport smtp,imap2,imaps -j ACCEPT
/sbin/iptables -A fwd_main -i eth0 -m multiport -d 79.32.11.160/28 -p tcp --dport 22 -j ACCEPT
/sbin/iptables -A fwd_main -i eth0 -m multiport -d 79.32.11.166 -p tcp --dport 52456 -j ACCEPT
/sbin/iptables -A fwd_main -i eth0 -m multiport -d 79.32.11.166 -p tcp --dport 4661,4662 -j ACCEPT
/sbin/iptables -A fwd_main -i eth0 -m multiport -d 79.32.11.166 -p udp --dport 4665 -j ACCEPT
/sbin/iptables -A fwd_main -i eth0 -m multiport -s 21.34.1.62 -d 79.32.11.166 -p tcp --dport 4080,4001 -j ACCEPT
/sbin/iptables -A fwd_main -i eth0 -m multiport -s 21.34.28.2 -d 79.32.11.166 -p tcp --dport 4080,4001 -j ACCEPT
/sbin/iptables -A fwd_main -i eth0 -m multiport -s 79.32.11.160/28 -j ACCEPT
/sbin/iptables -A fwd_main -j clean
/sbin/iptables -A FORWARD -j fwd_main

Greetings Roman


_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users
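To see what a ruleset like the one above actually does before loading it on a dom0, here is an added example, written for this page and not Roman's code or anything from the Xen project: a small Python model of the posted chains that traces a packet through INPUT or FORWARD with the same first-match, jump-and-return semantics and returns the verdict. It models only the matches the posted rules use (source and destination, protocol, destination port, conntrack state, input interface, the ICMP-redirect exclusion); the conntrack state is supplied per packet rather than tracked (so the ip_conntrack_ftp helper is represented only by a RELATED state), service names are resolved to port numbers, and the sample packet in the block uses the made-up addresses from the post plus the documentation address 198.51.100.7, all constructed.

```python
"""Model of the dom0 ruleset posted above (added example, not the poster's code).
Service names resolved: http=80 ftp=21 https=443 smtp=25 imap2=143 imaps=993."""
import ipaddress
from dataclasses import dataclass

@dataclass
class Packet:
    src: str
    dst: str
    proto: str              # "tcp", "udp" or "icmp"
    dport: int = 0          # destination port for tcp/udp
    state: str = "NEW"      # conntrack state, supplied rather than tracked
    iface: str = "eth0"     # input interface
    icmp_type: str = ""     # e.g. "echo-request" or "redirect"

def rule(target, src=None, dst=None, proto=None, dports=(), states=(),
         iface=None, icmp_not=None):
    """One rule: every given match must hold; target is a verdict or a chain name."""
    return dict(target=target, src=src, dst=dst, proto=proto, dports=set(dports),
                states=set(states), iface=iface, icmp_not=icmp_not)

def _in(addr, net):
    return net is None or ipaddress.ip_address(addr) in ipaddress.ip_network(net)

def matches(r, p):
    return (_in(p.src, r["src"]) and _in(p.dst, r["dst"])
            and (not r["proto"] or p.proto == r["proto"])
            and (not r["dports"] or p.dport in r["dports"])
            and (not r["states"] or p.state in r["states"])
            and (not r["iface"] or p.iface == r["iface"])
            and (not r["icmp_not"] or p.icmp_type != r["icmp_not"]))  # "! --icmp-type redir"

RFC1918 = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]
DOMU_NET = "79.32.11.160/28"
ADMINS = ["21.34.1.62", "21.34.28.2"]
CHAINS = {
    "clean": [
        rule("DROP", proto="udp", dports=range(135, 140)),   # silent, never logged
        rule("LOG"),                                          # non-terminating
        rule("REJECT tcp-reset", proto="tcp"),
        rule("REJECT icmp-port-unreachable", proto="udp"),
        rule("DROP"),
    ],
    "in_main": [
        rule("ACCEPT", states=["ESTABLISHED", "RELATED"]),
        rule("ACCEPT", proto="icmp", icmp_not="redirect"),
        *[rule("ACCEPT", iface="eth0", src=a, dst="213.95.21.8", proto="tcp", dports=[22]) for a in ADMINS],
        rule("ACCEPT", iface="eth0", src=DOMU_NET, dst="79.32.11.161", proto="tcp", dports=[111]),
        rule("clean"),
    ],
    "fwd_main": [
        rule("ACCEPT", states=["ESTABLISHED", "RELATED"]),
        rule("ACCEPT", proto="icmp", icmp_not="redirect"),
        rule("ACCEPT", iface="eth0", dst="79.32.11.163", proto="tcp", dports=[80, 21]),
        rule("ACCEPT", iface="eth0", dst="79.32.11.164", proto="tcp", dports=[8080, 8090]),
        rule("ACCEPT", iface="eth0", dst="79.32.11.165", proto="tcp", dports=[80, 443]),
        rule("ACCEPT", iface="eth0", dst="79.32.11.162", proto="tcp", dports=[25, 143, 993]),
        rule("ACCEPT", iface="eth0", dst=DOMU_NET, proto="tcp", dports=[22]),
        rule("ACCEPT", iface="eth0", dst="79.32.11.166", proto="tcp", dports=[52456, 4661, 4662]),
        rule("ACCEPT", iface="eth0", dst="79.32.11.166", proto="udp", dports=[4665]),
        *[rule("ACCEPT", iface="eth0", src=a, dst="79.32.11.166", proto="tcp", dports=[4080, 4001]) for a in ADMINS],
        rule("ACCEPT", iface="eth0", src=DOMU_NET),
        rule("clean"),
    ],
    "INPUT": [
        rule("DROP", states=["INVALID"]),
        rule("ACCEPT", iface="lo"),
        *[rule("DROP", src=n) for n in RFC1918],
        rule("in_main"),
    ],
    "FORWARD": [
        rule("DROP", states=["INVALID"]),
        *[rule("DROP", src=n) for n in RFC1918],
        rule("ACCEPT", src=DOMU_NET),     # domU -> anywhere, decided before fwd_main
        rule("fwd_main"),
    ],
}
POLICY = {"INPUT": "DROP", "FORWARD": "DROP", "OUTPUT": "ACCEPT"}

def verdict(chain, p):
    """First-match traversal; a user chain that falls through returns None, a built-in chain its policy."""
    for r in CHAINS[chain]:
        if not matches(r, p):
            continue
        t = r["target"]
        if t == "LOG":                # non-terminating, keep going
            continue
        if t in CHAINS:               # jump to a user chain
            v = verdict(t, p)
            if v is not None:
                return v
            continue
        return t
    return POLICY.get(chain)

if __name__ == "__main__":
    # Constructed sample: SSH to dom0 from a host that is not one of the admin addresses.
    print(verdict("INPUT", Packet("198.51.100.7", "213.95.21.8", "tcp", 22)))
```

Tracing a few packets through this shows the properties of the ruleset that are easy to miss when reading it top to bottom: an SSH attempt to 213.95.21.8 from anything other than the two admin hosts is answered with a TCP reset from the clean chain rather than silently dropped by the INPUT policy, UDP 135-139 is dropped without a log entry, and a packet from a 10/8, 172.16/12 or 192.168/16 source is dropped before in_main or fwd_main is consulted, even when conntrack has marked it ESTABLISHED.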
