xen-users
Re: [Xen-users] Problem start iptables - udp broken (Workaround)
On Wed, 29 Nov 2006, Torsten Lehmann wrote:
>
> - If one has a lot of time, one also sees from time to time some packets
> in both directions....
>
> -> UDP packets are not blocked in general.
>
> - Why is the knot only resolved after removing the module ip_conntrack?
>
> - to reproduce this problem it is sufficient to run:
> # modprobe ip_conntrack
>
- Workaround: remove ip_conntrack from the kernel:
# cd xen-3.0-testing/linux-2.6.16-xen0
# find . -name ip_conntrack.ko -exec rm -f {} \; -print
# find /lib/modules/`uname -r` -name ip_conntrack.ko -exec rm -f {} \; -print
l0# diff .config.old .config
...
< CONFIG_IP_NF_CONNTRACK=m
> # CONFIG_IP_NF_CONNTRACK is not set
l0:# make modules modules_install
l0:# /etc/init.d/netfilter start
Applying iptables firewall rules:
iptables: No chain/target/match by that name
iptables: No chain/target/match by that name
iptables: No chain/target/match by that name
- "No chain...": rules that need ip_conntrack
- the following rule set was tested:
$IPTABLES -i $EXTIF -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# -> iptables: No chain/target/match by that name
# "--state" requires ip_conntrack
$IPTABLES -A FORWARD -m physdev --physdev-in eth0 --physdev-out '!' eth0 -j domU
$IPTABLES -A FORWARD -m physdev --physdev-out eth0 --physdev-in '!' eth0 -j domU
$IPTABLES -A domU -p tcp -s 0/0 -m multiport --dport 23 -j LOG $LOG_LEVEL --log-prefix "IN testdomU: "
# -> iptables: No chain/target/match by that name
# "-m physdev" requires ip_conntrack (??)
$IPTABLES -i peth0 -A INPUT -p tcp -s 0/0 -m multiport --dport 23 -j LOG $LOG_LEVEL --log-prefix "IN testpeth: "
# -> no match...rule not working
$IPTABLES -A INPUT -p tcp -s 0/0 -m multiport --dport 23 -j LOG $LOG_LEVEL --log-prefix "IN test: "
# -> match....OK
regards Torsten
Launoc
_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users
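The workaround above has a side effect the init script output only hints at: after ip_conntrack is gone, every rule using "-m state" fails with "No chain/target/match by that name", and the script simply carries on, so the ESTABLISHED,RELATED accept rule is silently absent from the loaded ruleset. NAT is built on top of connection tracking too, so "-t nat" rules stop loading as well. The "-m physdev" match, by contrast, depends on bridge netfilter rather than on ip_conntrack. The following script is an added example (not Torsten's code and not part of any Xen or netfilter tooling): it scans a ruleset for conntrack-dependent rules and refuses to load anything on a kernel without conntrack, so the firewall is never left half-configured. The sample rules are constructed after the ones in the mail; the /proc/net/ip_conntrack check is an assumption about the 2.6.16-era kernel in question.

```shell
#!/bin/sh
# Added example: detect iptables rules that cannot load without ip_conntrack
# and fail loudly instead of skipping them. Not code from the original mail.

# Constructed sample ruleset, modelled on the rules in the mail.
RULES='-A INPUT -i peth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m physdev --physdev-in eth0 --physdev-out ! eth0 -j domU
-A domU -p tcp -m multiport --dport 23 -j LOG --log-prefix "IN testdomU: "
-A INPUT -p tcp -m multiport --dport 23 -j LOG --log-prefix "IN test: "
-t nat -A POSTROUTING -o peth0 -j MASQUERADE'

# Return 0 (true) if the rule needs connection tracking: the state/conntrack
# matches, or anything in the nat table (NAT is implemented on top of
# conntrack). "-m physdev" is deliberately not listed; it needs bridge
# netfilter, not ip_conntrack.
needs_conntrack() {
  case " $1 " in
    *" -m state "*|*" -m conntrack "*|*" --state "*|*" -t nat "*) return 0 ;;
    *) return 1 ;;
  esac
}

# Does the running kernel offer conntrack (module loaded or built in)?
# Assumption: the /proc/net/ip_conntrack file exported by 2.6.x kernels;
# newer kernels use /proc/net/nf_conntrack.
conntrack_available() {
  [ -e /proc/net/ip_conntrack ] || [ -e /proc/net/nf_conntrack ]
}

# Count the rules in $RULES that would fail to load without conntrack.
count_conntrack_rules() {
  printf '%s\n' "$RULES" | {
    n=0
    while IFS= read -r rule; do
      needs_conntrack "$rule" && n=$((n + 1))
    done
    echo "$n"
  }
}

# Gate for the firewall script: return 1 if any rule would be skipped on
# this kernel, so the caller can abort before applying a partial ruleset.
check_rules() {
  if conntrack_available; then
    return 0
  fi
  blocked=$(count_conntrack_rules)
  if [ "$blocked" -gt 0 ]; then
    echo "refusing to load: $blocked rule(s) need ip_conntrack" >&2
    return 1
  fi
  return 0
}

if check_rules; then
  echo "all rules loadable on this kernel"
fi
```

Run this at the top of the firewall script as `check_rules || exit 1` before the first $IPTABLES call. On the conntrack-less kernel from the mail it reports two blocked rules (the ESTABLISHED,RELATED rule and the nat rule) and stops; the physdev and multiport rules are correctly left alone.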