WARNING - OLD ARCHIVES

This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/
xen-users

To: xen-users@xxxxxxxxxxxxxxxxxxx
Subject: Re: [Xen-users] iptables in dom0 with bridge: no more outbound connections
From: "Jerry Amundson" <jamundso@xxxxxxxxx>
Date: Sat, 30 Dec 2006 12:59:37 -0600
Delivery-date: Sat, 30 Dec 2006 10:59:29 -0800
Domainkey-signature: a=rsa-sha1; q=dns; c=nofws; s=beta; d=gmail.com; h=received:message-id:date:from:to:subject:in-reply-to:mime-version:content-type:content-transfer-encoding:content-disposition:references; b=eLV15Uhj2R0q+UgHk7k6Pe3RRIcCLq0JgRmSo5kzczM8X9S2IcTOsa4C7Am2dpzgS1+7EIGYzcM2lmDCBALZzfAhWyrgnuWY4y59JaAVgS+RHf4H7ZSiEJDTqcfXsB/Aes3njuO3CR1zvf49+xoWSdbeQOGxsNQRvkyoqwyami8=
Envelope-to: www-data@xxxxxxxxxxxxxxxxxx
In-reply-to: <4596AE10.3040402@xxxxxxxxx>
List-help: <mailto:xen-users-request@lists.xensource.com?subject=help>
List-id: Xen user discussion <xen-users.lists.xensource.com>
List-post: <mailto:xen-users@lists.xensource.com>
List-subscribe: <http://lists.xensource.com/cgi-bin/mailman/listinfo/xen-users>, <mailto:xen-users-request@lists.xensource.com?subject=subscribe>
List-unsubscribe: <http://lists.xensource.com/cgi-bin/mailman/listinfo/xen-users>, <mailto:xen-users-request@lists.xensource.com?subject=unsubscribe>
References: <20061229162546.1r02ekiiowoos8c8@xxxxxxxxx> <459544F5.7050303@xxxxxxxxx> <20061229184255.q2fqvv8f4gk088s4@xxxxxxxxx> <4596AE10.3040402@xxxxxxxxx>
Sender: xen-users-bounces@xxxxxxxxxxxxxxxxxxx
On 12/30/06, Nico Kadel-Garcia <nkadel@xxxxxxxxx> wrote:
Peter Fokkinga wrote:
> Quoting Nico Kadel-Garcia <nkadel@xxxxxxxxx>:
>> Peter Fokkinga wrote:
>>> [...]
>>> Now for the real spooky part:
>>>  1. I booted into dom0 (no xend)
>>>  2. executed `telnet 129.125.14.12 daytime`, it works
>>>  3. started xend
>>>  4. executed `telnet 129.125.14.12 daytime`, it still works (surprise!)
>>>  5. executed `telnet 129.125.14.13 daytime`, it does not work
>> DNS cache, I think.
>
> But I'm using IP addresses, not names? I don't see how DNS fits in
> this picture.
I can't swear to this, but when you use anything to reach out to the
net, it assumes first that the word or name is a hostname, and tries to
look that up. It resolves IP addresses as IP addresses, and DNS names as
IP addresses, and then has to turn that into appropriate local or
gateway MAC addresses based on ARP data, etc., etc., etc. DNS caches
store the information locally, so no additional lookups happen. If it's
not stored locally in your DNS cache, then it tries to do a DNS lookup,
and in your case fails as it tries to look up 129.154.14.13 from your
DNS system.

I don't think a numerical hostname is first resolved as a number, for a
whole bunch of historical and procedural reasons. It still does DNS the
first time.

No, DNS was not involved in the above case. A quad-octet string would
only be treated by telnet as an IP address.

> Ok, but why is iptables interfering? I'm not referring to eth0 in
> my rules. If I flush iptables after starting Xend everything is fine,
> troubles start the moment I re-activate the rules.
I think because when Xen is running, it's not going through eth0. It's
going through peth0.

ISTR seeing a recent thread explaining that both are involved at times...??

> I get the feeling iptables does not remember its state, so my rule
>   iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> has no effect. Kernel modules xt_state and ip_conntrack are loaded.

Depends on your distro. Redhat for example,
"service iptables save" (overwriting /etc/sysconfig/iptables).

jerry
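The two things the thread circles around are whether the INPUT chain still has a stateful ESTABLISHED,RELATED accept (without it, a DROP policy discards the reply half of every connection dom0 itself opens, which is exactly the "no more outbound connections" symptom), and whether rules name an interface that the Xen bridge script has renamed. The script below is an added example written for this page, not code from the thread or from the Xen project: it runs those two checks over an `iptables-save` style dump read from stdin, with two constructed sample rulesets modelled on the rule Peter quoted. The host interface list is passed as an argument so the check runs offline; on a real dom0 you would pass `$(ls /sys/class/net | tr '\n' ' ')`, and the `/etc/sysconfig/iptables` file written by `service iptables save` is in the same format, so it can be fed in directly.

```shell
#!/bin/sh
# Constructed sample rulesets (not the poster's real rules). GOOD_RULES keeps
# the stateful accept from the thread; BAD_RULES drops it while leaving the
# INPUT policy at DROP, so replies to outbound connections never get in.
GOOD_RULES='*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT
COMMIT'

BAD_RULES='*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT
COMMIT'

# Policy of the INPUT chain (ACCEPT or DROP), taken from the ":INPUT ..." line.
input_policy() {
    awk '$1 == ":INPUT" { print $2 }'
}

# Succeeds if INPUT accepts ESTABLISHED/RELATED traffic through either the
# older "state" match or the newer "conntrack" match.
has_state_accept() {
    grep -Eq -- '^-A INPUT .*--(state|ctstate) [A-Z,]*ESTABLISHED[A-Z,]* -j ACCEPT'
}

# Interfaces named by -i/-o in INPUT rules, one per line, de-duplicated.
input_ifaces() {
    awk '$1 == "-A" && $2 == "INPUT" {
             for (i = 3; i < NF; i++) if ($i == "-i" || $i == "-o") print $(i + 1)
         }' | sort -u
}

# check_ruleset "iface1 iface2 ..." < dump
# Prints one finding per line, or "ok" when nothing is wrong.
check_ruleset() {
    host_ifaces=$1
    dump=$(cat)
    n=0
    if [ "$(printf '%s\n' "$dump" | input_policy)" = "DROP" ] \
       && ! printf '%s\n' "$dump" | has_state_accept; then
        echo "INPUT policy DROP without ESTABLISHED,RELATED accept: replies to outbound connections are dropped"
        n=$((n + 1))
    fi
    for ifc in $(printf '%s\n' "$dump" | input_ifaces); do
        case " $host_ifaces " in
            *" $ifc "*) ;;   # interface exists on this host
            *) echo "INPUT rule references interface $ifc, not present on this host"
               n=$((n + 1)) ;;
        esac
    done
    [ "$n" -eq 0 ] && echo ok
    return 0
}

# Usage with constructed interface lists: the second list deliberately lacks
# eth0, as it would after the physical NIC has been renamed to peth0 and no
# dom0-side eth0 exists, to show the interface finding.
printf '%s\n' "$GOOD_RULES" | check_ruleset "lo eth0 xenbr0"
printf '%s\n' "$BAD_RULES"  | check_ruleset "lo eth0"
printf '%s\n' "$GOOD_RULES" | check_ruleset "lo peth0 xenbr0"
```

The order of rules also matters: the stateful accept should sit before any rule that could reject a reply packet, which is why the samples place it right after the loopback accept. Flushing the table, as Peter observed, "fixes" the problem only because it also removes the DROP policy's effect on replies; the durable fix is keeping the stateful accept in the saved ruleset.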

_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users