xen-users
Re: [Xen-users] iptables in dom0 with bridge: no more outbound connectio
Quoting Peter Fokkinga <peter@xxxxxxxxxxx>:
When I boot into dom0 (Xen 3.0.4 patched to kernel 2.6.16.36), but
without starting xend, things are fine (iptables rules are active
at this point). Yet, after I have started xend (and xenbr0 appears
in my ifconfig output) I am unable to make connections to remote
hosts (dns lookups fail, ping to ip addresses fail, etc). Strange!
Turned out to be an iptables configuration issue.
This is the minimal firewall that _doesn't_ work in dom0:
iptables -F
iptables -A INPUT -p tcp --dport ssh -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -j DROP
The same, but _working_ when the xenbr0 bridge is active:
iptables -F
iptables -A FORWARD -m physdev --physdev-out vif+ -p tcp --dport ssh -j ACCEPT
iptables -A FORWARD -m physdev --physdev-out vif+ -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m physdev --physdev-out vif+ -j DROP
A small issue arose when activating the firewall at boot: the firewall
script would fail when started right after xend. Adding
"ifdown eth0 ; ifup eth0" to the start of the firewall script solved
this. This may be specific to the hardware though (infamous Broadcom
NetXtreme II BCM5708 NIC).
Cheers, Peter
_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users
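An audit helper, added here and not part of Peter's post, that checks an iptables-save dump for the bridged-dom0 pattern he describes (FORWARD rules matched on --physdev-out vif+, ending in DROP) rather than an INPUT-only ruleset. The two sample dumps are constructed from the post's two rulesets in the form iptables-save prints them; the function and sample names are my own.

```shell
#!/bin/sh
# Audit an iptables-save dump for the bridged-dom0 firewall pattern.
# Not from the original post; sample dumps below are constructed.

# Constructed: the INPUT-only ruleset from the post, as iptables-save shows it.
SAMPLE_INPUT_ONLY='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -j DROP
COMMIT'

# Constructed: the working FORWARD/physdev ruleset from the post.
SAMPLE_BRIDGED='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -m physdev --physdev-out vif+ -p tcp -m tcp --dport 22 -j ACCEPT
-A FORWARD -m physdev --physdev-out vif+ -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -m physdev --physdev-out vif+ -j DROP
COMMIT'

# audit_ruleset: reads iptables-save text on stdin, prints a verdict, and
# returns 0 when FORWARD carries vif+ physdev rules with a final DROP,
# 1 otherwise (e.g. the INPUT-only ruleset that stops working once xenbr0 is up).
audit_ruleset() {
    rules=$(cat)
    n_input=$(printf '%s\n' "$rules" | grep -c '^-A INPUT ' || true)
    n_fwd_phys=$(printf '%s\n' "$rules" | grep -c '^-A FORWARD -m physdev --physdev-out vif+' || true)
    has_fwd_drop=$(printf '%s\n' "$rules" | grep -c '^-A FORWARD .*--physdev-out vif+ -j DROP$' || true)
    if [ "$n_fwd_phys" -gt 0 ] && [ "$has_fwd_drop" -gt 0 ]; then
        echo "OK: $n_fwd_phys FORWARD/physdev rules on vif+, final DROP present"
        return 0
    fi
    if [ "$n_input" -gt 0 ]; then
        echo "WARN: INPUT-only ruleset ($n_input rules); traffic bridged via xenbr0 is not covered"
    else
        echo "WARN: no --physdev-out vif+ rules in FORWARD"
    fi
    return 1
}
```

On a live dom0 the dump comes from `iptables-save | audit_ruleset`; run it once before and once after starting xend to see whether the rules in effect match the bridged pattern.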