Re: [Xen-users] XEN 3.0.4-1 / Iptables is not working properly
Hello Maik.
I don't really have an explanation for you, but for me to make iptables
work I had to run 'ethtool -K eth0 tx off' inside the vm and dom0 on the
device. That made iptables work for me.
Maybe it also helps you.
greetinx
Christo
On Thu, 2007-04-19 at 09:18 +0200, Maik Brauer wrote:
> Hello,
>
> I've installed XEN 3.0.4-1 and have problems with the iptables settings.
> Please see below the firewall settings for Domain0:
> Chain INPUT (policy ACCEPT)
> target prot opt source destination
> ACCEPT 0 -- anywhere anywhere
> ACCEPT tcp -- anywhere mbs-rootsrv tcp dpt:ssh
> ACCEPT 0 -- anywhere anywhere ctstate RELATED,ESTABLISHED
> LOG 0 -- anywhere anywhere LOG level warning
> DROP 0 -- anywhere anywhere
>
> Chain FORWARD (policy ACCEPT)
> target prot opt source destination
>
> Chain OUTPUT (policy ACCEPT)
> target prot opt source destination
>
>
> But then, for example, connections which are related to a server request
> (DNS requests / port 53, etc.) will be blocked by the firewall.
> Here is an example of a request:
> Apr 19 09:06:19 rootsrv kernel: IN=eth0 OUT= PHYSIN=peth0 PHYSOUT=vif0.0
> MAC=00:e4:3c:65:37:37:03:02:85:1a:e2:e0:08:00 SRC=213.133.99.99
> DST=88.198.xx.xx LEN=73 TOS=0x00 PREC=0x00 TTL=59 ID=0 DF PROTO=UDP
> SPT=53 DPT=32803 LEN=53
> Apr 19 09:06:20 rootsrv kernel: IN=eth0 OUT= PHYSIN=peth0 PHYSOUT=vif0.0
> MAC=00:e4:3c:65:37:37:03:02:85:1a:e2:e0:08:00 SRC=26.104.239.90
> DST=88.198.xx.xx LEN=393 TOS=0x00 PREC=0x00 TTL=55 ID=44193 PROTO=UDP
> SPT=31178 DPT=1026 LEN=373
> Apr 19 09:06:24 rootsrv kernel: IN=eth0 OUT= PHYSIN=peth0 PHYSOUT=vif0.0
> MAC=00:e4:3c:65:37:37:03:02:85:1a:e2:e0:08:00 SRC=213.133.98.98
> DST=88.198.xx.xx LEN=73 TOS=0x00 PREC=0x00 TTL=60 ID=0 DF PROTO=UDP
> SPT=53 DPT=32804 LEN=53
> Apr 19 09:06:27 rootsrv kernel: IN=eth0 OUT= PHYSIN=peth0 PHYSOUT=vif0.0
> MAC=00:e4:3c:65:37:37:03:02:85:1a:e2:e0:08:00 SRC=213.133.100.100
> DST=88.198.xx.xx LEN=73 TOS=0x00 PREC=0x00 TTL=59 ID=0 DF PROTO=UDP
> SPT=53 DPT=32805 LEN=53
> Apr 19 09:06:33 rootsrv kernel: IN=eth0 OUT= PHYSIN=peth0 PHYSOUT=vif0.0
> MAC=00:e4:3c:65:37:37:03:02:85:1a:e2:e0:08:00 SRC=213.133.99.99
> DST=88.198.xx.xx LEN=73 TOS=0x00 PREC=0x00 TTL=59 ID=0 DF PROTO=UDP
> SPT=53 DPT=32803 LEN=53
> Apr 19 09:06:38 rootsrv kernel: IN=eth0 OUT= PHYSIN=peth0 PHYSOUT=vif0.0
> MAC=00:e4:3c:65:37:37:03:02:85:1a:e2:e0:08:00 SRC=213.133.98.98
> DST=88.198.xx.xx LEN=73 TOS=0x00 PREC=0x00 TTL=60 ID=0 DF PROTO=UDP
> SPT=53 DPT=32804 LEN=53
>
>
> When I flush the iptables or I put in each request, then everything
> is working fine. But you never know which server will answer a
> request, so it is
> impossible to configure all IP addresses. This should be done by the
> line: -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
> which is unfortunately not working.
>
> What is the problem and the solution ?
> Many Thanks.
>
> Kind Regards,
> Maik Brauer
>
>
>
> _______________________________________________
> Xen-users mailing list
> Xen-users@xxxxxxxxxxxxxxxxxxx
> http://lists.xensource.com/xen-users
>
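The log Maik posted shows the symptom directly: UDP packets from source port 53 (answers to DNS queries this host sent) arrive on INPUT and fall through to the LOG and DROP rules, which means the RELATED,ESTABLISHED rule never saw a conntrack entry for the outgoing query. Christo's workaround turns off transmit checksum offload on the bridged interfaces; the script below does not try to prove why that helps, it only checks for the two things a practitioner would want to confirm on such a box: whether logged packets are blocked replies or genuinely unsolicited traffic, and whether tx-checksumming is currently on. This is an added example, not code from the thread or from the Xen project; the sample log lines are constructed from the ones in Maik's mail (xx octets kept) and the ethtool -k output is a constructed sample in the old "Offload parameters" format. The function names are my own.

```python
import re
from collections import Counter

# Constructed sample: four netfilter LOG lines in the format Maik posted.
# Three are DNS answers (SPT=53) to queries this host sent; the second line is
# unsolicited UDP to port 1026 and is the kind of packet the DROP rule should catch.
SAMPLE_LOG = """\
Apr 19 09:06:19 rootsrv kernel: IN=eth0 OUT= PHYSIN=peth0 PHYSOUT=vif0.0 MAC=00:e4:3c:65:37:37:03:02:85:1a:e2:e0:08:00 SRC=213.133.99.99 DST=88.198.xx.xx LEN=73 TOS=0x00 PREC=0x00 TTL=59 ID=0 DF PROTO=UDP SPT=53 DPT=32803 LEN=53
Apr 19 09:06:20 rootsrv kernel: IN=eth0 OUT= PHYSIN=peth0 PHYSOUT=vif0.0 MAC=00:e4:3c:65:37:37:03:02:85:1a:e2:e0:08:00 SRC=26.104.239.90 DST=88.198.xx.xx LEN=393 TOS=0x00 PREC=0x00 TTL=55 ID=44193 PROTO=UDP SPT=31178 DPT=1026 LEN=373
Apr 19 09:06:24 rootsrv kernel: IN=eth0 OUT= PHYSIN=peth0 PHYSOUT=vif0.0 MAC=00:e4:3c:65:37:37:03:02:85:1a:e2:e0:08:00 SRC=213.133.98.98 DST=88.198.xx.xx LEN=73 TOS=0x00 PREC=0x00 TTL=60 ID=0 DF PROTO=UDP SPT=53 DPT=32804 LEN=53
Apr 19 09:06:27 rootsrv kernel: IN=eth0 OUT= PHYSIN=peth0 PHYSOUT=vif0.0 MAC=00:e4:3c:65:37:37:03:02:85:1a:e2:e0:08:00 SRC=213.133.100.100 DST=88.198.xx.xx LEN=73 TOS=0x00 PREC=0x00 TTL=59 ID=0 DF PROTO=UDP SPT=53 DPT=32805 LEN=53
"""

# Constructed sample of 'ethtool -k eth0' output (old-style format).
SAMPLE_ETHTOOL = """\
Offload parameters for eth0:
rx-checksumming: on
tx-checksumming: on
scatter-gather: on
tcp segmentation offload: on
"""


def parse_log_line(line):
    """Turn one kernel LOG line into a dict. key=value tokens become entries;
    bare tokens such as DF, MF, SYN become members of the 'flags' set.
    The second LEN= token (transport-layer length) is stored as LEN_L4."""
    if "kernel: " not in line:
        return None
    body = line.split("kernel: ", 1)[1]
    fields, flags = {}, set()
    for tok in body.split():
        if "=" in tok:
            key, val = tok.split("=", 1)
            if key in fields:
                key = key + "_L4"
            fields[key] = val
        else:
            flags.add(tok)
    fields["flags"] = flags
    return fields


def is_inbound_reply(fields, server_port="53"):
    """A UDP packet from a well-known server port that reached a LOG rule on
    INPUT (IN set, OUT empty) is the answer to a request this host sent; the
    RELATED,ESTABLISHED rule should have accepted it before the LOG rule."""
    return (fields.get("PROTO") == "UDP"
            and fields.get("SPT") == server_port
            and bool(fields.get("IN"))
            and fields.get("OUT", "") == "")


def classify(log_text):
    """Split logged packets into blocked replies (the conntrack failure Maik
    describes) and everything else (traffic the DROP rule is meant for)."""
    blocked, other = [], []
    for line in log_text.splitlines():
        f = parse_log_line(line)
        if f is None:
            continue
        entry = (f["SRC"], f["SPT"], f["DPT"])
        (blocked if is_inbound_reply(f) else other).append(entry)
    return {
        "blocked_replies": blocked,
        "other": other,
        "by_server": Counter(src for src, _, _ in blocked),
    }


def tx_checksum_offload(ethtool_k_output):
    """Return True/False for the tx-checksumming line of 'ethtool -k' output,
    or None if the line is missing (unknown state)."""
    for line in ethtool_k_output.splitlines():
        m = re.match(r"\s*tx-checksumming:\s*(on|off)\b", line)
        if m:
            return m.group(1) == "on"
    return None


def diagnose(log_text, ethtool_k_output):
    """Combine both checks into a list of human-readable findings."""
    result = classify(log_text)
    findings = []
    if result["blocked_replies"]:
        findings.append(
            "%d DNS reply packet(s) hit the LOG/DROP rules on INPUT; the "
            "RELATED,ESTABLISHED rule is not matching return traffic"
            % len(result["blocked_replies"]))
    tx = tx_checksum_offload(ethtool_k_output)
    if tx is True:
        findings.append("tx-checksumming is on; try 'ethtool -K <iface> tx off' "
                        "(Christo's workaround) and re-run the query")
    elif tx is None:
        findings.append("could not read tx-checksumming state from ethtool output")
    return findings


if __name__ == "__main__":
    for finding in diagnose(SAMPLE_LOG, SAMPLE_ETHTOOL):
        print("-", finding)
```

On a real host, feed it the LOG lines from `dmesg` or the kernel log and the output of `ethtool -k` for peth0, eth0 and the vif devices; a blocked-replies count that drops to zero after `tx off` confirms the workaround rather than a rule-ordering mistake. Keep an eye on the "other" bucket too: unsolicited traffic such as the port-1026 packet above is supposed to be dropped, and flushing the rules to make DNS work, as Maik tried, lets that through as well.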