WARNING - OLD ARCHIVES

This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/
   
 
 
Xen 		  
Home Products Support Community News
 
   
 

xen-users

[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: [Xen-users] iptables and state matches (established, related)

from [Tomas Lund] [Permanent Link][Original]
To: Andrey Oreshnikov <elride@xxxxxxxxx>
Subject: Re: [Xen-users] iptables and state matches (established, related)
From: Tomas Lund <tlund@xxxxxx>
Date: Fri, 20 Apr 2007 13:18:43 +0200 (CEST)
Cc: xen-users@xxxxxxxxxxxxxxxxxxx
Delivery-date: Fri, 20 Apr 2007 04:17:34 -0700
Envelope-to: www-data@xxxxxxxxxxxxxxxxxx
In-reply-to: <c8749d500704100344n14cbf826x3cb70dc77373ce97@xxxxxxxxxxxxxx>
List-help: <mailto:xen-users-request@lists.xensource.com?subject=help>
List-id: Xen user discussion <xen-users.lists.xensource.com>
List-post: <mailto:xen-users@lists.xensource.com>
List-subscribe: <http://lists.xensource.com/cgi-bin/mailman/listinfo/xen-users>, <mailto:xen-users-request@lists.xensource.com?subject=subscribe>
List-unsubscribe: <http://lists.xensource.com/cgi-bin/mailman/listinfo/xen-users>, <mailto:xen-users-request@lists.xensource.com?subject=unsubscribe>
References: <c8749d500704100344n14cbf826x3cb70dc77373ce97@xxxxxxxxxxxxxx>
Sender: xen-users-bounces@xxxxxxxxxxxxxxxxxxx 
On Tue, 10 Apr 2007, Andrey Oreshnikov wrote:
I use xen-3.0.4_1 ( linux-2.6.16.33 ) and have some promblem with it and iptables. I installed both from source and from rpms for Suse. The problem is in both.
The iptables state match don't work in INPUT and OUTPUT chains but work in FORWARD chain. For example rule 

iptables  -A INPUT -p ALL -m state --state ESTABLISHED,RELATED -j ACCEPT

don't match any packets in established connection.

Necessarily modules are loaded

# lsmod | grep conntrack
ip_conntrack_ftp       12144  1 ip_nat_ftp
ip_conntrack           58584  3 ip_nat_ftp,ip_nat,ip_conntrack_ftp
nfnetlink              10520  2 ip_nat,ip_conntrack

# cat /proc/net/ip_conntrack
tcp 6 186909 ESTABLISHED src=192.168.0.170 dst=192.168.0.124 sport=29664 dport=22 packets=1 bytes=52 [UNREPLIED] src=192.168.0.124 dst=192.168.0.170 sport=22 dport=29664 packets=0 bytes=0 mark=0 use=1 

This rule work fine:

IPTABLES   -A FORWARD -p ALL -m state --state ESTABLISHED,RELATED -j ACCEPT
In xen-3.0.2 from sles distribution this problem is absent. any suggestion? 

I can confirm the problem Andrey is describing.
When I try to connect to an external host, the "SYN_SENT" state does not show up in /proc/net/ip_conntrack and the SYN+ACK packet from the external host is dropped. (The "SYN_SENT" state is what allows the iptables "ESTABLISHED" match to occur.)
Before starting XEN (and the briding) it works with the same iptables rules. (See rules below)
I'm not sure this really has anything to do with XEN, but rather how the bridging works, but I "hope" that other people on this list has the same problem, and possibly someone has even found a solution? 

Sample commands to reproduce the problem:

iptables -F
iptables -A INPUT -m state --state ESTABLISHED -j ACCEPT
iptables -A INPUT -j DROP
telnet [host] [port]

//tlund


_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users
[More with this subject...]
<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: [Xen-users] XEN 3.0.4-1 / Iptables is not working properly, Tomas Lund
Next by Date:  [Xen-users] standard router in DOMU, Roberto Pereyra
Previous by Thread:  [Xen-users] iptables and state matches (established, related), Andrey Oreshnikov
Next by Thread:  Re: [Xen-users] iptables and state matches (established, related), John Hannfield
Indexes:  [Date] [Thread] [Top] [All Lists]
 
   

Copyright , Citrix Systems Inc. All rights reserved. Legal and Privacy