Well now we're moving along...
Maybe this question would be better answered in the netfilter list, but I
thought I'd try here first.. with the same scenario I described below, I
enabled "antispoofing" and things broke when trying to get anywhere past the
dom0. I can get between the domU and dom0 just fine, but the domU can't get
out to the Internet.
It seems that once things get past pdummy0, they are getting blocked at dummy0.
iptables is logging the following types of dropped packets.
outbound test:
Jul 29 10:42:15 xxx kernel: IN=dummy0 OUT=eth1 SRC=domUIP DST=externalIP LEN=60
TOS=0x00 PREC=0x00 TTL=63 ID=28148 DF PROTO=TCP SPT=40749 DPT=80 WINDOW=5840
RES=0x00 SYN URGP=0
inbound test:
Jul 29 10:46:40 xxx kernel: IN=eth1 OUT=dummy0 SRC=externalIP DST=domUIP LEN=60
TOS=0x00 PREC=0x00 TTL=111 ID=35261 PROTO=ICMP TYPE=8 CODE=0 ID=1280 SEQ=8260
where domUIP is the IP address of my domU, and externalIP is an IP address of
something outside of my network.
I'm not sure how I can permit these packets to go through without compromising
the anti spoofing setup... if I accept everything that is coming in from dummy0
or going out through eth1, won't that pretty much un-do what the anti spoofing
chains did?
Once again, any suggestions or pointers will be helpful.. :)
This is my current iptables setup
# /sbin/iptables -L -v -n
Chain INPUT (policy ACCEPT 4586 packets, 402K bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT udp -- virbr0 * 0.0.0.0/0 0.0.0.0/0
udp dpt:53
0 0 ACCEPT tcp -- virbr0 * 0.0.0.0/0 0.0.0.0/0
tcp dpt:53
0 0 ACCEPT udp -- virbr0 * 0.0.0.0/0 0.0.0.0/0
udp dpt:67
0 0 ACCEPT tcp -- virbr0 * 0.0.0.0/0 0.0.0.0/0
tcp dpt:67
Chain FORWARD (policy DROP 130 packets, 7936 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
PHYSDEV match --physdev-in pdummy0
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
PHYSDEV match --physdev-in vif0.1
0 0 ACCEPT all -- * * dom0IP 0.0.0.0/0
PHYSDEV match --physdev-in vif1.0
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0
PHYSDEV match --physdev-in vif1.0 udp spt:68 dpt:67
274 21408 LOGDROP all -- * * 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy ACCEPT 4266 packets, 672K bytes)
pkts bytes target prot opt in out source destination
Chain LOGDROP (1 references)
pkts bytes target prot opt in out source destination
274 21408 LOG all -- * * 0.0.0.0/0 0.0.0.0/0
LOG flags 0 level 4
274 21408 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
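An added example, not part of this thread: a small Python triage of LOGDROP lines in the exact shape quoted above, separating routed traffic that genuinely belongs to the routed /29 (subnet B) from packets whose source or destination lies outside it. The subnet (192.0.2.240/29), the domU address and the external address are constructed stand-ins for the anonymised values in the post, and the third log line is constructed to show a non-subnet-B source being flagged.

```python
import ipaddress
import re

# Constructed stand-ins for the anonymised values in the post: subnet B is the
# routed /29 the domUs use, DOMU_IP one address in it, EXTERNAL_IP a host outside.
SUBNET_B = ipaddress.ip_network("192.0.2.240/29")
DOMU_IP = "192.0.2.242"
EXTERNAL_IP = "198.51.100.7"

# Constructed LOG lines; the first two mirror the outbound/inbound tests above.
SAMPLE_LOG = f"""\
Jul 29 10:42:15 xxx kernel: IN=dummy0 OUT=eth1 SRC={DOMU_IP} DST={EXTERNAL_IP} LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=28148 DF PROTO=TCP SPT=40749 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Jul 29 10:46:40 xxx kernel: IN=eth1 OUT=dummy0 SRC={EXTERNAL_IP} DST={DOMU_IP} LEN=60 TOS=0x00 PREC=0x00 TTL=111 ID=35261 PROTO=ICMP TYPE=8 CODE=0 ID=1280 SEQ=8260
Jul 29 10:50:02 xxx kernel: IN=dummy0 OUT=eth1 SRC=10.9.9.9 DST={EXTERNAL_IP} LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=28149 DF PROTO=TCP SPT=40750 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
"""

FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_log_line(line):
    """Return the KEY=VALUE fields of one netfilter LOG line as a dict.
    The first ID= is the IP header id; a second ID= (ICMP echo id) goes to ICMP_ID."""
    fields = {}
    for key, value in FIELD_RE.findall(line):
        if key in fields:
            fields["ICMP_" + key] = value
        else:
            fields[key] = value
    return fields


def classify(fields, subnet):
    """Egress dummy0->eth1 must carry a subnet-B source; ingress eth1->dummy0 must
    carry a subnet-B destination. Anything else is flagged rather than accepted."""
    src = ipaddress.ip_address(fields["SRC"])
    dst = ipaddress.ip_address(fields["DST"])
    if fields["IN"] == "dummy0" and fields["OUT"] == "eth1":
        return "legit-egress" if src in subnet else "spoofed-egress"
    if fields["IN"] == "eth1" and fields["OUT"] == "dummy0":
        return "legit-ingress" if dst in subnet else "misrouted-ingress"
    return "unrelated"


def triage(log_text, subnet=SUBNET_B):
    """Classify every LOG line; returns a list of (IN, OUT, SRC, DST, verdict)."""
    results = []
    for line in log_text.splitlines():
        if "kernel:" not in line or " IN=" not in line:
            continue
        f = parse_log_line(line)
        results.append((f["IN"], f["OUT"], f["SRC"], f["DST"], classify(f, subnet)))
    return results
```

The two verdict families map directly onto how narrow the FORWARD exceptions for the routed path can be: only subnet-B sources leaving via eth1 and only subnet-B destinations entering via dummy0, rather than accepting everything on those interfaces.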
----- Original Message -----
From: "Kristofer" <kristofer@xxxxxxxxxxxxxx>
To: "Kristofer" <kristofer@xxxxxxxxxxxxxx>
Cc: xen-users@xxxxxxxxxxxxxxxxxxx
Sent: Tuesday, July 29, 2008 12:47:42 AM GMT -06:00 US/Canada Central
Subject: Re: [Xen-users] Networking with a subnet
Well I feel completely stupid. After a few days of messing with
this.... I shouldn't even admit how dumb this was.
I have a /29.. I was using .240 on the dummy0 interface on dom0.. Uhh,
yeah.. I can't do math and realize that .240 was the network
address. :-\
Oops. Setting dummy0 to .241, which is the correct first address of
the subnet, and things are now routing.
*sigh*
On Jul 28, 2008, at 8:23 PM, Kristofer wrote:
> I have been trying for a couple days to try to get this to work, and
> I'm stumped. I've seen wiki's on how people do it, but I must
> completely be missing something.
>
> My provider gives me two network connections:
>
> eth0: private
> eth1: public
>
> My eth1 interface has a /29, and I am also getting an additional /29
> routed to me (so they are routing it to the IP address that is set
> on my eth1 interface). So I have two /29's, one which is currently
> bound to eth1 (subnet A), and one which is just routed to me and not
> bound (subnet B). I only want to use one of these /29's for
> domU's.. the one that is being routed to me (subnet B)
>
> I want to bridge subnet B with my Xen domU's. I took one IP from
> subnet B and assigned it to "dummy0", and I can ping it from the
> outside world, bind to it and make connections outbound, and all is
> well.
>
> However, I cannot get DomU's to communicate with anything (not even
> the dom0) if they use an IP address from subnet B.
>
> "brctl status" shows that xenbr1 is connected to vif0.1 and pdummy,
> and that vif1.0 is also bound to it.
>
> bridge name bridge id STP enabled interfaces
> virbr0 8000.000000000000 yes
> xenbr1 8000.feffffffffff no vif1.0
> pdummy0
> vif0.1
>
> Now, given that I am trying to do a network install of CentOS on the
> guest, I can't actually get into the shell and do an "ifconfig" or a
> "tcpdump" as I don't have any domU's that are created that I can
> attach to a console, so my troubleshooting is limited to the dom0
> side.
>
> I've checked iptables, and nothing is set to be dropped/rejected.
>
> xenbr1 Link encap:Ethernet HWaddr FE:FF:FF:FF:FF:FF
> UP BROADCAST RUNNING NOARP MTU:1500 Metric:1
> RX packets:60 errors:0 dropped:0 overruns:0 frame:0
> TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
> collisions:0 txqueuelen:0
> RX bytes:10140 (9.9 KiB) TX bytes:0 (0.0 b)
>
> vif1.0 Link encap:Ethernet HWaddr FE:FF:FF:FF:FF:FF
> inet6 addr: fe80::fcff:ffff:feff:ffff/64 Scope:Link
> UP BROADCAST RUNNING NOARP MTU:1500 Metric:1
> RX packets:7 errors:0 dropped:0 overruns:0 frame:0
> TX packets:24 errors:0 dropped:0 overruns:0 carrier:0
> collisions:0 txqueuelen:32
> RX bytes:412 (412.0 b) TX bytes:1008 (1008.0 b)
>
> pdummy0 Link encap:Ethernet HWaddr FE:FF:FF:FF:FF:FF
> inet6 addr: fe80::fcff:ffff:feff:ffff/64 Scope:Link
> UP BROADCAST RUNNING NOARP MTU:1500 Metric:1
> RX packets:0 errors:0 dropped:0 overruns:0 frame:0
> TX packets:26 errors:0 dropped:0 overruns:0 carrier:0
> collisions:0 txqueuelen:0
> RX bytes:0 (0.0 b) TX bytes:9276 (9.0 KiB)
>
> dummy0 Link encap:Ethernet HWaddr B6:CE:E7:E8:3E:9C
> inet addr:208.x.x.x Bcast:208.x.x.x Mask:255.255.255.248
> inet6 addr: fe80::b4ce:e7ff:fee8:3e9c/64 Scope:Link
> UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
> RX packets:0 errors:0 dropped:0 overruns:0 frame:0
> TX packets:29 errors:0 dropped:0 overruns:0 carrier:0
> collisions:0 txqueuelen:0
> RX bytes:0 (0.0 b) TX bytes:9462 (9.2 KiB)
>
> tcpdump's are not showing any traffic on xenbr1, vif1.0, pdummy0, or
> dummy0. I'm not even sure if tcpdump will show anything on
> interfaces like that. I am also showing nothing on eth1 for
> anything coming from this domU I am trying to install.
>
> I'm at a loss?
>
>
> Kristofer
_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users