WARNING - OLD ARCHIVES

This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/
xen-users

[Xen-users] Xen Scripts & IPTables

To: <xen-users@xxxxxxxxxxxxxxxxxxx>
Subject: [Xen-users] Xen Scripts & IPTables
From: "Robert Dunkley" <Robert@xxxxxxxxx>
Date: Wed, 8 Oct 2008 09:21:09 +0100
Cc: Simon Jones <simon@xxxxxxxxx>
Delivery-date: Wed, 08 Oct 2008 01:24:41 -0700
Envelope-to: www-data@xxxxxxxxxxxxxxxxxxx
List-help: <mailto:xen-users-request@lists.xensource.com?subject=help>
List-id: Xen user discussion <xen-users.lists.xensource.com>
List-post: <mailto:xen-users@lists.xensource.com>
List-subscribe: <http://lists.xensource.com/mailman/listinfo/xen-users>, <mailto:xen-users-request@lists.xensource.com?subject=subscribe>
List-unsubscribe: <http://lists.xensource.com/mailman/listinfo/xen-users>, <mailto:xen-users-request@lists.xensource.com?subject=unsubscribe>
Sender: xen-users-bounces@xxxxxxxxxxxxxxxxxxx
Thread-index: AckpHtELNAdBGgzaRXyYloqQkXgLJw==
Thread-topic: Xen Scripts & IPTables

Hi Everyone,

I have a weird problem with IPTables which I think might be related to something the vif-bridge script is doing.

IPTables won't start; the following nondescript error is given (line 3 is “*filter”):

Applying iptables firewall rules: iptables-restore v1.3.5: iptables-restore: una'le to initializetable 'filter

Error occurred at line: 3
Try `iptables-restore -h' or 'iptables-restore --help' for more information.
                                                           [FAILED]

IPTables won't accept even the most basic of config files.

The trouble is I think the Xen script is adding additional rules that are not in /etc/sysconfig/iptables. /var/log/messages shows the following:

Oct  8 09:29:59 mrtickle logger: /etc/xen/scripts/vif-bridge: iptables -A FORWARD -m physdev --physdev-in vif1.1  -j ACCEPT failed. If you are using iptables, this may affect networking for guest domains.

Is this likely the cause of iptables not starting? That rule is not in my iptables config file, and all network scripts in xend-config.sxp are commented out, so I assume it must run the script when I start a VM?

My config is:
eth0 -> wanbr bridge
eth1 -> lanbr bridge
eth2 -> Dom0Lan
eth3 -> Dom0Wan
eth4 -> unused
eth5 -> unused
ib0 -> used for live migration and DRBD disk replication

I only want IPTables to run on eth3. The current config works and both bridges work within HVMs; I just can't start IPTables. Below is my IPTables config file, which I think is OK, since the Xen server's near-identical partner (only different IPs and hostname) works fine with the same config file:

# Firewall configuration written by system-config-securitylevel
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -i ib0 -j ACCEPT
-A RH-Firewall-1-INPUT -i eth0 -j ACCEPT
-A RH-Firewall-1-INPUT -i eth1 -j ACCEPT
-A RH-Firewall-1-INPUT -i eth2 -j ACCEPT
-A RH-Firewall-1-INPUT -i wanbr -j ACCEPT
-A RH-Firewall-1-INPUT -i lanbr -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
#-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
#-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
#-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
#-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
#-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 45022 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 5900:6000 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT

Any clues to a fix would be much appreciated.

 

Rob

 

The SAQ Group

Registered Office: 18 Chapel Street, Petersfield, Hampshire GU32 3DZ
SEMTEC Limited Trading as SAQ is Registered in England & Wales
Company Number: 06481952

 

http://www.saqnet.co.uk AS29219

SAQ Group Delivers high quality, honestly priced communication and I.T. services to UK Business.

DSL : Domains : Email : Hosting : CoLo : Servers : Racks : Transit : Backups : Managed Networks : Remote Support.

 

Find us in http://www.thebestof.co.uk/petersfield

 

_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users
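An added example, not code from Rob's mail or from Xen itself: a small sh script that diffs the rules actually loaded in the dom0 (what iptables-save prints) against the saved /etc/sysconfig/iptables file, so a rule that vif-bridge appended behind the file's back stands out, and that lints the file for chains a rule appends to or jumps to without a ':' declaration. Both dumps are constructed samples embedded inline; the chain names and the vif1.1 rule are taken from the mail.

```shell
# Added example: compare the saved iptables-restore file with the rules
# actually loaded (iptables-save output); lint the file for undeclared chains.
export LC_ALL=C

# Constructed, shortened form of the /etc/sysconfig/iptables file.
SAVED_CONF='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
COMMIT'

# Constructed iptables-save output from the dom0: the same rules plus the
# FORWARD rule vif-bridge logged (doubled space kept as in the log line).
LIVE_RULES='*filter
:INPUT ACCEPT [10:1000]
:FORWARD ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -m physdev --physdev-in vif1.1  -j ACCEPT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
COMMIT'

# The -A rules of a dump, runs of spaces collapsed, sorted for comm(1).
rules_of() {
    printf '%s\n' "$1" | grep '^-A ' | tr -s ' ' | sort
}

# Rules present in the live dump ($2) but absent from the saved file ($1).
extra_live_rules() {
    saved=$(mktemp); live=$(mktemp)
    rules_of "$1" >"$saved"; rules_of "$2" >"$live"
    comm -13 "$saved" "$live"
    rm -f "$saved" "$live"
}

# Chains that -A appends to or -j jumps to without a ':' declaration;
# built-in filter targets are not user chains and are skipped.
undeclared_chains() {
    printf '%s\n' "$1" | awk '
        /^:/   { sub(/^:/, "", $1); declared[$1] = 1 }
        /^-A / { ref[$2] = 1; for (i = 1; i < NF; i++) if ($i == "-j") ref[$(i + 1)] = 1 }
        END    { for (c in ref) if (!(c in declared) && c !~ /^(ACCEPT|DROP|REJECT|RETURN|LOG|QUEUE)$/) print c }
    ' | sort
}
extra_live_rules "$SAVED_CONF" "$LIVE_RULES"   # prints only the physdev rule
undeclared_chains "$SAVED_CONF"                # prints nothing: file is consistent
```

On a real dom0 you would feed the script the actual file and live `iptables-save` output; a rule that exists only in the kernel is never read by iptables-restore, so the diff separates what vif-bridge added from whatever iptables-restore rejects at line 3 of the file.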