WARNING - OLD ARCHIVES

This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/
   
 
 
Xen 		  
Home Products Support Community News
 
   
 

xen-users

[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: [Xen-users] dom0 iptables

from [Fajar A. Nugraha] [Permanent Link][Original]
To: xen-users <xen-users@xxxxxxxxxxxxxxxxxxx>
Subject: Re: [Xen-users] dom0 iptables
From: "Fajar A. Nugraha" <fajar@xxxxxxxxx>
Date: Tue, 5 May 2009 10:48:45 +0700
Delivery-date: Mon, 04 May 2009 20:49:24 -0700
Envelope-to: www-data@xxxxxxxxxxxxxxxxxxx
In-reply-to: <003f01c9ccf0$6e925170$4bb6f450$@com>
List-help: <mailto:xen-users-request@lists.xensource.com?subject=help>
List-id: Xen user discussion <xen-users.lists.xensource.com>
List-post: <mailto:xen-users@lists.xensource.com>
List-subscribe: <http://lists.xensource.com/mailman/listinfo/xen-users>, <mailto:xen-users-request@lists.xensource.com?subject=subscribe>
List-unsubscribe: <http://lists.xensource.com/mailman/listinfo/xen-users>, <mailto:xen-users-request@lists.xensource.com?subject=unsubscribe>
References: <AcnM8G0RIr1cCG4WSCWfMG+wSjwFqg==> <003f01c9ccf0$6e925170$4bb6f450$@com>
Sender: xen-users-bounces@xxxxxxxxxxxxxxxxxxx 
On Tue, May 5, 2009 at 2:42 AM, Mark Chaney <macscr@xxxxxxxxxx> wrote:
> Ok, I am setting up a new dom0 at a colo provider and usually the colo
> facility acts as my gateway, but at this new one, the provider is
> recommending that I use the server as its own gateway. That unfortunately
> doesnt work to well when it comes to iptables and my domU's. IPtables do not
> support virtual interfaces, so I can't just white list them unfortunately.

If I recall correctly, xen network bridge whitelist domUs by default.
Something like

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           PHYSDEV
match --physdev-in vif2.0

You can use domU's vif interface as physdev. When setting up iptables
manually, it might be easier to use custom vif name using
"vifname=NAME" on vif line.

>
> I have tried these two rules, but no difference:
> iptables -I INPUT 1 -d 207.xxx.xxx.0/30 -j ACCEPT
> iptables -I OUTPUT 1 -s 207.xxx.xxx.0/30 -j ACCEPT

I believe that should be on FORWARD

Regards,

Fajar

_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users
[More with this subject...]
<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: [Xen-users] Increasing network performance on Windows DomUs, Fajar A. Nugraha
Next by Date:  [Xen-users] PV drivers for SCSI access ?, Riccardo Veraldi
Previous by Thread:  [Xen-users] dom0 iptables, Mark Chaney
Next by Thread:  Re: [Xen-users] Increasing network performance on Windows DomUs, Fajar A. Nugraha
Indexes:  [Date] [Thread] [Top] [All Lists]
 
   

Copyright , Citrix Systems Inc. All rights reserved. Legal and Privacy