Re: [Xen-users] iptables problem

To:	Ivan Lisenkov <ivan@xxxxxxxxx>
Subject:	Re: [Xen-users] iptables problem
From:	Sergey Smirnov <sergey.a.smirnov@xxxxxxxxx>
Date:	Wed, 14 Oct 2009 19:37:10 +0400
Cc:	xen-users@xxxxxxxxxxxxxxxxxxx
Delivery-date:	Wed, 14 Oct 2009 08:38:32 -0700
Dkim-signature:	v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:mime-version:received:in-reply-to:references :from:date:message-id:subject:to:cc:content-type; bh=WXGJaYSx6cQO7aKQiIC1twqMeplixxHLX4FUAsIcMgU=; b=s/k6RR4AccLu/XLcTKkQAFfTcGnGYnVom3XHRvcyjIAOv+/Yj6ObyH6hnb9bQDV7nu Qlr1fAipVXoWf9wKDYFedJyiti26DzaQl7clktkSxkp50nrmyUnjgkS6xNEkBZsJQ90r v1h95Hk3oPxEIVTzszFIqKyZpdkhMjBaHAWo4=
Domainkey-signature:	a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc:content-type; b=Pot0wZP3t30JT3oyKmyJ6MrOzdfe+tjXyuVPH9bZayy3sDtcsmztdGNDVXg6UR7IjL O2jmkulJ0+Ne3RJGm/MkNYCXAqKYdIwumtYDtuR7koCqe8/4m4bl5adESmES0QSizvLP C9rzI4eDLHeCLLEJAEd8xLSOVLTIsk6uD66Jc=
Envelope-to:	www-data@xxxxxxxxxxxxxxxxxxx
In-reply-to:	<47e279b60910130331ib80c667q55e73969a5efda66@xxxxxxxxxxxxxx>
List-help:	<mailto:xen-users-request@lists.xensource.com?subject=help>
List-id:	Xen user discussion <xen-users.lists.xensource.com>
List-post:	<mailto:xen-users@lists.xensource.com>
List-subscribe:	<http://lists.xensource.com/mailman/listinfo/xen-users>, <mailto:xen-users-request@lists.xensource.com?subject=subscribe>
List-unsubscribe:	<http://lists.xensource.com/mailman/listinfo/xen-users>, <mailto:xen-users-request@lists.xensource.com?subject=unsubscribe>
References:	<47e279b60910130331ib80c667q55e73969a5efda66@xxxxxxxxxxxxxx>
Sender:	xen-users-bounces@xxxxxxxxxxxxxxxxxxx

Hi Ivan,

maybe you should add the permanent rules in the bottom of your iptables configuration like this? -

-A FORWARD --source domU_ip --jump ACCEPT

-A FORWARD --destination domU_ip --jump ACCEPT

so it will be works in any time without additional rules added by xen scripts.

I use the same configuration.

On Tue, Oct 13, 2009 at 2:31 PM, Ivan Lisenkov <ivan@xxxxxxxxx> wrote:

Dear xen users,

I am using xen 3.3.1 on opensuse 11.1. After creating a domU with 2 nics two iptables rules are created by default:

-A FORWARD -s XX.XX.XX.24/32 -m physdev --physdev-in vif77.0 -j ACCEPT
-A FORWARD -p udp -m physdev --physdev-in vif77.0 -m udp --sport 68 --dport 67 -j ACCEPT
-A FORWARD -s XX.XX.XX.25/32 -m physdev --physdev-in vif77.1 -j ACCEPT
-A FORWARD -p udp -m physdev --physdev-in vif77.1 -m udp --sport 68 --dport 67 -j ACCEPT

The rules seems logical, but one of them does no work! I can't ping XX.XX.XX.24 from outside. But if I change the rule manulally to:

-A FORWARD -s 188.40.226.24/32 -m physdev --physdev-in vif77.1 -j ACCEPT

everything works. This seems unlogical, because first ip is bounded to second nic, but works. The problem is that I have to change the rules every I reboot domu.

Any ideas how to fix it?

_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users

--
Serg Smirnov
email/xmpp: Sergey.A.Smirnov@xxxxxxxxx

_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users

Previous by Date:	[Xen-users] rebased opensuse 2.6.31 xen patches, Andrew Lyon
Next by Date:	RE: [Xen-users] iptables problem, Dustin Henning
Previous by Thread:	[Xen-users] iptables problem, Ivan Lisenkov
Next by Thread:	RE: [Xen-users] iptables problem, Dustin Henning
Indexes:	[Date] [Thread] [Top] [All Lists]

WARNING - OLD ARCHIVES

xen-users

Re: [Xen-users] iptables problem