Re: [Xen-users] ssh issues on DomU
Hi,
Heiko Wundram wrote:
Do you have any firewall in place that might be dropping connections ?
No, the closest thing would be the standard iptables rules on Dom0 ...
but it looks "okay" to me.
It isn't.
Chain FORWARD (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED PHYSDEV match --physdev-out vif3.1
ACCEPT     all  --  anywhere             anywhere            PHYSDEV match --physdev-in vif3.1
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED PHYSDEV match --physdev-out vif3.0
ACCEPT     all  --  anywhere             anywhere            PHYSDEV match --physdev-in vif3.0
ACCEPT     all  --  anywhere             anywhere            PHYSDEV match --physdev-in peth1
These rules basically say that any traffic coming in from anywhere (the
outside) and being directed towards your DomU is only valid if it is
part of an existing connection (see the state RELATED,ESTABLISHED on the
physdev-out matches, which are driven by the stateful xtables match of
the Dom0 kernel), whereas the DomU is allowed to do any traffic (see the
physdev-in match).
The DomU machine can host a website, no problem. It can reply to pings
sent to it by another machine on the 192.168.1.0 network just fine.
ssh works fine for the 192.168.10.201 going through Dom0 in the same
manner as http [modem / forwarding -- modem is on 192.168.10.0 network].
So, ssh is different from _other_ traffic types for some reason.
The Dom0 is allowed to do traffic to all DomUs, because the packets the
Dom0 generates go through INPUT and OUTPUT, but not through FORWARD. You
might want to check the iptables generation on your Dom0.
I didn't craft the iptables rules on Dom0, it is standard installation
with bridged networking setup -- okay, I had to mod the network script
for xen, but I didn't fiddle with any iptables rules.
--
Kind Regards
AndrewM
Andrew McGlashan
Broadband Solutions now including VoIP
_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users
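Added example, not from the thread: a first-match walk over the FORWARD chain quoted above, so you can check which rule (or the chain policy) a bridged packet hits for a given in-interface, out-interface and conntrack state. The interface names are the ones in the listing; the packets walked are constructed.

```python
import re

# Constructed sample: the Dom0 FORWARD chain from the thread, as `iptables -L FORWARD`
# prints it once the wrapped lines are joined back together.
FORWARD_LISTING = """\
Chain FORWARD (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED PHYSDEV match --physdev-out vif3.1
ACCEPT     all  --  anywhere             anywhere            PHYSDEV match --physdev-in vif3.1
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED PHYSDEV match --physdev-out vif3.0
ACCEPT     all  --  anywhere             anywhere            PHYSDEV match --physdev-in vif3.0
ACCEPT     all  --  anywhere             anywhere            PHYSDEV match --physdev-in peth1
"""

def parse_chain(listing):
    """Return (policy, rules). Each rule keeps only the matches this walk evaluates:
    target, conntrack states (None = any state), physdev-in and physdev-out (None = any)."""
    policy, rules = None, []
    for line in listing.splitlines():
        head = re.match(r"Chain \S+ \(policy (\w+)\)", line)
        if head:
            policy = head.group(1)
            continue
        if not line.startswith(("ACCEPT", "DROP", "REJECT", "RETURN")):
            continue  # column header or blank line
        state = re.search(r"\bstate (\S+)", line)
        pin = re.search(r"--physdev-in (\S+)", line)
        pout = re.search(r"--physdev-out (\S+)", line)
        rules.append({
            "target": line.split()[0],
            "states": set(state.group(1).split(",")) if state else None,
            "physdev_in": pin.group(1) if pin else None,
            "physdev_out": pout.group(1) if pout else None,
        })
    return policy, rules

def walk(listing, phys_in, phys_out, state):
    """First-match evaluation of one bridged packet: returns (verdict, 1-based rule number),
    or (policy, None) when no rule matches and the chain policy decides."""
    policy, rules = parse_chain(listing)
    for n, r in enumerate(rules, 1):
        if r["states"] is not None and state not in r["states"]:
            continue
        if r["physdev_in"] is not None and r["physdev_in"] != phys_in:
            continue
        if r["physdev_out"] is not None and r["physdev_out"] != phys_out:
            continue
        return r["target"], n
    return policy, None

if __name__ == "__main__":
    # Constructed packets: a NEW connection the DomU opens, and a NEW one aimed at it from another vif.
    print(walk(FORWARD_LISTING, "vif3.0", "peth1", "NEW"))
    print(walk(FORWARD_LISTING, "vif9.0", "vif3.0", "NEW"))
```

Running the walk on a real `iptables -L FORWARD` dump (wrapped lines joined) tells you whether a NEW inbound connection to a vif can only reach it through a rule like the `--physdev-in peth1` one, or falls through to the DROP policy.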