xen-users
Re: [Xen-users] ssh issues on DomU
-- re-sending, I've still got this problem of connections sometimes
working and sometimes not. I can try repeatedly without changing
any settings and sometimes it will finally work.
Extra info added.
-----------------------------------------------------------
Hi,
Andrew McGlashan wrote:
These rules basically say that any traffic coming in from anywhere (the
outside) and being directed towards your DomU is only valid if it is
part of an existing connection (see the state RELATED,ESTABLISHED on the
physdev-out matches, which are driven by the stateful xtables match of
the Dom0 kernel), whereas the DomU is allowed to do any traffic (see the
physdev-in match).
Okay, I turned off anti-spoofing in the Xen network bridge setup; now
it works -- however, sometimes I need to try a few times before it connects.
Anti-spoofing set the default FORWARD policy to DROP.
-- extra info below this line --
Dom0
====
[Output edited for readability]
# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere
state RELATED,ESTABLISHED PHYSDEV match --physdev-out vif2.1
ACCEPT all -- anywhere anywhere
PHYSDEV match --physdev-in vif2.1
ACCEPT all -- anywhere anywhere
state RELATED,ESTABLISHED PHYSDEV match --physdev-out vif2.0
ACCEPT all -- anywhere anywhere
PHYSDEV match --physdev-in vif2.0
ACCEPT all -- anywhere anywhere
state RELATED,ESTABLISHED PHYSDEV match --physdev-out vif1.0
ACCEPT all -- anywhere anywhere
PHYSDEV match --physdev-in vif1.0
ACCEPT all -- anywhere anywhere
state RELATED,ESTABLISHED PHYSDEV match --physdev-out vif1.1
ACCEPT all -- anywhere anywhere
PHYSDEV match --physdev-in vif1.1
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
# brctl show
bridge name bridge id STP enabled interfaces
eth0 8000.0011258e355e no peth0
vif1.0
vif2.0
eth1 8000.0011258e355f no peth1
vif1.1
vif2.1
DomU
====
# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
# netstat -an|grep 22|grep LISTEN
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN
tcp6 0 0 :::22 :::* LISTEN
No IPv6 is configured on these machines at this time, fwiw.
Connecting via a modem with port forwarding works 100% of the time
without troubles (from allowed IP addresses).
I am using /etc/hosts.allow and /etc/hosts.deny to restrict access, but
the intermittent connections don't show this as an issue.
Relevant /etc/hosts.allow from the "other" network, the one that can
connect intermittently.
sshd: 192.168.
NB: there are other allowed hosts, but they are not having any
problems [coming in via the modem and with port forwards directly
to DomU]
/etc/hosts.deny relevant entry:
sshd: ALL
Thanks.
--
Kind Regards
AndrewM
Andrew McGlashan
Broadband Solutions now including VoIP
_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users
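An added example, not part of the thread or of Xen's own tooling: a small Python audit that parses the wrapped `iptables -L` listing shown above and, for each vif, works out what the Dom0 FORWARD chain does with a new inbound connection, a reply packet, and a new outbound connection from the DomU. It assumes the bridge's physical uplink is `peth0` (taken from the `brctl show` output) and models only the `state` and `physdev` matches that appear in the post; the sample listing is constructed to mirror the post's rules with the anti-spoofing policy DROP in place.

```python
"""Audit a Dom0 FORWARD chain for bridged DomU traffic.

Added example (not from the original post). Parses the wrapped
`iptables -L` output style seen on the list and reports, per vif,
whether new inbound, reply and new outbound packets are forwarded.
"""
import re
from dataclasses import dataclass, field
from typing import Optional

TARGETS = {"ACCEPT", "DROP", "REJECT", "RETURN", "LOG"}
PHYS_PORT = "peth0"  # assumption: the bridge uplink named in the post's brctl output

# Constructed sample: the post's vif2.1 rules with the anti-spoofing policy DROP.
SAMPLE_LISTING = """\
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere
state RELATED,ESTABLISHED PHYSDEV match --physdev-out vif2.1
ACCEPT all -- anywhere anywhere
PHYSDEV match --physdev-in vif2.1
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
"""


@dataclass
class Rule:
    target: str
    match: str = ""                   # raw match text, possibly wrapped over lines
    states: frozenset = frozenset()   # empty means "any conntrack state"
    physdev_in: Optional[str] = None
    physdev_out: Optional[str] = None

    def finish(self):
        """Extract the state and physdev matches from the accumulated text."""
        m = re.search(r"\bstate (\S+)", self.match)
        self.states = frozenset(m.group(1).split(",")) if m else frozenset()
        m = re.search(r"--physdev-in (\S+)", self.match)
        self.physdev_in = m.group(1) if m else None
        m = re.search(r"--physdev-out (\S+)", self.match)
        self.physdev_out = m.group(1) if m else None
        return self

    def matches(self, in_port, out_port, state):
        return ((self.physdev_in is None or self.physdev_in == in_port)
                and (self.physdev_out is None or self.physdev_out == out_port)
                and (not self.states or state in self.states))


@dataclass
class Chain:
    name: str
    policy: str
    rules: list = field(default_factory=list)

    def verdict(self, in_port, out_port, state):
        """First matching rule wins; otherwise the chain policy applies."""
        for rule in self.rules:
            if rule.matches(in_port, out_port, state):
                return rule.target
        return self.policy


def parse_listing(text):
    """Parse `iptables -L` output, joining match text wrapped onto extra lines."""
    chains, current, rule = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("target "):
            continue
        m = re.match(r"Chain (\S+) \(policy (\S+)\)", line)
        if m:
            current = chains[m.group(1)] = Chain(m.group(1), m.group(2))
            rule = None
            continue
        if current is None:
            continue
        parts = line.split()
        if parts[0] in TARGETS:
            # A rule line: target prot opt source destination [match text...]
            rule = Rule(parts[0], " ".join(parts[5:]))
            current.rules.append(rule)
        elif rule is not None:
            rule.match += " " + line   # continuation of the previous rule's matches
    for chain in chains.values():
        for r in chain.rules:
            r.finish()
    return chains


def audit_forward(text):
    """Per vif: verdict for new inbound, reply inbound and new outbound packets."""
    forward = parse_listing(text)["FORWARD"]
    vifs = sorted({p for r in forward.rules
                   for p in (r.physdev_in, r.physdev_out) if p})
    return {vif: {
        "new_inbound": forward.verdict(PHYS_PORT, vif, "NEW"),
        "reply_inbound": forward.verdict(PHYS_PORT, vif, "ESTABLISHED"),
        "new_outbound": forward.verdict(vif, PHYS_PORT, "NEW"),
    } for vif in vifs}


if __name__ == "__main__":
    for vif, verdicts in audit_forward(SAMPLE_LISTING).items():
        print(vif, verdicts)
```

With the policy set to DROP, the audit shows what the quoted explanation describes: the only rule that matches packets heading out to the DomU requires RELATED,ESTABLISHED, so a new inbound SSH connection falls through to the DROP policy while replies and DomU-initiated traffic are accepted. Run on the post's actual listing (policy ACCEPT, every rule ACCEPT) it returns ACCEPT for all three cases, which is why this chain cannot be the source of the intermittent failures once anti-spoofing is off.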