On Fri, Nov 07, 2003 at 10:53:59PM +0000, Ian Pratt wrote:
>
> > > I'm afraid I'm not entirely surprised that xen_nat_enable doesn't
> > > play well with your firewall.
> >
> > I'll do a little more diagnosis in the future. What I think
> > happened, though, is that the NAT's nat* rules somehow discarded
> > the filter* rules. I was also getting some complaints about
> > mangle* needing to load the iptables module, which was not found
> > (this was when I was trying to re-add my default rules).
>
> I fear the xen_nat_enable script basically does a 'flush all
> rules' to start with. Someone who understands iptables better
> should be able to fix this...
Aha... easy to do. I just commented out the lines that flush
the existing filter rules in xen_nat_enable:
# run_iptables -t filter -F
# run_iptables -t filter -X
I can now run xen_nat_enable and it leaves my existing filter
rules in place. The existing filter rules are extremely
permissive.
> > 2) Hmmm -- this does not work. Any quick guess what to try fixing?
>
> > $ xenctl domain list
> > id: 0 (Domain-0)
> > processor: 0
> > has cpu: true
> > state: 0 active
> > mcu advance: 10
> > total pages: 192000
> > id: 2 (XenoLinux)
> > processor: 0
> > has cpu: false
> > state: 1 stopped
> > mcu advance: 10
> > total pages: 24576
>
> Did you start a domain 1 that then exited?
Yes, I had domain 1 that I stopped then killed.
After starting domain 2, I still can't connect. Details below.
> The IP address of your currently running domain (id: 2) should
> be 169.254.1.2
>
> "state: 1 stopped" doesn't look good, though. Have you actually
> "xenctl domain start"'ed the domain?
$ xenctl script -f/etc/xen-mydom (the default script)
$ xenctl domain start -n2
$ xenctl domain list
id: 0 (Domain-0)
processor: 0
has cpu: true
state: 0 active
mcu advance: 10
total pages: 192000
id: 2 (XenoLinux)
processor: 0
has cpu: false
state: 0 active
mcu advance: 10
total pages: 24576
$ ifconfig eth0:0
eth0:0 Link encap:Ethernet HWaddr 00:B0:D0:DF:FA:ED
inet addr:169.254.1.0 Bcast:169.254.255.255 Mask:255.255.0.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
(I'll use raw telnet to better diagnose the failures):
The system I'm using is 137.229.71.6, statically assigned.
works: telnet 169.254.1.0 22
times out: telnet 169.254.1.2 22
connection refused: telnet 169.254.1.0 2202
connection refused: telnet 137.229.71.6 2202
It looks to me like either the built-in firewall is blocking incoming
access at 169.254.1.2 (the virtual domain), or the virtual domain is
simply unable to access the network connection.
As I mentioned in my other message, it would be great to be able to
see console messages, but they are either being firewalled or
otherwise redirected.
-- Greg
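An added example, not code from this thread or from the Xen scripts: a POSIX sh wrapper that snapshots the filter table with iptables-save before running a NAT-setup script such as xen_nat_enable, then re-applies the saved rules with iptables-restore -n only if the script flushed them, so the host's own filter rules survive without editing the script. The wrapped command name and the presence of the standard iptables-save/iptables-restore tools on PATH are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread or the Xen project): run a command that
# may flush the filter table, and restore the filter rules it discarded.
# Assumes iptables-save / iptables-restore are on PATH.

# Count the rule lines (-A ...) of a filter-table dump; '|| true' keeps
# grep's "no matches" exit status from aborting under set -e.
count_filter_rules() {
    grep -c '^-A ' "$1" || true
}

# Snapshot the filter table, run "$@", and if the rule count dropped,
# re-append the saved rules. -n (--noflush) keeps whatever the wrapped
# command added (e.g. its nat rules) in place.
run_preserving_filter() {
    snapshot=$(mktemp) || return 1
    iptables-save -t filter > "$snapshot" || { rm -f "$snapshot"; return 1; }
    before=$(count_filter_rules "$snapshot")

    if "$@"; then status=0; else status=$?; fi

    after=$(iptables-save -t filter | grep -c '^-A ' || true)
    if [ "$after" -lt "$before" ]; then
        echo "filter rules dropped from $before to $after; re-applying" >&2
        iptables-restore -n < "$snapshot"
    fi
    rm -f "$snapshot"
    return "$status"
}

# Only act when a command is given, e.g.: ./wrap.sh xen_nat_enable
case "${1:-}" in
    "") ;;
    *) run_preserving_filter "$@" ;;
esac
```

Re-applying also re-sets the chain policies recorded in the snapshot, so check the saved dump if the NAT script is expected to change those.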
_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxxxx
https://lists.sourceforge.net/lists/listinfo/xen-devel