WARNING - OLD ARCHIVES

This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/
xen-users

Re: [Xen-users] iptables in dom0 with bridge: no more outbound connections

To: Peter Fokkinga <peter@xxxxxxxxxxx>
Subject: Re: [Xen-users] iptables in dom0 with bridge: no more outbound connections
From: Nico Kadel-Garcia <nkadel@xxxxxxxxx>
Date: Fri, 29 Dec 2006 16:40:21 +0000
Cc: xen-users@xxxxxxxxxxxxxxxxxxx
Delivery-date: Fri, 29 Dec 2006 08:40:14 -0800
In-reply-to: <20061229162546.1r02ekiiowoos8c8@xxxxxxxxx>
List-help: <mailto:xen-users-request@lists.xensource.com?subject=help>
List-id: Xen user discussion <xen-users.lists.xensource.com>
List-post: <mailto:xen-users@lists.xensource.com>
List-subscribe: <http://lists.xensource.com/cgi-bin/mailman/listinfo/xen-users>, <mailto:xen-users-request@lists.xensource.com?subject=subscribe>
List-unsubscribe: <http://lists.xensource.com/cgi-bin/mailman/listinfo/xen-users>, <mailto:xen-users-request@lists.xensource.com?subject=unsubscribe>
References: <20061229162546.1r02ekiiowoos8c8@xxxxxxxxx>
Sender: xen-users-bounces@xxxxxxxxxxxxxxxxxxx
User-agent: Thunderbird 1.5.0.9 (Windows/20061207)
Peter Fokkinga wrote:
> After successfully consolidating my servers at home with Xen I
> wanted to do the same at work. Unfortunately, I ran into a
> networking anomaly that baffles my mind...
>
> What I'm looking for is a real simple setup: a dom0 and 4 domU's
> that are all directly accessible; in other words, no NAT required,
> each dom has a "real" (public) ip address in our 129.125. range
> (that's University of Groningen, the Netherlands in case you're
> wondering).
>
> Even though I have no need for iptables to do NAT, I _do_ want
> to protect each dom, including dom0, with its own firewall. And
> here the problems start.
>
> When I boot into dom0 (Xen 3.0.4 patched to kernel 2.6.16.36), but
> without starting xend, things are fine (iptable rules are active
> at this point). Yet, after I have started xend (and xenbr0 appears
> in my ifconfig output) I am unable to make connections to remote
> hosts (dns lookups fail, ping to ip addresses fail, etc). Strange!
>
> Now for the real spooky part:
>   1. I booted into dom0 (no xend)
>   2. executed `telnet 129.125.14.12 daytime`, it works
>   3. started xend
>   4. executed `telnet 129.125.14.12 daytime`, it still works (surprise!)
>   5. executed `telnet 129.125.14.13 daytime`, it does not work
DNS cache, I think.

> Weird, so I rebooted the machine and tried again except for step 2
> and the result was the same. Two days later I tried another time
> (again leaving out step 2) and now step 4 gives no response...
>
> When I disable the firewall (iptables -F) everything is fine.
>
> My minimal firewall script:
> iptables -F
> iptables -A INPUT -p tcp --dport ssh   -j ACCEPT
> iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> iptables -A INPUT -j DROP
>
> Another observation: with the above firewall in place I can ssh into
> dom0, but it takes about 30 seconds to connect; without firewall it
> is almost instantaneous.
Reverse DNS being attempted by Dom0 as part of SSHD logging, and failing. Try restarting the SSHD with the "-u0" option to turn this off.
> Now I'm a programmer, not a network engineer. And I don't have a
> clue how to go from here (i.o.w. I can run tcpdump, but don't know
> what to look for). So suggestions are greatly appreciated!
>
> Cheers, Peter
It's been discussed before: I haven't had a chance to pursue it, myself. Basically, after you start Xend, traffic going *out* from Dom0 goes through peth0, as near as I can tell, not eth0.
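An added example, not code from either poster: Peter's ruleset with a loopback accept and a LOG rule placed in front of the final DROP, so every dropped packet lands in the kernel log with its IN= interface, plus small helpers that pull the interface and protocol out of such log lines. The sample log lines, the "FW-DROP: " prefix and the dom0 address 192.0.2.10 are constructed; the rule functions are not invoked at the top level, so the parsing helpers can be exercised without root or iptables.

```shell
#!/bin/sh
# Ruleset from the thread, plus lo accept and a rate-limited LOG before DROP.
# Checking IN= in the resulting log lines shows whether the dropped replies
# arrive on peth0 (the bridge path) rather than eth0, as the reply suggests.
apply_firewall() {
    iptables -F
    iptables -A INPUT -i lo -j ACCEPT
    iptables -A INPUT -p tcp --dport ssh -j ACCEPT
    iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Limit logging so a flood of dropped packets cannot fill the log.
    iptables -A INPUT -m limit --limit 5/min -j LOG --log-prefix "FW-DROP: "
    iptables -A INPUT -j DROP
}

# Print the IN= interface of one iptables LOG line (empty if absent).
log_iface() {
    printf '%s\n' "$1" | sed -n 's/.*[[:space:]]IN=\([^[:space:]]*\).*/\1/p'
}

# Print the PROTO= value of one iptables LOG line (empty if absent).
log_proto() {
    printf '%s\n' "$1" | sed -n 's/.*[[:space:]]PROTO=\([^[:space:]]*\).*/\1/p'
}

# Read LOG lines on stdin and print "<iface> <dropped-count>" per interface.
drops_by_iface() {
    grep 'FW-DROP:' \
      | sed -n 's/.*[[:space:]]IN=\([^[:space:]]*\).*/\1/p' \
      | sort | uniq -c | awk '{ print $2, $1 }'
}

# Constructed sample log lines in iptables LOG format (not real captures):
# a daytime (port 13) reply and a DNS reply arriving on peth0, one ping on eth0.
SAMPLE_LOG='Dec 29 16:40:21 dom0 kernel: FW-DROP: IN=peth0 OUT= SRC=129.125.14.13 DST=192.0.2.10 PROTO=TCP SPT=13 DPT=40000
Dec 29 16:40:22 dom0 kernel: FW-DROP: IN=peth0 OUT= SRC=129.125.14.13 DST=192.0.2.10 PROTO=UDP SPT=53 DPT=33333
Dec 29 16:40:23 dom0 kernel: FW-DROP: IN=eth0 OUT= SRC=192.0.2.5 DST=192.0.2.10 PROTO=ICMP TYPE=0'

# Summary for the sample; on a live dom0 feed it from: dmesg | drops_by_iface
printf '%s\n' "$SAMPLE_LOG" | drops_by_iface
```

Run `apply_firewall` as root only once the log lines confirm which interface the dropped replies use.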

_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users