WARNING - OLD ARCHIVES

This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/
To: xen-users@xxxxxxxxxxxxxxxxxxx
Subject: Re: [Xen-users] iptables in dom0 with bridge: no more outbound connections
From: Peter Fokkinga <peter@xxxxxxxxxxx>
Date: Thu, 04 Jan 2007 20:31:09 +0100
Delivery-date: Thu, 04 Jan 2007 11:31:12 -0800
Envelope-to: www-data@xxxxxxxxxxxxxxxxxx
In-reply-to: <20061229162546.1r02ekiiowoos8c8@xxxxxxxxx>
List-help: <mailto:xen-users-request@lists.xensource.com?subject=help>
List-id: Xen user discussion <xen-users.lists.xensource.com>
List-post: <mailto:xen-users@lists.xensource.com>
List-subscribe: <http://lists.xensource.com/cgi-bin/mailman/listinfo/xen-users>, <mailto:xen-users-request@lists.xensource.com?subject=subscribe>
List-unsubscribe: <http://lists.xensource.com/cgi-bin/mailman/listinfo/xen-users>, <mailto:xen-users-request@lists.xensource.com?subject=unsubscribe>
References: <20061229162546.1r02ekiiowoos8c8@xxxxxxxxx>
Sender: xen-users-bounces@xxxxxxxxxxxxxxxxxxx
User-agent: Internet Messaging Program (IMP) H3 (4.1.3)
Quoting Peter Fokkinga <peter@xxxxxxxxxxx>:
> When I boot into dom0 (Xen 3.0.4 patched to kernel 2.6.16.36), but
> without starting xend, things are fine (iptable rules are active
> at this point). Yet, after I have started xend (and xenbr0 appears
> in my ifconfig output) I am unable to make connections to remote
> hosts (dns lookups fail, ping to ip addresses fail, etc). Strange!

Turned out to be an iptables configuration issue.

This is the minimal firewall that _doesn't_ work in dom0:
iptables -F
iptables -A INPUT -p tcp --dport ssh   -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -j DROP

The same, but _working_ when the xenbr0 bridge is active:
iptables -F
iptables -A FORWARD -m physdev --physdev-out vif+ -p tcp --dport ssh -j ACCEPT
iptables -A FORWARD -m physdev --physdev-out vif+ -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m physdev --physdev-out vif+ -j DROP

A small issue arose when activating the firewall at boot: the firewall
script would fail when started right after xend. Adding
"ifdown eth0 ; ifup eth0" to the start of the firewall script solved
this. This may be specific to the hardware though (infamous Broadcom
NetXtreme II BCM5708 NIC).

Cheers, Peter

_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users
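As an added example (not code from the original post or from the Xen project), the working ruleset from the post wrapped in a small script that can be previewed before it is applied: with IPT=echo the commands are printed instead of executed, so the rule order can be checked without root or a bridge present. It generalizes the post's single ssh rule to a list of TCP ports allowed towards guests. The variable names IPT, VIF and GUEST_PORTS are assumptions, and port 22 stands in for the "ssh" service name used in the post.

```shell
#!/bin/sh
# Added example, not code from the original post. Filters traffic bridged
# towards Xen guests in the FORWARD chain, matched on the outgoing bridge
# port with the physdev module, as the post's working ruleset does.
# Assumptions: the iptables binary is on PATH, guest interfaces match vif+.

IPT="${IPT:-iptables}"             # set IPT=echo to print commands instead of applying
VIF="${VIF:-vif+}"                 # Xen guest interface glob (vif<domid>.<n>)
GUEST_PORTS="${GUEST_PORTS:-22}"   # TCP ports reachable on guests from outside

apply_rules() {
    # Start from an empty filter table, as the post does.
    "$IPT" -F

    # Allow new connections to the listed guest services.
    for port in $GUEST_PORTS; do
        "$IPT" -A FORWARD -m physdev --physdev-out "$VIF" -p tcp --dport "$port" -j ACCEPT
    done

    # Allow return traffic for connections the guests opened.
    "$IPT" -A FORWARD -m physdev --physdev-out "$VIF" -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Everything else headed into a guest is dropped. This rule is scoped
    # to the guest path, so dom0's own outbound connections are untouched.
    "$IPT" -A FORWARD -m physdev --physdev-out "$VIF" -j DROP
}

# Print the commands that would run, without applying them.
show_rules() {
    ( IPT=echo; apply_rules )
}

# Apply for real when executed directly as a script (not when sourced for tests).
case "$0" in
    *dom0-fw.sh) apply_rules ;;
esac
```

Run `sh dom0-fw.sh` as root to apply, or source the file and call `show_rules` to inspect the generated commands; set `GUEST_PORTS="22 80"` to open a second service on the guests.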
