WARNING - OLD ARCHIVES

This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/
xen-users

Re: [Xen-users] Has anyone successfully set up a dhcp/iptables firewall

To: Juergen Schinker <ba1020@xxxxxxxxxxxxxxxxxxx>
Subject: Re: [Xen-users] Has anyone successfully set up a dhcp/iptables firewall in dom0 NATing traffic from domU?
From: Gareth Bult <gareth@xxxxxxxxxxxxx>
Date: Tue, 12 Feb 2008 12:21:21 +0000 (GMT)
Cc: xen-users@xxxxxxxxxxxxxxxxxxx
Delivery-date: Tue, 12 Feb 2008 04:21:05 -0800
Envelope-to: www-data@xxxxxxxxxxxxxxxxxx
In-reply-to: <2618.217.154.180.50.1202816840.squirrel@xxxxxxxxxxxxxxxxxxxxxxx>
List-help: <mailto:xen-users-request@lists.xensource.com?subject=help>
List-id: Xen user discussion <xen-users.lists.xensource.com>
List-post: <mailto:xen-users@lists.xensource.com>
List-subscribe: <http://lists.xensource.com/cgi-bin/mailman/listinfo/xen-users>, <mailto:xen-users-request@lists.xensource.com?subject=subscribe>
List-unsubscribe: <http://lists.xensource.com/cgi-bin/mailman/listinfo/xen-users>, <mailto:xen-users-request@lists.xensource.com?subject=unsubscribe>
Sender: xen-users-bounces@xxxxxxxxxxxxxxxxxxx
Hi,

For what it's worth, I've come to the conclusion that the best policy is to run 
*nothing* in the Dom0 above and beyond what you absolutely need. In my case, no 
iptables whatsoever and nothing listening on a public interface save ssh, which 
is protected by hosts.allow.
(then run everything else on a second/private eth)

There appears to be a rather nasty bug somewhere in the IP stack; I'm thinking 
it's in conntrack with regards to bridging with Xen in Dom0's, which ultimately 
causes lots of problems including machine lockouts.

Since scrapping iptables I've not had a single lockup (across 6 machines and 
18 DomU's).
[I'm working with kernels 2.6.2x]

hth
Gareth.


----- Original Message -----
From: "Juergen Schinker" <ba1020@xxxxxxxxxxxxxxxxxxx>
To: xen-users@xxxxxxxxxxxxxxxxxxx
Sent: 12 February 2008 11:47:20 o'clock (GMT) Europe/London
Subject: Re: [Xen-users] Has anyone successfully set up a dhcp/iptables firewall in dom0 NATing traffic from domU?

> I've been struggling with this problem for a few days now; perhaps
> someone here has had experience with this problem already.  I am trying
> to set up a rack server like this:
>
> dom0: iptables/dhcp
> dom1: LAMP server
> dom2: MAIL server
> dom3: VNC vm for graphical admin and web tools
>
> Dom0 has one physical interface eth0 which receives a static ip, I have
> also set up a bridge called br0 that I have bound dnsmasq to in order to
> dole out ips to the domU's.  The domU's are assigned a mac address and
> once they boot dhclient requests an ip over 192.168.0.1 which works
> well.  Once the domU has booted I can ping the other domU's by ip and
> the br0 itself at 192.168.0.1 as well as accessing all the servers in
> the domUs in my internal network.  I.e. I can hit the webserver in dom1
> from dom3.  I can also ping external sites by domain name like
> google.com.  Unfortunately that is about all I can do.  I cannot access
> any other form of net traffic from inside the domU, i.e. I cannot access
> the web or rsync.  My question is basically, is this a problem with Xen
> networking or is it a problem with iptables?  Both?
>
>  - Rich
>
> _______________________________________________
> Xen-users mailing list
> Xen-users@xxxxxxxxxxxxxxxxxxx
> http://lists.xensource.com/xen-users
>
>
Yes, here: http://homie.homelinux.net/wordpress/?p=11
_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users
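A minimal dom0 forwarding and NAT policy for the topology Rich describes, added here as an example and not taken from the thread or the linked post. eth0, br0, the 192.168.0.0/24 range and dnsmasq on the bridge come from the question; ADMIN_NET (the only source allowed to reach ssh on the public side) is a placeholder for your own management range.

```shell
#!/bin/sh
# Added example (not from the thread): default-deny dom0 firewall that NATs
# domU traffic out of eth0. Interface names and the 192.168.0.0/24 range are
# taken from the question; ADMIN_NET is a placeholder (documentation range).
WAN_IF="${WAN_IF:-eth0}"
LAN_IF="${LAN_IF:-br0}"
LAN_NET="${LAN_NET:-192.168.0.0/24}"
ADMIN_NET="${ADMIN_NET:-203.0.113.0/24}"

# Emit the commands as text so they can be reviewed before they are applied.
dom0_nat_rules() {
    cat <<EOF
sysctl -w net.ipv4.ip_forward=1
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i $WAN_IF -p tcp --dport 22 -s $ADMIN_NET -j ACCEPT
iptables -A INPUT -i $LAN_IF -p udp --dport 67 -j ACCEPT
iptables -A INPUT -i $LAN_IF -p udp --dport 53 -j ACCEPT
iptables -A INPUT -i $LAN_IF -p tcp --dport 53 -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -j ACCEPT
iptables -t nat -A POSTROUTING -o $WAN_IF -s $LAN_NET -j MASQUERADE
EOF
}

# Apply the rules one by one, stopping at the first failure; needs root.
dom0_nat_apply() {
    [ "$(id -u)" -eq 0 ] || { echo "must run as root" >&2; return 1; }
    dom0_nat_rules | while IFS= read -r line; do
        echo "+ $line" >&2
        sh -c "$line" || exit 1
    done
}

case "${1:-}" in
    apply) dom0_nat_apply ;;
    show|"") dom0_nat_rules ;;
esac
```

The ESTABLISHED,RELATED matches and MASQUERADE both load conntrack, the component Gareth suspects; his alternative is to run no iptables in dom0 at all and keep only ssh, restricted by hosts.allow, on the public interface.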
