xen-users

[Xen-users] IPtables configuration problem

To: xen-users@xxxxxxxxxxxxxxxxxxx
Subject: [Xen-users] IPtables configuration problem
From: "Ivan Lisenkov" <ivan@xxxxxxxxx>
Date: Fri, 31 Oct 2008 15:49:40 +0300
Hello all!

I am trying to configure iptables to count the traffic of my DomUs and to block traffic if a DomU uses an incorrect IP address.

The problem is, it seems, that iptables does not see the traffic routed through a bridge.

My configuration is:

Dom0 IP, let it be 10.0.0.1

DomUs' subnet: 10.0.1.8/27

On dom0, the dummy0 interface with IP 10.0.1.8 is up and is connected to the virtual interfaces via xenbr1:

[root@xen scripts]# /usr/sbin/brctl show
bridge name     bridge id               STP enabled     interfaces
virbr0          8000.000000000000       yes
xenbr0          8000.feffffffffff       no              peth0
                                                        vif0.0
xenbr1          8000.6ef521bb1b21       no              vif2.0
                                                        tap2
                                                        vif1.0
                                                        vif1.1
                                                        tap1
                                                        tap0
                                                        pdummy0
                                                        vif0.1

The network works fine, but iptables does not count any packets from/to domUs:

Chain FORWARD (policy ACCEPT 21318 packets, 4877K bytes)
 pkts bytes target     prot opt in     out     source               destination
11326 1715K LOG        all  --  any    any     anywhere             anywhere            LOG level debug
    0     0 ACCEPT     all  --  any    any     10.0.1.12         anywhere            PHYSDEV match --physdev-in vif2.0
    0     0 ACCEPT     udp  --  any    any     anywhere             anywhere            PHYSDEV match --physdev-in vif2.0 udp spt:bootpc dpt:bootps

What's going wrong?

My system is CentOS 5.2, Xen version 3.0.3.

Thank you in advance for any help!!!

Best Regards,


Ivan
_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users
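An added diagnostic for the symptom described above (this is example code, not part of the thread): it reports whether the kernel hands bridged frames to iptables at all (the bridge-nf-call-iptables toggle, whose /proc path is an assumption) and lists the PHYSDEV rules whose counters remain at zero, using the FORWARD chain output quoted in the post as constructed sample input.

```sh
#!/bin/sh
# Added diagnostic, not from the original thread.  Assumes a Linux host that
# exposes the bridge netfilter toggle at the path below (assumed path).
BRIDGE_NF=/proc/sys/net/bridge/bridge-nf-call-iptables

# Report whether bridged frames are passed to iptables.  Returns 0 only when
# the toggle is present and set to 1; returns 1 if it is absent or 0.
bridge_nf_enabled() {
    if [ ! -r "$BRIDGE_NF" ]; then
        echo "bridge-nf-call-iptables: not exposed (bridge netfilter module not loaded?)"
        return 1
    fi
    v=$(cat "$BRIDGE_NF")
    echo "bridge-nf-call-iptables: $v"
    [ "$v" = 1 ]
}

# Read 'iptables -vnL FORWARD' style output on stdin and print every
# PHYSDEV rule whose packet counter (first column) is still zero.
physdev_rules_without_hits() {
    awk '$1 ~ /^[0-9]+$/ && $1 == 0 && /PHYSDEV/'
}

# Sample input copied from the post above (constructed test data).
SAMPLE='Chain FORWARD (policy ACCEPT 21318 packets, 4877K bytes)
 pkts bytes target     prot opt in     out     source               destination
11326 1715K LOG        all  --  any    any     anywhere             anywhere            LOG level debug
    0     0 ACCEPT     all  --  any    any     10.0.1.12         anywhere            PHYSDEV match --physdev-in vif2.0
    0     0 ACCEPT     udp  --  any    any     anywhere             anywhere            PHYSDEV match --physdev-in vif2.0 udp spt:bootpc dpt:bootps'

# Number of PHYSDEV rules in the sample that never matched (2 for the post).
count_unmatched_sample() {
    printf '%s\n' "$SAMPLE" | physdev_rules_without_hits | awk 'END { print NR }'
}

main() {
    bridge_nf_enabled || true
    echo "PHYSDEV rules with zero hits:"
    printf '%s\n' "$SAMPLE" | physdev_rules_without_hits
}

main
```

On a live host, replace the sample with `iptables -vnL FORWARD` output; the LOG rule hitting while both PHYSDEV rules stay at zero is what the check is meant to surface.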