 Home |
Products |
Support |
Community |
News |
xen-users
Re: [Xen-users] ssh issues on DomU
| To: | xen-users@xxxxxxxxxxxxxxxxxxx |
|---|---|
| Subject: | Re: [Xen-users] ssh issues on DomU |
| From: | Heiko Wundram <modelnine@xxxxxxxxxxxxx> |
| Date: | Fri, 01 Apr 2011 15:47:32 +0200 |
| Delivery-date: | Fri, 01 Apr 2011 06:48:31 -0700 |
| Dkim-signature: | v=1; a=rsa-sha256; c=simple/simple; d=modelnine.org; s=modelnine1012; t=1301665659; bh=0idsmdKAcw4Joz4Jvzg20o0zYLChzGipi9gkLNBn8E8=; h=Message-ID:Date:From:MIME-Version:To:Subject:References: In-Reply-To:Content-Type:Content-Transfer-Encoding; b=mqjrLw9FsSDSAyz/hYeZbzEthkDySNEedltm1veHg4Vy5Nyln1R/Lyb0/YXwikWle aSn3WuueaOsXS/M6B9uB7WU+uU9dOzjfGiS4SgyGs1Qqnec1+X6zlPSwTx+Rw0ctKT sejbYkiQP1nnlKylxagAqiIA8c2gZoTPeP3b0biU= |
| Envelope-to: | www-data@xxxxxxxxxxxxxxxxxxx |
| In-reply-to: | <4D95D5F9.5040208@xxxxxxxxxxxxxxxxxxxxx> |
| List-help: | <mailto:xen-users-request@lists.xensource.com?subject=help> |
| List-id: | Xen user discussion <xen-users.lists.xensource.com> |
| List-post: | <mailto:xen-users@lists.xensource.com> |
| List-subscribe: | <http://lists.xensource.com/mailman/listinfo/xen-users>, <mailto:xen-users-request@lists.xensource.com?subject=subscribe> |
| List-unsubscribe: | <http://lists.xensource.com/mailman/listinfo/xen-users>, <mailto:xen-users-request@lists.xensource.com?subject=unsubscribe> |
| References: | <4D94006E.6050508@xxxxxxxxxxxxxxxxxxxxx> <20110331072304.GA6125@xxxxxxxx> <4D945E71.7070709@xxxxxxxxxxxxxxxxxxxxx> <20110331112458.GB6125@xxxxxxxx> <4D946F95.8010907@xxxxxxxxxxxxxxxxxxxxx> <p0624080dc9ba263d117b@xxxxxxxxxxxxxxxxxxxxxx> <4D95D5F9.5040208@xxxxxxxxxxxxxxxxxxxxx> |
| Sender: | xen-users-bounces@xxxxxxxxxxxxxxxxxxx |
| User-agent: | Mozilla/5.0 (Windows; U; Windows NT 6.1; de; rv:1.9.2.15) Gecko/20110303 Thunderbird/3.1.9 |
Am 01.04.2011 15:41, schrieb Andrew McGlashan: > Hi, > > Simon Hobson wrote: >> Andrew McGlashan wrote: >> >>> I only see output when I ssh from Dom0 -- nothing when trying from >>> putty client. >> >> Do you have any firewall in place that might be dropping connections ? > > No, the closest thing would be the standard iptables rules on Dom0 ... > but it looks "okay" to me. It isn't. > Chain FORWARD (policy DROP) > target prot opt source destination > ACCEPT all -- anywhere anywhere state > RELATED,ESTABLISHED PHYSDEV match --physdev-out vif3.1 > ACCEPT all -- anywhere anywhere PHYSDEV > match --physdev-in vif3.1 > ACCEPT all -- anywhere anywhere state > RELATED,ESTABLISHED PHYSDEV match --physdev-out vif3.0 > ACCEPT all -- anywhere anywhere PHYSDEV > match --physdev-in vif3.0 > ACCEPT all -- anywhere anywhere PHYSDEV > match --physdev-in peth1 These rules basically say that any traffic coming in from anywhgere (the outside) and being directed towards your DomU is only valid if it is part of an existing connection (see the state RELATED,ESTABLISHED on the physdev-out matches, which are driven by the stateful xtables match of the Dom0 kernel), whereas the DomU is allowed to do any traffic (see the physdev-in match). The Dom0 is allowed to do traffic to all DomUs, because the packets the Dom0 generates go through INPUT and OUTPUT, but not through FORWARD. You might want to check the iptables generation on your Dom0. -- --- Heiko. _______________________________________________ Xen-users mailing list Xen-users@xxxxxxxxxxxxxxxxxxx http://lists.xensource.com/xen-users |
| <Prev in Thread] | Current Thread | [Next in Thread> |
|---|---|---|
| ||
| Previous by Date: | Re: [Xen-users] ssh issues on DomU, Andrew McGlashan |
|---|---|
| Next by Date: | Re: [Xen-users] Debian dom0 Centos domU network xenbr0 and VNC problems, Hans Vos |
| Previous by Thread: | Re: [Xen-users] ssh issues on DomU, Andrew McGlashan |
| Next by Thread: | Re: [Xen-users] ssh issues on DomU, Andrew McGlashan |
| Indexes: | [Date] [Thread] [Top] [All Lists] |
