xen-users
[Xen-users] so close! just an iptables rule away.....? 
Hi,
 I've been making leaps and strides with Xen on FC4. It has been easy to get installed and to start our first virtual host.
 I've got one outstanding issue with iptables that is preventing me progressing further.
 
This is a colo'd server. It has a single NIC with public IPs.
 The bridge is set to come up binding vif* <> xen-br0 <> eth1.
 I can start a virtual host and I am able to ping & SSH to the virtual host.
 
I am not able to resolve DNS queries from my virtual host though - tcpdump shows Admin Prohibited, e.g.:
14:45:01.527142 IP dellserver.comwifinet.lan > vm-colo1.comwifinet.lan: icmp 80: host 217.160.133.239 unreachable - admin prohibited
 
 If I drop IP tables then all name resolution works from the virtual machines.
 
 I have not had any success with adding the iptables rules as shown in the wiki
 
# iptables -L -v -n
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
 8216  809K RH-Firewall-1-INPUT  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-in eth1 ! --physdev-out eth1
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           PHYSDEV match ! --physdev-in eth1 --physdev-out eth1

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
 1844  216K RH-Firewall-1-INPUT  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT 1256 packets, 373K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain RH-Firewall-1-INPUT (2 references)
 pkts bytes target     prot opt in     out     source               destination
   42  3108 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
   19  1540 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           icmp type 255
    0     0 ACCEPT     esp  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     ah   --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            224.0.0.251         udp dpt:5353
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:631
 3296  287K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
    2   116 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:143
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:53
    9   740 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22
    7   336 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:25
    4   228 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:80
 6681  732K REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited
 
Running 2.6.12-1.1398_FC4xen0
I have read https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=161792 - is this the cause of my problems? Do I need to run a newer kernel to resolve this issue?
 
 Thanks for any advice - please prompt me to supply further info (e.g. credit card number, inside leg measurement, etc......)
 
 /rob
 
 
 _______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users
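The listing above already explains why the wiki rules never fire: the first FORWARD rule jumps to RH-Firewall-1-INPUT, which ends in a catch-all REJECT, so the two PHYSDEV ACCEPT rules (0 packets) are never evaluated, and that chain only allows tcp/53, not udp/53. As an added example, not part of the post, here is a small Python model of netfilter chain traversal over a subset of that ruleset; the vif name and the sample packet are constructed.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Rule:
    target: str                      # ACCEPT, REJECT or a user-defined chain
    proto: str = "all"
    dport: Optional[int] = None
    state: Optional[str] = None
    phys_in: Optional[str] = None    # "eth1" or "!eth1", as --physdev-in
    phys_out: Optional[str] = None   # likewise, as --physdev-out
    def matches(self, pkt: dict) -> bool:
        def dev(want, have):         # None matches anything, "!" negates
            return want is None or (have != want[1:] if want[0] == "!" else have == want)
        return (self.proto in ("all", pkt["proto"])
                and self.dport in (None, pkt["dport"])
                and self.state in (None, pkt["state"])
                and dev(self.phys_in, pkt["phys_in"])
                and dev(self.phys_out, pkt["phys_out"]))

def traverse(chains: dict, name: str, pkt: dict) -> Optional[str]:
    # First terminating match wins; a user chain that runs off its end returns
    # to the caller; None means the built-in chain's default policy applies.
    for r in chains[name]:
        if not r.matches(pkt):
            continue
        if r.target in ("ACCEPT", "REJECT"):
            return r.target
        v = traverse(chains, r.target, pkt)
        if v:
            return v
    return None

# Subset of RH-Firewall-1-INPUT as listed: tcp/53 allowed, udp/53 not, catch-all REJECT.
RH = [Rule("ACCEPT", state="ESTABLISHED"),
      Rule("ACCEPT", proto="tcp", dport=53, state="NEW"),
      Rule("REJECT")]
JUMP = Rule("RH-Firewall-1-INPUT")
BRIDGE = [Rule("ACCEPT", phys_in="eth1", phys_out="!eth1"),
          Rule("ACCEPT", phys_in="!eth1", phys_out="eth1")]
# Constructed sample: a guest's DNS query entering on its vif (name assumed), leaving via eth1.
DNS_FROM_VM = dict(proto="udp", dport=53, state="NEW", phys_in="vif1.0", phys_out="eth1")

def verdict(forward: list) -> Optional[str]:
    chains = {"FORWARD": forward, "RH-Firewall-1-INPUT": RH}
    return traverse(chains, "FORWARD", DNS_FROM_VM)
def as_posted():        # jump first: the physdev ACCEPTs are never reached
    return verdict([JUMP] + BRIDGE)
def physdev_first():    # bridge rules ahead of the jump (iptables -I FORWARD 1 ...)
    return verdict(BRIDGE + [JUMP])
```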
 
Current Thread:
[Xen-users] so close! just an iptables rule away.....?, Rob Dyke