WARNING - OLD ARCHIVES

This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/

xen-users

Re: [Xen-users] so close! just an iptables rule away.....?

To: xen-users@xxxxxxxxxxxxxxxxxxx
Subject: Re: [Xen-users] so close! just an iptables rule away.....?
From: Michael Best <mbest@xxxxxxxxxxxxx>
Date: Tue, 29 Nov 2005 21:38:27 -0700
Delivery-date: Wed, 30 Nov 2005 04:38:37 +0000
Envelope-to: www-data@xxxxxxxxxxxxxxxxxxx
List-help: <mailto:xen-users-request@lists.xensource.com?subject=help>
List-id: Xen user discussion <xen-users.lists.xensource.com>
List-post: <mailto:xen-users@lists.xensource.com>
List-subscribe: <http://lists.xensource.com/cgi-bin/mailman/listinfo/xen-users>, <mailto:xen-users-request@lists.xensource.com?subject=subscribe>
List-unsubscribe: <http://lists.xensource.com/cgi-bin/mailman/listinfo/xen-users>, <mailto:xen-users-request@lists.xensource.com?subject=unsubscribe>
Sender: xen-users-bounces@xxxxxxxxxxxxxxxxxxx
User-agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.12) Gecko/20050922 Fedora/1.7.12-1.3.1
Hi,

# iptables -L -v -n
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
 8216  809K RH-Firewall-1-INPUT  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            PHYSDEV match --physdev-in eth1 ! --physdev-out eth1
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            PHYSDEV match ! --physdev-in eth1 --physdev-out eth1

The big problem is in the FORWARD chain: the first rule in this chain says jump to the chain RH-Firewall-1-INPUT, and then the subsequent rules are ignored.

So, for instance, in my example system my domU is on bridged interface vif3.0; in order to add the ACCEPT iptables line *before* the jump to RH-Firewall, I had to drop that rule and then insert it back in.

iptables -D FORWARD -j RH-Firewall-1-INPUT
iptables -A FORWARD -m physdev --physdev-in vif3.0 -j ACCEPT
iptables -A FORWARD -j RH-Firewall-1-INPUT

Same basic approach for you: just make sure your rules come before the jump, or drop that rule and then add it back in after the rule changes are done.

I modified my /etc/xen/scripts/vif-common.sh to do this for me. The patch appeared in my last post.

-Mike

_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users
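Added example, not code from the post or from the Xen vif scripts: it reaches the same end state as the three commands above (a per-vif ACCEPT ahead of the RH-Firewall-1-INPUT jump) but uses a positional insert, `iptables -I FORWARD N`, so the jump is never deleted and the FORWARD chain is never left with only its ACCEPT policy in between. The vif name vif3.0 and the chain name are taken from the post; the two listings are constructed to mirror `iptables -L FORWARD -n --line-numbers` output.

```shell
#!/bin/sh
# Added example (not from the original post). Between Mike's -D and the final
# -A, FORWARD holds only its ACCEPT policy, so bridged traffic is forwarded
# unfiltered for that window. Inserting at the jump's rule number avoids it.
# vif3.0 / RH-Firewall-1-INPUT come from the post; listings are constructed.

# Read `iptables -L FORWARD -n --line-numbers` output on stdin and print the
# rule number of the first jump to $1 (prints nothing if there is no jump).
jump_position() {
    awk -v target="$1" '$1 ~ /^[0-9]+$/ && $2 == target { print $1; exit }'
}

# Exit 0 only if an ACCEPT matching --physdev-in $1 sits before the jump to $2.
verify_order() {
    awk -v vif="$1" -v target="$2" '
        $1 !~ /^[0-9]+$/ { next }
        !acc && $2 == "ACCEPT" && index($0, "--physdev-in " vif) &&
            !index($0, "! --physdev-in " vif) { acc = $1 }
        !jmp && $2 == target { jmp = $1 }
        END { exit !(acc && jmp && acc + 0 < jmp + 0) }'
}

# Insert the per-vif ACCEPT directly ahead of the jump (append if the chain
# has no such jump), then confirm the ordering took effect. Needs root.
accept_vif_before_jump() {
    vif="$1"; jump="$2"
    pos=$(iptables -L FORWARD -n --line-numbers | jump_position "$jump")
    if [ -n "$pos" ]; then
        iptables -I FORWARD "$pos" -m physdev --physdev-in "$vif" -j ACCEPT
    else
        iptables -A FORWARD -m physdev --physdev-in "$vif" -j ACCEPT
    fi
    iptables -L FORWARD -n --line-numbers | verify_order "$vif" "$jump"
}

# Constructed listings: the chain as in the post, and after the insert.
BEFORE='Chain FORWARD (policy ACCEPT)
num  target     prot opt source               destination
1    RH-Firewall-1-INPUT  all  --  0.0.0.0/0            0.0.0.0/0
2    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            PHYSDEV match --physdev-in eth1 ! --physdev-out eth1'
AFTER='Chain FORWARD (policy ACCEPT)
num  target     prot opt source               destination
1    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            PHYSDEV match --physdev-in vif3.0
2    RH-Firewall-1-INPUT  all  --  0.0.0.0/0            0.0.0.0/0
3    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            PHYSDEV match --physdev-in eth1 ! --physdev-out eth1'
```

Run `accept_vif_before_jump vif3.0 RH-Firewall-1-INPUT` as root on the dom0; the two helper functions can be exercised offline against the constructed listings.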
