This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/

Re: [Xen-users] Problem start iptables - udp broken

To: "Torsten Lehmann" <tlehmann@xxxxxxxxxxxxx>
Subject: Re: [Xen-users] Problem start iptables - udp broken
From: "Abel Martín" <abel.martin.ruiz@xxxxxxxxx>
Date: Wed, 29 Nov 2006 12:57:46 +0100
Cc: xen-users@xxxxxxxxxxxxxxxxxxx
Delivery-date: Wed, 29 Nov 2006 03:57:59 -0800
Domainkey-signature: a=rsa-sha1; q=dns; c=nofws; s=beta; d=gmail.com; h=received:message-id:date:from:to:subject:cc:in-reply-to:mime-version:content-type:content-transfer-encoding:content-disposition:references; b=SxVOr7BiSQs6WLot2E3tfU9R2qQEC+wFloDUxcKV0In8+gyhYxB+8QyMb0HKCEuCEMgep7/gpxzRQ6LprGCDeGv8XKi5tDFp/eys3PbtMVEmneGF0E6+ZA8jNu8LeTYVP3H+1OXrHPjDA7TmgPO7T/DIUnkmUjC0ANRaj/VEIEs=
Envelope-to: www-data@xxxxxxxxxxxxxxxxxx
In-reply-to: <Pine.LNX.4.53.0611291040480.13401@xxxxxxxxxxxxxxxxx>
List-help: <mailto:xen-users-request@lists.xensource.com?subject=help>
List-id: Xen user discussion <xen-users.lists.xensource.com>
List-post: <mailto:xen-users@lists.xensource.com>
List-subscribe: <http://lists.xensource.com/cgi-bin/mailman/listinfo/xen-users>, <mailto:xen-users-request@lists.xensource.com?subject=subscribe>
List-unsubscribe: <http://lists.xensource.com/cgi-bin/mailman/listinfo/xen-users>, <mailto:xen-users-request@lists.xensource.com?subject=unsubscribe>
References: <E4D4F968E9F97F45B21B72BDCAD8E1B803C126F4@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx> <915136920611280122l588565b2u5845651f0fac3a5e@xxxxxxxxxxxxxx> <20061128110524.M2929@xxxxxxxxxxx> <915136920611280351l5601d05fk72d76eba563ac1db@xxxxxxxxxxxxxx> <Pine.LNX.4.53.0611291040480.13401@xxxxxxxxxxxxxxxxx>
Sender: xen-users-bounces@xxxxxxxxxxxxxxxxxxx
On 11/29/06, Torsten Lehmann <tlehmann@xxxxxxxxxxxxx> wrote:
> Did I understand it correctly?
> On Dom0 I can filter packets to Dom1 when iptables binds to Dom0:peth0
> or Dom0:vif1.0.
>
>            Dom0  Dom1
>            ----  ----
>
>                   eth0
>                    |
>            eth0  vif1.0
>              |     |
>            -------------... Bridge
>            |
>          peth0
>            |
>
> If iptables runs without "-i dev", it binds to eth0 by default.
> It sees no packets from peth0 to Dom1:eth0.

If you want to filter traffic for domU in dom0, I would do something
similar to what is recommended on the Xen Networking wiki, with a slight
difference.

# create a chain for the rules for your domU
iptables -N domU

# process domU rules if traffic enters/leaves the physical net device eth0
# but doesn't leave/enter it again (i.e. it crosses the bridge to a vif)
iptables -A FORWARD -m physdev --physdev-in eth0 --physdev-out '!' eth0 -j domU
iptables -A FORWARD -m physdev --physdev-out eth0 --physdev-in '!' eth0 -j domU

# create specific rules for your domU
iptables -A domU -m udp -p udp --sport 1024:65535 --dport 2049 \
    --source $trusted_IPs --destination $NFS_IP \
    -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A domU -m udp -p udp --destination $trusted_IPs --source $NFS_IP \
    --sport 2049 --dport 1024:65535 \
    -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A domU -j DROP

I've tested these rules with netcat and they work on my machine,
although they don't prevent accessing any service in domU from dom0.
I don't know if your problem has to do with ip_conntrack or NFS itself.
I'm using Xen 2.6.18 on a Debian Sid box.

A curious thing that I found is that running tcpdump on dom0's bridge
or eth0 only shows incoming packets, as you mentioned before.
Surprisingly, the same applies to vif1.0. The traffic flows in both
directions, though. Maybe a libpcap or tcpdump problem? So tcpdump
might not be the right tool to analyze this problem.

Watch out if you have rules in PREROUTING, FORWARD and POSTROUTING
chains, as stated in:
http://wiki.xensource.com/xenwiki/XenNetworking#head-602e26cd4a03b992f3938fe1bea03fa0fea0ed8b
The script you're executing might not suit your needs.

> On xenwiki/XenNetworking I found documentation on configuring
> "bridging" and "routing".
> Where can I find information on the pros and cons (bridging vs. routing)?

Bridging is the default networking setup for Xen. I've never worked
with routed networking in Xen, so I can't give you any useful opinion.

Regards.

_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users
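The following is an added example, not code from the mail above or from the Xen project. It turns the reply's physdev-based domU filter into a small POSIX sh function that emits the ruleset in iptables-restore syntax instead of running iptables directly, so the result can be read and checked before it touches a running dom0. The parameter names are assumptions: <bridge_port> is the bridge port on which frames from the outside arrive (eth0 in the reply's text, peth0 in the quoted diagram), <trusted_cidr> is one network allowed to talk NFS to the domU, and <nfs_ip> is the domU's address. The arguments are validated so that an empty or garbled interface name cannot silently become a rule that matches nothing.

```shell
#!/bin/sh
# Added example (not from the original mail): generate the domU isolation
# ruleset the reply describes as an iptables-restore file. Assumed names:
# <bridge_port> is the bridge port outside frames arrive on (eth0 in the
# reply, peth0 in the diagram), <trusted_cidr> the network allowed to reach
# the NFS domU, <nfs_ip> the domU's address.

# gen_domu_rules <bridge_port> <trusted_cidr> <nfs_ip>
# Prints a complete *filter section in iptables-restore syntax on stdout.
# Returns 1 and prints nothing when an argument is missing or implausible.
gen_domu_rules() {
    if [ $# -ne 3 ]; then
        echo "usage: gen_domu_rules <bridge_port> <trusted_cidr> <nfs_ip>" >&2
        return 1
    fi
    port=$1
    trusted=$2
    nfs=$3
    # Conservative interface-name check: non-empty, and nothing that could
    # be whitespace or a shell metacharacter, so a bad value never turns
    # into an unexpected rule.
    case "$port" in
        ''|*[!A-Za-z0-9_.:-]*)
            echo "gen_domu_rules: bad interface name '$port'" >&2
            return 1 ;;
    esac
    # iptables-restore ignores lines starting with '#', so the comments can
    # stay in the generated file.
    cat <<EOF
*filter
:domU - [0:0]
# Frames that cross the bridge through $port in either direction go to the
# domU chain; frames that both enter and leave via $port never reach a vif
# and are left alone. '! --physdev-out' is the current spelling of the
# reply's '--physdev-out ! $port'.
-A FORWARD -m physdev --physdev-in $port ! --physdev-out $port -j domU
-A FORWARD -m physdev --physdev-out $port ! --physdev-in $port -j domU
# NFS over UDP from the trusted network to the NFS domU ...
-A domU -p udp -m udp --sport 1024:65535 --dport 2049 -s $trusted -d $nfs -m state --state NEW,ESTABLISHED -j ACCEPT
# ... and the replies from the domU back to the trusted network.
-A domU -p udp -m udp --sport 2049 --dport 1024:65535 -s $nfs -d $trusted -m state --state ESTABLISHED,RELATED -j ACCEPT
# Everything else that reached the domU chain is dropped.
-A domU -j DROP
COMMIT
EOF
}

# Stand-alone use (constructed sample values):
#   sh domu-rules.sh peth0 192.168.1.0/24 192.168.1.10 > domu.rules
if [ $# -eq 3 ]; then
    gen_domu_rules "$@"
fi
```

Review the generated file, then load it with `iptables-restore --noflush` so the rest of the filter table is kept; since the two FORWARD rules are appended on every load, load it once. The physdev match only sees bridged frames when bridge netfilter is active (net.bridge.bridge-nf-call-iptables=1, provided by the br_netfilter module on current kernels), which is also why a bare `-i eth0` rule in dom0, as in the quoted question, never sees the peth0-to-vif traffic.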