WARNING - OLD ARCHIVES

This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/

xen-users

Re: [Xen-users] Has anyone successfully set up a dhcp/iptables fire

To: "Gareth Bult" <gareth@xxxxxxxxxxxxx>
Subject: Re: [Xen-users] Has anyone successfully set up a dhcp/iptables firewall in dom0 NATing traffic from domU?
From: "Juergen Schinker" <ba1020@xxxxxxxxxxxxxxxxxxx>
Date: Tue, 12 Feb 2008 12:42:55 -0000 (UTC)
Cc: xen-users@xxxxxxxxxxxxxxxxxxx
Delivery-date: Tue, 12 Feb 2008 04:43:48 -0800
Envelope-to: www-data@xxxxxxxxxxxxxxxxxx
Importance: Normal
In-reply-to: <8334751.16881202818881037.JavaMail.root@zimbra>
List-help: <mailto:xen-users-request@lists.xensource.com?subject=help>
List-id: Xen user discussion <xen-users.lists.xensource.com>
List-post: <mailto:xen-users@lists.xensource.com>
List-subscribe: <http://lists.xensource.com/cgi-bin/mailman/listinfo/xen-users>, <mailto:xen-users-request@lists.xensource.com?subject=subscribe>
List-unsubscribe: <http://lists.xensource.com/cgi-bin/mailman/listinfo/xen-users>, <mailto:xen-users-request@lists.xensource.com?subject=unsubscribe>
References: <8334751.16881202818881037.JavaMail.root@zimbra>
Sender: xen-users-bounces@xxxxxxxxxxxxxxxxxxx
User-agent: SquirrelMail/1.4.10a
> Hi,
>
> For what it's worth I've come to the conclusion that the best policy is to
> run *nothing* in the Dom0 above and beyond what you absolutely need. In my
> case, no iptables whatsoever and nothing listening on a public interface
> save ssh, which is protected by hosts.allow.
> (then run everything else on a second/private eth)
>
Maybe, but most people use a host with iptables, and migrating all services
to DomU is hard, so the easiest way seems to me to be to solve the bug and not
get all users to do a workaround.

I never had a lockout... kernel 2.6.20-xen-r6, Xen 3.1, bridging mode.


> There appears to be a rather nasty bug somewhere in the IP stack, I'm
> thinking it's in conntrack with regards to bridging with Xen in Dom0's,
> which ultimately causes lots of problems including machine lockouts.
>
> Since scrapping iptables I've not had a single lockup. (across 6 machines
> and 18 DomU's)
> [I'm working with kernels 2.6.2x]
>
> hth
> Gareth.
>
>
> ----- Original Message -----
> From: "Juergen Schinker" <ba1020@xxxxxxxxxxxxxxxxxxx>
> To: xen-users@xxxxxxxxxxxxxxxxxxx
> Sent: 12 February 2008 11:47:20 o'clock (GMT) Europe/London
> Subject: Re: [Xen-users] Has anyone successfully set up a dhcp/iptables
>   firewall in dom0 NATing traffic from domU?
>
>> I've been struggling with this problem for a few days now; perhaps
>> someone here has had experience with this problem already.  I am trying
>> to set up a rack server like this:
>>
>> dom0: iptables/dhcp
>> dom1: LAMP server
>> dom2: MAIL server
>> dom3: VNC vm for graphical admin and web tools
>>
>> Dom0 has one physical interface eth0 which receives a static IP. I have
>> also set up a bridge called br0 that I have bound dnsmasq to in order to
>> dole out IPs to the domUs.  The domUs are assigned a MAC address and
>> once they boot dhclient requests an IP over 192.168.0.1, which works
>> well.  Once the domU has booted I can ping the other domUs by IP and
>> the br0 itself at 192.168.0.1 as well as accessing all the servers in
>> the domUs in my internal network, i.e. I can hit the webserver in dom1
>> from dom3.  I can also ping external sites by domain name like
>> google.com.  Unfortunately that is about all I can do.  I cannot access
>> any other form of net traffic from inside the domU, i.e. I cannot access
>> the web or rsync.  My question is basically, is this a problem with Xen
>> networking or is it a problem with iptables?  Both?
>>
>>  - Rich
>>
>> _______________________________________________
>> Xen-users mailing list
>> Xen-users@xxxxxxxxxxxxxxxxxxx
>> http://lists.xensource.com/xen-users
>>
>>
> Yes here http://homie.homelinux.net/wordpress/?p=11
>
>
>
>
>
> _______________________________________________
> Xen-users mailing list
> Xen-users@xxxxxxxxxxxxxxxxxxx
> http://lists.xensource.com/xen-users
>
>



_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users
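As an added example (not code from any message in this thread): a generator for a dom0 iptables ruleset matching the layout Rich describes (eth0 public, br0 with dnsmasq at 192.168.0.1 handing out 192.168.0.0/24 to the domUs), plus a check of a saved ruleset for the three things a domU needs for outbound TCP, which is where to look first when ICMP and DNS work but web and rsync do not. Interface names and the subnet are taken from his mail; the ssh-only INPUT policy and everything else are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread). Emits an iptables-restore ruleset for a
# dom0 NATing a domU bridge out through its public interface. Interface names
# and the 192.168.0.0/24 subnet follow Rich's setup; everything else is assumed.
gen_dom0_nat_rules() {
  wan="$1"; lan="$2"; lan_net="$3"
  cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# rewrite domU sources to dom0's public address on the way out
-A POSTROUTING -s ${lan_net} -o ${wan} -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# dnsmasq (DNS + DHCP) answers only on the bridge, never on ${wan}
-A INPUT -i ${lan} -p udp -m multiport --dports 53,67 -j ACCEPT
-A INPUT -i ${lan} -p tcp --dport 53 -j ACCEPT
# ssh is the only service exposed on the public side
-A INPUT -i ${wan} -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
# domU -> internet for any protocol; internet -> domU only as replies
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i ${lan} -o ${wan} -s ${lan_net} -j ACCEPT
COMMIT
EOF
}

# Given saved rules (iptables-save output), confirm the three pieces a domU
# needs for outbound TCP: MASQUERADE on the WAN side, a bridge->WAN FORWARD
# rule not restricted to icmp, and a FORWARD rule for the return traffic.
# Prints the first gap found and returns 1.
check_domu_egress() {
  rules="$1"; wan="$2"; lan="$3"
  printf '%s\n' "$rules" | grep -q -- "-A POSTROUTING .*-o ${wan} -j MASQUERADE" \
    || { echo "missing: MASQUERADE on ${wan}"; return 1; }
  printf '%s\n' "$rules" | grep -- "-A FORWARD -i ${lan} -o ${wan}" | grep -qv -- "-p icmp" \
    || { echo "missing: FORWARD ${lan}->${wan} for non-icmp traffic"; return 1; }
  printf '%s\n' "$rules" | grep -q -- "-A FORWARD .*ESTABLISHED,RELATED -j ACCEPT" \
    || { echo "missing: FORWARD rule for return traffic"; return 1; }
  echo "ok: ${lan}->${wan} egress rules present"
}

rules=$(gen_dom0_nat_rules eth0 br0 192.168.0.0/24)   # load with iptables-restore
check_domu_egress "$rules" eth0 br0
```

Forwarding also needs net.ipv4.ip_forward=1, and on a bridging dom0 the bridged domU-to-domU frames traverse these same chains while bridge-nf-call-iptables is enabled, which is the path Gareth's conntrack remark concerns.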
