Hi Todd,
As I forgot some answers to your questions in my previous reply and had
no time yesterday to complete it, I do so today. Sorry for the delay.
You'll find enclosed the configuration files you requested
(xend-config.sxp, and the 2 DomUs' config files).
You'll also find a doc (txt file) which states all the networking status
with no DomU running, 1 DomU and 2 DomUs running.
Hope this helps,
NB: I made a third DomU which is not routable when the other DomUs
are running. When I stopped the other DomUs it became routable.
It seems to me that I can only run 2 Doms together (Dom0 + 1 DomU or 2
DomUs).
Todd Deshane wrote:
On Fri, Aug 1, 2008 at 4:32 AM, Stéphane Cesbron
<Stephane.Cesbron@xxxxxxxxx> wrote:
Hi,
I've got a CentOS 5.2 server running xen 3.0 with 2 DomUs also running
CentOS 5.2.
All my boxes are up-to date.
I'm experiencing trouble with networking.
Dom0 can reach the outside world when no DomUs are started. It can also reach
the outside world when only one DomU is running.
The troubles begin when I start the second DomU. At first, this new DomU,
called DomU2, can't get outside. (at the time Dom0 and DomU1 are still
reachable from outside).
Once I get connected to DomU2 (console mode, xm console DomU2) and try to
get outside, I'll get through after a small amount of time. Nevertheless,
this causes Dom0 to stop being reachable from the outside.
Therefore when my two DomUs are running, they are running fine and I can
reach them with SSH, but Dom0 becomes unreachable. After some time it changes:
Dom0 becomes reachable again and one of the 2 DomUs becomes unreachable from
the outside. It is completely random, but there's still one of the Doms which
is unreachable. It depends on the one I'm connected to!
BUT being connected to the console on the server, I can reach each DomU
(DomU1 and DomU2) from Dom0 or reach Dom0 from each DomU (DomU1 and DomU2).
I have helped myself with some tutorials but can't get through my difficulties:
http://wiki.xensource.com/xenwiki/XenNetworking
http://doc.fedora-fr.org/wiki/Xen_et_le_réseau
http://www.shorewall.net/XenMyWay.html => Xen and the Art of Consolidation
Nevertheless, I can't get through my troubles.
Here's the result of the ifconfig command when everything is started (DomUs + Dom0):
eth0      Link encap:Ethernet  HWaddr 00:21:85:32:CA:8E
          inet adr:172.20.25.2  Bcast:172.20.25.255  Masque:255.255.255.0
          adr inet6: fe80::221:85ff:fe32:ca8e/64 Scope:Lien
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:88446 errors:0 dropped:0 overruns:0 frame:0
          TX packets:2906 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 lg file transmission:0
          RX bytes:6888620 (6.5 MiB)  TX bytes:189520 (185.0 KiB)

lo        Link encap:Boucle locale
          inet adr:127.0.0.1  Masque:255.0.0.0
          adr inet6: ::1/128 Scope:Hôte
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:34 errors:0 dropped:0 overruns:0 frame:0
          TX packets:34 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 lg file transmission:0
          RX bytes:7010 (6.8 KiB)  TX bytes:7010 (6.8 KiB)

peth0     Link encap:Ethernet  HWaddr FE:FF:FF:FF:FF:FF
          adr inet6: fe80::fcff:ffff:feff:ffff/64 Scope:Lien
          UP BROADCAST RUNNING NOARP  MTU:1500  Metric:1
          RX packets:25871448 errors:0 dropped:0 overruns:0 frame:0
          TX packets:5396663 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 lg file transmission:100
          RX bytes:31027675382 (28.8 GiB)  TX bytes:434789497 (414.6 MiB)
          Mémoire:de340000-de360000

vif0.0    Link encap:Ethernet  HWaddr FE:FF:FF:FF:FF:FF
          adr inet6: fe80::fcff:ffff:feff:ffff/64 Scope:Lien
          UP BROADCAST RUNNING NOARP  MTU:1500  Metric:1
          RX packets:2906 errors:0 dropped:0 overruns:0 frame:0
          TX packets:88446 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 lg file transmission:0
          RX bytes:189520 (185.0 KiB)  TX bytes:6888620 (6.5 MiB)

vif1.0    Link encap:Ethernet  HWaddr FE:FF:FF:FF:FF:FF
          adr inet6: fe80::fcff:ffff:feff:ffff/64 Scope:Lien
          UP BROADCAST RUNNING NOARP  MTU:1500  Metric:1
          RX packets:1886 errors:0 dropped:0 overruns:0 frame:0
          TX packets:86964 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 lg file transmission:32
          RX bytes:127848 (124.8 KiB)  TX bytes:6453003 (6.1 MiB)

vif2.0    Link encap:Ethernet  HWaddr FE:FF:FF:FF:FF:FF
          adr inet6: fe80::fcff:ffff:feff:ffff/64 Scope:Lien
          UP BROADCAST RUNNING NOARP  MTU:1500  Metric:1
          RX packets:5389130 errors:0 dropped:0 overruns:0 frame:0
          TX packets:10150353 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 lg file transmission:32
          RX bytes:358810111 (342.1 MiB)  TX bytes:15229333872 (14.1 GiB)

virbr0    Link encap:Ethernet  HWaddr 00:00:00:00:00:00
          inet adr:192.168.122.1  Bcast:192.168.122.255  Masque:255.255.255.0
          adr inet6: fe80::200:ff:fe00:0/64 Scope:Lien
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:44 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 lg file transmission:0
          RX bytes:0 (0.0 b)  TX bytes:8758 (8.5 KiB)

xenbr0    Link encap:Ethernet  HWaddr FE:FF:FF:FF:FF:FF
          UP BROADCAST RUNNING NOARP  MTU:1500  Metric:1
          RX packets:84790 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 lg file transmission:0
          RX bytes:4982000 (4.7 MiB)  TX bytes:0 (0.0 b)
I can't understand why the MAC address of peth0 is different from that
of eth0. virbr0 seems to be useless. These should be the same, shouldn't they?
peth0's MAC address and xenbr0's MAC address are the same, which seems
logical to me. Am I wrong?
Can anyone help ?
Any suggestions will be greatly appreciated.
What is the output of:
brctl show
ip route list
with 0, 1 and 2 domUs running?
The networking parts of xend-config.sxp and the vif lines in your
domUs might be useful.
Cheers.
Todd
Kind regards,
--
Stéphane Cesbron
Regional IT Manager,
INSERM ADR Grand-Ouest,
BRETAGNE, PAYS DE LA LOIRE et CENTRE
63, quai Magellan
3rd floor - Hall B
B.P. 32116
44021 Nantes cedex 1
Email: stephane.cesbron@xxxxxxxxx
Tel: 02.40.20.92.28
Mobile: 06.78.68.76.39
-----------------------------------------------------------------
This message and all attachments are intended exclusively for their
addressees and may be confidential or privileged. As the Internet cannot
guarantee the integrity of this message, INSERM declines all liability for
this message should it have been altered. Any use of this message not in
accordance with its purpose, and any distribution or publication, in whole
or in part, is prohibited without express authorisation. If you receive this
message in error, please delete it and notify the sender immediately. Thank you.
The information transmitted is intended exclusively for the person or entity
to which it is addressed and may contain confidential and/or privileged
material. Any disclosure, copying, distribution or other action based upon
the information by persons or entities other than the intended recipient is
prohibited. If you receive this information in error, please contact the
sender and delete the material from any and all computers.
_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users
# -*- sh -*-
#
# Xend configuration file.
#
# This example configuration is appropriate for an installation that
# utilizes a bridged network configuration. Access to xend via http
# is disabled.
# Commented out entries show the default for that entry, unless otherwise
# specified.
#(logfile /var/log/xen/xend.log)
#(loglevel DEBUG)
#(xend-http-server no)
(xend-unix-server yes)
#(xend-tcp-xmlrpc-server no)
#(xend-unix-xmlrpc-server yes)
#(xend-relocation-server no)
# The relocation server should be kept deactivated unless using a trusted
# network: the domain's virtual memory is exchanged in raw form without
# encryption of the communication. See also the xend-relocation-hosts-allow option.
(xend-unix-path /var/lib/xend/xend-socket)
# Port xend should use for the HTTP interface, if xend-http-server is set.
#(xend-port 8000)
# Port xend should use for the relocation interface, if xend-relocation-server
# is set.
#(xend-relocation-port 8002)
# Address xend should listen on for HTTP connections, if xend-http-server is
# set.
# Specifying 'localhost' prevents remote connections.
# Specifying the empty string '' (the default) allows all connections.
#(xend-address '')
#(xend-address localhost)
# Address xend should listen on for relocation-socket connections, if
# xend-relocation-server is set.
# Meaning and default as for xend-address above.
#(xend-relocation-address '')
# The hosts allowed to talk to the relocation port. If this is empty (the
# default), then all connections are allowed (assuming that the connection
# arrives on a port and interface on which we are listening; see
# xend-relocation-port and xend-relocation-address above). Otherwise, this
# should be a space-separated sequence of regular expressions. Any host with
# a fully-qualified domain name or an IP address that matches one of these
# regular expressions will be accepted.
#
# For example:
# (xend-relocation-hosts-allow '^localhost$ ^.*\.example\.org$')
#
#(xend-relocation-hosts-allow '')
(xend-relocation-hosts-allow '^localhost$ ^localhost\\.localdomain$')
# The limit (in kilobytes) on the size of the console buffer
#(console-limit 1024)
##
# To bridge network traffic, like this:
#
# dom0: fake eth0 -> vif0.0 -+
#                            |
#                          bridge -> real eth0 -> the network
#                            |
# domU: fake eth0 -> vifN.0 -+
#
# use
#
# (network-script network-bridge)
#
# Your default ethernet device is used as the outgoing interface, by default.
# To use a different one (e.g. eth1) use
#
# (network-script 'network-bridge netdev=eth1')
#
# The bridge is named xenbr0, by default. To rename the bridge, use
#
# (network-script 'network-bridge bridge=<name>')
#
# It is possible to use the network-bridge script in more complicated
# scenarios, such as having two outgoing interfaces, with two bridges, and
# two fake interfaces per guest domain. To do things like this, write
# yourself a wrapper script, and call network-bridge from it, as appropriate.
#
(network-script network-bridge)
#(network-script /bin/true)
# The script used to control virtual interfaces. This can be overridden on a
# per-vif basis when creating a domain or a configuring a new vif. The
# vif-bridge script is designed for use with the network-bridge script, or
# similar configurations.
#
# If you have overridden the bridge name using
# (network-script 'network-bridge bridge=<name>') then you may wish to do the
# same here. The bridge name can also be set when creating a domain or
# configuring a new vif, but a value specified here would act as a default.
#
# If you are using only one bridge, the vif-bridge script will discover that,
# so there is no need to specify it explicitly.
#
(vif-script vif-bridge)
## Use the following if network traffic is routed, as an alternative to the
# settings for bridged networking given above.
#(network-script network-route)
#(vif-script vif-route)
## Use the following if network traffic is routed with NAT, as an alternative
# to the settings for bridged networking given above.
#(network-script network-nat)
#(vif-script vif-nat)
# Dom0 will balloon out when needed to free memory for domU.
# dom0-min-mem is the lowest memory level (in MB) dom0 will get down to.
# If dom0-min-mem=0, dom0 will never balloon out.
(dom0-min-mem 256)
# In an SMP system, dom0 will use dom0-cpus # of CPUs
# If dom0-cpus = 0, dom0 will take all cpus available
(dom0-cpus 0)
# Whether to enable core-dumps when domains crash.
#(enable-dump no)
# The tool used for initiating virtual TPM migration
#(external-migration-tool '')
# The interface for VNC servers to listen on. Defaults
# to 127.0.0.1 To restore old 'listen everywhere' behaviour
# set this to 0.0.0.0
#(vnc-listen '127.0.0.1')
# The default password for VNC console on HVM domain.
# Empty string is no authentication.
(vncpasswd '')
# The VNC server can be told to negotiate a TLS session
# to encrypt all traffic, and provide an x509 cert to
# clients enabling them to verify server identity. The
# GTK-VNC widget, virt-viewer, virt-manager and VeNCrypt
# all support the VNC extension for TLS used in QEMU. The
# TightVNC/RealVNC/UltraVNC clients do not.
#
# To enable this create x509 certificates / keys in the
# directory /etc/xen/vnc
#
# ca-cert.pem - The CA certificate
# server-cert.pem - The Server certificate signed by the CA
# server-key.pem - The server private key
#
# and then uncomment this next line
# (vnc-tls 1)
#
# The certificate dir can be pointed elsewhere..
#
# (vnc-x509-cert-dir /etc/xen/vnc)
#
# The server can be told to request & validate an x509
# certificate from the client. Only clients with a cert
# signed by the trusted CA will be able to connect. This
# is more secure than password auth alone. Passwd auth can
# be used at the same time if desired. To enable client cert
# checking uncomment this:
#
# (vnc-x509-verify 1)
# Allow probing of disk image file format. This is insecure! It lets
# a malicious domU read any file in dom0. Applies only to fully
# virtual domUs. Required for using formats other than raw.
#(enable-image-format-probing no)
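As an added example (not code from the thread or from the Xen project), a small Python checker that reads lines in this xend-config.sxp format, treats commented-out entries as the documented defaults, and flags the settings the file's own comments warn about: the relocation server with an empty hosts-allow or listening everywhere, the HTTP interface open to remote addresses, image format probing, and VNC consoles on 0.0.0.0 without a password or TLS. The two embedded sample configs are the thread's active lines and a constructed risky counterpart.

```python
"""Lint an xend-config.sxp for the settings its own comments call out as risky.

Added example for this thread; not code from the Xen project. The defaults
below are the ones documented in the file's comments (xend-relocation-server
off, xend-address '' = listen everywhere, vnc-listen 127.0.0.1, ...).
"""
import re
import sys
from typing import Dict, List

# Documented defaults, used for every entry that is commented out or absent.
DEFAULTS: Dict[str, str] = {
    "xend-http-server": "no",
    "xend-address": "",
    "xend-relocation-server": "no",
    "xend-relocation-address": "",
    "xend-relocation-hosts-allow": "",
    "vnc-listen": "127.0.0.1",
    "vncpasswd": "",
    "vnc-tls": "0",
    "enable-image-format-probing": "no",
}

# One top-level s-expression per line: (key value), value optionally 'quoted'.
_ENTRY = re.compile(r"^\(\s*([\w-]+)\s*(.*?)\s*\)$")

def parse_sxp(text: str) -> Dict[str, str]:
    """Return the active entries of the config, merged over the documented defaults."""
    settings = dict(DEFAULTS)
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                      # comments only document defaults
        match = _ENTRY.match(line)
        if not match:
            continue
        key, value = match.group(1), match.group(2)
        if len(value) >= 2 and value[0] == value[-1] == "'":
            value = value[1:-1]           # '' means the empty string
        settings[key] = value
    return settings

def is_on(value: str) -> bool:
    return value.lower() in ("yes", "1", "true")

def check_settings(cfg: Dict[str, str]) -> List[str]:
    """Findings, each grounded in a warning from the stock file's comments."""
    findings: List[str] = []
    if is_on(cfg["xend-relocation-server"]):
        if cfg["xend-relocation-hosts-allow"] == "":
            findings.append("relocation: hosts-allow is empty, any host may move "
                            "domain memory in the clear")
        if cfg["xend-relocation-address"] == "":
            findings.append("relocation: listening on all addresses")
    if is_on(cfg["xend-http-server"]) and cfg["xend-address"] not in ("localhost", "127.0.0.1"):
        findings.append("http: management interface accepts remote connections")
    if is_on(cfg["enable-image-format-probing"]):
        findings.append("image probing: a malicious HVM domU can read any dom0 file")
    if cfg["vnc-listen"] == "0.0.0.0" and cfg["vncpasswd"] == "" and not is_on(cfg["vnc-tls"]):
        findings.append("vnc: consoles reachable from the network without password or TLS")
    return findings

# Active lines of the xend-config.sxp attached to this thread.
THREAD_CONFIG = r"""
#(xend-http-server no)
(xend-unix-server yes)
#(xend-relocation-server no)
(xend-unix-path /var/lib/xend/xend-socket)
(xend-relocation-hosts-allow '^localhost$ ^localhost\\.localdomain$')
(network-script network-bridge)
(vif-script vif-bridge)
(dom0-min-mem 256)
(vncpasswd '')
"""

# Constructed counter-example: every documented warning triggered at once.
RISKY_CONFIG = """
(xend-http-server yes)
(xend-address '')
(xend-relocation-server yes)
(xend-relocation-hosts-allow '')
(vnc-listen '0.0.0.0')
(vncpasswd '')
(enable-image-format-probing yes)
"""

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else RISKY_CONFIG
    for finding in check_settings(parse_sxp(text)) or ["no findings"]:
        print(finding)
```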
name = "fwb"
uuid = "f990d210-2a76-6fa9-5130-b80a207baa89"
maxmem = 1024
memory = 1024
vcpus = 1
bootloader = "/usr/bin/pygrub"
on_poweroff = "destroy"
on_reboot = "restart"
on_crash = "restart"
vfb = [ ]
disk = [ "tap:aio:/var/lib/xen/images/fwb.img,xvda,w" ]
vif = [ "mac=00:16:3e:1c:0f:0b,bridge=xenbr0" ]

name = "virt-geko"
uuid = "bd4497d9-6613-f595-fae1-4bf8bc4aea33"
maxmem = 1024
memory = 1024
vcpus = 1
bootloader = "/usr/bin/pygrub"
on_poweroff = "destroy"
on_reboot = "restart"
on_crash = "restart"
vfb = [ ]
disk = [ "tap:aio:/var/lib/xen/images/virt-geko.img,xvda,w" ]
vif = [ "mac=00:16:3e:16:ee:d4,bridge=xenbr0" ]
***************************************************************************************************************************************************
WITHOUT ANY DOMUS, ONLY DOM0 (XEND OFF + LIBVIRTD OFF)
***************************************************************************************************************************************************
[scesbron@virts ~]$ ip route list
172.20.25.0/24 dev eth0 proto kernel scope link src 172.20.25.2
169.254.0.0/16 dev eth0 scope link
default via 172.20.25.1 dev eth0
[scesbron@virts ~]$ ifconfig
eth0 Link encap:Ethernet HWaddr 00:21:85:32:CA:8E
inet adr:172.20.25.2 Bcast:172.20.25.255 Masque:255.255.255.0
adr inet6: fe80::221:85ff:fe32:ca8e/64 Scope:Lien
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:358 errors:0 dropped:0 overruns:0 frame:0
TX packets:116 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 lg file transmission:100
RX bytes:34055 (33.2 KiB) TX bytes:17535 (17.1 KiB)
Mémoire:de340000-de360000
lo Link encap:Boucle locale
inet adr:127.0.0.1 Masque:255.0.0.0
adr inet6: ::1/128 Scope:Hôte
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:8 errors:0 dropped:0 overruns:0 frame:0
TX packets:8 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 lg file transmission:0
RX bytes:560 (560.0 b) TX bytes:560 (560.0 b)
[root@virts ~]# /root/verif_iptables.sh
Table filter
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num  pkts bytes target               prot opt in     out    source            destination
1       1    40 RH-Firewall-1-INPUT  all  --  *      *      0.0.0.0/0         0.0.0.0/0

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num  pkts bytes target               prot opt in     out    source            destination
1       0     0 RH-Firewall-1-INPUT  all  --  *      *      0.0.0.0/0         0.0.0.0/0

Chain OUTPUT (policy ACCEPT 192 packets, 22587 bytes)
num  pkts bytes target               prot opt in     out    source            destination

Chain RH-Firewall-1-INPUT (2 references)
num  pkts bytes target               prot opt in     out    source            destination
1       0     0 ACCEPT               all  --  lo     *      0.0.0.0/0         0.0.0.0/0
2       0     0 ACCEPT               icmp --  *      *      0.0.0.0/0         0.0.0.0/0         icmp type 255
3       0     0 ACCEPT               esp  --  *      *      0.0.0.0/0         0.0.0.0/0
4       0     0 ACCEPT               ah   --  *      *      0.0.0.0/0         0.0.0.0/0
5       0     0 ACCEPT               udp  --  *      *      0.0.0.0/0         224.0.0.251       udp dpt:5353
6       0     0 ACCEPT               udp  --  *      *      0.0.0.0/0         0.0.0.0/0         udp dpt:631
7       0     0 ACCEPT               tcp  --  *      *      0.0.0.0/0         0.0.0.0/0         tcp dpt:631
8       1    40 ACCEPT               all  --  *      *      0.0.0.0/0         0.0.0.0/0         state RELATED,ESTABLISHED
9       0     0 ACCEPT               tcp  --  *      *      0.0.0.0/0         0.0.0.0/0         state NEW tcp dpt:22
10      0     0 REJECT               all  --  *      *      0.0.0.0/0         0.0.0.0/0         reject-with icmp-host-prohibited
[root@virts ~]# cat /root/verif_iptables.sh
#!/bin/bash
# For each loaded table: zero its counters, then list it with rule numbers.
for TABLE in $(sort /proc/net/ip_tables_names); do
    iptables -Z -t "$TABLE"; echo "Table $TABLE"
    iptables -v -n --line-numbers -t "$TABLE" -L
done
[root@virts ~]# brctl show
bridge name bridge id STP enabled interfaces
[root@virts ~]#
***************************************************************************************************************************************************
***************************************************************************************************************************************************
***************************************************************************************************************************************************
WITHOUT ANY DOMUS, ONLY DOM0 BUT WITH LIBVIRTD ON AND XEND ON
***************************************************************************************************************************************************
[root@virts ~]# xm list
Name ID Mem(MiB) VCPUs State Time(s)
Domain-0 0 2990 4 r----- 22.1
[scesbron@virts ~]$ ifconfig
eth0 Link encap:Ethernet HWaddr 00:21:85:32:CA:8E
inet adr:172.20.25.2 Bcast:172.20.25.255 Masque:255.255.255.0
adr inet6: fe80::221:85ff:fe32:ca8e/64 Scope:Lien
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:397 errors:0 dropped:0 overruns:0 frame:0
TX packets:65 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 lg file transmission:0
RX bytes:41429 (40.4 KiB) TX bytes:15385 (15.0 KiB)
lo Link encap:Boucle locale
inet adr:127.0.0.1 Masque:255.0.0.0
adr inet6: ::1/128 Scope:Hôte
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:8 errors:0 dropped:0 overruns:0 frame:0
TX packets:8 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 lg file transmission:0
RX bytes:560 (560.0 b) TX bytes:560 (560.0 b)
peth0 Link encap:Ethernet HWaddr FE:FF:FF:FF:FF:FF
adr inet6: fe80::fcff:ffff:feff:ffff/64 Scope:Lien
UP BROADCAST RUNNING NOARP MTU:1500 Metric:1
RX packets:729 errors:0 dropped:0 overruns:0 frame:0
TX packets:111 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 lg file transmission:100
RX bytes:76597 (74.8 KiB) TX bytes:24339 (23.7 KiB)
Mémoire:de340000-de360000
vif0.0 Link encap:Ethernet HWaddr FE:FF:FF:FF:FF:FF
adr inet6: fe80::fcff:ffff:feff:ffff/64 Scope:Lien
UP BROADCAST RUNNING NOARP MTU:1500 Metric:1
RX packets:71 errors:0 dropped:0 overruns:0 frame:0
TX packets:400 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 lg file transmission:0
RX bytes:17737 (17.3 KiB) TX bytes:41609 (40.6 KiB)
virbr0 Link encap:Ethernet HWaddr 00:00:00:00:00:00
inet adr:192.168.122.1 Bcast:192.168.122.255 Masque:255.255.255.0
adr inet6: fe80::200:ff:fe00:0/64 Scope:Lien
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:28 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 lg file transmission:0
RX bytes:0 (0.0 b) TX bytes:8216 (8.0 KiB)
xenbr0 Link encap:Ethernet HWaddr FE:FF:FF:FF:FF:FF
UP BROADCAST RUNNING NOARP MTU:1500 Metric:1
RX packets:302 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 lg file transmission:0
RX bytes:30809 (30.0 KiB) TX bytes:0 (0.0 b)
[scesbron@virts ~]$ ip route list
172.20.25.0/24 dev eth0 proto kernel scope link src 172.20.25.2
192.168.122.0/24 dev virbr0 proto kernel scope link src 192.168.122.1
169.254.0.0/16 dev eth0 scope link
default via 172.20.25.1 dev eth0
[scesbron@virts ~]$
[root@virts ~]# /root/verif_iptables.sh
Table filter
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num  pkts bytes target               prot opt in     out    source            destination
1       0     0 ACCEPT               udp  --  virbr0 *      0.0.0.0/0         0.0.0.0/0         udp dpt:53
2       0     0 ACCEPT               tcp  --  virbr0 *      0.0.0.0/0         0.0.0.0/0         tcp dpt:53
3       0     0 ACCEPT               udp  --  virbr0 *      0.0.0.0/0         0.0.0.0/0         udp dpt:67
4       0     0 ACCEPT               tcp  --  virbr0 *      0.0.0.0/0         0.0.0.0/0         tcp dpt:67
5       1    40 RH-Firewall-1-INPUT  all  --  *      *      0.0.0.0/0         0.0.0.0/0

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num  pkts bytes target               prot opt in     out    source            destination
1       0     0 ACCEPT               all  --  *      virbr0 0.0.0.0/0         192.168.122.0/24  state RELATED,ESTABLISHED
2       0     0 ACCEPT               all  --  virbr0 *      192.168.122.0/24  0.0.0.0/0
3       0     0 ACCEPT               all  --  virbr0 virbr0 0.0.0.0/0         0.0.0.0/0
4       0     0 REJECT               all  --  *      virbr0 0.0.0.0/0         0.0.0.0/0         reject-with icmp-port-unreachable
5       0     0 REJECT               all  --  virbr0 *      0.0.0.0/0         0.0.0.0/0         reject-with icmp-port-unreachable
6       0     0 RH-Firewall-1-INPUT  all  --  *      *      0.0.0.0/0         0.0.0.0/0

Chain OUTPUT (policy ACCEPT 167 packets, 27600 bytes)
num  pkts bytes target               prot opt in     out    source            destination

Chain RH-Firewall-1-INPUT (2 references)
num  pkts bytes target               prot opt in     out    source            destination
1       0     0 ACCEPT               all  --  lo     *      0.0.0.0/0         0.0.0.0/0
2       0     0 ACCEPT               icmp --  *      *      0.0.0.0/0         0.0.0.0/0         icmp type 255
3       0     0 ACCEPT               esp  --  *      *      0.0.0.0/0         0.0.0.0/0
4       0     0 ACCEPT               ah   --  *      *      0.0.0.0/0         0.0.0.0/0
5       0     0 ACCEPT               udp  --  *      *      0.0.0.0/0         224.0.0.251       udp dpt:5353
6       0     0 ACCEPT               udp  --  *      *      0.0.0.0/0         0.0.0.0/0         udp dpt:631
7       0     0 ACCEPT               tcp  --  *      *      0.0.0.0/0         0.0.0.0/0         tcp dpt:631
8       1    40 ACCEPT               all  --  *      *      0.0.0.0/0         0.0.0.0/0         state RELATED,ESTABLISHED
9       0     0 ACCEPT               tcp  --  *      *      0.0.0.0/0         0.0.0.0/0         state NEW tcp dpt:22
10      0     0 REJECT               all  --  *      *      0.0.0.0/0         0.0.0.0/0         reject-with icmp-host-prohibited

Table nat
Chain PREROUTING (policy ACCEPT 242 packets, 32140 bytes)
num  pkts bytes target               prot opt in     out    source            destination

Chain POSTROUTING (policy ACCEPT 2 packets, 215 bytes)
num  pkts bytes target               prot opt in     out    source            destination
1       0     0 MASQUERADE           all  --  *      *      192.168.122.0/24  0.0.0.0/0

Chain OUTPUT (policy ACCEPT 2 packets, 215 bytes)
num  pkts bytes target               prot opt in     out    source            destination
[root@virts ~]#
[root@virts ~]# brctl show
bridge name bridge id STP enabled interfaces
virbr0 8000.000000000000 yes
xenbr0 8000.feffffffffff no peth0
vif0.0
[root@virts ~]# brctl showmacs virbr0
port no mac addr is local? ageing timer
[root@virts ~]# brctl showmacs xenbr0
port no mac addr is local? ageing timer
2 00:00:85:83:0d:1f no 33.69
2 00:14:38:dd:b6:6c no 93.79
2 00:14:38:df:a9:25 no 93.79
2 00:14:5e:88:3a:ac no 150.64
2 00:15:17:11:d0:60 no 43.46
2 00:15:17:12:11:24 no 12.46
2 00:18:8b:08:62:44 no 44.20
2 00:18:8b:08:80:9c no 112.25
2 00:18:8b:08:84:4f no 200.36
2 00:18:8b:08:85:3b no 4.46
2 00:18:8b:08:85:7b no 75.43
2 00:18:8b:08:85:ae no 92.02
2 00:18:8b:08:86:27 no 2.03
2 00:18:8b:08:8c:a9 no 75.72
2 00:18:8b:08:8c:ed no 155.26
2 00:18:8b:08:8d:30 no 102.28
2 00:18:8b:25:9e:f8 no 228.27
2 00:18:8b:27:b3:9a no 152.29
2 00:18:8b:27:d5:38 no 109.42
2 00:18:8b:27:e4:1d no 43.45
2 00:18:fe:9e:0a:6c no 153.91
2 00:19:30:6f:ca:8f no 9.22
2 00:19:b9:67:8a:8f no 0.00
2 00:1a:a0:98:01:04 no 18.77
2 00:1a:a0:ae:54:25 no 171.33
2 00:1a:e2:bc:ca:57 no 52.35
2 00:1a:e2:ca:5f:00 no 2.64
2 00:1a:e3:4d:1b:0a no 0.08
2 00:1a:e3:4d:1b:43 no 165.93
2 00:1b:2a:20:44:4c no 3.65
2 00:1b:2a:20:b1:a2 no 186.50
2 00:1b:2a:89:97:a4 no 197.38
2 00:1b:2a:89:ab:d0 no 73.64
2 00:1b:53:39:b3:00 no 27.97
2 00:1c:ee:04:ef:4c no 70.74
1 00:21:85:32:ca:8e no 0.00
2 08:00:1f:82:7d:a3 no 93.79
1 fe:ff:ff:ff:ff:ff yes 0.00
[root@virts ~]#
***************************************************************************************************************************************************
***************************************************************************************************************************************************
***************************************************************************************************************************************************
DOM0 STARTED + 1 DOMU (FWB)
***************************************************************************************************************************************************
[root@virts ~]# cat /etc/xen/fwb
name = "fwb"
uuid = "f990d210-2a76-6fa9-5130-b80a207baa89"
maxmem = 1024
memory = 1024
vcpus = 1
bootloader = "/usr/bin/pygrub"
on_poweroff = "destroy"
on_reboot = "restart"
on_crash = "restart"
vfb = [ ]
disk = [ "tap:aio:/var/lib/xen/images/fwb.img,xvda,w" ]
vif = [ "mac=00:16:3e:1c:0f:0b,bridge=xenbr0" ]
[root@virts ~]#
[root@virts ~]# xm create fwb
Using config file "/etc/xen/fwb".
Started domain fwb
[root@virts ~]# xm list
Name ID Mem(MiB) VCPUs State Time(s)
Domain-0 0 2990 4 r----- 24.8
fwb 3 1023 1 -b---- 11.4
[root@virts ~]#
[root@virts ~]# ifconfig
eth0 Link encap:Ethernet HWaddr 00:21:85:32:CA:8E
inet adr:172.20.25.2 Bcast:172.20.25.255 Masque:255.255.255.0
adr inet6: fe80::221:85ff:fe32:ca8e/64 Scope:Lien
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:2107 errors:0 dropped:0 overruns:0 frame:0
TX packets:413 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 lg file transmission:0
RX bytes:217391 (212.2 KiB) TX bytes:62505 (61.0 KiB)
lo Link encap:Boucle locale
inet adr:127.0.0.1 Masque:255.0.0.0
adr inet6: ::1/128 Scope:Hôte
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:8 errors:0 dropped:0 overruns:0 frame:0
TX packets:8 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 lg file transmission:0
RX bytes:560 (560.0 b) TX bytes:560 (560.0 b)
peth0 Link encap:Ethernet HWaddr FE:FF:FF:FF:FF:FF
adr inet6: fe80::fcff:ffff:feff:ffff/64 Scope:Lien
UP BROADCAST RUNNING NOARP MTU:1500 Metric:1
RX packets:2887 errors:0 dropped:0 overruns:0 frame:0
TX packets:715 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 lg file transmission:100
RX bytes:299761 (292.7 KiB) TX bytes:109546 (106.9 KiB)
Mémoire:de340000-de360000
vif0.0 Link encap:Ethernet HWaddr FE:FF:FF:FF:FF:FF
adr inet6: fe80::fcff:ffff:feff:ffff/64 Scope:Lien
UP BROADCAST RUNNING NOARP MTU:1500 Metric:1
RX packets:419 errors:0 dropped:0 overruns:0 frame:0
TX packets:2110 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 lg file transmission:0
RX bytes:64889 (63.3 KiB) TX bytes:217571 (212.4 KiB)
vif3.0 Link encap:Ethernet HWaddr FE:FF:FF:FF:FF:FF
adr inet6: fe80::fcff:ffff:feff:ffff/64 Scope:Lien
UP BROADCAST RUNNING NOARP MTU:1500 Metric:1
RX packets:252 errors:0 dropped:0 overruns:0 frame:0
TX packets:443 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 lg file transmission:32
RX bytes:34231 (33.4 KiB) TX bytes:51947 (50.7 KiB)
virbr0 Link encap:Ethernet HWaddr 00:00:00:00:00:00
inet adr:192.168.122.1 Bcast:192.168.122.255 Masque:255.255.255.0
adr inet6: fe80::200:ff:fe00:0/64 Scope:Lien
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:28 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 lg file transmission:0
RX bytes:0 (0.0 b) TX bytes:8216 (8.0 KiB)
xenbr0 Link encap:Ethernet HWaddr FE:FF:FF:FF:FF:FF
UP BROADCAST RUNNING NOARP MTU:1500 Metric:1
RX packets:1069 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 lg file transmission:0
RX bytes:82597 (80.6 KiB) TX bytes:0 (0.0 b)
[root@virts ~]# ip route list
172.20.25.0/24 dev eth0 proto kernel scope link src 172.20.25.2
192.168.122.0/24 dev virbr0 proto kernel scope link src 192.168.122.1
169.254.0.0/16 dev eth0 scope link
default via 172.20.25.1 dev eth0
[root@virts ~]#
[root@virts ~]# brctl show
bridge name bridge id STP enabled interfaces
virbr0 8000.000000000000 yes
xenbr0 8000.feffffffffff no vif3.0
peth0
vif0.0
[root@virts ~]# brctl showmacs virbr0
port no mac addr is local? ageing timer
[root@virts ~]# brctl showmacs xenbr0
port no mac addr is local? ageing timer
2 00:00:85:83:0d:1f no 85.63
2 00:14:38:dd:b6:6c no 205.84
2 00:14:38:df:a9:25 no 204.84
2 00:15:17:11:d0:60 no 29.54
2 00:15:17:12:11:24 no 0.50
3 00:16:3e:1c:0f:0b no 37.99
2 00:18:8b:08:62:44 no 94.35
2 00:18:8b:08:80:9c no 9.00
2 00:18:8b:08:84:4f no 75.24
2 00:18:8b:08:85:3b no 52.31
2 00:18:8b:08:85:7b no 67.42
2 00:18:8b:08:85:ae no 81.80
2 00:18:8b:08:86:27 no 25.29
2 00:18:8b:08:8c:a9 no 30.01
2 00:18:8b:08:8c:ed no 82.16
2 00:18:8b:08:8d:30 no 156.16
2 00:18:8b:25:9e:f8 no 37.21
2 00:18:8b:27:b3:9a no 100.72
2 00:18:8b:27:e4:1d no 13.92
2 00:19:30:6f:ca:8f no 30.51
2 00:19:b9:67:8a:8f no 0.00
2 00:1a:a0:98:01:04 no 66.00
2 00:1a:a0:ae:54:25 no 2.98
2 00:1a:e2:ca:5f:00 no 27.36
2 00:1a:e3:4d:1b:0a no 0.01
2 00:1a:e3:4d:1b:43 no 22.57
2 00:1b:2a:20:6b:3c no 216.88
2 00:1b:2a:20:b1:a2 no 221.87
2 00:1b:2a:20:b2:7b no 8.87
2 00:1b:2a:20:e6:c6 no 28.68
2 00:1b:53:39:b3:00 no 28.44
2 00:1c:ee:04:ef:4c no 4.10
1 00:21:85:32:ca:8e no 0.00
2 08:00:1f:82:7d:a3 no 205.84
1 fe:ff:ff:ff:ff:ff yes 0.00
[root@virts ~]# /root/verif_iptables.sh
Table filter
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num  pkts bytes target               prot opt in     out    source            destination
1       0     0 ACCEPT               udp  --  virbr0 *      0.0.0.0/0         0.0.0.0/0         udp dpt:53
2       0     0 ACCEPT               tcp  --  virbr0 *      0.0.0.0/0         0.0.0.0/0         tcp dpt:53
3       0     0 ACCEPT               udp  --  virbr0 *      0.0.0.0/0         0.0.0.0/0         udp dpt:67
4       0     0 ACCEPT               tcp  --  virbr0 *      0.0.0.0/0         0.0.0.0/0         tcp dpt:67
5       1    40 RH-Firewall-1-INPUT  all  --  *      *      0.0.0.0/0         0.0.0.0/0

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num  pkts bytes target               prot opt in     out    source            destination
1       0     0 ACCEPT               all  --  *      virbr0 0.0.0.0/0         192.168.122.0/24  state RELATED,ESTABLISHED
2       0     0 ACCEPT               all  --  virbr0 *      192.168.122.0/24  0.0.0.0/0
3       0     0 ACCEPT               all  --  virbr0 virbr0 0.0.0.0/0         0.0.0.0/0
4       0     0 REJECT               all  --  *      virbr0 0.0.0.0/0         0.0.0.0/0         reject-with icmp-port-unreachable
5       0     0 REJECT               all  --  virbr0 *      0.0.0.0/0         0.0.0.0/0         reject-with icmp-port-unreachable
6       0     0 RH-Firewall-1-INPUT  all  --  *      *      0.0.0.0/0         0.0.0.0/0
7       0     0 ACCEPT               all  --  *      *      0.0.0.0/0         0.0.0.0/0         PHYSDEV match --physdev-in vif3.0

Chain OUTPUT (policy ACCEPT 555 packets, 76840 bytes)
num  pkts bytes target               prot opt in     out    source            destination

Chain RH-Firewall-1-INPUT (2 references)
num  pkts bytes target               prot opt in     out    source            destination
1       0     0 ACCEPT               all  --  lo     *      0.0.0.0/0         0.0.0.0/0
2       0     0 ACCEPT               icmp --  *      *      0.0.0.0/0         0.0.0.0/0         icmp type 255
3       0     0 ACCEPT               esp  --  *      *      0.0.0.0/0         0.0.0.0/0
4       0     0 ACCEPT               ah   --  *      *      0.0.0.0/0         0.0.0.0/0
5       0     0 ACCEPT               udp  --  *      *      0.0.0.0/0         224.0.0.251       udp dpt:5353
6       0     0 ACCEPT               udp  --  *      *      0.0.0.0/0         0.0.0.0/0         udp dpt:631
7       0     0 ACCEPT               tcp  --  *      *      0.0.0.0/0         0.0.0.0/0         tcp dpt:631
8       1    40 ACCEPT               all  --  *      *      0.0.0.0/0         0.0.0.0/0         state RELATED,ESTABLISHED
9       0     0 ACCEPT               tcp  --  *      *      0.0.0.0/0         0.0.0.0/0         state NEW tcp dpt:22
10      0     0 REJECT               all  --  *      *      0.0.0.0/0         0.0.0.0/0         reject-with icmp-host-prohibited

Table nat
Chain PREROUTING (policy ACCEPT 408 packets, 52326 bytes)
num  pkts bytes target               prot opt in     out    source            destination

Chain POSTROUTING (policy ACCEPT 2 packets, 215 bytes)
num  pkts bytes target               prot opt in     out    source            destination
1       0     0 MASQUERADE           all  --  *      *      192.168.122.0/24  0.0.0.0/0

Chain OUTPUT (policy ACCEPT 2 packets, 215 bytes)
num  pkts bytes target               prot opt in     out    source            destination
[root@virts ~]#
***************************************************************************************************************************************************
***************************************************************************************************************************************************
***************************************************************************************************************************************************
DOM0 + 2 DOMUS (FWB + VIRT-GEKO)
***************************************************************************************************************************************************
[root@virts ~]# xm create virt-geko
Using config file "/etc/xen/virt-geko".
Started domain virt-geko
[root@virts ~]# cat /etc/xen/virt-geko
name = "virt-geko"
uuid = "bd4497d9-6613-f595-fae1-4bf8bc4aea33"
maxmem = 1024
memory = 1024
vcpus = 1
bootloader = "/usr/bin/pygrub"
on_poweroff = "destroy"
on_reboot = "restart"
on_crash = "restart"
vfb = [ ]
disk = [ "tap:aio:/var/lib/xen/images/virt-geko.img,xvda,w" ]
vif = [ "mac=00:16:3e:16:ee:d4,bridge=xenbr0" ]
[root@virts ~]# xm list
Name ID Mem(MiB) VCPUs State Time(s)
Domain-0 0 1966 4 r----- 29.0
fwb 3 1023 1 -b---- 11.5
virt-geko 4 1023 1 -b---- 10.0
[root@virts ~]# ifconfig
eth0      Link encap:Ethernet  HWaddr 00:21:85:32:CA:8E
          inet addr:172.20.25.2  Bcast:172.20.25.255  Mask:255.255.255.0
          inet6 addr: fe80::221:85ff:fe32:ca8e/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:2974 errors:0 dropped:0 overruns:0 frame:0
          TX packets:657 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:289702 (282.9 KiB)  TX bytes:99221 (96.8 KiB)
lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:8 errors:0 dropped:0 overruns:0 frame:0
          TX packets:8 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:560 (560.0 b)  TX bytes:560 (560.0 b)
peth0     Link encap:Ethernet  HWaddr FE:FF:FF:FF:FF:FF
          inet6 addr: fe80::fcff:ffff:feff:ffff/64 Scope:Link
          UP BROADCAST RUNNING NOARP  MTU:1500  Metric:1
          RX packets:4280 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1015 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:434798 (424.6 KiB)  TX bytes:150978 (147.4 KiB)
          Memory:de340000-de360000
vif0.0    Link encap:Ethernet  HWaddr FE:FF:FF:FF:FF:FF
          inet6 addr: fe80::fcff:ffff:feff:ffff/64 Scope:Link
          UP BROADCAST RUNNING NOARP  MTU:1500  Metric:1
          RX packets:672 errors:0 dropped:0 overruns:0 frame:0
          TX packets:2981 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:102667 (100.2 KiB)  TX bytes:290122 (283.3 KiB)
vif3.0    Link encap:Ethernet  HWaddr FE:FF:FF:FF:FF:FF
          inet6 addr: fe80::fcff:ffff:feff:ffff/64 Scope:Link
          UP BROADCAST RUNNING NOARP  MTU:1500  Metric:1
          RX packets:277 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1065 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:32
          RX bytes:35891 (35.0 KiB)  TX bytes:104128 (101.6 KiB)
vif4.0    Link encap:Ethernet  HWaddr FE:FF:FF:FF:FF:FF
          inet6 addr: fe80::fcff:ffff:feff:ffff/64 Scope:Link
          UP BROADCAST RUNNING NOARP  MTU:1500  Metric:1
          RX packets:24 errors:0 dropped:0 overruns:0 frame:0
          TX packets:127 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:32
          RX bytes:888 (888.0 b)  TX bytes:14191 (13.8 KiB)
virbr0    Link encap:Ethernet  HWaddr 00:00:00:00:00:00
          inet addr:192.168.122.1  Bcast:192.168.122.255  Mask:255.255.255.0
          inet6 addr: fe80::200:ff:fe00:0/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:28 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 b)  TX bytes:8216 (8.0 KiB)
xenbr0    Link encap:Ethernet  HWaddr FE:FF:FF:FF:FF:FF
          UP BROADCAST RUNNING NOARP  MTU:1500  Metric:1
          RX packets:1592 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:115708 (112.9 KiB)  TX bytes:0 (0.0 b)
- on Dom0 (when Dom0 is still routable) -
[root@virts ~]# ip route list
172.20.25.0/24 dev eth0 proto kernel scope link src 172.20.25.2
192.168.122.0/24 dev virbr0 proto kernel scope link src 192.168.122.1
169.254.0.0/16 dev eth0 scope link
default via 172.20.25.1 dev eth0
- on the DomU which is not routable at the time => virt-geko, 172.20.25.7 -
[root@virt-samba ~]# ip route list
172.20.25.0/24 dev eth0 proto kernel scope link src 172.20.25.7
169.254.0.0/16 dev eth0 scope link
default via 172.20.25.1 dev eth0
- after a while (around 10 min), Dom0 becomes unreachable from the outside world,
but the route list is still the same as below -
[root@virts ~]# ip route list
172.20.25.0/24 dev eth0 proto kernel scope link src 172.20.25.2
192.168.122.0/24 dev virbr0 proto kernel scope link src 192.168.122.1
169.254.0.0/16 dev eth0 scope link
default via 172.20.25.1 dev eth0
[root@virts ~]# brctl show
bridge name bridge id STP enabled interfaces
virbr0 8000.000000000000 yes
xenbr0 8000.feffffffffff no vif4.0
vif3.0
peth0
vif0.0
[root@virts ~]# brctl showmacs virbr0
port no mac addr is local? ageing timer
[root@virts ~]# brctl showmacs xenbr0
port no mac addr is local? ageing timer
2 00:00:85:83:0d:1f no 11.15
2 00:15:17:11:d0:60 no 16.16
2 00:15:17:12:11:24 no 1.15
4 00:16:3e:16:ee:d4 no 0.10
3 00:16:3e:1c:0f:0b no 6.02
2 00:18:8b:08:85:ae no 43.79
2 00:18:8b:08:86:27 no 24.35
2 00:18:8b:25:9e:f8 no 40.05
2 00:19:30:6f:ca:8f no 7.39
2 00:19:b9:67:8a:8f no 0.00
2 00:1a:a0:ae:54:25 no 20.77
2 00:1a:e2:ca:5f:00 no 4.14
2 00:1a:e3:4d:1b:0a no 0.50
2 00:1a:e3:4d:1b:43 no 23.17
2 00:1b:53:39:b3:00 no 3.43
1 00:21:85:32:ca:8e no 0.00
1 fe:ff:ff:ff:ff:ff yes 0.00
[root@virts ~]# /root/verif_iptables.sh
Table filter
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target               prot opt in     out     source            destination
1        0     0 ACCEPT               udp  --  virbr0 *       0.0.0.0/0         0.0.0.0/0         udp dpt:53
2        0     0 ACCEPT               tcp  --  virbr0 *       0.0.0.0/0         0.0.0.0/0         tcp dpt:53
3        0     0 ACCEPT               udp  --  virbr0 *       0.0.0.0/0         0.0.0.0/0         udp dpt:67
4        0     0 ACCEPT               tcp  --  virbr0 *       0.0.0.0/0         0.0.0.0/0         tcp dpt:67
5        1    40 RH-Firewall-1-INPUT  all  --  *      *       0.0.0.0/0         0.0.0.0/0
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target               prot opt in     out     source            destination
1        0     0 ACCEPT               all  --  *      virbr0  0.0.0.0/0         192.168.122.0/24  state RELATED,ESTABLISHED
2        0     0 ACCEPT               all  --  virbr0 *       192.168.122.0/24  0.0.0.0/0
3        0     0 ACCEPT               all  --  virbr0 virbr0  0.0.0.0/0         0.0.0.0/0
4        0     0 REJECT               all  --  *      virbr0  0.0.0.0/0         0.0.0.0/0         reject-with icmp-port-unreachable
5        0     0 REJECT               all  --  virbr0 *       0.0.0.0/0         0.0.0.0/0         reject-with icmp-port-unreachable
6        0     0 RH-Firewall-1-INPUT  all  --  *      *       0.0.0.0/0         0.0.0.0/0
7        0     0 ACCEPT               all  --  *      *       0.0.0.0/0         0.0.0.0/0         PHYSDEV match --physdev-in vif3.0
8        0     0 ACCEPT               all  --  *      *       0.0.0.0/0         0.0.0.0/0         PHYSDEV match --physdev-in vif4.0
Chain OUTPUT (policy ACCEPT 800 packets, 110K bytes)
num   pkts bytes target               prot opt in     out     source            destination
Chain RH-Firewall-1-INPUT (2 references)
num   pkts bytes target               prot opt in     out     source            destination
1        0     0 ACCEPT               all  --  lo     *       0.0.0.0/0         0.0.0.0/0
2        0     0 ACCEPT               icmp --  *      *       0.0.0.0/0         0.0.0.0/0         icmp type 255
3        0     0 ACCEPT               esp  --  *      *       0.0.0.0/0         0.0.0.0/0
4        0     0 ACCEPT               ah   --  *      *       0.0.0.0/0         0.0.0.0/0
5        0     0 ACCEPT               udp  --  *      *       0.0.0.0/0         224.0.0.251       udp dpt:5353
6        0     0 ACCEPT               udp  --  *      *       0.0.0.0/0         0.0.0.0/0         udp dpt:631
7        0     0 ACCEPT               tcp  --  *      *       0.0.0.0/0         0.0.0.0/0         tcp dpt:631
8        1    40 ACCEPT               all  --  *      *       0.0.0.0/0         0.0.0.0/0         state RELATED,ESTABLISHED
9        0     0 ACCEPT               tcp  --  *      *       0.0.0.0/0         0.0.0.0/0         state NEW tcp dpt:22
10       0     0 REJECT               all  --  *      *       0.0.0.0/0         0.0.0.0/0         reject-with icmp-host-prohibited
Table nat
Chain PREROUTING (policy ACCEPT 656 packets, 81420 bytes)
num   pkts bytes target               prot opt in     out     source            destination
Chain POSTROUTING (policy ACCEPT 2 packets, 215 bytes)
num   pkts bytes target               prot opt in     out     source            destination
1        0     0 MASQUERADE           all  --  *      *       192.168.122.0/24  0.0.0.0/0
Chain OUTPUT (policy ACCEPT 2 packets, 215 bytes)
num   pkts bytes target               prot opt in     out     source            destination
[root@virts ~]#
***************************************************************************************************************************************************
***************************************************************************************************************************************************
***************************************************************************************************************************************************

_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users
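Added example for this thread (not code from the post, from Xen or from Red Hat): a small checker for the rule ordering visible in the FORWARD chain of the dumps above. Rule 6 jumps unconditionally into RH-Firewall-1-INPUT, whose last rule is an unconditional REJECT, so no packet ever comes back to rules 7 and 8, the PHYSDEV ACCEPT rules for vif3.0 and vif4.0 that Xen's vif-bridge script normally appends when a DomU's vif is brought up. With bridge-nf-call-iptables enabled, bridged DomU frames traverse FORWARD and would be answered with icmp-host-prohibited there. The all-zero counters on every FORWARD rule in the dump (assuming verif_iptables.sh does not zero them) suggest bridged traffic was not passing through iptables when the dump was taken, so this is a latent ordering problem on this Dom0 rather than a proven cause of the outage described. The script parses `iptables -L -v -n --line-numbers` output, with the "Table <name>" headings the author's script prints, and reports every rule shadowed by an earlier unconditional rule whose target never returns. SAMPLE is the FORWARD and RH-Firewall-1-INPUT chains from the "Dom0 + 2 DomUs" dump, retyped one rule per line; the function and variable names are the example's own, and the handling of target options is limited to REJECT's "reject-with".

```python
"""Report iptables rules that can never match because an earlier rule in the
same chain hands every packet a final verdict, directly or by jumping into a
user chain that never returns.  Input: `iptables -L -v -n --line-numbers`
output, optionally prefixed by "Table <name>" lines as verif_iptables.sh prints.
Added example for the Xen-users thread; not code from the post or from Xen."""

TERMINAL = {"ACCEPT", "DROP", "REJECT"}
# Trailing tokens that belong to the target rather than to the match part.
TARGET_OPTS = {"REJECT": "reject-with"}

# Excerpt of the "Dom0 + 2 DomUs" dump from the thread, retyped one rule per line.
SAMPLE = """\
Table filter
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target               prot opt in     out     source            destination
1        0     0 ACCEPT               all  --  *      virbr0  0.0.0.0/0         192.168.122.0/24  state RELATED,ESTABLISHED
2        0     0 ACCEPT               all  --  virbr0 *       192.168.122.0/24  0.0.0.0/0
3        0     0 ACCEPT               all  --  virbr0 virbr0  0.0.0.0/0         0.0.0.0/0
4        0     0 REJECT               all  --  *      virbr0  0.0.0.0/0         0.0.0.0/0         reject-with icmp-port-unreachable
5        0     0 REJECT               all  --  virbr0 *       0.0.0.0/0         0.0.0.0/0         reject-with icmp-port-unreachable
6        0     0 RH-Firewall-1-INPUT  all  --  *      *       0.0.0.0/0         0.0.0.0/0
7        0     0 ACCEPT               all  --  *      *       0.0.0.0/0         0.0.0.0/0         PHYSDEV match --physdev-in vif3.0
8        0     0 ACCEPT               all  --  *      *       0.0.0.0/0         0.0.0.0/0         PHYSDEV match --physdev-in vif4.0
Chain RH-Firewall-1-INPUT (2 references)
num   pkts bytes target               prot opt in     out     source            destination
1        0     0 ACCEPT               all  --  lo     *       0.0.0.0/0         0.0.0.0/0
2        0     0 ACCEPT               icmp --  *      *       0.0.0.0/0         0.0.0.0/0         icmp type 255
3        0     0 ACCEPT               esp  --  *      *       0.0.0.0/0         0.0.0.0/0
4        0     0 ACCEPT               ah   --  *      *       0.0.0.0/0         0.0.0.0/0
5        0     0 ACCEPT               udp  --  *      *       0.0.0.0/0         224.0.0.251       udp dpt:5353
6        0     0 ACCEPT               udp  --  *      *       0.0.0.0/0         0.0.0.0/0         udp dpt:631
7        0     0 ACCEPT               tcp  --  *      *       0.0.0.0/0         0.0.0.0/0         tcp dpt:631
8        1    40 ACCEPT               all  --  *      *       0.0.0.0/0         0.0.0.0/0         state RELATED,ESTABLISHED
9        0     0 ACCEPT               tcp  --  *      *       0.0.0.0/0         0.0.0.0/0         state NEW tcp dpt:22
10       0     0 REJECT               all  --  *      *       0.0.0.0/0         0.0.0.0/0         reject-with icmp-host-prohibited
"""


def parse(text, default_table="filter"):
    """Return {table: {chain: [rule, ...]}} in listing order.  Each rule is a
    dict with num, target, prot, in, out, src, dst and the remaining match text."""
    tables, table, chain = {}, default_table, None
    for line in text.splitlines():
        tok = line.split()
        if not tok or tok[0] == "num":          # blank line or column header
            continue
        if tok[0] == "Table":                   # heading printed by the author's script
            table = tok[1]
            continue
        if tok[0] == "Chain":                   # "Chain NAME (policy ...)" / "(N references)"
            chain = tok[1]
            tables.setdefault(table, {})[chain] = []
            continue
        if chain is None or not tok[0].isdigit() or len(tok) < 10:
            continue
        target, extra = tok[3], tok[10:]
        opt = TARGET_OPTS.get(target)
        if opt and extra[:1] == [opt]:          # "reject-with <type>" is not a match
            extra = extra[2:]
        tables[table][chain].append({
            "num": int(tok[0]), "target": target, "prot": tok[4],
            "in": tok[6], "out": tok[7], "src": tok[8], "dst": tok[9],
            "match": " ".join(extra),
        })
    return tables


def unconditional(rule):
    """True if the rule matches every packet reaching it."""
    return (rule["prot"] == "all" and rule["in"] == "*" and rule["out"] == "*"
            and rule["src"] == "0.0.0.0/0" and rule["dst"] == "0.0.0.0/0"
            and rule["match"] == "")


def never_returns(chains, target, stack=()):
    """True if no packet jumping to `target` can come back to the calling chain."""
    if target in TERMINAL:
        return True
    if target not in chains or target in stack:
        return False                            # RETURN, LOG, MASQUERADE, unknown, or a cycle
    for rule in chains[target]:
        if rule["target"] == "RETURN":
            return False                        # some packets are explicitly handed back
        if unconditional(rule) and never_returns(chains, rule["target"], stack + (target,)):
            return True
    return False                                # falling off the end of a chain returns


def shadowed(chains):
    """{chain: [(dead_rule_num, blocking_rule_num), ...]} for one table."""
    dead = {}
    for name, rules in chains.items():
        blocker = None
        for rule in rules:
            if blocker is not None:
                dead.setdefault(name, []).append((rule["num"], blocker))
            elif unconditional(rule) and (rule["target"] == "RETURN"
                                          or never_returns(chains, rule["target"])):
                blocker = rule["num"]
    return dead


def report(text):
    """Shadowed rules per table, omitting tables with none."""
    return {t: shadowed(c) for t, c in parse(text).items() if shadowed(c)}


if __name__ == "__main__":
    for table, chains in report(SAMPLE).items():
        for chain, pairs in chains.items():
            for dead_num, blocker in pairs:
                print(f"{table}/{chain}: rule {dead_num} can never match; "
                      f"rule {blocker} gives every packet a final verdict")
```

On the dump above this reports filter/FORWARD rules 7 and 8 as unreachable behind rule 6. The fix on a Red Hat style Dom0 is ordering, not more rules: the PHYSDEV accepts have to sit before the jump to RH-Firewall-1-INPUT (or that chain must RETURN for bridged traffic), which is worth checking after every `xm create`, since vif-bridge appends its rule at the end of FORWARD each time.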