Actually, this all looks like it should work. In fact, it looks like
all traffic would be allowed in both of these iptables configurations based
solely on the fact that the policy on each chain is ACCEPT and there is no rule
at the end of any chain to reject or drop all traffic (nor any rule elsewhere
to reject or drop specific traffic). Perhaps something else is running on the
DomU and rejecting traffic, as this access denied message certainly makes it
look like you have a layer 3 path to this VM (where a timeout would indicate
you didn't). To verify where the problem lies, I would try to ssh from Dom0 to
DomU. I suspect you will get the same access denied error, which would most
likely mean that the DomU is rejecting the traffic for some reason. Otherwise,
perhaps the IP you assigned the DomU is being used elsewhere or something else
on the Dom0 is rejecting the traffic.
Dustin
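The check Dustin is doing by eye above (is every chain's policy ACCEPT, and is there no DROP or REJECT rule anywhere in it?) can be scripted against a saved `iptables -L` listing. The script below is an added example and is not from this thread or from Xen; the listing it parses is constructed to resemble the Dom0 output further down, with an extra OUTPUT chain that does filter so both outcomes show up. It only inspects the chains it is given and does not follow jumps into user-defined chains.

```shell
#!/bin/sh
# Added example (not from the thread): classify each chain in an
# `iptables -L` listing. A chain is reported OPEN when its policy is ACCEPT
# and it holds no rule whose target is DROP or REJECT, which is exactly the
# state described for both Dom0 and DomU above; anything else is FILTERING.
# Jumps into user-defined chains are not followed.

# Constructed sample modelled on the Dom0 listing in the thread, plus an
# OUTPUT chain that really does filter so both verdicts are exercised.
SAMPLE_LISTING='Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ssh

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere             PHYSDEV match --physdev-in vif6.0

Chain OUTPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable'

# classify_chains: read a listing on stdin, print "<chain> <policy> <verdict>"
# per chain. User-defined chains (no policy) are shown with policy RETURN.
classify_chains() {
    awk '
        function flush() {
            if (chain != "") {
                open = (policy == "ACCEPT" || policy == "RETURN") && blocks == 0
                print chain, policy, (open ? "OPEN" : "FILTERING")
            }
        }
        /^Chain / {
            flush()
            chain = $2
            if ($3 == "(policy") { policy = $4; sub(/\)$/, "", policy) }
            else                 { policy = "RETURN" }
            blocks = 0
            next
        }
        /^target / { next }                     # column header line
        NF > 0 && ($1 == "DROP" || $1 == "REJECT") { blocks++ }
        END { flush() }
    '
}

# chain_verdict <listing> <chain>: print OPEN or FILTERING for one chain.
chain_verdict() {
    printf '%s\n' "$1" | classify_chains | awk -v c="$2" '$1 == c { print $3 }'
}

# Run directly: show the classification of the sample listing.
printf '%s\n' "$SAMPLE_LISTING" | classify_chains
```

To use it on a live host, pipe the real output in (`iptables -L | classify_chains`); a chain reported OPEN cannot be what is refusing the connection, which narrows the search to the guest's own services, another host answering for the same IP, or something outside netfilter, as suggested above.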
From: Mahendra Kutare [mailto:mahendra.kutare@xxxxxxxxx]
Sent: Wednesday, August 06, 2008 10:17
To: Dustin.Henning@xxxxxxxxxxx; xen-users
Subject: Re: [Xen-users] Prob Connecting VM through http or ssh
This is how my DOM0 IP table looks like -
[root@gdrd59 ~]# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
ACCEPT tcp -- anywhere anywhere tcp dpt:webcache
ACCEPT tcp -- anywhere anywhere tcp dpt:http
ACCEPT tcp -- anywhere anywhere tcp dpt:http
Chain FORWARD (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere PHYSDEV match --physdev-in vif6.0
ACCEPT all -- anywhere anywhere PHYSDEV match --physdev-in eth0 ! --physdev-out eth0
ACCEPT all -- anywhere anywhere PHYSDEV match ! --physdev-in eth0 --physdev-out eth0
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
############################################################################################################
domU IP Table looks like this -
[root@besim ~]# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
ACCEPT tcp -- anywhere anywhere tcp dpt:http
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp dpt:http
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
############################################################################################################
So as can be seen dom0 has forwarding table entries here. Am I doing something
wrong in forwarding?
Thanks
Mahendra
On Wed, Aug 6, 2008 at 10:08 AM, Dustin Henning <Dustin.Henning@xxxxxxxxxxx>
wrote:
Your VM probably has its own firewall/iptables configuration… This
would need to be reconfigured along with the one on Dom0. If you don't have
firewall/iptables on your DomU, then perhaps your rules in the iptables
Forwarding table on Dom0 are wrong. Traffic going to a DomU will go through
the Forwarding table instead of the Incoming table where traffic for Dom0 goes.
I believe this would be true for both bridging and routing.
Dustin
From: xen-users-bounces@xxxxxxxxxxxxxxxxxxx
[mailto:xen-users-bounces@xxxxxxxxxxxxxxxxxxx] On Behalf Of Mahendra Kutare
Sent: Wednesday, August 06, 2008 09:59
To: Xen-users@xxxxxxxxxxxxxxxxxxx
Subject: [Xen-users] Prob Connecting VM through http or ssh
Hi,
I am a newbie to Xen. I created a VM and associated an IP address.
Next, I disabled the firewall and in iptables allowed ports 80, 22 and 8080 (for my
Tomcat installation).
I started httpd on the VM (domU) and on dom0.
After that I tried connecting to the dom0 httpd (webserver) port 80 from another
physical server. This works and shows me the correct page when I do -
http://<dom0-machine-ip>:80/. Then I try ssh to the dom0 machine and it works.
But when I try to do the same for the VM (domU) on dom0 in a browser as -
http://<domU-VM-ip>:80/ it does not work. Also when I try ssh to the domU machine
IP it says - Access Denied.
Please help me resolve this. What is it that I am missing here?
Thanks
Mahendra
_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users
--
Only those who can risk going too far, can find out how far one can go.