WARNING - OLD ARCHIVES

This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/
xen-users

Re: [Xen-users] Xen and IPtables

yes

it worked for me!
iptables -t mangle -A PREROUTING -d <ip of dom0> -i <bridge> -p tcp ! --dport ssh -j DROP

Bhasker C V
Registered linux user #306349


On Thu, 30 Apr 2009, Fajar A. Nugraha wrote:

On Thu, Apr 30, 2009 at 3:27 PM, James Clemence
<jamesvclemence@xxxxxxxxxxxxxx> wrote:
I have been able to filter for the domUs via the forward chain taking out
the packets to each domU to a specific chain for that domU, and then handle
the packets with ACCEPT/DROP, as per usual.

-m physdev  --physdev-in peth0 --physdev-out vif${DOMUID}.0 -j <DOMU chain>

However, I blanked on where to get hold of the traffic to the dom0? Does
that go to FORWARD too? Or does it simply hit INPUT?

Shouldn't that be basic iptables stuff?
If dom0 is not a router, INPUT should be enough. If it's a firewall or
router, packets going through dom0 will be on FORWARD.

As a side note, if you want to prevent iptables managing bridge
traffic altogether you might want to use

net.bridge.bridge-nf-call-arptables=0
net.bridge.bridge-nf-call-ip6tables=0
net.bridge.bridge-nf-call-iptables=0

in /etc/sysctl.conf, and run "sysctl -p" afterwards.

Regards,

Fajar

_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users



