This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/


[Xen-users] dom0 iptables

To: <xen-users@xxxxxxxxxxxxxxxxxxx>
Subject: [Xen-users] dom0 iptables
From: "Mark Chaney" <macscr@xxxxxxxxxx>
Date: Mon, 4 May 2009 14:42:15 -0500
Delivery-date: Mon, 04 May 2009 12:43:08 -0700
List-help: <mailto:xen-users-request@lists.xensource.com?subject=help>
List-id: Xen user discussion <xen-users.lists.xensource.com>
List-post: <mailto:xen-users@lists.xensource.com>
List-subscribe: <http://lists.xensource.com/mailman/listinfo/xen-users>, <mailto:xen-users-request@lists.xensource.com?subject=subscribe>
List-unsubscribe: <http://lists.xensource.com/mailman/listinfo/xen-users>, <mailto:xen-users-request@lists.xensource.com?subject=unsubscribe>
Sender: xen-users-bounces@xxxxxxxxxxxxxxxxxxx

Ok, I am setting up a new dom0 at a colo provider and usually the colo facility acts as my gateway, but at this new one, the provider is recommending that I use the server as its own gateway. That unfortunately doesn't work too well when it comes to iptables and my domUs. iptables does not support virtual interfaces, so I can't just whitelist them, unfortunately. I have tried many different iptables rules, but still can't seem to allow the guests to have unfiltered access to and from the internet without shutting down iptables on the dom0. Obviously that's not an option.


I have tried these two rules, but no difference:


# accept anything addressed to the domU block, at the top of dom0's INPUT chain
iptables -I INPUT 1 -d 207.xxx.xxx.0/30 -j ACCEPT
# accept anything sourced from the domU block, at the top of dom0's OUTPUT chain
iptables -I OUTPUT 1 -s 207.xxx.xxx.0/30 -j ACCEPT


Any recommendations? I am running CentOS as the dom0 and am hoping to be able to continue to use my CSF firewall script, but at this point, if I can only get help with iptables, that's fine as well.

Xen-users mailing list
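The reason the two rules above have no effect is that INPUT and OUTPUT only see packets addressed to or originated by dom0 itself. Guest traffic that dom0 bridges or routes for its domUs passes through the FORWARD chain instead (bridged IPv4 frames reach iptables there whenever net.bridge.bridge-nf-call-iptables is 1, which is the usual default once the bridge module is loaded). The script below is an added example for this thread, not code from the original post, from Xen or from CSF; it assumes the guest block 203.0.113.0/30 (a documentation range standing in for 207.xxx.xxx.0/30) and the Xen default vif naming (vifN.M), both of which are assumptions. It inserts pass-through rules at the top of FORWARD so they take precedence over whatever DROP rules or policy the host firewall installs, and adds an anti-spoofing rule for the guest side.

```shell
#!/bin/sh
# Added example (not from the original post, Xen or CSF): let domU traffic through
# a dom0 iptables firewall without touching dom0's own INPUT/OUTPUT rules.
# Assumed (not in the original message): guest block 203.0.113.0/30 and
# bridge ports named vifN.M. Run with "dry-run" to print the rules instead of
# applying them, or "apply" to install them.

IPT="${IPT:-iptables}"
DOMU_NET="${DOMU_NET:-203.0.113.0/30}"

# True when the kernel hands bridged IPv4 frames to iptables at all. With 0 the
# guest frames bypass iptables entirely (no rule needed, no filtering either);
# with 1 they traverse FORWARD, which is where the rules below live.
bridge_nf_enabled() {
    f=/proc/sys/net/bridge/bridge-nf-call-iptables
    [ -r "$f" ] && [ "$(cat "$f")" = "1" ]
}

# Pass-through rules for the guest block, inserted at the top of FORWARD.
# Matching on addresses only keeps this correct for both bridged and routed
# Xen networking. $1 = guest CIDR.
domu_forward_rules() {
    net="$1"
    # Replies to conversations conntrack already knows about, either direction.
    $IPT -I FORWARD 1 -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Guest -> internet.
    $IPT -I FORWARD 2 -s "$net" -j ACCEPT
    # Internet -> guest.
    $IPT -I FORWARD 3 -d "$net" -j ACCEPT
}

# Anti-spoofing on the guest side: drop frames entering from any vif whose
# source is outside the guest block. physdev sees the bridge port (vifN.M),
# not the bridge, and only matches bridged frames; on a routed setup use
# "-i vif+" instead. Call this after domu_forward_rules so it lands on top.
domu_antispoof_rules() {
    net="$1"
    $IPT -I FORWARD 1 -m physdev --physdev-in vif+ ! -s "$net" -j DROP
}

case "${1-}" in
    apply)
        if ! bridge_nf_enabled; then
            echo "warning: bridge-nf-call-iptables is not 1; bridged guest frames bypass iptables" >&2
        fi
        domu_forward_rules "$DOMU_NET"
        domu_antispoof_rules "$DOMU_NET"
        ;;
    dry-run)
        IPT="echo iptables"
        domu_forward_rules "$DOMU_NET"
        domu_antispoof_rules "$DOMU_NET"
        ;;
esac
```

`sh domu-forward.sh dry-run` prints the four commands so they can be reviewed before `apply`. Because CSF flushes and rebuilds its rule set on every restart, the two function calls belong in CSF's post-load hook (/etc/csf/csfpost.sh) rather than in a one-off script, otherwise the guests lose connectivity the next time CSF reloads.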