This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/


Re: [Xen-users] dom0 iptables

To: xen-users <xen-users@xxxxxxxxxxxxxxxxxxx>
Subject: Re: [Xen-users] dom0 iptables
From: "Fajar A. Nugraha" <fajar@xxxxxxxxx>
Date: Tue, 5 May 2009 10:48:45 +0700
Delivery-date: Mon, 04 May 2009 20:49:24 -0700
Envelope-to: www-data@xxxxxxxxxxxxxxxxxxx
In-reply-to: <003f01c9ccf0$6e925170$4bb6f450$@com>
List-help: <mailto:xen-users-request@lists.xensource.com?subject=help>
List-id: Xen user discussion <xen-users.lists.xensource.com>
List-post: <mailto:xen-users@lists.xensource.com>
List-subscribe: <http://lists.xensource.com/mailman/listinfo/xen-users>, <mailto:xen-users-request@lists.xensource.com?subject=subscribe>
List-unsubscribe: <http://lists.xensource.com/mailman/listinfo/xen-users>, <mailto:xen-users-request@lists.xensource.com?subject=unsubscribe>
References: <AcnM8G0RIr1cCG4WSCWfMG+wSjwFqg==> <003f01c9ccf0$6e925170$4bb6f450$@com>
Sender: xen-users-bounces@xxxxxxxxxxxxxxxxxxx
On Tue, May 5, 2009 at 2:42 AM, Mark Chaney <macscr@xxxxxxxxxx> wrote:
> Ok, I am setting up a new dom0 at a colo provider and usually the colo
> facility acts as my gateway, but at this new one, the provider is
> recommending that I use the server as its own gateway. That unfortunately
> doesn't work too well when it comes to iptables and my domU's. IPtables do not
> support virtual interfaces, so I can't just white list them unfortunately.

If I recall correctly, the xen network bridge whitelists domUs by default.
Something like

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --                                           PHYSDEV match --physdev-in vif2.0

You can use domU's vif interface as physdev. When setting up iptables
manually, it might be easier to use custom vif name using
"vifname=NAME" on vif line.

> I have tried these two rules, but no difference:
> iptables -I INPUT 1 -d 207.xxx.xxx.0/30 -j ACCEPT
> iptables -I OUTPUT 1 -s 207.xxx.xxx.0/30 -j ACCEPT

I believe that should be on FORWARD
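The approach described in the reply above (FORWARD-chain rules keyed on the domU's vif via the physdev match, with a custom name set through "vifname=NAME"), worked through as an added example that is not part of this thread or of Xen's own scripts. The vif name vm-web and the address 203.0.113.10 are constructed placeholders; the function only prints the iptables commands so they can be reviewed before being piped to a root shell.

```shell
#!/bin/sh
# Added example (not from the thread): generate iptables FORWARD rules that
# whitelist one domU through its vif using the physdev match.
# Assumes the domU config names its vif, e.g. (constructed values):
#   vif = [ 'bridge=xenbr0, vifname=vm-web, ip=203.0.113.10' ]
#
# Usage: xen_domu_fw_rules VIFNAME DOMU_IP   -> prints iptables commands
# Apply as root with:  xen_domu_fw_rules vm-web 203.0.113.10 | sh

xen_domu_fw_rules() {
    vif="$1"
    ip="$2"
    # Packets arriving from the domU's vif: accept only those carrying the
    # domU's own source address (anti-spoofing), drop anything else from it.
    echo "iptables -A FORWARD -m physdev --physdev-in $vif -s $ip -j ACCEPT"
    echo "iptables -A FORWARD -m physdev --physdev-in $vif -j DROP"
    # Packets leaving towards the domU's vif: replies to its own connections,
    # plus the services deliberately exposed (TCP/80 here as an example).
    echo "iptables -A FORWARD -m physdev --physdev-out $vif -d $ip -m state --state ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -A FORWARD -m physdev --physdev-out $vif -d $ip -p tcp --dport 80 -j ACCEPT"
    echo "iptables -A FORWARD -m physdev --physdev-out $vif -j DROP"
}

# Print the rule set when called with a vif name and address.
if [ $# -eq 2 ]; then
    xen_domu_fw_rules "$1" "$2"
fi
```

Two checks worth making before relying on this: the physdev match only sees bridged traffic when the kernel hands it to iptables (net.bridge.bridge-nf-call-iptables must be 1), and, as the reply says, rules for domU traffic belong in FORWARD, since INPUT and OUTPUT only cover packets addressed to or originating from dom0 itself.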



Xen-users mailing list
