xen-users
Re: [Xen-users] iptables in dom0 with bridge: no more outbound connectio
Peter Fokkinga wrote:
After successfully consolidating my servers at home with Xen I
wanted to do the same at work. Unfortunately, I ran into a
networking anomaly that baffles my mind...
What I'm looking for is a real simple setup: a dom0 and 4 domU's
that are all directly accessible; in other words, no NAT required,
each dom has a "real" (public) ip address in our 129.125. range
(that's University of Groningen, the Netherlands in case you're
wondering).
Even though I have no need for iptables to do NAT, I _do_ want
to protect each dom, including dom0, with its own firewall. And
here the problems start.
When I boot into dom0 (Xen 3.0.4 patched to kernel 2.6.16.36), but
without starting xend, things are fine (iptables rules are active
at this point). Yet, after I have started xend (and xenbr0 appears
in my ifconfig output) I am unable to make connections to remote
hosts (dns lookups fail, ping to ip addresses fail, etc). Strange!
Now for the real spooky part:
1. I booted into dom0 (no xend)
2. executed `telnet 129.125.14.12 daytime`, it works
3. started xend
4. executed `telnet 129.125.14.12 daytime`, it still works (surprise!)
5. executed `telnet 129.125.14.13 daytime`, it does not work
DNS cache, I think.
Weird, so I rebooted the machine and tried again except for step 2
and the result was the same. Two days later I tried another time
(again leaving out step 2) and now step 4 gives no response...
When I disable the firewall (iptables -F) everything is fine.
My minimal firewall script:
iptables -F
iptables -A INPUT -p tcp --dport ssh -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -j DROP
Another observation: with the above firewall in place I can ssh into
dom0, but it takes about 30 seconds to connect; without firewall it
is almost instantaneous.
Reverse DNS being attempted by Dom0 as part of SSHD logging, and
failing. Try restarting the SSHD with the "-u0" option to turn this off.
Now I'm a programmer, not a network engineer. And I don't have a
clue how to go from here (i.o.w. I can run tcpdump, but don't know
what to look for). So suggestions are greatly appreciated!
Cheers, Peter
It's been discussed before: I haven't had a chance to pursue it, myself.
Basically, after you start Xend, traffic going *out* from Dom0 goes
through peth0, as near as I can tell, not eth0.
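As an added example (not part of this thread and not Peter's script), the same minimal dom0 firewall written as an iptables-restore ruleset that is generated and checked before it is loaded. It keeps Peter's three rules and adds two things a practitioner would want when chasing a "nothing gets out after xend starts" symptom: an explicit loopback accept, and a rate-limited LOG rule in front of the final DROP so the dropped packets show up in the kernel log instead of having to be guessed at with tcpdump. The interface name, port and log prefix are assumptions for the example; the ordering check only verifies that the stateful accept sits before the DROP.

```sh
#!/bin/sh
# Added example, not from the original thread. Generates a minimal dom0
# INPUT ruleset in iptables-restore format. Nothing is applied until the
# output is piped into iptables-restore by hand.
#
# Assumptions (adjust for your host): ssh on port 22, log prefix below.
SSH_PORT="${SSH_PORT:-22}"
LOG_PREFIX="${LOG_PREFIX:-dom0-drop: }"

# Print the ruleset. FORWARD stays at ACCEPT so bridged domU traffic is
# not touched by this INPUT-only policy.
dom0_ruleset() {
    cat <<EOF
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp --dport ${SSH_PORT} -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "${LOG_PREFIX}"
-A INPUT -j DROP
COMMIT
EOF
}

# Sanity check: the ESTABLISHED,RELATED accept must come before the DROP,
# otherwise replies to dom0's own outbound connections (DNS answers,
# telnet, ping) are discarded and the symptom in the thread appears.
ruleset_is_ordered() {
    rules=$(dom0_ruleset)
    est=$(printf '%s\n' "$rules" | grep -n 'ESTABLISHED,RELATED' | cut -d: -f1)
    drop=$(printf '%s\n' "$rules" | grep -n -- '-j DROP' | cut -d: -f1)
    [ -n "$est" ] && [ -n "$drop" ] && [ "$est" -lt "$drop" ]
}

# To load it atomically as root (not run by this script):
#   dom0_ruleset | iptables-restore
# Then watch what the firewall is eating:
#   dmesg | grep 'dom0-drop:'
```

The LOG line is the useful part for the situation in the thread: once the bridge is up, the logged source and destination addresses and the interface field tell you whether the packets being dropped are the replies to dom0's own connections, and on which interface they arrived, which is exactly what plain tcpdump output does not make obvious to someone who "doesn't know what to look for".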
_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users