WARNING - OLD ARCHIVES

This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/
   
 
 
Xen 		  
Home Products Support Community News
 
   
 

xen-users

[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: [Xen-users] XEN 3.0.4-1 / Iptables is not working properly

from [Maik Brauer] [Permanent Link][Original]
To: xen-users@xxxxxxxxxxxxxxxxxxx
Subject: Re: [Xen-users] XEN 3.0.4-1 / Iptables is not working properly
From: Maik Brauer <mailinglist@xxxxxxxxxxxxxxx>
Date: Thu, 19 Apr 2007 10:24:52 +0200
Cc: Christo Buschek <crito@xxxxxxxxxx>
Delivery-date: Thu, 19 Apr 2007 01:22:07 -0700
Envelope-to: www-data@xxxxxxxxxxxxxxxxxx
In-reply-to: <1176968610.3967.2.camel@xxxxxxxxxxxxxxxxxxxxxxxx>
List-help: <mailto:xen-users-request@lists.xensource.com?subject=help>
List-id: Xen user discussion <xen-users.lists.xensource.com>
List-post: <mailto:xen-users@lists.xensource.com>
List-subscribe: <http://lists.xensource.com/cgi-bin/mailman/listinfo/xen-users>, <mailto:xen-users-request@lists.xensource.com?subject=subscribe>
List-unsubscribe: <http://lists.xensource.com/cgi-bin/mailman/listinfo/xen-users>, <mailto:xen-users-request@lists.xensource.com?subject=unsubscribe>
References: <462717BC.6020602@xxxxxxxxxxxxxxx> <1176968610.3967.2.camel@xxxxxxxxxxxxxxxxxxxxxxxx>
Sender: xen-users-bounces@xxxxxxxxxxxxxxxxxxx
User-agent: Thunderbird 2.0.0.0 (Windows/20070326) 
Hello,

this is not working in my case.
The Problem still exist.
If this is a real problem, some other people should have the same issue.

Are there any suggestions ??

Regards
Maik


Christo Buschek wrote:

Hello Maik.

I don't really have an explanation for you, but for me to make iptables
work I had to run 'ethtool -K eth0 tx off' inside the vm and dom0 on the
device. That made iptables work for me.

Maybe it also helps you.

greetinx
Christo

On Thu, 2007-04-19 at 09:18 +0200, Maik Brauer wrote:

Hello,

I've installed XEN3.0.4-1 and problems with the IPtables settings.
Please see below the firewall settings for Domain0:
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     0    --  anywhere             anywhere
ACCEPT     tcp  --  anywhere             mbs-rootsrv         tcp dpt:ssh
ACCEPT 0 -- anywhere anywhere ctstate RELATED,ESTABLISHED LOG 0 -- anywhere anywhere LOG level warning 
DROP       0    --  anywhere             anywhere

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
But then for example connection which are related to a server request (DNS requests / port53, etc) will be blocked by the firewall. 
Here is an example of an request:
Apr 19 09:06:19 rootsrv kernel: IN=eth0 OUT= PHYSIN=peth0 PHYSOUT=vif0.0 MAC=00:e4:3c:65:37:37:03:02:85:1a:e2:e0:08:00 SRC=213.133.99.99 DST=88.198.xx.xx LEN=73 TOS=0x00 PREC=0x00 TTL=59 ID=0 DF PROTO=UDP SPT=53 DPT=32803 LEN=53 Apr 19 09:06:20 rootsrv kernel: IN=eth0 OUT= PHYSIN=peth0 PHYSOUT=vif0.0 MAC=00:e4:3c:65:37:37:03:02:85:1a:e2:e0:08:00 SRC=26.104.239.90 DST=88.198.xx.xx LEN=393 TOS=0x00 PREC=0x00 TTL=55 ID=44193 PROTO=UDP SPT=31178 DPT=1026 LEN=373 Apr 19 09:06:24 rootsrv kernel: IN=eth0 OUT= PHYSIN=peth0 PHYSOUT=vif0.0 MAC=00:e4:3c:65:37:37:03:02:85:1a:e2:e0:08:00 SRC=213.133.98.98 DST=88.198.xx.xx LEN=73 TOS=0x00 PREC=0x00 TTL=60 ID=0 DF PROTO=UDP SPT=53 DPT=32804 LEN=53 Apr 19 09:06:27 rootsrv kernel: IN=eth0 OUT= PHYSIN=peth0 PHYSOUT=vif0.0 MAC=00:e4:3c:65:37:37:03:02:85:1a:e2:e0:08:00 SRC=213.133.100.100 DST=88.198.xx.xx LEN=73 TOS=0x00 PREC=0x00 TTL=59 ID=0 DF PROTO=UDP SPT=53 DPT=32805 LEN=53 Apr 19 09:06:33 rootsrv kernel: IN=eth0 OUT= PHYSIN=peth0 PHYSOUT=vif0.0 MAC=00:e4:3c:65:37:37:03:02:85:1a:e2:e0:08:00 SRC=213.133.99.99 DST=88.198.xx.xx LEN=73 TOS=0x00 PREC=0x00 TTL=59 ID=0 DF PROTO=UDP SPT=53 DPT=32803 LEN=53 Apr 19 09:06:38 rootsrv kernel: IN=eth0 OUT= PHYSIN=peth0 PHYSOUT=vif0.0 MAC=00:e4:3c:65:37:37:03:02:85:1a:e2:e0:08:00 SRC=213.133.98.98 DST=88.198.xx.xx LEN=73 TOS=0x00 PREC=0x00 TTL=60 ID=0 DF PROTO=UDP SPT=53 DPT=32804 LEN=53
When I flush the Iptables or I will put in each request then everthing is working fine. But you never now which server will answer to a request, so it is impossible to configure all ip-addresses. This should be done due to the line: -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT 
which is unfortunately not working.

What is the problem and the solution ?
Many Thanks.

Kind Regards,
Maik Brauer



_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users




_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users



_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users
[More with this subject...]
<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  [Xen-users] exec of init (/sbin/init) failed!!!: No such file or directory, Emre ERALTAN
Next by Date:  Re: [Xen-users] exec of init (/sbin/init) failed!!!: No such file ordirectory, Akio Takebe
Previous by Thread:  Re: [Xen-users] XEN 3.0.4-1 / Iptables is not working properly, Christo Buschek
Next by Thread:  Re: [Xen-users] XEN 3.0.4-1 / Iptables is not working properly, Brad Plant
Indexes:  [Date] [Thread] [Top] [All Lists]
 
   

Copyright , Citrix Systems Inc. All rights reserved. Legal and Privacy