WARNING - OLD ARCHIVES

This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/
   
 
 
Xen 		  
Home Products Support Community News
 
   
 

xen-users

[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

[Xen-users] IPtables "ctstate RELATED,ESTABLISHED" are not working

from [Maik Brauer] [Permanent Link][Original]
To: xen-users@xxxxxxxxxxxxxxxxxxx
Subject: [Xen-users] IPtables "ctstate RELATED,ESTABLISHED" are not working
From: Maik Brauer <mailinglist@xxxxxxxxxxxxxxx>
Date: Sun, 13 May 2007 15:15:58 +0200
Delivery-date: Sun, 13 May 2007 06:14:36 -0700
Envelope-to: www-data@xxxxxxxxxxxxxxxxxx
List-help: <mailto:xen-users-request@lists.xensource.com?subject=help>
List-id: Xen user discussion <xen-users.lists.xensource.com>
List-post: <mailto:xen-users@lists.xensource.com>
List-subscribe: <http://lists.xensource.com/cgi-bin/mailman/listinfo/xen-users>, <mailto:xen-users-request@lists.xensource.com?subject=subscribe>
List-unsubscribe: <http://lists.xensource.com/cgi-bin/mailman/listinfo/xen-users>, <mailto:xen-users-request@lists.xensource.com?subject=unsubscribe>
Sender: xen-users-bounces@xxxxxxxxxxxxxxxxxxx
User-agent: Thunderbird 2.0.0.0 (Macintosh/20070326) 
Hello,
after installing XEN 3.0.4-1 and setting up iptables for that, I've some problems with the ctstate traffic, which is blocked from IPtables. Below a short printout is available from my /var/log/kern.log: 
--------
May 13 17:05:13 debian4 kernel: IN=eth0 OUT= PHYSIN=peth0 PHYSOUT=vif0.0 MAC=00:13:8f:0f:5b:c7:00:04:0e:66:da:c8:08:00 SRC=172.16.76.15 DST=172.16.76.99 LEN=117 TOS=0x00 PREC=0x00 TTL=64 ID=2091 PROTO=UDP SPT=53 DPT=32769 LEN=97 
---------
The DST is my Debian Linux Server and the SRC is the DSL-LAN Router which is connected to the Internet. 

My iptables-config is the following:

debian4:/boot# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination ACCEPT 0 -- anywhere anywhere ACCEPT tcp -- anywhere debian4.xxxxx.net tcp dpt:ssh ACCEPT 0 -- anywhere anywhere ctstate RELATED,ESTABLISHED LOG 0 -- anywhere anywhere LOG level warning DROP 0 -- anywhere anywhere 
Chain FORWARD (policy ACCEPT)
target prot opt source destination 
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
So to avoid that the firewall will block the traffic though the bridge I can use the command: 

sysctl -w net.bridge.bridge-nf-call-iptables="0"
which is working. Then everthing is fine. But this is not the real solution. It should work without this. 
So my question is now, did I forget something or is this a known bug in XEN.

Is anybody who is sharing this problem with me

Thanks
Regards,
Maik Brauer

_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users
[More with this subject...]
<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: [Xen-users] unusable dom0 performance, Nico Kadel-Garcia
Next by Date:  [Xen-users] HVMxen change command is disabled, Mohammad Zohny
Previous by Thread:  [Xen-users] DomU: failed to bring up eth0, Gerhard Wendebourg
Next by Thread:  [Xen-users] IPtables "ctstate RELATED,ESTABLISHED" are not working, Tim Barbour
Indexes:  [Date] [Thread] [Top] [All Lists]
 
   

Copyright , Citrix Systems Inc. All rights reserved. Legal and Privacy