WARNING - OLD ARCHIVES

This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/
xen-users

[Xen-users] IPtables "ctstate RELATED,ESTABLISHED" are not working

To: xen-users@xxxxxxxxxxxxxxxxxxx
Subject: [Xen-users] IPtables "ctstate RELATED,ESTABLISHED" are not working
From: Maik Brauer <mailinglist@xxxxxxxxxxxxxxx>
Date: Sun, 13 May 2007 15:15:58 +0200
Delivery-date: Sun, 13 May 2007 06:14:36 -0700
Envelope-to: www-data@xxxxxxxxxxxxxxxxxx
List-help: <mailto:xen-users-request@lists.xensource.com?subject=help>
List-id: Xen user discussion <xen-users.lists.xensource.com>
List-post: <mailto:xen-users@lists.xensource.com>
List-subscribe: <http://lists.xensource.com/cgi-bin/mailman/listinfo/xen-users>, <mailto:xen-users-request@lists.xensource.com?subject=subscribe>
List-unsubscribe: <http://lists.xensource.com/cgi-bin/mailman/listinfo/xen-users>, <mailto:xen-users-request@lists.xensource.com?subject=unsubscribe>
Sender: xen-users-bounces@xxxxxxxxxxxxxxxxxxx
User-agent: Thunderbird 2.0.0.0 (Macintosh/20070326)
Hello,

after installing XEN 3.0.4-1 and setting up iptables for it, I have some problems with the ctstate traffic, which is blocked by iptables. Below is a short excerpt from my /var/log/kern.log:
--------
May 13 17:05:13 debian4 kernel: IN=eth0 OUT= PHYSIN=peth0 PHYSOUT=vif0.0 MAC=00:13:8f:0f:5b:c7:00:04:0e:66:da:c8:08:00 SRC=172.16.76.15 DST=172.16.76.99 LEN=117 TOS=0x00 PREC=0x00 TTL=64 ID=2091 PROTO=UDP SPT=53 DPT=32769 LEN=97
---------
The DST is my Debian Linux Server and the SRC is the DSL-LAN Router which is connected to the Internet.

My iptables-config is the following:

debian4:/boot# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     0    --  anywhere             anywhere
ACCEPT     tcp  --  anywhere             debian4.xxxxx.net    tcp dpt:ssh
ACCEPT     0    --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
LOG        0    --  anywhere             anywhere             LOG level warning
DROP       0    --  anywhere             anywhere

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

So to avoid the firewall blocking the traffic through the bridge I can use the command:

sysctl -w net.bridge.bridge-nf-call-iptables="0"


which is working. Then everything is fine. But this is not the real solution. It should work without this.
So my question now is: did I forget something, or is this a known bug in XEN?

Is anybody sharing this problem with me?

Thanks
Regards,
Maik Brauer

_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users
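The logged line above already carries the two facts that matter for diagnosing this: the PHYSIN/PHYSOUT fields appear only when a packet reached iptables through the bridge (which is what bridge-nf-call-iptables controls), and a UDP packet with source port 53 is almost certainly a DNS reply that the ctstate RELATED,ESTABLISHED rule should have matched. The following parser is an added example, not part of this thread or of Xen; it pulls those fields out of kern.log-style lines so you can see at a glance which dropped packets were bridged. The first sample line is the one quoted in the mail; the other two are constructed for contrast.

```python
import re
from typing import Dict, List

# Constructed sample: line 1 is the post's kern.log entry, lines 2-3 are made up.
SAMPLE_LOG = """\
May 13 17:05:13 debian4 kernel: IN=eth0 OUT= PHYSIN=peth0 PHYSOUT=vif0.0 MAC=00:13:8f:0f:5b:c7:00:04:0e:66:da:c8:08:00 SRC=172.16.76.15 DST=172.16.76.99 LEN=117 TOS=0x00 PREC=0x00 TTL=64 ID=2091 PROTO=UDP SPT=53 DPT=32769 LEN=97
May 13 17:06:01 debian4 kernel: IN=eth0 OUT= MAC=00:13:8f:0f:5b:c7:00:04:0e:66:da:c8:08:00 SRC=172.16.76.15 DST=172.16.76.99 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1 PROTO=TCP SPT=40000 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
May 13 17:06:02 debian4 sshd[1234]: Accepted publickey for root
"""

# iptables LOG output is a sequence of KEY=VALUE tokens; VALUE may be empty (OUT=).
FIELD_RE = re.compile(r"([A-Z]+)=(\S*)")


def parse_log_line(line: str) -> Dict[str, str]:
    """Return the KEY=VALUE fields of one iptables LOG line, or {} if it is not one."""
    if "kernel:" not in line or "SRC=" not in line:
        return {}
    fields: Dict[str, str] = {}
    for key, value in FIELD_RE.findall(line.split("kernel:", 1)[1]):
        # LEN occurs twice (IP total length, then UDP length); keep the IP one.
        fields.setdefault(key, value)
    return fields


def analyse(log_text: str) -> List[Dict[str, object]]:
    """Summarise each logged packet: was it bridged, and does it look like a DNS reply?"""
    rows: List[Dict[str, object]] = []
    for line in log_text.splitlines():
        f = parse_log_line(line)
        if not f:
            continue
        rows.append({
            "src": f.get("SRC"), "dst": f.get("DST"), "proto": f.get("PROTO"),
            # PHYSIN/PHYSOUT are set only for packets that traversed the bridge.
            "bridged": bool(f.get("PHYSIN") or f.get("PHYSOUT")),
            "physin": f.get("PHYSIN", ""), "physout": f.get("PHYSOUT", ""),
            # Heuristic: UDP from port 53 is a reply to a query this host sent,
            # so conntrack should have classified it as ESTABLISHED.
            "dns_reply": f.get("PROTO") == "UDP" and f.get("SPT") == "53",
        })
    return rows


if __name__ == "__main__":
    for row in analyse(SAMPLE_LOG):
        print(row)
```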
