WARNING - OLD ARCHIVES

This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/
xen-users

[Xen-users] IPtables "ctstate RELATED,ESTABLISHED" are not working

To: Maik Brauer <mailinglist@xxxxxxxxxxxxxxx>
Subject: [Xen-users] IPtables "ctstate RELATED,ESTABLISHED" are not working
From: Tim Barbour <trb@xxxxxxxxx>
Date: Sun, 13 May 2007 13:08:39 -0700
Cc: xen-users@xxxxxxxxxxxxxxxxxxx
Comments: Hyperbole mail buttons accepted, v04.18.
Delivery-date: Tue, 15 May 2007 01:48:16 -0700
Envelope-to: www-data@xxxxxxxxxxxxxxxxxx
In-reply-to: <46470F8E.2080807@xxxxxxxxxxxxxxx>
List-help: <mailto:xen-users-request@lists.xensource.com?subject=help>
List-id: Xen user discussion <xen-users.lists.xensource.com>
List-post: <mailto:xen-users@lists.xensource.com>
List-subscribe: <http://lists.xensource.com/cgi-bin/mailman/listinfo/xen-users>, <mailto:xen-users-request@lists.xensource.com?subject=subscribe>
List-unsubscribe: <http://lists.xensource.com/cgi-bin/mailman/listinfo/xen-users>, <mailto:xen-users-request@lists.xensource.com?subject=unsubscribe>
References: <46470F8E.2080807@xxxxxxxxxxxxxxx>
Reply-to: trb@xxxxxxxxx
Sender: xen-users-bounces@xxxxxxxxxxxxxxxxxxx
Maik Brauer writes:
 > after installing XEN 3.0.4-1 and setting up iptables for that, I've some 
 > problems with the ctstate traffic, which is
 > blocked from IPtables. Below a short printout is available from my 
 > /var/log/kern.log:
 > --------
 > May 13 17:05:13 debian4 kernel: IN=eth0 OUT= PHYSIN=peth0 PHYSOUT=vif0.0 
 > MAC=00:13:8f:0f:5b:c7:00:04:0e:66:da:c8:08:00 SRC=172.16.76.15 
 > DST=172.16.76.99 LEN=117 TOS=0x00 PREC=0x00 TTL=64 ID=2091 PROTO=UDP 
 > SPT=53 DPT=32769 LEN=97

I recently upgraded to Xen 3.0.4-1, and encountered the same (or very similar)
problem.

May 13 12:51:25 elysium INPUT IN=eth0 OUT= PHYSIN=peth0 PHYSOUT=vif0.0
MAC=00:0f:ea:43:13:6a:00:14:bf:94:c1:0f:08:00 SRC=199.7.66.1 DST=10.137.1.1
LEN=268 TOS=0x00 PREC=0x00 TTL=58 ID=62618 DF PROTO=UDP SPT=53 DPT=33689 LEN=248

My firewall rules are automatically generated (from a Haskell script), and
worked fine with the earlier version of Xen. The rules are a bit lengthy, so I
have appended a cut-down version of them at the end of this message (the omitted
rules deal with other ports, which should be irrelevant).

 > So to avoid that the firewall will block the traffic though the bridge I 
 > can use the command:
 > 
 > sysctl -w net.bridge.bridge-nf-call-iptables="0"

This also restores traffic for me - thank you.

 > which is working. Then everything is fine. But this is not the real 
 > solution. It should work without this.
 > So my question is now, did I forget something or is this a known bug in XEN.

I have the same question.

 > Is there anybody who is sharing this problem with me?

I think I am.

Tim

---

Chain INPUT (policy ACCEPT 507 packets, 83922 bytes)
 pkts bytes target     prot opt in     out     source               destination 
        
    0     0 DROP       tcp  --  any    any     anywhere             anywhere    
        tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST,PSH,ACK,URG 
    0     0 DROP       tcp  --  any    any     anywhere             anywhere    
        tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST,ACK,URG 
    0     0 DROP       tcp  --  any    any     anywhere             anywhere    
        tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,PSH,URG 
    0     0 DROP       tcp  --  any    any     anywhere             anywhere    
        tcp flags:FIN,SYN,RST,PSH,ACK,URG/NONE 
    0     0 DROP       tcp  --  any    any     anywhere             anywhere    
        tcp flags:SYN,RST/SYN,RST 
    0     0 DROP       tcp  --  any    any     anywhere             anywhere    
        tcp flags:FIN,SYN/FIN,SYN 
 7129 2290K ACCEPT     all  --  any    any     anywhere             anywhere    
        state RELATED,ESTABLISHED 
    2   264 ACCEPT     tcp  --  eth0   any     anywhere             anywhere    
        tcp dpt:ssh limit: avg 3/sec burst 5 
    0     0 ACCEPT     tcp  --  eth0   any     anywhere             anywhere    
        tcp dpt:domain limit: avg 3/sec burst 5 
   68  4154 ACCEPT     udp  --  eth0   any     anywhere             anywhere    
        udp dpt:domain limit: avg 3/sec burst 5 
  266 15992 ACCEPT     all  --  lo     any     anywhere             anywhere    
        /* Accept everything on loop back (lo) */ 
    3   252 ACCEPT     icmp --  any    any     anywhere             anywhere    
        icmp echo-reply limit: avg 3/sec burst 5 
    1    88 ACCEPT     icmp --  any    any     anywhere             anywhere    
        icmp destination-unreachable limit: avg 3/sec burst 5 
    1    84 ACCEPT     icmp --  any    any     anywhere             anywhere    
        icmp echo-request limit: avg 3/sec burst 5 
    0     0 ACCEPT     icmp --  any    any     anywhere             anywhere    
        icmp time-exceeded limit: avg 3/sec burst 5 
   90 15357 LOG        all  --  any    any     anywhere             anywhere    
        LOG level warning prefix `INPUT ' 
   90 15357 DROP       all  --  any    any     anywhere             anywhere    
        

Chain FORWARD (policy ACCEPT 823 packets, 631K bytes)
 pkts bytes target     prot opt in     out     source               destination 
        
    0     0 DROP       tcp  --  any    any     anywhere             anywhere    
        tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST,PSH,ACK,URG 
    0     0 DROP       tcp  --  any    any     anywhere             anywhere    
        tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST,ACK,URG 
    0     0 DROP       tcp  --  any    any     anywhere             anywhere    
        tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,PSH,URG 
    0     0 DROP       tcp  --  any    any     anywhere             anywhere    
        tcp flags:FIN,SYN,RST,PSH,ACK,URG/NONE 
    0     0 DROP       tcp  --  any    any     anywhere             anywhere    
        tcp flags:SYN,RST/SYN,RST 
    0     0 DROP       tcp  --  any    any     anywhere             anywhere    
        tcp flags:FIN,SYN/FIN,SYN 
  139 20954 ACCEPT     all  --  any    any     anywhere             anywhere    
        state RELATED,ESTABLISHED 
   44  3112 ACCEPT     all  --  any    any     anywhere             anywhere    
        PHYSDEV match --physdev-in vif0.0 
    0     0 ACCEPT     all  --  any    any     anywhere             anywhere    
        PHYSDEV match --physdev-in rat.0 
    0     0 ACCEPT     all  --  any    any     anywhere             anywhere    
        PHYSDEV match --physdev-in rat.0 
    0     0 ACCEPT     all  --  any    any     anywhere             anywhere    
        PHYSDEV match --physdev-in pro.0 
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere    
        tcp dpt:ssh PHYSDEV match --physdev-out vif0.0 limit: avg 3/sec burst 5 
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere    
        tcp dpt:domain PHYSDEV match --physdev-out vif0.0 limit: avg 3/sec burst 5 
    1    57 ACCEPT     udp  --  any    any     anywhere             anywhere    
        udp dpt:domain PHYSDEV match --physdev-out vif0.0 limit: avg 3/sec burst 5 
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere    
        tcp dpt:ssh PHYSDEV match --physdev-out rat.0 limit: avg 3/sec burst 5 
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere    
        tcp dpt:ssh PHYSDEV match --physdev-out pro.0 limit: avg 3/sec burst 5 
    0     0 ACCEPT     icmp --  any    any     anywhere             anywhere    
        icmp echo-reply limit: avg 3/sec burst 5 
    0     0 ACCEPT     icmp --  any    any     anywhere             anywhere    
        icmp destination-unreachable limit: avg 3/sec burst 5 
    3   252 ACCEPT     icmp --  any    any     anywhere             anywhere    
        icmp echo-request limit: avg 3/sec burst 5 
    0     0 ACCEPT     icmp --  any    any     anywhere             anywhere    
        icmp time-exceeded limit: avg 3/sec burst 5 
    9  1161 LOG        all  --  any    any     anywhere             anywhere    
        LOG level warning prefix `FORWARD ' 
    9  1161 DROP       all  --  any    any     anywhere             anywhere    
        

Chain OUTPUT (policy ACCEPT 470 packets, 560K bytes)
 pkts bytes target     prot opt in     out     source               destination 
        
 7819 4710K ACCEPT     all  --  any    any     anywhere             anywhere    
        

_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users
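Whether the dropped packets really are bridge-traversing replies that conntrack failed to match can be read off the LOG lines themselves. The script below is an added example (it is not code from this thread, from Tim, from Maik or from Xen) that parses netfilter LOG output of the kind quoted above: it separates bridged packets (PHYSIN/PHYSOUT are only present when br_netfilter handed the frame to iptables, i.e. net.bridge.bridge-nf-call-iptables=1) from plainly routed ones, and flags UDP packets shaped like a reply to a locally originated query (well-known source port, ephemeral destination port), which a working "state RELATED,ESTABLISHED" rule should have accepted before the LOG/DROP rules were reached. The first two sample lines are copied from the thread; the third is a constructed, non-bridged TCP line added for contrast. The 1024 ephemeral-port boundary is an assumption for triage, not a conntrack rule. One caveat worth keeping in mind when reaching for the sysctl workaround: with bridge-nf-call-iptables=0, br_netfilter stops passing bridged frames to iptables altogether, so the PHYSDEV rules in the FORWARD chain above no longer see any domU traffic; a tool like this lets you confirm that the logged drops are bridged replies before you switch off filtering for the whole bridge.

```python
"""Triage netfilter LOG lines: which drops are bridged, and which look like
replies that RELATED,ESTABLISHED should have matched.  Added example."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# First two lines copied from the thread; third line constructed for contrast
# (routed, non-bridged TCP SYN on a hypothetical eth1).
SAMPLE_LOG = """\
May 13 17:05:13 debian4 kernel: IN=eth0 OUT= PHYSIN=peth0 PHYSOUT=vif0.0 MAC=00:13:8f:0f:5b:c7:00:04:0e:66:da:c8:08:00 SRC=172.16.76.15 DST=172.16.76.99 LEN=117 TOS=0x00 PREC=0x00 TTL=64 ID=2091 PROTO=UDP SPT=53 DPT=32769 LEN=97
May 13 12:51:25 elysium INPUT IN=eth0 OUT= PHYSIN=peth0 PHYSOUT=vif0.0 MAC=00:0f:ea:43:13:6a:00:14:bf:94:c1:0f:08:00 SRC=199.7.66.1 DST=10.137.1.1 LEN=268 TOS=0x00 PREC=0x00 TTL=58 ID=62618 DF PROTO=UDP SPT=53 DPT=33689 LEN=248
May 13 12:52:00 elysium INPUT IN=eth1 OUT= MAC=00:0f:ea:43:13:6a:00:14:bf:94:c1:0f:08:00 SRC=192.0.2.10 DST=10.137.1.1 LEN=60 TOS=0x00 PREC=0x00 TTL=50 ID=1 DF PROTO=TCP SPT=4444 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
"""

EPHEMERAL_START = 1024  # assumption: ports >= 1024 treated as client-side ports

# syslog header: "Mon DD HH:MM:SS host [kernel:]"; what follows is the LOG prefix
_SYSLOG_HEAD = re.compile(r"^\w{3}\s+\d+\s+[\d:]+\s+\S+\s+(?:kernel:\s*)?")


@dataclass
class LogEntry:
    prefix: str                          # iptables --log-prefix text, if any
    fields: Dict[str, str]               # KEY=VALUE tokens (first occurrence wins)
    flags: List[str]                     # bare tokens such as DF, SYN, ACK
    ip_len: Optional[int]                # first LEN= (IP total length)
    l4_len: Optional[int]                # second LEN= (UDP length), if present
    mac: Optional[Tuple[str, str, str]]  # (dst MAC, src MAC, ethertype)

    @property
    def bridged(self) -> bool:
        # PHYSIN/PHYSOUT only appear when br_netfilter passed the frame to iptables
        return "PHYSIN" in self.fields or "PHYSOUT" in self.fields

    @property
    def bridge_path(self) -> Optional[Tuple[str, str]]:
        if not self.bridged:
            return None
        return (self.fields.get("PHYSIN", ""), self.fields.get("PHYSOUT", ""))


def _split_mac(raw: str) -> Optional[Tuple[str, str, str]]:
    """MAC= carries dst(6) : src(6) : ethertype(2) as 14 colon-separated octets."""
    octets = raw.split(":")
    if len(octets) != 14:
        return None
    return (":".join(octets[0:6]), ":".join(octets[6:12]), "".join(octets[12:14]))


def parse_log_line(line: str) -> LogEntry:
    marker = line.find("IN=")
    if marker < 0:
        raise ValueError("not a netfilter LOG line: %r" % line)
    head = line[:marker]
    prefix = _SYSLOG_HEAD.sub("", head, count=1).strip()
    fields: Dict[str, str] = {}
    flags: List[str] = []
    lens: List[int] = []
    for tok in line[marker:].split():
        if "=" in tok:
            key, value = tok.split("=", 1)   # "OUT=" yields an empty value
            if key == "LEN":
                lens.append(int(value))
            fields.setdefault(key, value)
        else:
            flags.append(tok)
    return LogEntry(prefix, fields, flags,
                    lens[0] if lens else None,
                    lens[1] if len(lens) > 1 else None,
                    _split_mac(fields["MAC"]) if "MAC" in fields else None)


def looks_like_reply(entry: LogEntry) -> bool:
    """UDP from a well-known service port to an ephemeral port: the shape of a
    reply to a query that dom0 or a domU behind the bridge sent itself."""
    f = entry.fields
    if f.get("PROTO") != "UDP":
        return False
    try:
        spt, dpt = int(f.get("SPT", -1)), int(f.get("DPT", -1))
    except ValueError:
        return False
    return 0 <= spt < EPHEMERAL_START <= dpt


@dataclass
class Verdict:
    entry: LogEntry
    bridged: bool
    reply_like: bool
    note: str


def triage_line(line: str) -> Verdict:
    entry = parse_log_line(line)
    bridged, reply = entry.bridged, looks_like_reply(entry)
    if bridged and reply:
        note = ("reply crossed the bridge (%s -> %s) and still reached the LOG rule: "
                "RELATED,ESTABLISHED did not match it" % entry.bridge_path)
    elif bridged:
        note = "bridged packet, not reply-shaped; expected to be policed by the chain"
    elif reply:
        note = "routed reply not matched by conntrack; br_netfilter not involved"
    else:
        note = "routed packet, not reply-shaped"
    return Verdict(entry, bridged, reply, note)


def triage(text: str) -> List[Verdict]:
    return [triage_line(l) for l in text.splitlines() if "IN=" in l]


if __name__ == "__main__":
    for v in triage(SAMPLE_LOG):
        f = v.entry.fields
        print("%-6s %s:%s -> %s:%s  %s" % (v.entry.prefix or "-", f.get("SRC"),
              f.get("SPT"), f.get("DST"), f.get("DPT"), v.note))
```

Run it against /var/log/kern.log (or `dmesg` output) instead of SAMPLE_LOG: if every logged drop is both bridged and reply-shaped, the problem is confined to the br_netfilter path and the RELATED,ESTABLISHED rule, and a narrower fix than disabling bridge-nf-call-iptables for all bridged traffic can be evaluated.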
