This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/


Re: [Xen-users] iptables problem

To: Ivan Lisenkov <ivan@xxxxxxxxx>
Subject: Re: [Xen-users] iptables problem
From: Sergey Smirnov <sergey.a.smirnov@xxxxxxxxx>
Date: Wed, 14 Oct 2009 19:37:10 +0400
Cc: xen-users@xxxxxxxxxxxxxxxxxxx
Delivery-date: Wed, 14 Oct 2009 08:38:32 -0700
In-reply-to: <47e279b60910130331ib80c667q55e73969a5efda66@xxxxxxxxxxxxxx>
References: <47e279b60910130331ib80c667q55e73969a5efda66@xxxxxxxxxxxxxx>
Hi Ivan,

maybe you should add the permanent rules at the bottom of your iptables configuration, like this:

-A FORWARD --source domU_ip --jump ACCEPT
-A FORWARD --destination domU_ip --jump ACCEPT

so it will work at any time without the additional rules added by the xen scripts.
I use the same configuration.

On Tue, Oct 13, 2009 at 2:31 PM, Ivan Lisenkov <ivan@xxxxxxxxx> wrote:
Dear xen users,

I am using xen 3.3.1 on opensuse 11.1. After creating a domU with 2 nics two iptables rules are created by default:

-A FORWARD -s XX.XX.XX.24/32 -m physdev  --physdev-in vif77.0 -j ACCEPT
-A FORWARD -p udp -m physdev  --physdev-in vif77.0 -m udp --sport 68 --dport 67 -j ACCEPT
-A FORWARD -s XX.XX.XX.25/32 -m physdev  --physdev-in vif77.1 -j ACCEPT
-A FORWARD -p udp -m physdev  --physdev-in vif77.1 -m udp --sport 68 --dport 67 -j ACCEPT

The rules seem logical, but one of them does not work! I can't ping XX.XX.XX.24 from outside. But if I change the rule manually to:

-A FORWARD -s XX.XX.XX.24/32 -m physdev  --physdev-in vif77.1 -j ACCEPT

everything works. This seems illogical, because the first ip is bound to the second nic, but it works. The problem is that I have to change the rules every time I reboot the domU.

Any ideas how to fix it?

Xen-users mailing list

Serg Smirnov
email/xmpp: Sergey.A.Smirnov@xxxxxxxxx
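As an added example (not code from either message in this thread), a small POSIX shell audit of an iptables-save dump: it lists the FORWARD ACCEPT rules that match on a source address without a --physdev-in match, which is what the permanent rules suggested above look like, and the address-to-vif pairs that are still pinned, so you can see at a glance which addresses the bridge will accept from any vif. The dump is constructed, with 192.0.2.x standing in for the XX.XX.XX.24/25 addresses of the thread.

```shell
#!/bin/sh
# Constructed sample of `iptables-save -t filter` output (addresses are
# RFC 5737 documentation addresses, not taken from the thread).
# iptables-save always writes the short option forms (-s, -d, -j).
SAMPLE_RULES='*filter
:FORWARD ACCEPT [0:0]
-A FORWARD -s 192.0.2.24/32 -m physdev --physdev-in vif77.0 -j ACCEPT
-A FORWARD -p udp -m physdev --physdev-in vif77.0 -m udp --sport 68 --dport 67 -j ACCEPT
-A FORWARD -s 192.0.2.25/32 -m physdev --physdev-in vif77.1 -j ACCEPT
-A FORWARD -s 192.0.2.24/32 -j ACCEPT
-A FORWARD -d 192.0.2.24/32 -j ACCEPT
COMMIT'

# Print the source of every FORWARD ACCEPT rule that has no --physdev-in
# match: such a rule accepts that address from any vif on the bridge.
unpinned_sources() {
    printf '%s\n' "$1" | awk '
        /^-A FORWARD / && /-j ACCEPT/ && (/ -s / || / --source /) && !/--physdev-in/ {
            for (i = 1; i <= NF; i++)
                if ($i == "-s" || $i == "--source") print $(i + 1)
        }'
}

# Print "<vif> <source>" for every source rule that is pinned to a vif,
# to compare the address-to-vif mapping with the guest configuration.
pinned_sources() {
    printf '%s\n' "$1" | awk '
        /^-A FORWARD / && (/ -s / || / --source /) && /--physdev-in/ {
            s = ""; v = ""
            for (i = 1; i <= NF; i++) {
                if ($i == "-s" || $i == "--source") s = $(i + 1)
                if ($i == "--physdev-in") v = $(i + 1)
            }
            print v, s
        }'
}

echo "accepted from any vif:"; unpinned_sources "$SAMPLE_RULES"
echo "pinned to a vif:";       pinned_sources "$SAMPLE_RULES"
```

Replace SAMPLE_RULES with the real dump (`iptables-save -t filter`) to audit a running dom0.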
