This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/


RE: [Xen-users] iptables problem

To: "'Sergey Smirnov'" <sergey.a.smirnov@xxxxxxxxx>, "'Ivan Lisenkov'" <ivan@xxxxxxxxx>
Subject: RE: [Xen-users] iptables problem
From: "Dustin Henning" <Dustin.Henning@xxxxxxxxxxx>
Date: Wed, 14 Oct 2009 11:51:11 -0400
Cc: xen-users@xxxxxxxxxxxxxxxxxxx
Delivery-date: Wed, 14 Oct 2009 08:52:06 -0700
Envelope-to: www-data@xxxxxxxxxxxxxxxxxxx
In-reply-to: <d85efea30910140837k7bd26bc0gf3dd5911c755db15@xxxxxxxxxxxxxx>
List-help: <mailto:xen-users-request@lists.xensource.com?subject=help>
List-id: Xen user discussion <xen-users.lists.xensource.com>
List-post: <mailto:xen-users@lists.xensource.com>
List-subscribe: <http://lists.xensource.com/mailman/listinfo/xen-users>, <mailto:xen-users-request@lists.xensource.com?subject=subscribe>
List-unsubscribe: <http://lists.xensource.com/mailman/listinfo/xen-users>, <mailto:xen-users-request@lists.xensource.com?subject=unsubscribe>
Organization: PRD, Inc.
References: <47e279b60910130331ib80c667q55e73969a5efda66@xxxxxxxxxxxxxx> <d85efea30910140837k7bd26bc0gf3dd5911c755db15@xxxxxxxxxxxxxx>
Reply-to: Dustin.Henning@xxxxxxxxxxx
Sender: xen-users-bounces@xxxxxxxxxxxxxxxxxxx
Thread-index: AcpM5GaJ+FhsHVR/QICK/APx48FU+wAAUS5w
Depending on your security needs, and the constraints of your kernel, a 
simpler, potentially less resource-intensive solution might be adding this line 
to the iptables configuration:

-A FORWARD -m physdev  --physdev-is-bridged -j ACCEPT

I use this setup, but I manage all of the domUs on that machine, so they don't 
need to be restricted at the bridge level.


From: xen-users-bounces@xxxxxxxxxxxxxxxxxxx 
[mailto:xen-users-bounces@xxxxxxxxxxxxxxxxxxx] On Behalf Of Sergey Smirnov
Sent: Wednesday, October 14, 2009 11:37
To: Ivan Lisenkov
Cc: xen-users@xxxxxxxxxxxxxxxxxxx
Subject: Re: [Xen-users] iptables problem

Hi Ivan,

maybe you should add the permanent rules at the bottom of your iptables 
configuration, like this:

-A FORWARD --source domU_ip --jump ACCEPT
-A FORWARD --destination domU_ip --jump ACCEPT

so it will work at any time, without the additional rules added by the xen scripts.
I use the same configuration.

On Tue, Oct 13, 2009 at 2:31 PM, Ivan Lisenkov <ivan@xxxxxxxxx> wrote:
Dear xen users,

I am using Xen 3.3.1 on openSUSE 11.1. After creating a domU with 2 NICs, two 
iptables rules are created by default:

-A FORWARD -s XX.XX.XX.24/32 -m physdev  --physdev-in vif77.0 -j ACCEPT
-A FORWARD -p udp -m physdev  --physdev-in vif77.0 -m udp --sport 68 --dport 67 
-A FORWARD -s XX.XX.XX.25/32 -m physdev  --physdev-in vif77.1 -j ACCEPT
-A FORWARD -p udp -m physdev  --physdev-in vif77.1 -m udp --sport 68 --dport 67 

The rules seem logical, but one of them does not work! I can't ping XX.XX.XX.24 
from outside. But if I change the rule manually to:

-A FORWARD -s -m physdev  --physdev-in vif77.1 -j ACCEPT

everything works. This seems illogical, because the first IP is bound to the second 
NIC, but it works. The problem is that I have to change the rules every time I reboot 

Any ideas how to fix it?

Xen-users mailing list

Serg Smirnov
email/xmpp: Sergey.A.Smirnov@xxxxxxxxx

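To make the trade-off between the three rulesets in this thread concrete, here is a small Python model of how the FORWARD chain evaluates the matches they use (`-s`, `--physdev-in`, `--physdev-is-bridged`, `-p udp --sport 68 --dport 67`). This is an added example written for this archive page; it is not code from the thread, from Xen's vif scripts, or from iptables. It assumes the explanation Ivan's working rule implies: frames carrying the first NIC's address leave the domU through vif77.1, so the per-vif rule for vif77.0 never sees them. The addresses 192.0.2.24/25 and 203.0.113.1 are constructed RFC 5737 stand-ins for the XX.XX.XX.24/25 and "outside" host in the post; the vif names are the post's own.

```python
"""Toy model of iptables FORWARD-chain evaluation for bridged Xen vifs.

Added example for the xen-users thread; not Xen's or iptables' code.
Only the matches used in the thread are modelled, so the three rulesets
(Xen's per-vif defaults, Sergey's per-IP rules, Dustin's blanket
--physdev-is-bridged rule) can be compared on identical packets.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional

# Constructed addresses (RFC 5737), standing in for XX.XX.XX.24/25.
DOMU_NIC0_IP = "192.0.2.24"
DOMU_NIC1_IP = "192.0.2.25"
OUTSIDE_HOST = "203.0.113.1"


@dataclass
class Packet:
    src: str                       # source IP as seen on the bridge
    physdev_in: str                # bridge port the frame arrived on, e.g. vif77.1
    dst: str = OUTSIDE_HOST
    bridged: bool = True           # frame is bridged, not routed through dom0
    proto: str = "icmp"
    sport: Optional[int] = None
    dport: Optional[int] = None


@dataclass
class Rule:
    """One '-A FORWARD ... -j <target>' line, reduced to the matches it uses."""
    target: str                           # ACCEPT or DROP
    src: Optional[str] = None             # -s a.b.c.d/32
    dst: Optional[str] = None             # -d a.b.c.d/32
    physdev_in: Optional[str] = None      # -m physdev --physdev-in vifN.M
    is_bridged: bool = False              # -m physdev --physdev-is-bridged
    proto: Optional[str] = None           # -p udp
    sport: Optional[int] = None           # --sport
    dport: Optional[int] = None           # --dport

    def matches(self, p: Packet) -> bool:
        if self.src is not None and ip_address(p.src) not in ip_network(self.src):
            return False
        if self.dst is not None and ip_address(p.dst) not in ip_network(self.dst):
            return False
        if self.physdev_in is not None and p.physdev_in != self.physdev_in:
            return False
        if self.is_bridged and not p.bridged:
            return False
        if self.proto is not None and p.proto != self.proto:
            return False
        if self.sport is not None and p.sport != self.sport:
            return False
        if self.dport is not None and p.dport != self.dport:
            return False
        return True


def forward_verdict(rules: List[Rule], p: Packet, policy: str = "DROP") -> str:
    """First matching rule decides; otherwise the chain policy applies."""
    for rule in rules:
        if rule.matches(p):
            return rule.target
    return policy


# 1. The per-vif rules the Xen scripts created in Ivan's post.
XEN_DEFAULT = [
    Rule("ACCEPT", src=DOMU_NIC0_IP + "/32", physdev_in="vif77.0"),
    Rule("ACCEPT", physdev_in="vif77.0", proto="udp", sport=68, dport=67),
    Rule("ACCEPT", src=DOMU_NIC1_IP + "/32", physdev_in="vif77.1"),
    Rule("ACCEPT", physdev_in="vif77.1", proto="udp", sport=68, dport=67),
]

# 2. Sergey's permanent per-IP rules (source and destination, no vif binding).
PER_IP = [Rule("ACCEPT", src=ip + "/32") for ip in (DOMU_NIC0_IP, DOMU_NIC1_IP)] + \
         [Rule("ACCEPT", dst=ip + "/32") for ip in (DOMU_NIC0_IP, DOMU_NIC1_IP)]

# 3. Dustin's single rule: accept everything that is being bridged.
IS_BRIDGED = [Rule("ACCEPT", is_bridged=True)]


def compare(p: Packet) -> Dict[str, str]:
    """Verdict of each ruleset for one packet, chain policy DROP."""
    return {
        "xen-default": forward_verdict(XEN_DEFAULT, p),
        "per-ip": forward_verdict(PER_IP, p),
        "is-bridged": forward_verdict(IS_BRIDGED, p),
    }


if __name__ == "__main__":
    # The case from the post: NIC0's address leaving through vif77.1.
    print("24 via vif77.1:", compare(Packet(DOMU_NIC0_IP, "vif77.1")))
    # A source address that belongs to neither NIC, sent from vif77.1.
    print("spoofed via vif77.1:", compare(Packet("192.0.2.99", "vif77.1")))
```

The first case reproduces the thread: the per-vif default drops the frame because `--physdev-in vif77.0` does not match, while both replacements accept it. The second case is the cost Dustin's "depending on your security needs" refers to: the blanket `--physdev-is-bridged` rule also forwards frames whose source address belongs to no domU on that vif, which the per-vif and per-IP rules would drop.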
