This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/


Re: [Xen-users] Issues with Xen and iptables

To: Rainer Sokoll <rainer@xxxxxxxxxx>
Subject: Re: [Xen-users] Issues with Xen and iptables
From: "Fajar A. Nugraha" <fajar@xxxxxxxxx>
Date: Fri, 29 Jan 2010 20:34:39 +0700
Cc: xen-users@xxxxxxxxxxxxxxxxxxx
Delivery-date: Fri, 29 Jan 2010 05:35:17 -0800
Envelope-to: www-data@xxxxxxxxxxxxxxxxxxx
In-reply-to: <20100129092932.GB4838@xxxxxxxxxxxxxx>
List-help: <mailto:xen-users-request@lists.xensource.com?subject=help>
List-id: Xen user discussion <xen-users.lists.xensource.com>
List-post: <mailto:xen-users@lists.xensource.com>
List-subscribe: <http://lists.xensource.com/mailman/listinfo/xen-users>, <mailto:xen-users-request@lists.xensource.com?subject=subscribe>
List-unsubscribe: <http://lists.xensource.com/mailman/listinfo/xen-users>, <mailto:xen-users-request@lists.xensource.com?subject=unsubscribe>
References: <20100129092932.GB4838@xxxxxxxxxxxxxx>
Sender: xen-users-bounces@xxxxxxxxxxxxxxxxxxx
On Fri, Jan 29, 2010 at 4:29 PM, Rainer Sokoll <rainer@xxxxxxxxxx> wrote:
> So my question is: are there issues with netfilter and Xen (in my case,
> still 3.1)?
> Any hint is appreciated,

I don't quite understand what you're trying to achieve (why are you
using NAT over VPN?), but here are some general pointers:
- the best practice is to run as few services as possible on dom0. I
usually use a dedicated domU if I need a router/firewall.
- having dom0 as firewall can be a little complicated (although
possible) when you use the default bridged setup due to device name
changes. I usually use OS networking scripts to create bridges. Also
be careful about filtering bridged traffic.
- looking at your SNAT example, it might be easier to simply use
MASQUERADE. For example, this is what network-manager does when you
create an ad-hoc wireless network: /sbin/iptables --table nat --insert
POSTROUTING --source --destination ! --jump MASQUERADE
- openvpn works just fine on dom0 or domU. Same setup (choice of
tun/tap, bridge setup, etc.) that you'd do on a normal box.
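The following script is an added example for the pointers above; it is not from the original thread or from Xen or network-manager. It builds the MASQUERADE rule in the shape the reply quotes (with the addresses that are blank in the archived mail replaced by a constructed 10.0.0.0/24 subnet leaving via eth0), adds matching FORWARD rules so the NAT box only forwards traffic the LAN initiated, and checks the bridge-nf-call-iptables sysctl that decides whether frames crossing a Xen bridge are also run through the iptables FORWARD chain. Rules are printed by default (DRY_RUN=1) and only applied with DRY_RUN=0 on a box where you actually want them.

```shell
#!/bin/sh
# Added example (not from the original thread): NAT and forward rules with
# MASQUERADE instead of a fixed-address SNAT, plus the bridged-traffic check.
# Assumptions (constructed for the example): the guest/VPN side uses
# 10.0.0.0/24 and leaves via eth0; nothing here is a real site's config.
#
# Dry-run is the default: rules are printed, not applied. DRY_RUN=0 applies
# them with the real iptables binary (requires root on the firewall box).

IPT=${IPT:-iptables}
DRY_RUN=${DRY_RUN:-1}

# Print the command in dry-run mode, execute it otherwise.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "$IPT $*"
    else
        "$IPT" "$@"
    fi
}

# nat_rule LAN OUT_IF: the rule the reply quotes from network-manager, with
# the elided addresses filled in by our constructed subnet.
# MASQUERADE picks the current address of OUT_IF at packet time, so it keeps
# working when the outgoing interface or the VPN endpoint address changes;
# SNAT --to-source would have to be rewritten on every such change.
nat_rule() {
    lan=$1; out_if=$2
    run -t nat -A POSTROUTING -s "$lan" ! -d "$lan" -o "$out_if" -j MASQUERADE
}

# forward_rules LAN OUT_IF: let the LAN initiate, accept only reply traffic
# back in, drop the rest so the NAT box does not forward everything.
forward_rules() {
    lan=$1; out_if=$2
    run -A FORWARD -s "$lan" -o "$out_if" -j ACCEPT
    run -A FORWARD -i "$out_if" -d "$lan" -m state --state ESTABLISHED,RELATED -j ACCEPT
    run -A FORWARD -j DROP
}

# bridge_filter_status: the "be careful about filtering bridged traffic"
# caveat. When br_netfilter is loaded and this sysctl is 1, frames crossing
# the Xen bridge (domU to domU, dom0 to domU) go through the iptables FORWARD
# chain too, so the DROP rule above would also cut guests off from each other.
# Prints "on", "off" or "absent" (no bridge netfilter support loaded).
bridge_filter_status() {
    f=/proc/sys/net/bridge/bridge-nf-call-iptables
    if [ ! -r "$f" ]; then
        echo absent
    elif [ "$(cat "$f")" = 1 ]; then
        echo on
    else
        echo off
    fi
}

# Rule set for the constructed subnet; printed unless DRY_RUN=0.
nat_rule 10.0.0.0/24 eth0
forward_rules 10.0.0.0/24 eth0
echo "bridge-nf-call-iptables: $(bridge_filter_status)"
```

If bridge_filter_status prints "on" and the firewall lives on dom0, either set the sysctl to 0 so bridged guest traffic is not filtered by the FORWARD chain, or add explicit ACCEPT rules for the bridge interface ahead of the DROP; in a dedicated router domU, as the reply recommends, the question does not arise.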


Xen-users mailing list
