
Re: [Xen-devel] Network issues with SuSE firewall


  • To: xen-devel@xxxxxxxxxxxxxxxxxxxxx
  • From: "Gregory Newby" <newby@xxxxxxxx>
  • Date: Fri, 7 Nov 2003 15:30:17 -0900
  • Delivery-date: Sat, 08 Nov 2003 00:31:34 +0000
  • List-id: List for Xen developers <xen-devel.lists.sourceforge.net>

On Fri, Nov 07, 2003 at 10:53:59PM +0000, Ian Pratt wrote:
> 
> > > I'm afraid I'm not entirely surprised that xen_nat_enable doesn't
> > > play well with your firewall. 
> > 
> > I'll do a little more diagnosis in the future.  What I think
> > happened, though, is that the NAT's nat* rules somehow discarded
> > the filter* rules.  I was also getting some complaints about
> > mangle* needing to load the iptables module, which was not found
> > (this was when I was trying to re-add my default rules).
> 
> I fear the xen_nat_enable script basically does a 'flush all
> rules' to start with. Someone who understands iptables better
> should be able to fix this...

Aha....easy to do.  I just commented out the lines that flush
the existing filter rules in xen_nat_enable:

# run_iptables -t filter -F
# run_iptables -t filter -X

I can now run xen_nat_enable and it leaves my existing filter
rules in place.  The existing filter rules are extremely
permissive.

> > 2) Hmmm -- this does not work.  Any quick guess what to try fixing?
> 
> > $ xenctl domain list
> > id: 0 (Domain-0)
> >   processor: 0
> >   has cpu: true
> >   state: 0 active
> >   mcu advance: 10
> >   total pages: 192000
> > id: 2 (XenoLinux)
> >   processor: 0
> >   has cpu: false
> >   state: 1 stopped
> >   mcu advance: 10
> >   total pages: 24576
> 
> Did you start a domain 1 that then exited? 

Yes, I had domain 1 that I stopped then killed.
After starting domain 2, I still can't connect.  Details below.

> The IP address of your currently running domain (id: 2) should
> be 169.254.1.2
> 
> "state: 1 stopped" doesn't look good, though. Have you actually
> "xenctl domain start"'ed the domain?

$ xenctl script -f/etc/xen-mydom  (the default script)
$ xenctl domain start -n2
$ xenctl domain list
id: 0 (Domain-0)
  processor: 0
  has cpu: true
  state: 0 active
  mcu advance: 10
  total pages: 192000
id: 2 (XenoLinux)
  processor: 0
  has cpu: false
  state: 0 active
  mcu advance: 10
  total pages: 24576

$ ifconfig eth0:0
eth0:0    Link encap:Ethernet  HWaddr 00:B0:D0:DF:FA:ED  
          inet addr:169.254.1.0  Bcast:169.254.255.255  Mask:255.255.0.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1

(I'll use raw telnet to better diagnose the failures):
The system I'm using is 137.229.71.6, statically assigned.

works:          telnet 169.254.1.0 22
times out:      telnet 169.254.1.2 22
connection refused:  telnet 169.254.1.0 2202
connection refused:  telnet 137.229.71.6 2202

It looks to me like either the built-in firewall is blocking incoming
access at 169.254.1.2 (the virtual domain), or the virtual domain is
simply unable to access the network connection.

As I mentioned in my other message, it would be great to be able to
see console messages, but they are either being firewalled or
otherwise redirected.
  -- Greg
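The fix above (commenting out the two filter-table flush lines) is the right instinct: a NAT-enable script should only touch the nat table, and it should be safe to re-run without wiping whatever host firewall is already loaded. The script below is an added illustration of that pattern and is not the xen_nat_enable script from the Xen tree (whose full contents are not shown here); the helper names, the 169.254.0.0/16 subnet and the eth0 interface are assumptions chosen to match the addresses in this thread. With DRY_RUN=1 it prints the iptables commands instead of running them, so the rule set can be reviewed on a host without root or iptables, and check_no_filter_flush verifies that no "-t filter -F" or "-t filter -X" appears in what would be executed.

```shell
#!/bin/sh
# Added example, not the original xen_nat_enable: NAT rules that leave the
# filter table alone and are idempotent. Subnet/interface values are assumed.

# Wrapper: with DRY_RUN=1 print the command instead of executing it, so the
# generated rule set can be reviewed (or tested) without root or iptables.
run_iptables() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

# Append a rule only if it is not already present: 'iptables -C' returns 0
# when an identical rule exists. Re-running the script then adds nothing
# and never needs a flush to avoid duplicates.
# usage: ensure_rule <table> <chain> <rule spec...>
ensure_rule() {
    table=$1; chain=$2; shift 2
    if [ "${DRY_RUN:-0}" = "1" ]; then
        run_iptables -t "$table" -A "$chain" "$@"
        return 0
    fi
    if ! iptables -t "$table" -C "$chain" "$@" 2>/dev/null; then
        run_iptables -t "$table" -A "$chain" "$@"
    fi
}

# NAT the guest subnet out of the external interface.
# usage: xen_nat_rules <subnet> <external interface>
xen_nat_rules() {
    subnet=$1   # assumed: 169.254.0.0/16 (the eth0:0 alias in the thread)
    ext_if=$2   # assumed: eth0
    # Any flush is scoped to the nat table's own chain; the filter table,
    # where the host firewall lives, is never flushed or chain-deleted.
    run_iptables -t nat -F POSTROUTING
    ensure_rule nat POSTROUTING -s "$subnet" -o "$ext_if" -j MASQUERADE
    # Forwarding is permitted explicitly for the NATed subnet only, rather
    # than relying on a default ACCEPT policy in FORWARD.
    ensure_rule filter FORWARD -s "$subnet" -o "$ext_if" -j ACCEPT
    ensure_rule filter FORWARD -d "$subnet" -i "$ext_if" \
        -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# Review check: returns 0 when the command list in $1 contains no flush (-F)
# or chain deletion (-X) against the filter table, 1 otherwise.
check_no_filter_flush() {
    ! printf '%s\n' "$1" | grep -Eq -- '-t filter -(F|X)'
}

# Stand-alone use: DRY_RUN=1 sh nat-rules.sh 169.254.0.0/16 eth0
if [ $# -ge 2 ]; then
    xen_nat_rules "$1" "$2"
fi
```

Run it with DRY_RUN=1 first and pass the output through check_no_filter_flush; only when that is clean does it make sense to run it for real. A follow-up check after the real run is to diff "iptables-save -t filter" taken before and after, which should show only the two FORWARD rules added.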


_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxxxx
https://lists.sourceforge.net/lists/listinfo/xen-devel