From: Xen
To: xen-users@lists.xensource.com
Sent: Saturday, February 18, 2006 12:13 AM
Subject: [Xen-users] IPtables working on domU but not dom0

Hi All,

For some reason iptables won't load on dom0, although they are loading fine on all the guest domains. I built the Xen 3 kernel on the machine. I checked that iptables were included. I can't figure out why it won't load. I'm not getting any useful errors:

"Applying iptables firewall rules: iptables-restore: line 27 failed" - line 22 is COMMIT.

The iptables file is identical to the domU one that works.

Any help would be much appreciated. I don't like the idea of dom0 being wide open.

Lyle

------------------------------------------------------------
Lyle Hopkins - CosmicPerl.com CGI Scripts -
Internet software solutions for the professional webmaster
Email: webmaster@cosmicperl.com
Web site: http://www.cosmicperl.com
Specializing in Affiliate Software solutions
------------------------------------------------------------

_______________________________________________
Xen-users mailing list
Xen-users@lists.xensource.com
http://lists.xensource.com/xen-users
From: Xen
To: xen-users@lists.xensource.com
Sent: Saturday, February 18, 2006 2:04 AM
Subject: Re: [Xen-users] IPtables working on domU but not dom0

By the way, on Fedora Core 4, dual Opteron, 4GB RAM.

Lyle
From: Xen
To: xen-users@lists.xensource.com
Sent: Monday, February 20, 2006 08:17 AM
Subject: Re: [Xen-users] IPtables working on domU but not dom0

Hi,

Can anyone shed light on this? Is there other firewall software I could try that wouldn't conflict?

Lyle
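The only diagnostic in the thread is "iptables-restore: line N failed", which names a file line but not the reason. The linter below is an added example written for this page (not from the thread or from Xen/iptables); it reads a rules file in the iptables-save format that iptables-restore loads, numbers lines the same way, flags jumps to chains that were never declared and missing COMMIT lines, and lists the match and target extensions the file relies on, which is what to compare against the netfilter options of a self-built dom0 kernel. The rules file is a constructed sample with one deliberate fault; uppercase jump targets are treated as extension targets by heuristic.

```python
import shlex

# Chains each table provides without a ':CHAIN' declaration.
BUILTIN = {"filter": {"INPUT", "FORWARD", "OUTPUT"},
           "nat": {"PREROUTING", "POSTROUTING", "OUTPUT"}}
CORE_TARGETS = {"ACCEPT", "DROP", "RETURN", "QUEUE"}   # built in, need no module

def lint(text):
    """Return (errors, extensions): errors as [(line_no, msg)] numbered the way
    iptables-restore's 'line N failed' counts, extensions as the sorted match
    and target extensions the rules need the running kernel to support."""
    errors, exts, table, chains = [], set(), None, set()
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("*"):                       # '*filter': a table block starts
            table, chains = line[1:], set(BUILTIN.get(line[1:], ()))
        elif line == "COMMIT":
            table = None
        elif line.startswith(":"):                     # ':chain POLICY [pkts:bytes]'
            chains.add(line[1:].split()[0])
        elif table is None:
            errors.append((no, "rule outside a *table ... COMMIT block"))
        else:
            argv = shlex.split(line)
            for opt, val in zip(argv, argv[1:]):
                if opt in ("-A", "-I", "-D") and val not in chains:
                    errors.append((no, f"chain {val!r} not declared in {table!r}"))
                elif opt in ("-m", "--match"):
                    exts.add("match:" + val)
                elif opt in ("-j", "--jump") and val not in CORE_TARGETS | chains:
                    if val.isupper():                  # extension target: LOG, REJECT, ...
                        exts.add("target:" + val)
                    else:
                        errors.append((no, f"target chain {val!r} not declared in {table!r}"))
    if table is not None:
        errors.append((no, f"table {table!r} has no COMMIT"))
    return errors, sorted(exts)

# Constructed sample: the jump on line 6 names a chain that was never declared.
SAMPLE = """\
*filter
:in_main - [0:0]
-A INPUT -m state --state INVALID -j DROP
-A INPUT -j in_main
-A in_main -p tcp -m multiport --dports 22,111 -j ACCEPT
-A in_main -j clean
COMMIT
"""
```

Run `lint(open("/etc/sysconfig/iptables").read())` on the file the init script feeds to iptables-restore; each reported line number is the one iptables-restore would print.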
From: "David Koski" <david@kosmosisland.com>
To: <xen-users@lists.xensource.com>
Sent: Monday, February 20, 2006 4:21 PM
Subject: Re: [Xen-users] IPtables working on domU but not dom0

Have a look at this:

http://www.shorewall.net/Xen.html

Even if you don't use shorewall it might be helpful.

Regards,
David Koski
david.nospham@kosmosisland.com

On Monday 20 February 2006 08:17 am, Xen wrote:
> Can anyone shed light on this? Is there other firewall software I could try that wouldn't conflict?
Hi All,

OK, I'm still struggling with this. I understand now how the bridge and peth0, etc. are working, but I still can't find a good iptables configuration example. I'm accessing remotely, so I'm desperate not to lock everything out of the machine, otherwise I'm in trouble.

Can someone send me an example of their IPtables configuration file for dom0 so I can see how they have set it?

Lyle

----- Original Message -----
From: "David Koski" <david@kosmosisland.com>
Sent: Monday, February 20, 2006 4:21 PM
> Have a look at this:
> http://www.shorewall.net/Xen.html
> Even if you don't use shorewall it might be helpful.
Hello Lyle,

Xen wrote:
> Can someone send me an example of their IPtables configuration file for
> dom0 so I can see how they have set it?

On my system dom0 acts as a gateway for the domUs, which are in a /28. I'm no expert on this, but as far as I can tell it works. I changed the real IP addresses to fantasy addresses:

#!/bin/sh
# Default policies: drop forwarded and inbound traffic unless a rule accepts it, allow outbound.
/sbin/iptables -P FORWARD DROP
/sbin/iptables -P INPUT DROP
/sbin/iptables -P OUTPUT ACCEPT
# Start from a clean slate: flush all rules and delete user chains in filter and nat.
/sbin/iptables -t filter -F
/sbin/iptables -t filter -X
/sbin/iptables -t nat -F
/sbin/iptables -t nat -X
# FTP connection-tracking helper, and routing between eth0 and the domUs.
/sbin/modprobe ip_conntrack_ftp
echo 1 > /proc/sys/net/ipv4/ip_forward
# "clean" chain: silently drop NetBIOS noise, log everything else (rate-limited), then reject.
/sbin/iptables -N clean
/sbin/iptables -A clean -p udp --dport 135:139 -j DROP
/sbin/iptables -A clean -j LOG --log-prefix "Rejected " -m limit --limit 1/sec
/sbin/iptables -A clean -p tcp -j REJECT --reject-with tcp-reset
/sbin/iptables -A clean -p udp -j REJECT --reject-with icmp-port-unreachable
/sbin/iptables -A clean -j DROP
# INPUT: drop packets in an invalid conntrack state, accept loopback, drop private (spoofed) sources.
/sbin/iptables -A INPUT -j DROP -m state --state INVALID
/sbin/iptables -A INPUT -j ACCEPT -i lo
/sbin/iptables -A INPUT -j DROP -s 10.0.0.0/8
/sbin/iptables -A INPUT -j DROP -s 172.16.0.0/12
/sbin/iptables -A INPUT -j DROP -s 192.168.0.0/16
# FORWARD: same anti-spoofing, then let anything sourced from the domU /28 leave.
/sbin/iptables -A FORWARD -j DROP -m state --state INVALID
/sbin/iptables -A FORWARD -j DROP -s 10.0.0.0/8
/sbin/iptables -A FORWARD -j DROP -s 172.16.0.0/12
/sbin/iptables -A FORWARD -j DROP -s 192.168.0.0/16
/sbin/iptables -A FORWARD -j ACCEPT -s 79.32.11.160/28
# in_main (traffic to dom0) and fwd_main (traffic to the domUs): stateful replies and ICMP except redirects.
/sbin/iptables -N in_main
/sbin/iptables -A in_main -j ACCEPT -m state --state ESTABLISHED,RELATED
/sbin/iptables -A in_main -j ACCEPT -p icmp ! --icmp-type redir
/sbin/iptables -N fwd_main
/sbin/iptables -A fwd_main -j ACCEPT -m state --state ESTABLISHED,RELATED
/sbin/iptables -A fwd_main -j ACCEPT -p icmp ! --icmp-type redir
# dom0 itself: SSH only from two admin hosts, portmapper (111) only from the domU /28.
# (--dports is multiport's option name; the rules were posted with --dport.)
/sbin/iptables -A in_main -i eth0 -m multiport -s 21.34.1.62 -d 213.95.21.8 -p tcp --dports 22 -j ACCEPT
/sbin/iptables -A in_main -i eth0 -m multiport -s 21.34.28.2 -d 213.95.21.8 -p tcp --dports 22 -j ACCEPT
/sbin/iptables -A in_main -i eth0 -m multiport -s 79.32.11.160/28 -d 79.32.11.161 -p tcp --dports 111 -j ACCEPT
/sbin/iptables -A in_main -j clean
/sbin/iptables -A INPUT -j in_main
# Per-domU services reachable from the outside via eth0.
/sbin/iptables -A fwd_main -i eth0 -m multiport -d 79.32.11.163 -p tcp --dports http,ftp -j ACCEPT
/sbin/iptables -A fwd_main -i eth0 -m multiport -d 79.32.11.164 -p tcp --dports 8080,8090 -j ACCEPT
/sbin/iptables -A fwd_main -i eth0 -m multiport -d 79.32.11.165 -p tcp --dports http,https -j ACCEPT
/sbin/iptables -A fwd_main -i eth0 -m multiport -d 79.32.11.162 -p tcp --dports smtp,imap2,imaps -j ACCEPT
/sbin/iptables -A fwd_main -i eth0 -m multiport -d 79.32.11.160/28 -p tcp --dports 22 -j ACCEPT
/sbin/iptables -A fwd_main -i eth0 -m multiport -d 79.32.11.166 -p tcp --dports 52456 -j ACCEPT
/sbin/iptables -A fwd_main -i eth0 -m multiport -d 79.32.11.166 -p tcp --dports 4661,4662 -j ACCEPT
/sbin/iptables -A fwd_main -i eth0 -m multiport -d 79.32.11.166 -p udp --dports 4665 -j ACCEPT
/sbin/iptables -A fwd_main -i eth0 -m multiport -s 21.34.1.62 -d 79.32.11.166 -p tcp --dports 4080,4001 -j ACCEPT
/sbin/iptables -A fwd_main -i eth0 -m multiport -s 21.34.28.2 -d 79.32.11.166 -p tcp --dports 4080,4001 -j ACCEPT
# Anything else from the domU /28 is accepted. No -m multiport here: multiport refuses a rule
# that gives it no port option, so the posted form of this line would not load.
/sbin/iptables -A fwd_main -i eth0 -s 79.32.11.160/28 -j ACCEPT
/sbin/iptables -A fwd_main -j clean
/sbin/iptables -A FORWARD -j fwd_main

Greetings
Roman