Maik Brauer
2007-Apr-19 07:18 UTC
[Xen-users] XEN 3.0.4-1 / Iptables is not working properly
Hello,

I've installed XEN 3.0.4-1 and have problems with the iptables settings.
Please see below the firewall settings for Domain0:

Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     0    --  anywhere             anywhere
ACCEPT     tcp  --  anywhere             mbs-rootsrv          tcp dpt:ssh
ACCEPT     0    --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
LOG        0    --  anywhere             anywhere             LOG level warning
DROP       0    --  anywhere             anywhere

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

But then, for example, connections which are related to a server request (DNS requests / port 53, etc.) will be blocked by the firewall.
Here is an example of a request:

Apr 19 09:06:19 rootsrv kernel: IN=eth0 OUT= PHYSIN=peth0 PHYSOUT=vif0.0 MAC=00:e4:3c:65:37:37:03:02:85:1a:e2:e0:08:00 SRC=213.133.99.99 DST=88.198.xx.xx LEN=73 TOS=0x00 PREC=0x00 TTL=59 ID=0 DF PROTO=UDP SPT=53 DPT=32803 LEN=53
Apr 19 09:06:20 rootsrv kernel: IN=eth0 OUT= PHYSIN=peth0 PHYSOUT=vif0.0 MAC=00:e4:3c:65:37:37:03:02:85:1a:e2:e0:08:00 SRC=26.104.239.90 DST=88.198.xx.xx LEN=393 TOS=0x00 PREC=0x00 TTL=55 ID=44193 PROTO=UDP SPT=31178 DPT=1026 LEN=373
Apr 19 09:06:24 rootsrv kernel: IN=eth0 OUT= PHYSIN=peth0 PHYSOUT=vif0.0 MAC=00:e4:3c:65:37:37:03:02:85:1a:e2:e0:08:00 SRC=213.133.98.98 DST=88.198.xx.xx LEN=73 TOS=0x00 PREC=0x00 TTL=60 ID=0 DF PROTO=UDP SPT=53 DPT=32804 LEN=53
Apr 19 09:06:27 rootsrv kernel: IN=eth0 OUT= PHYSIN=peth0 PHYSOUT=vif0.0 MAC=00:e4:3c:65:37:37:03:02:85:1a:e2:e0:08:00 SRC=213.133.100.100 DST=88.198.xx.xx LEN=73 TOS=0x00 PREC=0x00 TTL=59 ID=0 DF PROTO=UDP SPT=53 DPT=32805 LEN=53
Apr 19 09:06:33 rootsrv kernel: IN=eth0 OUT= PHYSIN=peth0 PHYSOUT=vif0.0 MAC=00:e4:3c:65:37:37:03:02:85:1a:e2:e0:08:00 SRC=213.133.99.99 DST=88.198.xx.xx LEN=73 TOS=0x00 PREC=0x00 TTL=59 ID=0 DF PROTO=UDP SPT=53 DPT=32803 LEN=53
Apr 19 09:06:38 rootsrv kernel: IN=eth0 OUT= PHYSIN=peth0 PHYSOUT=vif0.0 MAC=00:e4:3c:65:37:37:03:02:85:1a:e2:e0:08:00 SRC=213.133.98.98 DST=88.198.xx.xx LEN=73 TOS=0x00 PREC=0x00 TTL=60 ID=0 DF PROTO=UDP SPT=53 DPT=32804 LEN=53

When I flush the iptables rules or put in a rule for each request, everything is working fine. But you never know which server will answer a request, so it is impossible to configure all IP addresses. This should be handled by the line:

-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

which is unfortunately not working.

What is the problem and the solution?
Many thanks.

Kind Regards,
Maik Brauer

_______________________________________________
Xen-users mailing list
Xen-users@lists.xensource.com
http://lists.xensource.com/xen-users
Christo Buschek
2007-Apr-19 07:43 UTC
Re: [Xen-users] XEN 3.0.4-1 / Iptables is not working properly
Hello Maik.

I don't really have an explanation for you, but for me to make iptables work I had to run 'ethtool -K eth0 tx off' inside the VM and in dom0 on the device. That made iptables work for me.

Maybe it also helps you.

greetinx
Christo

On Thu, 2007-04-19 at 09:18 +0200, Maik Brauer wrote:
> Hello,
>
> I've installed XEN 3.0.4-1 and have problems with the iptables settings.
> Please see below the firewall settings for Domain0:
[snip]
Maik Brauer
2007-Apr-19 08:24 UTC
Re: [Xen-users] XEN 3.0.4-1 / Iptables is not working properly
Hello,

this is not working in my case.
The problem still exists.
If this is a real problem, some other people should have the same issue.

Are there any suggestions?

Regards
Maik

Christo Buschek wrote:
> Hello Maik.
>
> I don't really have an explanation for you, but for me to make iptables
> work I had to run 'ethtool -K eth0 tx off' inside the VM and in dom0 on the
> device. That made iptables work for me.
>
> Maybe it also helps you.
>
> greetinx
> Christo
>
> On Thu, 2007-04-19 at 09:18 +0200, Maik Brauer wrote:
>> Hello,
>>
>> I've installed XEN 3.0.4-1 and have problems with the iptables settings.
[snip]
Brad Plant
2007-Apr-19 11:12 UTC
Re: [Xen-users] XEN 3.0.4-1 / Iptables is not working properly
I am having this issue also. It appears to be random, though, on our lightly loaded development boxes. It is also always in bursts for one connection too, as all the returning packets hit the log rule and then everything runs fine for maybe half an hour.

I have observed the problem with Xen versions 3.0.3 and 3.0.4.

Cheers,
Brad

On Thu, 19 Apr 2007 10:24:52 +0200
Maik Brauer <mailinglist@mbs-technet.com> wrote:
> Hello,
>
> this is not working in my case.
> The problem still exists.
> If this is a real problem, some other people should have the same
> issue.
>
> Are there any suggestions?
>
> Regards
> Maik
[snip]
Tomas Lund
2007-Apr-20 11:16 UTC
Re: [Xen-users] XEN 3.0.4-1 / Iptables is not working properly
On Thu, 19 Apr 2007, Maik Brauer wrote:
> Hello,
>
> I've installed XEN 3.0.4-1 and have problems with the iptables settings.
[snip]

Here is my reply from another (dead) thread with a similar problem:

---------- Forwarded message ----------
Date: Mon, 2 Apr 2007 01:40:10 +0200 (CEST)
From: Tomas Lund <tlund@nxs.se>
To: xen-users@lists.xensource.com
Subject: Re: [Xen-users] iptables in dom0 with bridge: no more outbound connections

On Sat, 30 Dec 2006, Peter Fokkinga wrote:
> Quoting Jerry Amundson <jamundso@gmail.com>:
>>> Peter Fokkinga wrote:
>>>> [iptables drops outgoing traffic when xend is running]
>>>> I get the feeling iptables does not remember its state, so my rule
>>>> iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
>>>> has no effect. Kernel modules xt_state and ip_conntrack are loaded.
>>
>> Depends on your distro. Redhat for example,
>> "service iptables save" (overwriting /etc/sysconfig/iptables).
>
> I did not mean "remember" in the sense of "between reboots", but more like
> that iptables does not register the outgoing packet. So when the first
> "response" packet comes back and enters the INPUT rule it is seen as a NEW
> packet instead of ESTABLISHED or RELATED and therefore dropped.

I can confirm the problem Peter is describing. When I try to connect to an external host, the "SYN_SENT" state does not show up in /proc/net/ip_conntrack and the SYN+ACK packet from the external host is dropped. (The "SYN_SENT" state is what allows the iptables "ESTABLISHED" match to occur.)

Before starting XEN (and the bridging) it works with the same iptables rules. (See rules below.)

I'm not sure this really has anything to do with XEN, but rather how the bridging works, but I "hope" that other people on this list have the same problem, and possibly someone has even found a solution?

Sample commands to reproduce the problem:

iptables -F
iptables -A INPUT -m state --state ESTABLISHED -j ACCEPT
iptables -A INPUT -j DROP
telnet [host] [port]

//tlund
Olivier Le Cam
2007-Apr-20 16:24 UTC
Re: [Xen-users] XEN 3.0.4-1 / Iptables is not working properly
Hi -

> this is not working in my case.
> The problem still exists.
> If this is a real problem, some other people should have the same issue.
>
> Are there any suggestions?

I had about the same problem since Xen 3.0.3 (reported here: http://lists.xensource.com/archives/html/xen-users/2006-12/msg00126.html).

You can try this on your dom0:

sysctl -w net.bridge.bridge-nf-call-iptables="0"

For me it was enough to get rid of this problem and I have it now permanently in the /etc/sysctl.conf file of my Xen hosts.

HTH

Regards,
--
Olivier Le Cam
Département des Technologies de l'Information et de la Communication
CRDP de l'académie de Versailles
Maik Brauer
2007-Apr-21 18:52 UTC
Re: [Xen-users] XEN 3.0.4-1 / Iptables is not working properly
Hi,

I've tried your command line, but unfortunately it has not changed the status, so the problem still exists.

Regards
Maik

Olivier Le Cam schrieb:
> Hi -
>
>> this is not working in my case.
>> The problem still exists.
>> If this is a real problem, some other people should have the same issue.
>>
>> Are there any suggestions?
>
> I had about the same problem since Xen 3.0.3 (reported here:
> http://lists.xensource.com/archives/html/xen-users/2006-12/msg00126.html).
>
> You can try this on your dom0:
>
> sysctl -w net.bridge.bridge-nf-call-iptables="0"
>
> For me it was enough to get rid of this problem and I have it now
> permanently in the /etc/sysctl.conf file of my Xen hosts.
>
> HTH
>
> Regards,
Brad Plant
2007-May-24 23:16 UTC
Re: [Xen-users] XEN 3.0.4-1 / Iptables is not working properly
On Fri, 20 Apr 2007 18:24:10 +0200
Olivier Le Cam <Olivier.LeCam@crdp.ac-versailles.fr> wrote:
> I had about the same problem since Xen 3.0.3 (reported here:
> http://lists.xensource.com/archives/html/xen-users/2006-12/msg00126.html).
>
> You can try this on your dom0:
>
> sysctl -w net.bridge.bridge-nf-call-iptables="0"

I have upgraded to xen-3.1, but this problem still exists (I've now experienced this on versions 3.0.3, 3.0.4, 3.1.0). Unfortunately using sysctl as shown above isn't a solution, as any firewall for domUs implemented in dom0 ceases to work. I looked at possibly using ebtables for this instead, but it doesn't appear to be able to do connection tracking.

What other solutions exist?

Cheers,
Brad
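The following is an added example, not code from any of the posters in this thread. It is a small POSIX shell script that does the two checks the thread turns on. It parses kernel LOG lines like the ones in Maik's first post and decides whether a dropped packet looks like the answer to something the host itself asked (which the RELATED,ESTABLISHED rule should have matched) or is genuinely unsolicited; for the reply-looking ones it looks the flow up in a conntrack table, the way Tomas checked /proc/net/ip_conntrack for SYN_SENT; and it reports the state of the bridge-nf-call-iptables sysctl that Olivier's workaround sets to 0 and whose cost Brad describes. The function names, the service-port/ephemeral-port heuristic, the conntrack excerpt and the CT_TABLE variable are assumptions of this example; the three log lines are copies of lines from the thread with the masked DST kept. On a real dom0, feed it the actual kernel log lines and the output of `cat /proc/net/ip_conntrack` (or /proc/net/nf_conntrack on newer kernels) in place of the samples.

```shell
#!/bin/sh
# Added example (not from the thread). Triage netfilter LOG lines and check
# whether the dropped packets are replies that conntrack should have known
# about, plus report the bridge-nf-call-iptables setting. Function names,
# the port heuristic and all sample data are assumptions of this example.

# Extract KEY=value from a kernel LOG line. A leading space is required so
# that "IN=" does not match inside "PHYSIN=". For LEN, which occurs twice
# (IP header and UDP header), the greedy match returns the last one.
nflog_field() {
    # $1 = log line, $2 = key (SRC, DST, PROTO, SPT, DPT, ...)
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\([^[:space:]]*\).*/\1/p"
}

# Does the conntrack table hold the original-direction tuple of the flow a
# logged packet would be the reply to?  A logged reply with SRC=peer
# SPT=pport DPT=lport corresponds to an outbound entry
# "dst=peer sport=lport dport=pport". The trailing space stops dport=53
# from matching dport=5353.
conntrack_has_flow() {
    # $1 = conntrack table text, $2 = peer ip, $3 = peer port, $4 = local port
    printf '%s\n' "$1" | grep -q "dst=$2 sport=$4 dport=$3 "
}

# Classify one logged packet. Heuristic (an assumption of this example): a
# packet from a service port (<1024) to an ephemeral port (>=1024) is almost
# certainly the answer to a request this host made; everything else is
# treated as unsolicited, and dropping it is exactly what the rule set wants.
triage_line() {
    # $1 = LOG line, $2 = conntrack table text
    src=$(nflog_field "$1" SRC)
    spt=$(nflog_field "$1" SPT)
    dpt=$(nflog_field "$1" DPT)
    if [ "$spt" -ge 1024 ] || [ "$dpt" -lt 1024 ]; then
        echo unsolicited
    elif conntrack_has_flow "$2" "$src" "$spt" "$dpt"; then
        # conntrack knows the flow, yet the packet was logged: look at rule
        # order, not at conntrack.
        echo reply-tracked
    else
        # the thread's symptom: the outbound query never got a conntrack
        # entry, so its reply is NEW rather than ESTABLISHED and falls
        # through to LOG/DROP.
        echo reply-untracked
    fi
}

# Report whether bridged (domU) traffic traverses dom0's iptables at all.
# With the value 0 (Olivier's workaround) the conntrack symptom goes away,
# but so does every dom0 rule that filtered domU traffic, as Brad notes.
bridge_nf_calls_iptables() {
    # $1 = sysctl file to read (defaults to the real one; overridable for tests)
    f=${1:-/proc/sys/net/bridge/bridge-nf-call-iptables}
    [ -r "$f" ] || { echo absent; return 0; }
    case $(cat "$f") in
        1) echo on ;;
        0) echo off ;;
        *) echo unknown ;;
    esac
}

# --- constructed sample data ------------------------------------------------
# Three dropped packets copied from the first post (DST masked as there).
LOG_DNS='Apr 19 09:06:19 rootsrv kernel: IN=eth0 OUT= PHYSIN=peth0 PHYSOUT=vif0.0 MAC=00:e4:3c:65:37:37:03:02:85:1a:e2:e0:08:00 SRC=213.133.99.99 DST=88.198.xx.xx LEN=73 TOS=0x00 PREC=0x00 TTL=59 ID=0 DF PROTO=UDP SPT=53 DPT=32803 LEN=53'
LOG_1026='Apr 19 09:06:20 rootsrv kernel: IN=eth0 OUT= PHYSIN=peth0 PHYSOUT=vif0.0 MAC=00:e4:3c:65:37:37:03:02:85:1a:e2:e0:08:00 SRC=26.104.239.90 DST=88.198.xx.xx LEN=393 TOS=0x00 PREC=0x00 TTL=55 ID=44193 PROTO=UDP SPT=31178 DPT=1026 LEN=373'
LOG_DNS2='Apr 19 09:06:24 rootsrv kernel: IN=eth0 OUT= PHYSIN=peth0 PHYSOUT=vif0.0 MAC=00:e4:3c:65:37:37:03:02:85:1a:e2:e0:08:00 SRC=213.133.98.98 DST=88.198.xx.xx LEN=73 TOS=0x00 PREC=0x00 TTL=60 ID=0 DF PROTO=UDP SPT=53 DPT=32804 LEN=53'
# A constructed /proc/net/ip_conntrack excerpt (local address made up): only
# the query to 213.133.98.98 was tracked; the one to 213.133.99.99 is missing.
CT_TABLE='udp      17 28 src=88.198.0.2 dst=213.133.98.98 sport=32804 dport=53 packets=1 bytes=73 [UNREPLIED] src=213.133.98.98 dst=88.198.0.2 sport=53 dport=32804 packets=0 bytes=0 mark=0 use=1'

# Stand-alone run: one verdict per sample line, then the sysctl state.
for line in "$LOG_DNS" "$LOG_1026" "$LOG_DNS2"; do
    printf '%-16s %s:%s -> local:%s\n' "$(triage_line "$line" "$CT_TABLE")" \
        "$(nflog_field "$line" SRC)" "$(nflog_field "$line" SPT)" "$(nflog_field "$line" DPT)"
done
echo "bridge-nf-call-iptables: $(bridge_nf_calls_iptables)"
```

Of the three sample lines, the two port-53 replies are classified as replies and only the one whose query is present in the constructed conntrack table comes back as tracked; the packet to port 1026 from an ephemeral source port is reported as unsolicited, which is the case where the LOG/DROP rules are doing their job. A dom0 that prints "reply-untracked" for traffic it sent itself, while bridge-nf-call-iptables is "on", is showing the symptom this thread is about.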