Hi,

I have been trying to filter out domU packets from dom0 using iptables. I tried the following:

iptables -I FORWARD -m physdev --physdev-in peth0 --physdev-out vif1.0 -j domU
iptables -A domU -j DROP

I expect that this should drop all the packets meant for domU, but this does not happen in my case. The domU is able to receive and send packets as before.

Kindly help.

--
Thanks and Regards,
Abhishek Bichhawat
Visiting Scholar
Dept. of Computing
Macquarie University,
Sydney, Australia.

_______________________________________________
Xen-users mailing list
Xen-users@lists.xensource.com
http://lists.xensource.com/xen-users
On 10/06/2011 08:32, Abhishek Bichhawat wrote:
> Hi,
>
> I have been trying to filter out domU packets from dom0 using iptables.
> I tried the following:
>
> iptables -I FORWARD -m physdev --physdev-in peth0 --physdev-out vif1.0 -j domU
> iptables -A domU -j DROP
>

These rules match flawlessly here (debian 2.6.32-5-xen-amd64). Are you sure you specify the correct ifnames in your iptables rules?

> I expect that this should drop all the packets meant for domU, but
> this does not happen in my case. The domU is able to receive and send
> packets as before.
>
> Kindly help.
Have you looked at the entire list of rules (iptables -L)? I ask because -A domU means add a rule to the domU chain, which wouldn't change anything if there was already a rule to allow all traffic in said chain (it does seem safe to assume there was previously no domU chain, but these things still should be verified).

Another possibility is that iptables may not have the appropriate module / compilation for --physdev-(in/out); if I remember correctly, I had that problem in a really old CentOS or Fedora build once.

Finally, if your domU has been rebooted and isn't dom1, then it doesn't use vif1.0 anymore, as the vif number isn't a constant; I use --physdev-is-bridged to match all domU traffic, but that won't work right in this case if you have another domU that you do want to receive traffic.

Dustin

From: xen-users-bounces@lists.xensource.com [mailto:xen-users-bounces@lists.xensource.com] On Behalf Of Abhishek Bichhawat
Sent: Friday, June 10, 2011 02:32
To: xen-users@lists.xensource.com
Subject: [Xen-users] Iptables and Xen

> I have been trying to filter out domU packets from dom0 using iptables. I tried the following:
>
> iptables -I FORWARD -m physdev --physdev-in peth0 --physdev-out vif1.0 -j domU
> iptables -A domU -j DROP
>
> I expect that this should drop all the packets meant for domU, but this does not happen in my case. The domU is able to receive and send packets as before.
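An added diagnostic script, not part of this thread and not Xen's or iptables' own tooling, that checks the three failure modes Dustin lists (chain contents, physdev match availability, stale vif number) plus one the thread does not mention: a physdev rule in FORWARD only ever sees a bridged frame when net.bridge.bridge-nf-call-iptables is 1 (the br_netfilter hook), so with that sysctl off the rule is never consulted and the guest keeps talking as if no rule existed. The check functions take their input as text so they can be exercised against constructed iptables -S output; the live section at the bottom calls xl (xm has the same domid subcommand), iptables -S and /proc/sys, which are real, while the guest name, the chain name domU and the NIC peth0 are assumptions carried over from the post.

```shell
#!/bin/sh
# Added example (not from the thread). Inputs to the check functions are
# plain text so they can be run against constructed samples; the guarded
# section at the bottom feeds them real output on a dom0.

# vif_name DOMID [INDEX] -> vif<domid>.<index>
# dom0 sees a guest's vif as vif<domid>.<index>, and the domid is assigned
# afresh at every guest boot, so "vif1.0" must be resolved, not hard-coded.
vif_name() { printf 'vif%s.%s\n' "$1" "${2:-0}"; }

# chain_drops_all "<iptables -S CHAIN output>" -> 0 only if the first
# terminating rule in the chain is an unconditional DROP. An earlier
# "-j ACCEPT" or "-j RETURN" left in the chain (e.g. from a previous run,
# since -A appends) lets the traffic through before the DROP is reached.
chain_drops_all() {
    printf '%s\n' "$1" | awk '
        /^-A / {
            if ($0 ~ /-j (ACCEPT|RETURN)/) { bad = 1; exit }
            if ($0 ~ /^-A [^ ]+ -j DROP$/) { ok = 1; exit }
        }
        END { if (ok && !bad) exit 0; exit 1 }'
}

# forward_jumps_to "<iptables -S FORWARD output>" PHYS_IN VIF CHAIN -> 0 if a
# physdev rule for exactly this NIC/vif pair jumps to CHAIN. A rule that
# names a vif the guest no longer has is the stale-domid case.
forward_jumps_to() {
    printf '%s\n' "$1" | grep -q -- "--physdev-in $2 --physdev-out $3 -j $4\$"
}

# bridge_nf_enabled VALUE -> 0 if bridged IPv4 frames are handed to iptables.
# VALUE is the content of /proc/sys/net/bridge/bridge-nf-call-iptables.
bridge_nf_enabled() { [ "$1" = "1" ]; }

# Live use: ./physdev-check.sh --check <guest-name>   (run as root on dom0)
# Guest name, chain "domU" and NIC "peth0" are assumptions from the post.
if [ "${1:-}" = "--check" ]; then
    domid=$(xl domid "$2") || exit 1
    vif=$(vif_name "$domid")
    bridge_nf_enabled "$(cat /proc/sys/net/bridge/bridge-nf-call-iptables 2>/dev/null)" \
        || echo "bridge-nf-call-iptables is not 1: FORWARD never sees bridged frames"
    # iptables fails to print the extension help when xt_physdev is missing
    iptables -m physdev -h >/dev/null 2>&1 \
        || echo "physdev match extension is not available in this iptables/kernel"
    forward_jumps_to "$(iptables -S FORWARD)" peth0 "$vif" domU \
        || echo "no FORWARD rule for peth0 -> $vif jumping to domU (stale vif number?)"
    chain_drops_all "$(iptables -S domU 2>/dev/null)" \
        || echo "chain domU does not drop unconditionally (check iptables -S domU)"
fi
```

The functions are deliberately fed text rather than calling iptables themselves, so the same checks can be run from a test or against a saved ruleset; on a live dom0 the guarded section resolves the current domid first, which is what makes the vif name correct after a guest reboot.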
On Fri, Jun 10, 2011 at 12:02 PM, Abhishek Bichhawat <abhishek.bichhawat@mq.edu.au> wrote:
> Hi,
>
> I have been trying to filter out domU packets from dom0 using iptables.
> I tried the following:
>
> iptables -I FORWARD -m physdev --physdev-in peth0 --physdev-out vif1.0 -j domU
> iptables -A domU -j DROP
>
> I expect that this should drop all the packets meant for domU,

Assuming that you did not make a syntax error and did what you wanted to,

iptables -A domU -j DROP

seems odd to me.

iptables -A --destination domU -j DROP

makes a bit of sense. See if you meant this only.

Paste the output of iptables -L -v -n on pastebin etc...

-----------
Tapas