similar to: iptables -P FORWARD DROP on dom0 stops all traffic

Hello, What is the best policy for the FORWARD chain in dom0 iptables? Can I use a default DROP policy? I notice when domains are created it adds the extra rules to the FORWARD chain, to allow traffic to the guests. However, if iptables is restarted, all these rules are lost. Do I need a rule per VPS, or can I use a single catch all to handle all of them?

Hello. I''ve just started using Xen. My configuration is plain simple: I''ve got a Centos 5 Host with Xen and a single virtual machine which also uses Centos 5. Both of them have real IPs of the same real network. Now, I have to delegate the server administration to an external company which I don''t trust, so I''d want to filter any connection started by the

Hi, I''ve installed xen 3.0.3 from packages (xen-linux-system) on a debian etch, and i''ve configured it with network-bridge script in the default way (netdev=eth0, bridge=xenbr0, etc...) which is ok for me. the problem I have: I cannot ping any outer machine from dom0 (nor any outer machine can ping me). It gives me a "Destination Host Unreachable" message that

Hello, i noticed that the ingress qdisc is not working properly anymore in 3.0.4-1 (back in 3.0.2 the ingress qdisc was working for me): Install the ingress qdisc to peth0: # tc add qdisc dev peth0 ingress ... generate some traffic ... # tc -s qdisc show dev peth0 qdisc pfifo_fast 0: bands 3 priomap 1 2 2 2 1 2 0 0 1 1 1 1 1 1 1 1 Sent 324884 bytes 1749 pkt (dropped 0, overlimits 0 requeues

Hi all, I have Xen 3.2 newly installed on Lenny with network bridging configured. When I built my first VM, I found it couldn''t connect to the Internet. This turned out to be because my dom0''s iptables was configured to DROP all packets on the FORWARD chain (when I removed that, it started working). The "Xen Networking" page on the wiki describes this exact situation

I installed Debian sarge amd64 on a Intel em64t processor machines and have been using the Xen 3.0 packages in backports.org. I can boot a 32 bit guest OS fine if I use the vmlinuz-2.6.16-1-xen-em64t-p4kernel, but when trying to use the stock vmlinuz-2.6.16-xen from their binary tarball, or building it from the source package I get the following error: xentest:/var/log# xm create debian0.cfg -c

Does this work? adding DROP to iptables on the virtual host's iptables, before the phys bridge....will it prevent those ips from getting to the bridged part of iptables? Or would a different syntax be used? -A INPUT -s 66.77.65.128/26 -j DROP -I FORWARD -m physdev --physdev-is-bridged -j ACCEPT -A INPUT -j REJECT --reject-with icmp-host-prohibited -A FORWARD -j REJECT --reject-with

Ok, I am setting up a new dom0 at a colo provider and usually the colo facility acts as my gateway, but at this new one, the provider is recommending that I use the server as its own gateway. That unfortunately doesnt work to well when it comes to iptables and my domU''s. IPtables do not support virtual interfaces, so I can''t just white list them unfortunately. I have tried many

Hi, we are trying to secure our Xen boxes with IPtables on Dom0 but we always seem to get cut off and can only cure it be rebooting the box. Has anyone got a sucessful config they can share that secures the server with one nic? We are using Xen 3.0.4 thanks Ian _______________________________________________ Xen-users mailing list Xen-users@lists.xensource.com

Situation: Running a simple UDP client/server program where the client on one domU on one computer sends echo packets to another domU on another computer, server sends echoes back. They do this on a specified port (will use any port between 5000-6000). This program works on non-Xen machines in various environments, Linux and Solaris. Program just hangs on the domUs. I believe I need help with

Hi all, Using xentop you can see dom0 uses 98% of the CPU''s with o without any domU''s running. Using top on dom0 shows cpu nearly 100% idle The pc has an intel dual core processor running xen3.0.2 Booting a domU and domU performance is bad. Any ideas please? Chris. _______________________________________________ Xen-users mailing list Xen-users@lists.xensource.com

I have a dom0 with Debian Etch, created with Xen-tools, that I want to use as a OpenVPN-server. I cannot start the openvpn-deamon, it cannot open the TUN/TAP dev /dev/net/tun The dom0 does not have a directory /dev/net and if I create it, it is away after the next reboot. Can I get a staying /dev/net/tun in the dom0 ? -- Morten Christensen _______________________________________________

Package: xen-utils-common Version: 3.4.2-2 Severity: important The network setup uses not longer supported iptables operations: | physdev match: using --physdev-out in the OUTPUT, FORWARD and POSTROUTING chains for non-bridged traffic is not supported anymore. -- Those who hate and fight must stop themselves -- otherwise it is not stopped. -- Spock, "Day of the Dove", stardate

Processing commands for control at bugs.debian.org: > retitle 679533 Traffic forwarding issue between Xen domU/dom0 Bug #679533 [xen-hypervisor-4.0-amd64] Traffic forwarding issue between Xen domU/dom0 and ovs Changed Bug title to 'Traffic forwarding issue between Xen domU/dom0' from 'Traffic forwarding issue between Xen domU/dom0 and ovs' > thanks Stopping processing here.

Hi, I am using xen 3.1.3 on a Celeron, a netbsd 4.0 dom0, and netbsd 4.0 and slackware 11 (with 2.6.18.8-xen kernel) domU''s, and a bridge to communicate between those. I noticed traffic between (both ways) netbsd dom0/domU is rather slow (4Mb/s max), and traffic from the linux domU to dom0 is about 18Mb/s, while traffic from dom0 to the linux domU is rather slow again (4Mb/s max). Any

retitle Traffic forwarding issue between Xen domU/dom0 thanks This week again this bug occurred again so we are trying to create some kind of reproduce algorithm. First we've created two virtual machines named koekiemonster.bofh.hq.mendix.net and netappsim.bofh.hq.mendix.net. We've added 29 vifs to koekiemonster.bofh.hq.mendix.net. During this tests we've always had a ping

Obviously i meant hyperthreading. Probably need more coffee:) -- Frank Baalbergen - System / Network Administrator T +31 (0)10 2760434 | frank.baalbergen at mendix.com | www.mendix.com

Package: xen-utils-common Version: 4.8.3+comet2+shim4.10.0+comet3-1+deb9u5 Severity: important Tags: patch security -- System Information: Debian Release: 9.4 APT prefers stable APT policy: (990, 'stable'), (500, 'stable-updates') Architecture: amd64 (x86_64) Kernel: Linux 4.9.0-6-amd64 (SMP w/4 CPU cores) Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8),

Need help. Im trying to forward all traffic to a public server(A) to another public server(B) except traffic to port 22. Found this on google but cant get it to work. Could someone help me please. Server A has one NIC server B has one NIC. Do i need 2 NICS in server A. #!/bin/sh iptables -F iptables -F INPUT iptables -F OUTPUT iptables -F FORWARD iptables -X iptables -F -t nat iptables -P

https://bugzilla.netfilter.org/show_bug.cgi?id=1129 Bug ID: 1129 Summary: iptables outgoing SNAT works for a while then stops working completely for a while Product: netfilter/iptables Version: unspecified Hardware: x86_64 OS: Debian GNU/Linux Status: NEW Severity: enhancement