similar to: dom0 iptables FORWARD default DROP?

Displaying 20 results from an estimated 30000 matches similar to: "dom0 iptables FORWARD default DROP?"

2010 Jul 20
0
Xen bridge + iptables FORWARD
Hi all, I have Xen 3.2 newly installed on Lenny with network bridging configured. When I built my first VM, I found it couldn't connect to the Internet. This turned out to be because my dom0's iptables was configured to DROP all packets on the FORWARD chain (when I removed that, it started working). The "Xen Networking" page on the wiki describes this exact situation
2006 Mar 05
1
How vifX.Y and eth talk on dom0 with NAT configuration?
Hi, in the official XenNetworking ( http://wiki.xensource.com/xenwiki/XenNetworking ) I didn't find reported how the NAT configuration works with xen. Does anybody know how the vifX.Y (10.X.X.128), gateway of any domU ethX (10.X.X.1) talk with the real ethX of the dom0? Thanks Enrico
2010 Apr 30
1
[SPAM] Xen bridge network issue
Hi, I have taken the long and winding road and indeed it led me to your door. I need your help, please. My Xen includes 2 guests. Xen itself (10.2.0.52) gets free access to the outside world and to its guests. Both guests however (10.2.0.54/10.2.0.55) see each other but stay under house arrest! Not a single ping manages to go past the bridge (xenbr0) and get an answer from the default gateway
2006 Aug 26
0
FC5 -- Xen 3.0.2 -- iptables with dom0 and domU
Situation: Running a simple UDP client/server program where the client on one domU on one computer sends echo packets to another domU on another computer, server sends echoes back. They do this on a specified port (will use any port between 5000-6000). This program works on non-Xen machines in various environments, Linux and Solaris. Program just hangs on the domUs. I believe I need help with
2006 Sep 08
1
iptables -P FORWARD DROP on dom0 stops all traffic
Hello all, I've been trying to set up some iptables on dom0 and the standard xen bridge-network. If I set the default policy on FORWARD to DROP (iptables -P FORWARD DROP), all traffic stops working. Can someone please explain this to me? Thanks. Chris.
2012 Apr 27
1
iptables drop on virtual host
Does this work? adding DROP to iptables on the virtual host's iptables, before the phys bridge....will it prevent those ips from getting to the bridged part of iptables? Or would a different syntax be used? -A INPUT -s 66.77.65.128/26 -j DROP -I FORWARD -m physdev --physdev-is-bridged -j ACCEPT -A INPUT -j REJECT --reject-with icmp-host-prohibited -A FORWARD -j REJECT --reject-with
2009 Jul 22
1
can ping domU VPS, but can't SSH into it
Hi all, A client just phoned me and said he could not SSH into his VPS, yet he can ping it. So, I log in to the host node, and check it out, can't SSH into it. I shut down iptables on the VPS (via xm console serverza.vm) but still can't SSH into it. I restart the VPS, still can't SSH into it. So, I check the host, and found this in /var/log/messages: Jul 22 19:19:07
2010 Jun 14
4
Promiscuous mode
Hi Everyone, In order to prevent DomU from entering promiscuous mode, is it just a matter of adding these 2 rules when the vif is created? # Accept packets leaving the bridge going to the domU only if # the destination IP for that packet matches an authorized IPv4 # address for that domU. iptables -A FORWARD -m physdev --physdev-out vif1.0 \ --destination 216.146.46.43 -j ACCEPT
2010 Sep 16
0
Bug#571634: xen-utils-common: using --physdev-out in the OUTPUT, FORWARD and POSTROUTING
I recently encountered this in the logs of a new Debian Xen Dom0, and having now spent the better part of a day researching and testing, I've come to the conclusion that this is not a bug in xen-utils-common or even iptables; it's merely the consequence of structural changes to the core netfilter code starting in the 2.6.20 kernel. This is rather long, but the issue is complicated. Please
2010 Aug 06
2
802.1q on gentoo
Hi, I have a box with XEN enabled. Specs: Gentoo 10.0 AMD64 XEN 4.0.0. The server is connected to our network through two physical NICs. Actually, I'm using a VLAN on each NIC and bridge the domU in it. But now I must create an additional domU which should be in a different VLAN. The best solution is to set a trunk on the switch and use 802.1q directly on the dom0. I found this site
2010 Feb 26
0
[Xen-devel] Crash during boot in Debian lenny default dom0 kernel (2.6.26-2-xen-686) / bugfix patch
Hello, More information and a patch for the bug. -- Pasi ----- Forwarded message from George Dunlap <George.Dunlap at eu.citrix.com> ----- From: George Dunlap <George.Dunlap at eu.citrix.com> To: Jan Beulich <JBeulich at novell.com> Cc: Sander Eikelenboom <linux at eikelenboom.it>, Jeremy Fitzhardinge <jeremy at goop.org>, Yunhong Jiang <yunhong.jiang at
2009 May 04
1
dom0 iptables
Ok, I am setting up a new dom0 at a colo provider and usually the colo facility acts as my gateway, but at this new one, the provider is recommending that I use the server as its own gateway. That unfortunately doesn't work too well when it comes to iptables and my domU's. IPtables do not support virtual interfaces, so I can't just white list them unfortunately. I have tried many
2010 Sep 09
0
Disabling iptables on bridge breaks port forwarding for NAT
Hi, Following the directions for setting up bridged networking in the red hat virtualization guide and libvirt wiki, I set the following kernel parameters to 0 on a RHEL 5.5 server. net.bridge.bridge-nf-call-ip6tables net.bridge.bridge-nf-call-iptables net.bridge.bridge-nf-call-arptables Unfortunately, doing this broke the port forwarding I'd set up for VMs on my NAT networks, e.g.
2010 Mar 23
0
Bug#571634: [xen-utils-common] using --physdev-out in the OUTPUT, FORWARD and POSTROUTING
Package: xen-utils-common Version: 3.4.2-3 --- Please enter the report below this line. --- After several tests and many hours of investigation I found out that this is not a bug. The iptables rule that triggers the message is found in /etc/xen/scripts/vif-common.sh [1], but as the syslog message clearly indicates this rule works perfectly when the traffic is bridged. Moreover, those rules are
2005 Nov 23
0
so close! an iptables rule away.....
Hi, I've been making leaps and strides with Xen on FC4. It has been easy to get installed and to start our first virtual host. I've got one outstanding issue with iptables that is preventing me progressing further. This is a colo'd server. It has a single NIC with public IPs. The bridge is set to come up binding vif* <> xen-br0 <> eth1. I can start a
2008 Jun 13
2
Compiling from source and networking problem
Hey, I was originally asking questions on xen-users but no one seems to have any idea about this so I figured I'd try this list. I compiled Xen from source (3.2 testing) on an Intel machine running Fedora Core 8 and have discovered that my guest (Windows Vista) does not have a network connection. Looking at various online documentation and a machine that does work, I guessed that I
2007 Feb 16
1
Successful IPtables config on Dom0 anyone?
Hi, we are trying to secure our Xen boxes with IPtables on Dom0 but we always seem to get cut off and can only cure it by rebooting the box. Has anyone got a successful config they can share that secures the server with one NIC? We are using Xen 3.0.4. Thanks, Ian
2006 Dec 14
5
blocking traffic on the FORWARD chain using physdev
Currently using physdev on a bridge to try and isolate certain paths across and to the bridge. It all works except when trying to stop the flow in one direction on the FORWARD chain?? Can someone please help?? Below is the testing done so far. eth1 <---> BRIDGE <---> eth0 # Block (eth0 ---> eth1) - blocks both directions and not just one?? iptables -A FORWARD -m physdev
2018 Mar 25
8
Bug#894013: xen-utils-common: issue with iptables antispoofing rules in xen4.8 generated by vif-bridge and vif-common.sh
Package: xen-utils-common Version: 4.8.3+comet2+shim4.10.0+comet3-1+deb9u5 Severity: important Tags: patch security -- System Information: Debian Release: 9.4 APT prefers stable APT policy: (990, 'stable'), (500, 'stable-updates') Architecture: amd64 (x86_64) Kernel: Linux 4.9.0-6-amd64 (SMP w/4 CPU cores) Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8),
2005 Nov 24
2
so close! just an iptables rule away.....?
Hi, I've been making leaps and strides with Xen on FC4. It has been easy to get installed and to start our first virtual host. I've got one outstanding issue with iptables that is preventing me progressing further. This is a colo'd server. It has a single NIC with public IPs. The bridge is set to come up binding vif* <> xen-br0 <> eth1. I can start a