similar to: Xen bridge + iptables FORWARD

Displaying 20 results from an estimated 9000 matches similar to: "Xen bridge + iptables FORWARD"

2006 Nov 25
0
dom0 iptables FORWARD default DROP?
Hello, What is the best policy for the FORWARD chain in dom0 iptables? Can I use a default DROP policy? I notice when domains are created it adds the extra rules to the FORWARD chain, to allow traffic to the guests. However, if iptables is restarted, all these rules are lost. Do I need a rule per VPS, or can I use a single catch all to handle all of them?
2010 Apr 30
1
[SPAM] Xen bridge network issue
Hi, I have taken the long and winding road and indeed it lead me to your door. I need your help, please. My Xen includes 2 guests. Xen itself (10.2.0.52) gets free access to the outside world and to its guests. Both guests however (10.2.0.54/10.2.0.55) see each other but stay under house arrest! Not a single ping manages to go past the bridge (xenbr0) and get an answer from the default gateway
2006 Oct 06
0
Port forwarding from non-xenbridged external interface to xen-interface
Hello everybody, I have an odd problem with iptables using a Xen bridge setup. I don't know if it would be better to post to netfilter Mailing-List. But I hope someone here know how to solve it. If it's OT here, please let me know. I'll try to do a little bit ASCII-Graphics to explain the topo better: _________ ________
2008 Jun 13
2
Compiling from source and networking problem
Hey, I was originally asking questions on xen-users but no one seems to have any idea about this so I figured I'd try this list. I compiled Xen from source (3.2 testing) on an Intel machine running Fedora Core 8 and have discovered that my guest (Windows Vista) does not have a network connection. Looking at various online documentation and a machine that does work, I guessed that I
2006 Aug 31
0
[Xense-devel] [RFC][PATCH][ACM] enforcing ACM policy on network traffic between virtual network interfaces
This patch adds an ACM hook into the network scripts (/etc/xen/scripts). It adds iptables rules that enforce mandatory access control on network packets exchanged between virtual interfaces. If ACM is active, this patch sets the default FORWARD policy in Dom0 to DROP and adds iptables ACCEPT rules between vifs that belong to domains that are permitted to share (determined by using the
2006 Jan 28
3
Shorewall/Xen setup (correct from-address this time)
(if this post gets line-feed-mangled please read http://www.dl.reneschmidt.de/shorewallxenpost.txt - that's an unmangled version, thank you) Hello, first I would like to thank the Mr. Eastep and contributors for this great piece of software and superb documentation. I have a SOHO server (Debian testing) that I'm using for several purposes so I've set up a Xen
2010 Aug 31
2
errors when xend starts
When starting xend i see the following errors on the console. I'm running CentOS 5 as the operating system with kernel 2.6.32.18 from 4.0.1's `make prep-kernels` Below is a log, the things i'm concerned with is the XENBUS errors and the deprecated iptables stuff. Any ideas whats going on here? ---------------------------------------------------- Bridge
2010 Nov 03
2
XEN 4.0.1 bridged network - antispoof Option does not work
Hello with XEN 3.4.x antispoof=yes works on a bridge setup. I am using this line in xend-config.sxp (network-script 'network-bridge antispoof=yes') It creates this under IPTABLES FORWARD chain: ACCEPT all -- anywhere anywhere PHYSDEV match --physdev-in peth0 Under XEN 4.0.1 it is not working, it does not create a IPTABLES rule. Customers can
2010 Sep 09
0
Disabling iptables on bridge breaks port forwarding for NAT
Hi, Following the directions for setting up bridged networking in the red hat virtualization guide and libvirt wiki, I set the following kernel parameters to 0 on a RHEL 5.5 server. net.bridge.bridge-nf-call-ip6tables net.bridge.bridge-nf-call-iptables net.bridge.bridge-nf-call-arptables Unfortunately, doing this broke the port forwarding I'd set up for VMs on my NAT networks, e.g.
2010 Jun 14
4
Promiscuous mode
Hi Everyone, In order to prevent DomU from entering promiscuous mode, is it just a matter of adding these 2 rules when the vif is created? # Accept packets leaving the bridge going to the domU only if # the destination IP for that packet matches an authorized IPv4 # address for that domU. iptables -A FORWARD -m physdev --physdev-out vif1.0 \ --destination 216.146.46.43 -j ACCEPT
2018 Mar 25
8
Bug#894013: xen-utils-common: issue with iptables antispoofing rules in xen4.8 generated by vif-bridge and vif-common.sh
Package: xen-utils-common Version: 4.8.3+comet2+shim4.10.0+comet3-1+deb9u5 Severity: important Tags: patch security -- System Information: Debian Release: 9.4 APT prefers stable APT policy: (990, 'stable'), (500, 'stable-updates') Architecture: amd64 (x86_64) Kernel: Linux 4.9.0-6-amd64 (SMP w/4 CPU cores) Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8),
2009 Nov 03
0
insight on additional adapter
Good day all, Can anyone give me some insight on the most practical way of adding a second interface to a dom0 so that certain domu's have visibility into another network? I basically have one domu that needs to pass internet data through eth1 - i've been reading the following http://wiki.xensource.com/xenwiki/XenNetworking#head-602e26cd4a03b992f3938fe1bea03fa0fea0ed8b and
2011 Aug 08
0
iptables problem under tuned bridge
Hi this is my bridge structure ========================================= brctl show bridge name bridge id STP enabled interfaces *br0* 8000.0023aea32e26 no *eth0* *tapxp* ========================================= I tunneled a tapxp for my xp virtual machine. host is centos 6 using eth0
2010 Jul 31
1
Arp Flip Flops make machine inaccessible.
CentOS 5.5 Xen "standard" Xen Installation. I have two nics. I just put the second one to DHCP and modified the ifcfg-et01 and so far I am holding, but I am not confident. Prior they were sequential IP Addrs on same subnet. arpwatch has indicated flip flops. I can find no rhyme or reason to predict them. I know I missed I must have missed a step somewhere. I want to keep the
2007 Jul 15
1
bridging and peth0
Hi, If one sets xend to use network-bridge and there are no bridges already present then it seems that xend will clone eth0 to peth0, create xenbr0 and add peth0 and vif0.0 as ports on that bridge. If on the other hand xenbr0 is created in /etc/network/interfaces then xend will not do any of that peth0 stuff, nor will it add vif0.0 to xenbr0, yet (barring some changes in iptables rules) things
2007 Sep 07
2
Dom0 cannot see network when bridge is enabled
I've seen a lot of threads w/ similar problems, but none have posted a resolution. I am using Debian 4.0r1 (Etch). I was using the xen packages from stable, but have tried w/ testing as well and the problem persists. http://pastie.caboo.se/95144 Host is 10.0.0.20 on network 10.0.0.0/24. Dom0 is thus 10.0.0.20 DomU is 10.0.0.30 When the bridge is enabled, DomU can ping everything.
2008 Aug 01
3
Xen Networking problem!
Hi, I've got a CentOS 5.2 server running xen 3.0 with 2 DomUs also running CentOS 5.2. All my boxes are up-to date. I'm experiencing trouble with networking. Dom0 can reach the outside world when no DomU are started. It can also reach the outside world when only one DomU is running. The troubles begin when I start the second DomU. At first, this new DomU, called DomU2,
2010 Feb 26
1
Bug#571634: xen-utils-common - using --physdev-out in the OUTPUT, FORWARD and POSTROUTING chains for non-bridged traffic
Package: xen-utils-common Version: 3.4.2-2 Severity: important The network setup uses not longer supported iptables operations: | physdev match: using --physdev-out in the OUTPUT, FORWARD and POSTROUTING chains for non-bridged traffic is not supported anymore. -- Those who hate and fight must stop themselves -- otherwise it is not stopped. -- Spock, "Day of the Dove", stardate
2006 Mar 05
1
How vifX.Y and eth talk on dom0 with NAT configuration?
Hi, in the official XenNetworking ( http://wiki.xensource.com/xenwiki/XenNetworking ) i didn't find reported how the NAT configuration works with xen. Does anybody know how the vifX.Y (10.X.X.128), gateway of any domU ethX (10.X.X.1) talk with the real ethX of the dom0? Thanks Enrico _______________________________________________ Xen-users mailing list Xen-users@lists.xensource.com
2006 Nov 13
0
xen 3.0.3: Problem with setting up iptables (fwbuilder)
hi, on Friday i did an upgrade from 3.0.2 to 3.0.3. I get in trouble with my IPTables rule-set, generated with the fbuilder (2.0.9) tool. I use as inside device xenbr0 (private-ip) and ppp0 as outside. After upgrading the scripts from the install, everything blocked, after starting the firewall. I saw, that xenbr0 does not have any ip, but eth0, so i changed the inside device from xenbr0 to eth0.