Hi,
I've been making leaps and strides with Xen on FC4. It has been easy to get installed and to start our first virtual host.
I've got one outstanding issue with iptables that is preventing me progressing further.
This is a colo'd server. It has a single NIC with public IPs.
The bridge is set to come up binding vif* <> xen-br0 <> eth1.
I can start a virtual host and I am able to ping & SSH to the virtual host.
I am not able to resolve DNS queries from my virtual host though - tcpdump shows Admin Prohibited, e.g.:
14:45:01.527142 IP dellserver.comwifinet.lan > vm-colo1.comwifinet.lan: icmp 80: host 217.160.133.239 unreachable - admin prohibited
If I drop iptables then all name resolution works from the virtual machines.
I have not had any success with adding the iptables rules as shown in the wiki:
# iptables -L -v -n
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target               prot opt in  out source     destination
 8216  809K RH-Firewall-1-INPUT  all  --  *   *   0.0.0.0/0  0.0.0.0/0
    0     0 ACCEPT               all  --  *   *   0.0.0.0/0  0.0.0.0/0   PHYSDEV match --physdev-in eth1 ! --physdev-out eth1
    0     0 ACCEPT               all  --  *   *   0.0.0.0/0  0.0.0.0/0   PHYSDEV match ! --physdev-in eth1 --physdev-out eth1

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target               prot opt in  out source     destination
 1844  216K RH-Firewall-1-INPUT  all  --  *   *   0.0.0.0/0  0.0.0.0/0

Chain OUTPUT (policy ACCEPT 1256 packets, 373K bytes)
 pkts bytes target               prot opt in  out source     destination

Chain RH-Firewall-1-INPUT (2 references)
 pkts bytes target               prot opt in  out source     destination
   42  3108 ACCEPT               all  --  lo  *   0.0.0.0/0  0.0.0.0/0
   19  1540 ACCEPT               icmp --  *   *   0.0.0.0/0  0.0.0.0/0   icmp type 255
    0     0 ACCEPT               esp  --  *   *   0.0.0.0/0  0.0.0.0/0
    0     0 ACCEPT               ah   --  *   *   0.0.0.0/0  0.0.0.0/0
    0     0 ACCEPT               udp  --  *   *   0.0.0.0/0  224.0.0.251 udp dpt:5353
    0     0 ACCEPT               udp  --  *   *   0.0.0.0/0  0.0.0.0/0   udp dpt:631
 3296  287K ACCEPT               all  --  *   *   0.0.0.0/0  0.0.0.0/0   state RELATED,ESTABLISHED
    2   116 ACCEPT               tcp  --  *   *   0.0.0.0/0  0.0.0.0/0   state NEW tcp dpt:143
    0     0 ACCEPT               tcp  --  *   *   0.0.0.0/0  0.0.0.0/0   state NEW tcp dpt:53
    9   740 ACCEPT               tcp  --  *   *   0.0.0.0/0  0.0.0.0/0   state NEW tcp dpt:22
    7   336 ACCEPT               tcp  --  *   *   0.0.0.0/0  0.0.0.0/0   state NEW tcp dpt:25
    4   228 ACCEPT               tcp  --  *   *   0.0.0.0/0  0.0.0.0/0   state NEW tcp dpt:80
 6681  732K REJECT               all  --  *   *   0.0.0.0/0  0.0.0.0/0   reject-with icmp-host-prohibited
Running 2.6.12-1.1398_FC4xen0
I have read https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=161792 - is this the cause of my problems? Do I need to run a newer kernel to resolve this issue?
Thanks for any advice - please prompt me to supply further info (e.g. credit card number, inside leg measurement, etc......)
/rob
_______________________________________________
Xen-users mailing list
Xen-users@lists.xensource.com
http://lists.xensource.com/xen-users
Michael Best
2005-Nov-30 04:38 UTC
Re: [Xen-users] so close! just an iptables rule away.....?
> Hi,
> # iptables -L -v -n
> Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
> pkts bytes target prot opt in out source destination
> 8216 809K RH-Firewall-1-INPUT all -- * * 0.0.0.0/0 0.0.0.0/0
> 0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 PHYSDEV match --physdev-in eth1 ! --physdev-out eth1
> 0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 PHYSDEV match ! --physdev-in eth1 --physdev-out eth1

The big problem is in the FORWARD chain: the first rule in this chain says jump to the chain RH-Firewall-1-INPUT, and then the subsequent rules are ignored.

So for instance in my example system my domU is on bridged interface vif3.0; in order to add the ACCEPT iptables line *before* the jump to RH-Firewall I had to drop that rule and then insert it back in.

iptables -D FORWARD -j RH-Firewall-1-INPUT
iptables -A FORWARD -m physdev --physdev-in vif3.0 -j ACCEPT
iptables -A FORWARD -j RH-Firewall-1-INPUT

Same basic approach for you, just make sure your rules come before the jump, or drop that rule and then add it back in after the rule changes are done.

I modified my /etc/xen/scripts/vif-common.sh to do this for me. The patch appeared in my last post.

-Mike
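The rule-ordering problem rob hit and Michael's fix both come down to how netfilter walks a chain: an unconditional "-j RH-Firewall-1-INPUT" whose target chain ends in a catch-all REJECT decides every packet, so nothing appended after that jump can ever match. The following is an added example, not code from the Xen-users thread or from Xen itself: a small constructed model of chain traversal that replays rob's posted FORWARD chain against a domU DNS query and an inbound SSH connection, then applies Michael's three commands and shows the difference. The interface name vif3.0, the packets, and the abridged RH-Firewall-1-INPUT chain are constructed from what the thread shows; the REJECT with icmp-host-prohibited is what produces the "admin prohibited" ICMP in rob's tcpdump. One thing the model makes visible that the thread only implies: rob's two PHYSDEV rules from the wiki were correct all along, they were merely shadowed, and after the reordering it is one of those wiki rules that accepts the DNS query.

```python
# Added example (not code from the Xen-users thread): a constructed toy model of
# how netfilter walks iptables chains, used to show why rob's two PHYSDEV ACCEPT
# rules never fire behind "-j RH-Firewall-1-INPUT" and why Michael's reordering
# fixes it.  Interface names, packets and the abridged chain are constructed.
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

TERMINATING = {"ACCEPT", "DROP", "REJECT"}   # verdicts that end traversal


@dataclass
class Packet:
    proto: str          # "tcp", "udp" or "icmp"
    dport: int
    physdev_in: str     # bridge port the frame arrived on
    physdev_out: str    # bridge port it will leave on
    state: str          # conntrack state: "NEW", "ESTABLISHED", ...


def ANY(_: Packet) -> bool:
    """Match-all, i.e. a rule written with no match options at all."""
    return True


@dataclass
class Rule:
    target: str                             # ACCEPT/REJECT or a user chain name
    match: Callable[[Packet], bool] = ANY
    text: str = ""                          # how the rule reads in iptables -L


@dataclass
class Chain:
    rules: List[Rule]
    policy: Optional[str] = None            # built-in chains only; user chains RETURN


class Firewall:
    def __init__(self) -> None:
        self.chains: Dict[str, Chain] = {}

    def decide(self, chain_name: str, pkt: Packet) -> Tuple[Optional[str], str]:
        """First matching terminating rule wins; a jump whose target chain falls
        off its end RETURNs and traversal continues with the next rule."""
        for rule in self.chains[chain_name].rules:
            if not rule.match(pkt):
                continue
            if rule.target in TERMINATING:
                return rule.target, rule.text
            verdict, why = self.decide(rule.target, pkt)   # jump into user chain
            if verdict is not None:
                return verdict, why
        policy = self.chains[chain_name].policy
        return policy, ("policy" if policy else "RETURN")

    def always_terminates(self, chain_name: str) -> bool:
        """True if no packet can RETURN from this chain undecided."""
        return any(r.match is ANY and (r.target in TERMINATING or self.always_terminates(r.target))
                   for r in self.chains[chain_name].rules)

    def unreachable_rules(self, chain_name: str) -> List[str]:
        """Rules shadowed by an earlier match-all rule that always decides the packet."""
        rules = self.chains[chain_name].rules
        for i, r in enumerate(rules):
            if r.match is ANY and (r.target in TERMINATING or self.always_terminates(r.target)):
                return [x.text for x in rules[i + 1:]]
        return []


def rh_firewall_chain() -> Chain:
    """Abridged RH-Firewall-1-INPUT from the post; the final catch-all REJECT
    (icmp-host-prohibited) is the 'admin prohibited' ICMP seen in tcpdump."""
    return Chain([
        Rule("ACCEPT", lambda p: p.state in ("RELATED", "ESTABLISHED"), "ACCEPT state RELATED,ESTABLISHED"),
        Rule("ACCEPT", lambda p: p.proto == "icmp", "ACCEPT icmp"),
        Rule("ACCEPT", lambda p: p.proto == "tcp" and p.state == "NEW" and p.dport in (143, 53, 22, 25, 80),
             "ACCEPT tcp state NEW dpt:143/53/22/25/80"),
        Rule("REJECT", text="REJECT all reject-with icmp-host-prohibited"),
    ])


def forward_as_posted() -> Firewall:
    """FORWARD in the order rob posted it: the jump comes first."""
    fw = Firewall()
    fw.chains["RH-Firewall-1-INPUT"] = rh_firewall_chain()
    fw.chains["FORWARD"] = Chain([
        Rule("RH-Firewall-1-INPUT", text="-j RH-Firewall-1-INPUT"),
        Rule("ACCEPT", lambda p: p.physdev_in == "eth1" and p.physdev_out != "eth1",
             "--physdev-in eth1 ! --physdev-out eth1 -j ACCEPT"),
        Rule("ACCEPT", lambda p: p.physdev_in != "eth1" and p.physdev_out == "eth1",
             "! --physdev-in eth1 --physdev-out eth1 -j ACCEPT"),
    ], policy="ACCEPT")
    return fw


def forward_with_fix(vif: str) -> Firewall:
    """Michael's three commands: delete the jump, append the per-vif ACCEPT,
    append the jump again, so every ACCEPT now sits in front of it."""
    fw = forward_as_posted()
    rules = fw.chains["FORWARD"].rules
    jump = rules.pop(0)                                   # iptables -D FORWARD -j RH-Firewall-1-INPUT
    rules.append(Rule("ACCEPT", lambda p: p.physdev_in == vif,
                      f"-m physdev --physdev-in {vif} -j ACCEPT"))   # iptables -A FORWARD -m physdev ...
    rules.append(jump)                                    # iptables -A FORWARD -j RH-Firewall-1-INPUT
    return fw


DOMU_VIF = "vif3.0"    # constructed: the domU's bridge port, as in Michael's example


def dns_query_from_domu() -> Packet:
    """Constructed: first packet of a domU UDP/53 lookup leaving via eth1."""
    return Packet("udp", 53, DOMU_VIF, "eth1", "NEW")


def ssh_into_domu() -> Packet:
    """Constructed: an inbound SSH connection arriving on eth1 for the domU."""
    return Packet("tcp", 22, "eth1", DOMU_VIF, "NEW")
```

Under the posted ordering the SSH connection is accepted (RH-Firewall-1-INPUT allows NEW tcp dpt:22), which matches rob's report that he can SSH to the virtual host, while the DNS query falls through to the catch-all REJECT because the chain has no rule for NEW udp dpt:53; `unreachable_rules("FORWARD")` lists both PHYSDEV rules as dead. After `forward_with_fix` the same query is accepted, and by the existing "! --physdev-in eth1 --physdev-out eth1" wiki rule rather than the new per-vif one. On a live system the check equivalent to `unreachable_rules` is simply reading `iptables -L FORWARD -v -n` and confirming that nothing you rely on sits below an unconditional jump into a chain that ends in REJECT.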
Thanks Michael. I'll give your modification a go and report back.
/rob