Xen users - May 2006 - How to add iptables modules to Domu Kernel??

Hi, I''m running xen 2.0 in a Fedora Core 3 distro. My problem is that I
want
to configure a virtual machine so that works as a firewall/router. So, I 
need iptables working on this one. Unfortunately I must have some modules 
loaded such as ip_tables, iptables_nat, etc.
Where can I do this without making mad trying it?
Thank you  very much



_______________________________________________
Xen-users mailing list
Xen-users@lists.xensource.com
http://lists.xensource.com/xen-users

I am not sure whether iptables module is compiled into the Dom-U kernel
by default in xen binary packages.
The best option for you should be to complie xen kernel from source and
add iptables support statically to the kernel.

make menuconfig
Networking  ---> Networking options  --->  Network packet filtering
(replaces ipchains)  --->  Core Netfilter Configuration  --->  Netfilter
Xtables support (required for ip_tables) and do enable all modules
included in that as per your need.
Then go to - Networking  ---> Networking options  --->  Network packet
filtering (replaces ipchains)  ---> IP: Netfilter Configuration  ---> 
IP tables support (required for filtering/masq/NAT)

You can only go to the second step after doing the first one.


It''s best you add the iptables support statically into the kernel
rather than enabling it as a module. Why? If you compile it as a module you need
to copy the module to every Dom-U manually.

Thanks
Sadique

miguel c wrote:
> Hi, I''m running xen 2.0 in a Fedora Core 3 distro. My problem is
that
> I want to configure a virtual machine so that works as a
> firewall/router. So, I need iptables working on this one.
> Unfortunately I must have some modules loaded such as ip_tables,
> iptables_nat, etc.
> Where can I do this without making mad trying it?
> Thank you  very much
>
>
>
> _______________________________________________
> Xen-users mailing list
> Xen-users@lists.xensource.com
> http://lists.xensource.com/xen-users
>
>

_______________________________________________
Xen-users mailing list
Xen-users@lists.xensource.com
http://lists.xensource.com/xen-users

I am using xen 3.0.2 stable and iptables is compiled as module.

Inside domU, i tried the following

-bash-3.00# modprobe iptable_filter
ip_tables: (C) 2000-2006 Netfilter Core Team
-bash-3.00# modprobe iptable_raw
-bash-3.00# modprobe iptable_nat
Netfilter messages via NETLINK v0.30.
ip_conntrack version 2.4 (1056 buckets, 8448 max) - 312 bytes per conntrack
-bash-3.00# modprobe iptable_mangle

Now if i try to load iptables rpm, and run iptables -L, i get the following

iptables v1.2.11: can''t initialize iptables table `filter'':
Module is wrong
version
Perhaps iptables or your kernel needs to be upgraded.

Any ideas on how to solve it ?

On 5/27/06, Sadique <sadique@vanillanetworks.com>
wrote:
>
> I am not sure whether iptables module is compiled into the Dom-U kernel
> by default in xen binary packages.
> The best option for you should be to complie xen kernel from source and
> add iptables support statically to the kernel.
>
> make menuconfig
> Networking  ---> Networking options  --->  Network packet filtering
> (replaces ipchains)  --->  Core Netfilter Configuration  ---> 
Netfilter
> Xtables support (required for ip_tables) and do enable all modules
> included in that as per your need.
> Then go to - Networking  ---> Networking options  --->  Network
packet
> filtering (replaces ipchains)  ---> IP: Netfilter Configuration  --->
> IP tables support (required for filtering/masq/NAT)
>
> You can only go to the second step after doing the first one.
>
>
> It''s best you add the iptables support statically into the kernel
rather
> than enabling it as a module. Why? If you compile it as a module you need
to
> copy the module to every Dom-U manually.
>
> Thanks
> Sadique
>
> miguel c wrote:
>
> > Hi, I''m running xen 2.0 in a Fedora Core 3 distro. My problem
is that
> > I want to configure a virtual machine so that works as a
> > firewall/router. So, I need iptables working on this one.
> > Unfortunately I must have some modules loaded such as ip_tables,
> > iptables_nat, etc.
> > Where can I do this without making mad trying it?
> > Thank you  very much
> >
> >
> >
> > _______________________________________________
> > Xen-users mailing list
> > Xen-users@lists.xensource.com
> > http://lists.xensource.com/xen-users
> >
> >
>
>
> _______________________________________________
> Xen-users mailing list
> Xen-users@lists.xensource.com
> http://lists.xensource.com/xen-users
>


-- 
regards,

Anand Gupta


_______________________________________________
Xen-users mailing list
Xen-users@lists.xensource.com
http://lists.xensource.com/xen-users

Anand Gupta wrote:
> I am using xen 3.0.2 stable and iptables is compiled as module.
>
> Inside domU, i tried the following
>
> -bash-3.00# modprobe iptable_filter
> ip_tables: (C) 2000-2006 Netfilter Core Team
> -bash-3.00# modprobe iptable_raw
> -bash-3.00# modprobe iptable_nat
> Netfilter messages via NETLINK v0.30.
> ip_conntrack version 2.4 (1056 buckets, 8448 max) - 312 bytes per
> conntrack
> -bash-3.00# modprobe iptable_mangle
>
> Now if i try to load iptables rpm, and run iptables -L, i get the
> following
>
> iptables v1.2.11: can''t initialize iptables table
`filter'': Module is
> wrong version
> Perhaps iptables or your kernel needs to be upgraded.
>
> Any ideas on how to solve it ?
>
> On 5/27/06, *Sadique* <sadique@vanillanetworks.com
> <mailto:sadique@vanillanetworks.com>> wrote:
>
>     I am not sure whether iptables module is compiled into the Dom-U
>     kernel
>     by default in xen binary packages.
>     The best option for you should be to complie xen kernel from
>     source and
>     add iptables support statically to the kernel.
>
>     make menuconfig
>     Networking  ---> Networking options  --->  Network packet
filtering
>     (replaces ipchains)  --->  Core Netfilter
>     Configuration  --->  Netfilter
>     Xtables support (required for ip_tables) and do enable all modules
>     included in that as per your need.
>     Then go to - Networking  ---> Networking options  --->  Network
packet
>     filtering (replaces ipchains)  ---> IP: Netfilter Configuration 
--->
>     IP tables support (required for filtering/masq/NAT)
>
>     You can only go to the second step after doing the first one.
>
>
>     It''s best you add the iptables support statically into the
kernel
>     rather than enabling it as a module. Why? If you compile it as a
>     module you need to copy the module to every Dom-U manually.
>
>     Thanks
>     Sadique
>
>     miguel c wrote:
>
>     > Hi, I''m running xen 2.0 in a Fedora Core 3 distro. My
problem is
>     that
>     > I want to configure a virtual machine so that works as a
>     > firewall/router. So, I need iptables working on this one.
>     > Unfortunately I must have some modules loaded such as ip_tables,
>     > iptables_nat, etc.
>     > Where can I do this without making mad trying it?
>     > Thank you  very much
>     >
>     >
>     >
>     > _______________________________________________
>     > Xen-users mailing list
>     > Xen-users@lists.xensource.com
<mailto:Xen-users@lists.xensource.com>
>     > http://lists.xensource.com/xen-users
>     >
>     >
>
>
>     _______________________________________________
>     Xen-users mailing list
>     Xen-users@lists.xensource.com
<mailto:Xen-users@lists.xensource.com>
>     http://lists.xensource.com/xen-users
>
>
>
>
> -- 
> regards,
>
> Anand Gupta
>
>------------------------------------------------------------------------
>
>_______________________________________________
>Xen-users mailing list
>Xen-users@lists.xensource.com
>http://lists.xensource.com/xen-users
>
Did you copy the modules from /lib/modules/lib/modules/2.6.16-xenU or
from the source/dist ...  of Dom-0  to the /lib/modules/2.6.16-xenU of
Dom-U? You should do that for all dom-U''s or this should be added to
the
default template.

I have always compiled iptables support statically to the Dom-U kernel
and iptables works fine for me. Have not yet tested as a module.

-- 
Sadique PP
Sr. System Administrator
Vanilla Networks Pvt Ltd
SDF-IT Building, Infopark
Kakkanad, Cochin, India 682030

Mobile: +919895643639


_______________________________________________
Xen-users mailing list
Xen-users@lists.xensource.com
http://lists.xensource.com/xen-users

On 6/8/06, Sadique <sadique@vanillanetworks.com>
wrote:
>
> Did you copy the modules from /lib/modules/lib/modules/2.6.16-xenU or
> from the source/dist ...  of Dom-0  to the /lib/modules/2.6.16-xenU of
> Dom-U? You should do that for all dom-U''s or this should be added
to the
> default template.
>
> I have always compiled iptables support statically to the Dom-U kernel
> and iptables works fine for me. Have not yet tested as a module.
>
I copied all modules from /lib/modules/2.6.16-xen from dom0 to domU.

Thats when i do a modprobe, however after i install the iptables rpm, i get
the iptables error about incorrect version.

-- 
regards,

Anand Gupta


_______________________________________________
Xen-users mailing list
Xen-users@lists.xensource.com
http://lists.xensource.com/xen-users

hi, ok this is because the modules you have in /lib/modules are from another 
Kernel. Dom0 kernel maybe. So I thing you should find DomU kernel sources, 
you can do so by installing xen from sources instead of binaries (I think). 
Then recompile it making available iptables option.

Regards



_______________________________________________
Xen-users mailing list
Xen-users@lists.xensource.com
http://lists.xensource.com/xen-users

The sources are from the xen kernel which is the default kernel compiled by
xen.

I selected the iptables to be compiled inside the kernel, however still the
same problem.

On 6/9/06, miguel c <muxutzu@hotmail.com> wrote:
>
> hi, ok this is because the modules you have in /lib/modules are from
> another
> Kernel. Dom0 kernel maybe. So I thing you should find DomU kernel sources,
> you can do so by installing xen from sources instead of binaries (I
> think).
> Then recompile it making available iptables option.
>
> Regards
>
>
>
> _______________________________________________
> Xen-users mailing list
> Xen-users@lists.xensource.com
> http://lists.xensource.com/xen-users
>


-- 
regards,

Anand Gupta


_______________________________________________
Xen-users mailing list
Xen-users@lists.xensource.com
http://lists.xensource.com/xen-users