thr3ads.net - Xen users - [Xen-users] dom0 iptables FORWARD default DROP? [Nov 2006]

If this information is useful, please help other people find it:
Share via:

John Hannfield

2006-Nov-25 10:47 UTC

[Xen-users] dom0 iptables FORWARD default DROP?

Hello,
What is the best policy for the FORWARD chain in dom0 iptables?
Can I use a default DROP policy?
 I notice when domains are created it adds the extra rules to the
FORWARD chain, to
allow traffic to the guests. However, if iptables is restarted, all
these rules are lost.

Do I need a rule per VPS, or can I use a single catch all to handle all of them?

http://wiki.xensource.com/xenwiki/XenNetworking
Suggests using this:

-A FORWARD -m physdev --physdev-in eth0  ! --physdev-out  eth0  -j ACCEPT
-A FORWARD -m physdev --physdev-out eth0 ! --physdev-in  eth0  -j ACCEPT

What is the recommended way to handle the FORWARD chain in dom0 iptables?

-- 

John

_______________________________________________
Xen-users mailing list
Xen-users@lists.xensource.com
http://lists.xensource.com/xen-users

Possibly Parallel Threads

Search for more maybe matching threads

Xen users - Nov 2006 - dom0 iptables FORWARD default DROP?

[Xen-users] dom0 iptables FORWARD default DROP?

Possibly Parallel Threads

Wisdom of the Ancients