Andrey Oreshnikov
2007-Apr-09 12:12 UTC
[Xen-users] iptables and state matches (established, related)
I use xen-3.0.4_1 (linux-2.6.16.33) and have a problem with it and iptables. I installed both from source and from RPMs for SUSE. The problem is in both.

The iptables state match doesn't work in the INPUT and OUTPUT chains but works in the FORWARD chain. For example, the rule

  iptables -A INPUT -p ALL -m state --state ESTABLISHED,RELATED -j ACCEPT

doesn't match any packets in an established connection.

The necessary modules are loaded:

  # lsmod | grep conntrack
  ip_conntrack_ftp       12144  1 ip_nat_ftp
  ip_conntrack           58584  3 ip_nat_ftp,ip_nat,ip_conntrack_ftp
  nfnetlink              10520  2 ip_nat,ip_conntrack

  # cat /proc/net/ip_conntrack
  tcp      6 186909 ESTABLISHED src=192.168.0.170 dst=192.168.0.124 sport=29664 dport=22 packets=1 bytes=52 [UNREPLIED] src=192.168.0.124 dst=192.168.0.170 sport=22 dport=29664 packets=0 bytes=0 mark=0 use=1

This rule works fine:

  IPTABLES -A FORWARD -p ALL -m state --state ESTABLISHED,RELATED -j ACCEPT

In xen-3.0.2 from the SLES distribution this problem is absent. Any suggestion?

_______________________________________________
Xen-users mailing list
Xen-users@lists.xensource.com
http://lists.xensource.com/xen-users
Tomas Lund
2007-Apr-20 11:18 UTC
Re: [Xen-users] iptables and state matches (established, related)
On Tue, 10 Apr 2007, Andrey Oreshnikov wrote:
> I use xen-3.0.4_1 ( linux-2.6.16.33 ) and have some problem with it and
> iptables. I installed both from source and from rpms for Suse. The
> problem is in both.
>
> The iptables state match doesn't work in INPUT and OUTPUT chains but work
> in FORWARD chain. For example rule
>
> iptables -A INPUT -p ALL -m state --state ESTABLISHED,RELATED -j ACCEPT
>
> doesn't match any packets in established connection.
>
> Necessary modules are loaded
>
> # lsmod | grep conntrack
> ip_conntrack_ftp 12144 1 ip_nat_ftp
> ip_conntrack 58584 3 ip_nat_ftp,ip_nat,ip_conntrack_ftp
> nfnetlink 10520 2 ip_nat,ip_conntrack
>
> # cat /proc/net/ip_conntrack
> tcp 6 186909 ESTABLISHED src=192.168.0.170 dst=192.168.0.124 sport=29664
> dport=22 packets=1 bytes=52 [UNREPLIED] src=192.168.0.124
> dst=192.168.0.170 sport=22 dport=29664 packets=0 bytes=0 mark=0 use=1
>
> This rule works fine:
>
> IPTABLES -A FORWARD -p ALL -m state --state ESTABLISHED,RELATED -j ACCEPT
>
> In xen-3.0.2 from sles distribution this problem is absent. any
> suggestion?

I can confirm the problem Andrey is describing. When I try to connect to an external host, the "SYN_SENT" state does not show up in /proc/net/ip_conntrack and the SYN+ACK packet from the external host is dropped. (The "SYN_SENT" state is what allows the iptables "ESTABLISHED" match to occur.)

Before starting XEN (and the bridging) it works with the same iptables rules. (See rules below)

I'm not sure this really has anything to do with XEN, but rather how the bridging works, but I "hope" that other people on this list have the same problem, and possibly someone has even found a solution?

Sample commands to reproduce the problem:

  iptables -F
  iptables -A INPUT -m state --state ESTABLISHED -j ACCEPT
  iptables -A INPUT -j DROP
  telnet [host] [port]

//tlund
John Hannfield
2007-Apr-28 12:49 UTC
Re: [Xen-users] iptables and state matches (established, related)
This is a known problem with Xen 3.0.x and iptables connection tracking. Connection tracking and state filtering only works as long as xen is not running.

Try doing this:

  echo "0" >/proc/sys/net/bridge/bridge-nf-call-iptables

That fixed it for me.

--
John
Geert Janssens
2007-Apr-30 14:29 UTC
Re: [Xen-users] iptables and state matches (established, related)
Hi,

I'm just about to set up xen together with iptables, so this statement slightly worries me. Do you have more details (or a link to them) about this problem? What are the exact symptoms and in which circumstances do they occur? For example, is this a problem when using iptables in dom0 or in domU or in both? Or does it only happen when trying to apply connection tracking on the bridge level?

Geert

On Saturday 28 April 2007 14:49, John Hannfield wrote:
> This is a known problem with Xen 3.0.x and iptables connection tracking.
> Connection tracking and state filtering only works as long as xen is
> not running.
> Try doing this:
>
> echo "0" >/proc/sys/net/bridge/bridge-nf-call-iptables
>
> That fixed it for me.
Marc Patino Gómez
2007-May-03 07:04 UTC
Re: [Xen-users] iptables and state matches (established, related)
I have the same problem, and also

  echo "0" >/proc/sys/net/bridge/bridge-nf-call-iptables

solves it. I don't know the reason, so I will read some doc about it.

Thanks John !!

John Hannfield wrote:
> This is a known problem with Xen 3.0.x and iptables connection tracking.
> Connection tracking and state filtering only works as long as xen is
> not running.
> Try doing this:
>
> echo "0" >/proc/sys/net/bridge/bridge-nf-call-iptables
>
> That fixed it for me.
Daniel P. Berrange
2007-May-03 11:17 UTC
Re: [Xen-users] iptables and state matches (established, related)
On Thu, May 03, 2007 at 09:04:53AM +0200, Marc Patino Gómez wrote:
> I have the same problem, and also
>
> echo "0" >/proc/sys/net/bridge/bridge-nf-call-iptables
>
> solves it. I don't know the reason, so I will read some doc about it.

It's a pretty confusing bit of iptables. Basically if you have that setting at 0, then traffic going between 2 interfaces in a bridge will not hit iptables. If you have it set to 1, then it'll have a normal set of iptables rules applied. There are use cases for both possible settings.

If you're using the regular network-bridge, with it set to zero you'll see

Traffic: Guest -> Google
------------------------
Nada

Traffic: Guest -> Host
----------------------
Out:
  NAT-PREROUTING  IN=eth1 OUT= SRC=192.168.254.120 DST=192.168.254.132
  INPUT           IN=eth1 OUT= SRC=192.168.254.120 DST=192.168.254.132
Back:
  OUTPUT          IN= OUT=eth1 SRC=192.168.254.132 DST=192.168.254.120

Traffic: Host -> Guest
----------------------
Out:
  NAT-OUTPUT      IN= OUT=eth1 SRC=192.168.254.132 DST=192.168.254.120
  OUTPUT          IN= OUT=eth1 SRC=192.168.254.132 DST=192.168.254.120
  NAT-POSTROUTING IN= OUT=eth1 SRC=192.168.254.132 DST=192.168.254.120
Back:
  INPUT           IN=eth1 OUT= SRC=192.168.254.120 DST=192.168.254.132

Now with bridge-nf-call-iptables set to 1

Traffic: Guest -> Google
------------------------
Out:
  NAT-PREROUTING  IN=xenbr1 OUT= PHYSIN=vif2.0 SRC=192.168.254.120 DST=64.233.167.99
  FORWARD         IN=xenbr1 OUT=xenbr1 PHYSIN=vif2.0 PHYSOUT=peth1 SRC=192.168.254.120 DST=64.233.167.99
  NAT-POSTROUTING IN= OUT=xenbr1 PHYSIN=vif2.0 PHYSOUT=peth1 SRC=192.168.254.120 DST=64.233.167.99
Back:
  FORWARD         IN=xenbr1 OUT=xenbr1 PHYSIN=peth1 PHYSOUT=vif2.0 SRC=64.233.167.99 DST=192.168.254.120

Traffic: Guest -> Host
----------------------
Out:
  NAT-PREROUTING  IN=xenbr1 OUT= PHYSIN=vif2.0 SRC=192.168.254.120 DST=192.168.254.132
  FORWARD         IN=xenbr1 OUT=xenbr1 PHYSIN=vif2.0 PHYSOUT=vif0.1 SRC=192.168.254.120 DST=192.168.254.132
  NAT-POSTROUTING IN= OUT=xenbr1 PHYSIN=vif2.0 PHYSOUT=vif0.1 SRC=192.168.254.120 DST=192.168.254.132
  INPUT           IN=eth1 OUT= SRC=192.168.254.120 DST=192.168.254.132
Back:
  OUTPUT          IN= OUT=eth1 SRC=192.168.254.132 DST=192.168.254.120
  FORWARD         IN=xenbr1 OUT=xenbr1 PHYSIN=vif0.1 PHYSOUT=vif2.0 SRC=192.168.254.132 DST=192.168.254.120

Traffic: Host -> Guest
----------------------
Out:
  NAT-OUTPUT      IN= OUT=eth1 SRC=192.168.254.132 DST=192.168.254.120
  OUTPUT          IN= OUT=eth1 SRC=192.168.254.132 DST=192.168.254.120
  NAT-POSTROUTING IN= OUT=eth1 SRC=192.168.254.132 DST=192.168.254.120
  FORWARD         IN=xenbr1 OUT=xenbr1 PHYSIN=vif0.1 PHYSOUT=vif2.0 SRC=192.168.254.132 DST=192.168.254.120
Back:
  FORWARD         IN=xenbr1 OUT=xenbr1 PHYSIN=vif2.0 PHYSOUT=vif0.1 SRC=192.168.254.120 DST=192.168.254.132
  INPUT           IN=eth1 OUT= SRC=192.168.254.120 DST=192.168.254.132

So you're changing what set of iptables chains get traversed by toggling that setting.

> John Hannfield wrote:
> >This is a known problem with Xen 3.0.x and iptables connection tracking.
> >Connection tracking and state filtering only works as long as xen is
> >not running.
> >Try doing this:
> >
> >echo "0" >/proc/sys/net/bridge/bridge-nf-call-iptables
> >
> >That fixed it for me.

Dan.

--
|=- Red Hat, Engineering, Emerging Technologies, Boston. +1 978 392 2496 -=|
|=- Perl modules: http://search.cpan.org/~danberr/ -=|
|=- Projects: http://freshmeat.net/~danielpb/ -=|
|=- GnuPG: 7D3B9505 F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505 -=|
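A small diagnostic for the symptom this thread describes, added here as an example and not code from any of the posters: it parses /proc/net/ip_conntrack entries of the form Andrey posted, flags flows whose reply direction was never tracked (the [UNREPLIED] entry with reply packets=0), and, when bridge-nf-call-iptables is 1, points at the setting Daniel's chain trace explains. The sample entries are constructed for the example; the sysctl value is passed in rather than read from /proc so the script runs offline.

```python
import re

# Constructed sample input (not captured from a live host): the entry Andrey
# posted, which is one-sided, followed by a healthy two-way entry for contrast.
SAMPLE_CONNTRACK = """\
tcp      6 186909 ESTABLISHED src=192.168.0.170 dst=192.168.0.124 sport=29664 dport=22 packets=1 bytes=52 [UNREPLIED] src=192.168.0.124 dst=192.168.0.170 sport=22 dport=29664 packets=0 bytes=0 mark=0 use=1
tcp      6 431999 ESTABLISHED src=192.168.0.170 dst=192.168.0.124 sport=30001 dport=22 packets=40 bytes=3200 src=192.168.0.124 dst=192.168.0.170 sport=22 dport=30001 packets=38 bytes=5100 [ASSURED] mark=0 use=1
"""

KV = re.compile(r"(\w+)=(\S+)")

def parse_conntrack(text):
    """Parse /proc/net/ip_conntrack lines; each flow keeps both direction tuples."""
    flows = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        proto = fields[0]
        flow = {"proto": proto,
                # TCP lines carry a state word after the timeout; UDP lines do not.
                "state": fields[3] if proto == "tcp" else "-",
                "unreplied": "[UNREPLIED]" in fields,
                "dirs": []}
        for key, val in KV.findall(line):
            if key == "src":          # every src= opens a new direction tuple
                flow["dirs"].append({})
            if flow["dirs"]:
                flow["dirs"][-1][key] = val
        flows.append(flow)
    return flows

def one_sided(flow):
    """True when conntrack has never seen the reply direction of this flow."""
    reply = flow["dirs"][1] if len(flow["dirs"]) > 1 else {}
    return flow["unreplied"] or reply.get("packets", "0") == "0"

def diagnose(conntrack_text, bridge_nf_call_iptables):
    """Report one-sided flows and, when the bridge sysctl is 1, the thread's fix."""
    findings = []
    for f in parse_conntrack(conntrack_text):
        if one_sided(f):
            o = f["dirs"][0]
            findings.append("one-sided %s flow %s:%s -> %s:%s (%s): reply never tracked"
                            % (f["proto"], o["src"], o["sport"], o["dst"], o["dport"], f["state"]))
    if findings and bridge_nf_call_iptables == 1:
        findings.append("bridge-nf-call-iptables=1: bridged traffic traverses iptables as well; "
                        "the workaround given in this thread is to set it to 0")
    return findings
```

On a real host, feed it the contents of /proc/net/ip_conntrack and the value of /proc/sys/net/bridge/bridge-nf-call-iptables.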