Is there something about Xen and iptables that I don't know about?

I converted a VMWare Centos 4.4 system to run under Xen 3.0.2 on Ubuntu 6.06.

When I try to run iptables on the Centos VM I get this error.

iptables -L
iptables v1.2.11: can't initialize iptables table `filter': iptables who? (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.

I suspect that there is something I have to do on the domU to get it to work or that I may have to copy something over from the domU.

What should I do?

/voipfc
_______________________________________________
Xen-users mailing list
Xen-users@lists.xensource.com
http://lists.xensource.com/xen-users

On Mon, 4 Jun 2007, Frank Church wrote:
> When I try to run iptables on the Centos VM I get this error.
>
> iptables -L
> iptables v1.2.11: can't initialize iptables table `filter': iptables
> who? (do you need to insmod?)
> Perhaps iptables or your kernel needs to be upgraded.

you need to load the iptables module. with centos4, you can try:

/etc/init.d/iptables start

with other distros you probably want a modprobe. verify you have the modules installed in /lib/modules/`uname -r`

On Mon, Jun 04, 2007 at 01:13:30AM +0100, Frank Church wrote:
> I converted a VMWare Centos 4.4 system to run under Xen 3.0.2 on Ubuntu
> 6.06.
>
> When I try to run iptables on the Centos VM I get this error.
>
> iptables -L
> iptables v1.2.11: can't initialize iptables table `filter': iptables
> who? (do you need to insmod?)
> Perhaps iptables or your kernel needs to be upgraded.
>
> I suspect that there is something I have to do on the domU to get it
> to work or that I may have to copy something over from the domU.

As Luke has mentioned, make sure that the modules for the running domU kernel are available in /lib/modules, and also that the modules.dep file is up to date (consider a depmod run in the VM to make sure).

Verifying that the iptables module is available and loaded is quite simple. Run 'lsmod |grep ip_tables' and if there's any output, you've got IP tables loaded. If not, try 'modprobe ip_tables' and make sure it doesn't give any errors.

If you still get the same error after you've verified that the ip_tables module is loaded, then you've probably hit my favourite glitch-of-the-week. You're probably running a 32-bit VM userland on a 64-bit domU kernel/hypervisor, and so the 32-bit iptables binary can't talk to your 64-bit kernel (architecture-dependent data structures, doncha know). You need to get a 64-bit libc and dynamic loader, and get a 64-bit /sbin/iptables and /lib/iptables/* onto your domU. I don't know how to do that on a CentOS box, though, short of a bunch of manual scp work. I could tell you how easy it is on a Debian/Ubuntu VM, but that wouldn't be very helpful for you.

- Matt

--
Another Fine Product From The Nonsense Factory.
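
The checks suggested in the replies above (module tree present for the running kernel, ip_tables listed in modules.dep and loaded, word size of the iptables binary versus the kernel), gathered into one script. This is an added example, not part of the original thread; the function names, the result strings and the parameterised paths are assumptions of the example.

```shell
#!/bin/sh
# Added example: diagnose why iptables cannot initialise a table in a domU.
# Paths are parameters so the logic also runs on constructed sample files.

# Print 32 or 64 from the EI_CLASS byte (offset 4) of an ELF file.
elf_bits() {
    [ "$(od -An -c -N4 "$1" 2>/dev/null | tr -d ' \n')" = '177ELF' ] || return 1
    case "$(od -An -tu1 -j4 -N1 "$1" | tr -d ' \n')" in
        1) echo 32 ;;
        2) echo 64 ;;
        *) return 1 ;;
    esac
}

# Map a `uname -m` value to the kernel word size (x86 only).
kernel_bits() {
    case "$1" in
        x86_64|amd64) echo 64 ;;
        i?86)         echo 32 ;;
        *)            return 1 ;;
    esac
}

# Succeeds if module $1 has an entry in modules.dep under tree $2.
module_installed() { grep -q "/$1\.ko[.:]" "$2/modules.dep" 2>/dev/null; }

# Succeeds if module $1 appears in the /proc/modules-format file $2.
module_loaded() { grep -q "^$1 " "$2" 2>/dev/null; }

# Args: modules tree, /proc/modules file, iptables binary, `uname -m` value.
# Prints the first failing check, or "ok".
diagnose() {
    [ -d "$1" ] || { echo "no-modules-dir"; return; }
    module_installed ip_tables "$1" || { echo "module-not-installed"; return; }
    module_loaded ip_tables "$2" || { echo "module-not-loaded"; return; }
    ub=$(elf_bits "$3") || { echo "iptables-binary-unreadable"; return; }
    kb=$(kernel_bits "$4") || { echo "unknown-kernel-arch"; return; }
    [ "$ub" = "$kb" ] || { echo "userland-${ub}bit-kernel-${kb}bit"; return; }
    echo "ok"
}

# Run against the live system.
diagnose "/lib/modules/$(uname -r)" /proc/modules /sbin/iptables "$(uname -m)"
```

A result of module-not-installed usually means depmod has not been run since the module tree was copied in; module-not-loaded is cleared by 'modprobe ip_tables'.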

On Mon, 2007-06-04 at 01:13 +0100, Frank Church wrote:
> Is there something about Xen and iptables that I don't know about?
>
> I converted a VMWare Centos 4.4 system to run under Xen 3.0.2 on Ubuntu 6.06.
>
> When I try to run iptables on the Centos VM I get this error.
>
> iptables -L
> iptables v1.2.11: can't initialize iptables table `filter': iptables
> who? (do you need to insmod?)
> Perhaps iptables or your kernel needs to be upgraded.
>
> I suspect that there is something I have to do on the domU to get it
> to work or that I may have to copy something over from the domU.
>
> What should I do?

Copy over the correct kernel modules (lib/modules/`uname -r` is existentially challenged in your dom-u)

Best,
--Tim

> /voipfc

On 04/06/07, Frank Church <voipfc@googlemail.com> wrote:
> Is there something about Xen and iptables that I don't know about?
>
> I converted a VMWare Centos 4.4 system to run under Xen 3.0.2 on Ubuntu 6.06.
>
> When I try to run iptables on the Centos VM I get this error.
>
> iptables -L
> iptables v1.2.11: can't initialize iptables table `filter': iptables
> who? (do you need to insmod?)
> Perhaps iptables or your kernel needs to be upgraded.
>
> I suspect that there is something I have to do on the domU to get it
> to work or that I may have to copy something over from the domU.
>
> What should I do?
>
> /voipfc
>

After going through your responses I think I have to start from scratch.
When I run modprobe ip_tables there is no error report.

When I run iptables -L on the domU this is the output

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            PHYSDEV match --physdev-in vif14.0
ACCEPT     all  --  anywhere             anywhere            PHYSDEV match --physdev-in vif15.0
ACCEPT     all  --  anywhere             anywhere            PHYSDEV match --physdev-in vif22.0
ACCEPT     all  --  anywhere             anywhere            PHYSDEV match --physdev-in vif26.0
ACCEPT     all  --  anywhere             anywhere            PHYSDEV match --physdev-in vif28.0

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

What is the command to check that the iptables module is stored on the VM?

Is there supposed to be some .ko file in the modules directory?

modprobe ip_tables gives no error messages on the VM.

service ip_tables restart gives the message below.
============================================
Flushing firewall rules: [ OK ]
Setting chains to policy ACCEPT: filter [ OK ]
Unloading iptables modules: [ OK ]

/sbin/iptables -V on the VM outputs.
iptables v1.2.11

/sbin/iptables -V on the host outputs.
iptables v1.3.3

service apf restart on the VM outputs

Stopping APF: [ OK ]
Starting APF:Unable to load iptables module (ipt_state), aborting.
[ OK ]

Do I have to insmod ipt_state etc for those modules to be installed?

Grepping modules.dep on both host and source shows that iptables is installed. I copied the whole lib/modules folder to the VM, and I will restart it again to see if it works.

On 04/06/07, Frank Church <voipfc@googlemail.com> wrote:
> On 04/06/07, Frank Church <voipfc@googlemail.com> wrote:
> > Is there something about Xen and iptables that I don't know about?
> >
> > I converted a VMWare Centos 4.4 system to run under Xen 3.0.2 on Ubuntu 6.06.
> >
> > When I try to run iptables on the Centos VM I get this error.
> >
> > iptables -L
> > iptables v1.2.11: can't initialize iptables table `filter': iptables
> > who? (do you need to insmod?)
> > Perhaps iptables or your kernel needs to be upgraded.
> >
> > I suspect that there is something I have to do on the domU to get it
> > to work or that I may have to copy something over from the domU.
> >
> > What should I do?
> >
> > /voipfc
> >
>
> After going through your responses I think I have to start from scratch.
> When I run modprobe ip_tables there is no error report.
>
> When I run iptables -L on the domU this is the output
>
> Chain INPUT (policy ACCEPT)
> target prot opt source destination
>
> Chain FORWARD (policy ACCEPT)
> target prot opt source destination
> ACCEPT all -- anywhere anywhere PHYSDEV
> match --physdev-in vif14.0
> ACCEPT all -- anywhere anywhere PHYSDEV
> match --physdev-in vif15.0
> ACCEPT all -- anywhere anywhere PHYSDEV
> match --physdev-in vif22.0
> ACCEPT all -- anywhere anywhere PHYSDEV
> match --physdev-in vif26.0
> ACCEPT all -- anywhere anywhere PHYSDEV
> match --physdev-in vif28.0
>
> Chain OUTPUT (policy ACCEPT)
> target prot opt source destination
>
>
> What is the command to check that the iptables module is stored on the VM?
>
> Is there supposed to be some .ko file in the modules directory?
>
>
> modprobe ip_tables gives no error messages on the VM.
>
> service ip_tables restart gives the message below.
> ============================================
> Flushing firewall rules: [ OK ]
> Setting chains to policy ACCEPT: filter [ OK ]
> Unloading iptables modules: [ OK ]
>
> /sbin/iptables -V on the VM outputs.
> iptables v1.2.11
>
> /sbin/iptables -V on the host outputs.
> iptables v1.3.3
>
> service apf restart on the VM outputs
>
> Stopping APF: [ OK ]
> Starting APF:Unable to load iptables module (ipt_state), aborting.
> [ OK ]
>
> Do I have to insmod ipt_state etc for those modules to be installed?
>
> Grepping modules.dep on both host and source shows that iptables is
> installed. I copied the whole lib/modules folder to the VM, and I
> will restart it again to see if it works.
>

After restarting the server I realized that apf had to be recompiled against the modules and that fixed everything.

Thanks for the help