Rich Brown
2008-Feb-12 07:17 UTC
[Xen-users] Has anyone successfully set up a dhcp/iptables firewall in dom0 NATing traffic from domU?
I've been struggling with this problem for a few days now; perhaps someone here has had experience with this problem already. I am trying to set up a rack server like this:

dom0: iptables/dhcp
dom1: LAMP server
dom2: MAIL server
dom3: VNC vm for graphical admin and web tools

Dom0 has one physical interface eth0 which receives a static IP. I have also set up a bridge called br0 that I have bound dnsmasq to in order to dole out IPs to the domUs. The domUs are assigned a MAC address and once they boot dhclient requests an IP over 192.168.0.1, which works well. Once the domU has booted I can ping the other domUs by IP and the br0 itself at 192.168.0.1, as well as accessing all the servers in the domUs in my internal network, i.e. I can hit the webserver in dom1 from dom3. I can also ping external sites by domain name like google.com.

Unfortunately that is about all I can do. I cannot access any other form of net traffic from inside the domU, i.e. I cannot access the web or rsync.

My question is basically, is this a problem with Xen networking or is it a problem with iptables? Both?

- Rich

_______________________________________________
Xen-users mailing list
Xen-users@lists.xensource.com
http://lists.xensource.com/xen-users
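An added example, not from the thread or from anyone on it: the minimal dom0 NAT ruleset for the layout Rich describes, plus an offline audit of an iptables-save dump that checks for the three things a domU needs before TCP and UDP (not only ICMP) can leave through dom0. The interface names eth0 and br0 and the 192.168.0.0/24 subnet are taken from the post; the "broken" dump is constructed here to reproduce the symptom (DNS from dom0 and ping work, TCP does not) with an icmp-only FORWARD rule, and is one possible cause, not a diagnosis of Rich's box.

```shell
#!/bin/sh
# Added example, not from the thread. Interface names and subnet follow
# Rich's description (eth0 public, br0 internal, dnsmasq on 192.168.0.1);
# everything else is an assumption for illustration.
WAN=eth0
LAN=br0
LAN_NET=192.168.0.0/24

# Print the minimal dom0 ruleset for the described layout (pipe into
# "sh" as root to apply). FORWARD is deny-by-default: only LAN->WAN and
# tracked return traffic pass, and dom0 itself only answers DNS/DHCP on
# the bridge.
nat_rules() {
    cat <<EOF
sysctl -w net.ipv4.ip_forward=1
iptables -t nat -A POSTROUTING -s $LAN_NET -o $WAN -j MASQUERADE
iptables -P FORWARD DROP
iptables -A FORWARD -i $LAN -o $WAN -s $LAN_NET -j ACCEPT
iptables -A FORWARD -i $WAN -o $LAN -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i $LAN -p udp --dport 67 -j ACCEPT
iptables -A INPUT -i $LAN -p udp --dport 53 -j ACCEPT
iptables -A INPUT -i $LAN -p tcp --dport 53 -j ACCEPT
EOF
}

# True if the dump held in $DUMP contains a line matching the ERE in $1.
has_rule() {
    printf '%s\n' "$DUMP" | grep -Eq -- "$1"
}

# Audit an iptables-save dump (file path in $1) for the three pieces a
# domU needs to reach the Internet with TCP/UDP and not just ICMP.
# Prints one line per missing piece; the return status is the number of
# missing pieces, so 0 means the dump looks complete.
audit_dump() {
    DUMP=$(cat "$1")
    missing=0

    # 1. Source NAT on the public interface, or replies never come back.
    has_rule "^-A POSTROUTING .*-o $WAN .*-j MASQUERADE" || {
        echo "missing: nat POSTROUTING MASQUERADE on $WAN"
        missing=$((missing + 1))
    }

    # 2. A LAN->WAN ACCEPT that is not restricted with -p. An icmp-only
    #    rule leaves ping working while every TCP connection is dropped.
    printf '%s\n' "$DUMP" | grep -E -- "^-A FORWARD .*-i $LAN -o $WAN" \
        | grep -v -- "-p " | grep -q -- "-j ACCEPT" || {
        echo "missing: FORWARD $LAN->$WAN ACCEPT for all protocols"
        missing=$((missing + 1))
    }

    # 3. Return traffic for tracked connections (state or conntrack match).
    has_rule "^-A FORWARD .*--(ct)?state [A-Z,]*ESTABLISHED.*-j ACCEPT" || {
        echo "missing: FORWARD ESTABLISHED,RELATED ACCEPT"
        missing=$((missing + 1))
    }

    return $missing
}

# Constructed iptables-save dump for offline testing. "broken" reproduces
# the symptom in the post (DNS answered by dom0 and ping work, TCP does
# not) with an icmp-only forward rule; "fixed" uses the unrestricted rule.
sample_dump() {
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -s $LAN_NET -o $WAN -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i $LAN -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i $LAN -p udp -m udp --dport 67 -j ACCEPT
-A FORWARD -i $WAN -o $LAN -m state --state ESTABLISHED,RELATED -j ACCEPT
EOF
    if [ "$1" = fixed ]; then
        echo "-A FORWARD -s $LAN_NET -i $LAN -o $WAN -j ACCEPT"
    else
        echo "-A FORWARD -i $LAN -o $WAN -p icmp -j ACCEPT"
    fi
    echo COMMIT
}

# On the real box, as root: iptables-save > /tmp/rules; audit_dump /tmp/rules
# and separately check that /proc/sys/net/ipv4/ip_forward reads 1.
```

The audit deliberately works on a saved dump rather than on live `iptables -L` output so it can be run against a copy taken from the dom0 and compared before and after a change; note that ip_forward is a sysctl, not a rule, so it is not visible in the dump and has to be checked on its own.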
Juergen Schinker
2008-Feb-12 11:47 UTC
Re: [Xen-users] Has anyone successfully set up a dhcp/iptables firewall in dom0 NATing traffic from domU?
> I've been struggling with this problem for a few days now; perhaps someone here has had experience with this problem already. I am trying to set up a rack server like this:
>
> dom0: iptables/dhcp
> dom1: LAMP server
> dom2: MAIL server
> dom3: VNC vm for graphical admin and web tools
>
> Dom0 has one physical interface eth0 which receives a static IP. I have also set up a bridge called br0 that I have bound dnsmasq to in order to dole out IPs to the domUs. The domUs are assigned a MAC address and once they boot dhclient requests an IP over 192.168.0.1, which works well. Once the domU has booted I can ping the other domUs by IP and the br0 itself at 192.168.0.1, as well as accessing all the servers in the domUs in my internal network, i.e. I can hit the webserver in dom1 from dom3. I can also ping external sites by domain name like google.com. Unfortunately that is about all I can do. I cannot access any other form of net traffic from inside the domU, i.e. I cannot access the web or rsync.
>
> My question is basically, is this a problem with Xen networking or is it a problem with iptables? Both?
>
> - Rich

Yes here http://homie.homelinux.net/wordpress/?p=11
Gareth Bult
2008-Feb-12 12:21 UTC
Re: [Xen-users] Has anyone successfully set up a dhcp/iptables firewall in dom0 NATing traffic from domU?
Hi,

For what it's worth I've come to the conclusion that the best policy is to run *nothing* in the Dom0 above and beyond what you absolutely need. In my case, no iptables whatsoever and nothing listening on a public interface save ssh, which is protected by hosts.allow. (Then run everything else on a second/private eth.)

There appears to be a rather nasty bug somewhere in the IP stack; I'm thinking it's in conntrack with regards to bridging with Xen in Dom0s, which ultimately causes lots of problems including machine lockouts.

Since scrapping iptables I've not had a single lockup. (Across 6 machines and 18 DomUs.)
[I'm working with kernels 2.6.2x]

hth
Gareth.

----- Original Message -----
From: "Juergen Schinker" <ba1020@homie.homelinux.net>
To: xen-users@lists.xensource.com
Sent: 12 February 2008 11:47:20 o'clock (GMT) Europe/London
Subject: Re: [Xen-users] Has anyone successfully set up a dhcp/iptables firewall in dom0 NATing traffic from domU?

> > I've been struggling with this problem for a few days now; perhaps someone here has had experience with this problem already. I am trying to set up a rack server like this:
> [...]
> > My question is basically, is this a problem with Xen networking or is it a problem with iptables? Both?
> >
> > - Rich
>
> Yes here http://homie.homelinux.net/wordpress/?p=11
Juergen Schinker
2008-Feb-12 12:42 UTC
Re: [Xen-users] Has anyone successfully set up a dhcp/iptables firewall in dom0 NATing traffic from domU?
> Hi,
>
> For what it's worth I've come to the conclusion that the best policy is to
> run *nothing* in the Dom0 above and beyond what you absolutely need. In my
> case, no iptables whatsoever and nothing listening on a public interface
> save ssh, which is protected by hosts.allow.
> (Then run everything else on a second/private eth.)

Maybe, but most people use a host with iptables and migrating all services to DomU is hard, so the easiest way seems to me to solve the bug and not get all users to do a workaround.

I never had a lockout... kernel 2.6.20-xen-r6, Xen 3.1, bridging mode.

> There appears to be a rather nasty bug somewhere in the IP stack; I'm
> thinking it's in conntrack with regards to bridging with Xen in Dom0s,
> which ultimately causes lots of problems including machine lockouts.
>
> Since scrapping iptables I've not had a single lockup. (Across 6 machines
> and 18 DomUs.)
> [I'm working with kernels 2.6.2x]
>
> hth
> Gareth.
>
> ----- Original Message -----
> From: "Juergen Schinker" <ba1020@homie.homelinux.net>
> To: xen-users@lists.xensource.com
> Sent: 12 February 2008 11:47:20 o'clock (GMT) Europe/London
> Subject: Re: [Xen-users] Has anyone successfully set up a dhcp/iptables
> firewall in dom0 NATing traffic from domU?
>
> [...]
> Yes here http://homie.homelinux.net/wordpress/?p=11