Hi,

I am a newbie to Xen. I created a VM and associated an IP address.

Next, I disabled the firewall and on ip tables allowed port 80, 22 and 8080 (for my tomcat installation).

I started httpd on the VM (domU) and dom0.

After that I tried connecting to dom0 httpd (webserver) port 80 from another physical server. This works and shows me the correct page when I do - http://<dom0-machine-ip>:80/. Then I try ssh to the dom0 machine and it works.

But when I try to do the same for the VM (domU) on dom0 in the browser as - http://<domU-VM-ip>:80/ it does not work. Also when I try ssh to the domU machine IP it says - Access Denied.

Please help me resolve this. What is it that I am missing here?

Thanks
Mahendra

_______________________________________________
Xen-users mailing list
Xen-users@lists.xensource.com
http://lists.xensource.com/xen-users
Dustin Henning
2008-Aug-06 14:08 UTC
RE: [Xen-users] Prob Connecting VM through http or ssh
Your VM probably has its own firewall/iptables configuration… This would need reconfigured along with the one on Dom0. If you don't have firewall/iptables on your DomU, then perhaps your rules in the iptables Forwarding table on Dom0 are wrong. Traffic going to a DomU will go through the Forwarding table instead of the Incoming table where traffic for Dom0 goes, I believe this would be true for both bridging and routing.

Dustin
Mahendra Kutare
2008-Aug-06 14:16 UTC
Re: [Xen-users] Prob Connecting VM through http or ssh
This is how my DOM0 IP table looks -

[root@gdrd59 ~]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ssh
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:webcache
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:http
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:http

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            PHYSDEV match --physdev-in vif6.0
ACCEPT     all  --  anywhere             anywhere            PHYSDEV match --physdev-in eth0 ! --physdev-out eth0
ACCEPT     all  --  anywhere             anywhere            PHYSDEV match ! --physdev-in eth0 --physdev-out eth0

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

############################################################################################################

domU IP Table looks like this -

[root@besim ~]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ssh
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:http
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:http
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ssh

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

############################################################################################################

So as can be seen dom0 has a forwarding table entry here. Am I doing something wrong in forwarding?

Thanks
Mahendra

--
Only those who can risk going too far, can find out how far one can go.
Dustin Henning
2008-Aug-06 15:09 UTC
RE: [Xen-users] Prob Connecting VM through http or ssh
Actually, this all looks like it should work. In fact, it looks like all traffic would be allowed in both of these iptables configurations based solely on the fact that the policy on each chain is ACCEPT and there is no rule at the end of any chain to reject or drop all traffic (nor any rule elsewhere to reject or drop specific traffic).

Perhaps something else is running on the DomU and rejecting traffic, as this access denied message certainly makes it look like you have a layer 3 path to this VM (where a timeout would indicate you didn't). To verify where the problem lies, I would try to ssh from Dom0 to DomU. I suspect you will get the same access denied error, which would most likely mean that the DomU is rejecting the traffic for some reason. Otherwise, perhaps the IP you assigned the DomU is being used elsewhere or something else on the Dom0 is rejecting the traffic.

Dustin
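
The reading of the listings in the reply above (policy ACCEPT on every chain and no DROP or REJECT rule means nothing is filtered) can be checked mechanically. The script below is an added example, not part of the original thread; the function name `chain_verdicts` and the second sample listing are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: report which built-in chains in plain `iptables -L` output
# can actually block a packet. Expects the default column layout (not -v).

# Constructed sample: the dom0 listing from the thread, one rule per line.
DOM0_LISTING='Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ssh
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:webcache
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:http
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:http

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            PHYSDEV match --physdev-in vif6.0
ACCEPT     all  --  anywhere             anywhere            PHYSDEV match --physdev-in eth0 ! --physdev-out eth0
ACCEPT     all  --  anywhere             anywhere            PHYSDEV match ! --physdev-in eth0 --physdev-out eth0

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination'

# Constructed contrast case (not from the thread): a chain that ends in REJECT.
FILTERING_LISTING='Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ssh
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited'

# Reads a listing on stdin; prints "<chain> open" when the policy is ACCEPT and
# no rule targets DROP or REJECT, otherwise "<chain> filtering".
# Limitation: user-defined chains are skipped, so a jump into one that drops
# traffic is not detected.
chain_verdicts() {
    awk '
        function report() {
            if (chain != "")
                print chain, ((policy == "ACCEPT" && blocking == 0) ? "open" : "filtering")
        }
        /^Chain / {
            report()
            if ($3 != "(policy") { chain = ""; next }   # user-defined chain
            chain = $2; policy = $4; sub(/\)$/, "", policy); blocking = 0
            next
        }
        $1 == "DROP" || $1 == "REJECT" { blocking++ }
        END { report() }
    '
}

printf '%s\n' "$DOM0_LISTING" | chain_verdicts
```

On a live host the same function takes `iptables -L -n` on stdin; an "open" verdict on every chain also means the host firewall is providing no protection for the services behind it.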