Hi Everyone,
I have a weird problem with IPTables which I think might be related to
something the vif-bridge script is doing.
IPTables won't start; the following nondescript error is given (line 3
is "*filter"):
Applying iptables firewall rules: iptables-restore v1.3.5:
iptables-restore: unable to initialize table 'filter'
Error occurred at line: 3
Try `iptables-restore -h' or 'iptables-restore
--help' for more
information.
[FAILED]
IPTables won't accept even the most basic of config files.
The trouble is I think the Xen script is adding additional rules that
are not in /etc/sysconfig/iptables. /var/log/messages shows the
following:
Oct 8 09:29:59 mrtickle logger: /etc/xen/scripts/vif-bridge: iptables
-A FORWARD -m physdev --physdev-in vif1.1 -j ACCEPT failed. If you are
using iptables, this may affect networking for guest domains.
Is this likely the cause of iptables not starting? That rule is not in
my iptables config file; all network scripts in xend-config.sxp are
commented out, so I assume it must run the script when I start a VM?
My config is:
eth0 -> wanbr bridge
eth1 -> lanbr bridge
eth2 -> Dom0Lan
eth3 -> Dom0Wan
eth4 -> unused
eth5 -> unused
ib0 -> used for live migration and DRBD disk replication
I only want IPTables to run on eth3. The current config works and both
bridges work within HVMs; I just can't start IPTables. Below is my
IPTables config file, which I think is OK since the Xen server's
near-identical partner (only different IPs and hostname) works fine with
the same config file:
# Firewall configuration written by system-config-securitylevel
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -i ib0 -j ACCEPT
-A RH-Firewall-1-INPUT -i eth0 -j ACCEPT
-A RH-Firewall-1-INPUT -i eth1 -j ACCEPT
-A RH-Firewall-1-INPUT -i eth2 -j ACCEPT
-A RH-Firewall-1-INPUT -i wanbr -j ACCEPT
-A RH-Firewall-1-INPUT -i lanbr -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
#-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
#-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
#-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
#-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
#-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 45022 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 5900:6000 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
Any clues to a fix would be much appreciated.
Rob
The SAQ Group
_______________________________________________
Xen-users mailing list
Xen-users@lists.xensource.com
http://lists.xensource.com/xen-users
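Two checks help separate the questions raised in the post: whether /etc/sysconfig/iptables is structurally something iptables-restore would accept at all, and which rules in the running kernel (as iptables-save would print them) come from somewhere other than that file, such as the physdev rule the vif-bridge script appends when a guest interface comes up. The following is an added example, not code from the post or from Xen; it embeds a copy of the posted config (with the two mail-wrapped lines rejoined), a constructed "wrapped" copy, and a constructed iptables-save dump that assumes the vif-bridge rule had been applied. It parses the restore-file format with a small hand-written parser and does not call iptables itself.

```python
"""Lint an iptables-restore file and diff it against a live ruleset dump.

Added example (not from the original post).  Parses the
/etc/sysconfig/iptables format (tables, chain declarations, -A rules,
COMMIT), reports what iptables-restore would refuse, and lists rules that
exist in a running ruleset but not in the saved file.
"""
import re

# Constructed copy of the config from the post, with the two lines that the
# mail client wrapped joined back together.
CONFIG_TEXT = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -i ib0 -j ACCEPT
-A RH-Firewall-1-INPUT -i eth0 -j ACCEPT
-A RH-Firewall-1-INPUT -i eth1 -j ACCEPT
-A RH-Firewall-1-INPUT -i eth2 -j ACCEPT
-A RH-Firewall-1-INPUT -i wanbr -j ACCEPT
-A RH-Firewall-1-INPUT -i lanbr -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 45022 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 5900:6000 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
"""

# Constructed: the same file as it arrived through the list, with one rule
# split across two lines (iptables-restore rejects the second half).
WRAPPED_TEXT = CONFIG_TEXT.replace("--dport 5900:6000", "--dport\n5900:6000")

# Constructed iptables-save output: the saved rules plus the rule that the
# vif-bridge script appends for a guest interface (assumed here to have
# succeeded, unlike in the post's log line).
LIVE_DUMP = CONFIG_TEXT.replace(
    "-A FORWARD -j RH-Firewall-1-INPUT\n",
    "-A FORWARD -j RH-Firewall-1-INPUT\n"
    "-A FORWARD -m physdev --physdev-in vif1.1 -j ACCEPT\n",
)

CHAIN_RE = re.compile(r"^:(\S+)\s+(\S+)\s+\[\d+:\d+\]$")


def parse_restore_file(text):
    """Return {table: {"chains": {name: policy}, "rules": [line, ...]}}.

    Raises ValueError (with the line number) for anything iptables-restore
    itself refuses: missing COMMIT, rule outside a table, rule for an
    undeclared chain, or an unrecognised line such as a wrapped fragment.
    """
    tables, current = {}, None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                      # blank lines and comments are ignored
        if line.startswith("*"):
            if current is not None:
                raise ValueError(f"line {lineno}: table '{current}' has no COMMIT")
            current = line[1:]
            tables[current] = {"chains": {}, "rules": []}
        elif line == "COMMIT":
            if current is None:
                raise ValueError(f"line {lineno}: COMMIT outside a table")
            current = None
        elif current is None:
            raise ValueError(f"line {lineno}: '{line}' appears before any *table")
        elif line.startswith(":"):
            m = CHAIN_RE.match(line)
            if not m:
                raise ValueError(f"line {lineno}: malformed chain declaration '{line}'")
            tables[current]["chains"][m.group(1)] = m.group(2)   # policy or '-'
        elif line.startswith("-A "):
            chain = line.split()[1]
            if chain not in tables[current]["chains"]:
                raise ValueError(f"line {lineno}: rule for undeclared chain '{chain}'")
            tables[current]["rules"].append(line)
        else:
            raise ValueError(f"line {lineno}: unrecognised line '{line}'")
    if current is not None:
        raise ValueError(f"table '{current}' has no COMMIT")
    return tables


def check_restore_file(text):
    """Return None if the file parses cleanly, else the error message."""
    try:
        parse_restore_file(text)
    except ValueError as exc:
        return str(exc)
    return None


def rules_missing_from_config(config, live):
    """Rules in the live dump that the saved file lacks, as (table, rule)."""
    missing = []
    for table, data in live.items():
        saved = set(config.get(table, {}).get("rules", []))
        missing.extend((table, r) for r in data["rules"] if r not in saved)
    return missing


def physdev_rules(tables):
    """Rules that need the physdev match module (bridged vif ports use it)."""
    return [r for t in tables.values() for r in t["rules"] if "-m physdev" in r]


if __name__ == "__main__":
    print("saved file:", check_restore_file(CONFIG_TEXT) or "OK")
    print("wrapped copy:", check_restore_file(WRAPPED_TEXT))
    cfg, live = parse_restore_file(CONFIG_TEXT), parse_restore_file(LIVE_DUMP)
    for table, rule in rules_missing_from_config(cfg, live):
        print(f"live but not saved ({table}): {rule}")
```

Run against the posted file the parser accepts it, which is consistent with the observation that an identical partner host loads it fine: the failure at line 3 (`*filter`) is reported before any rule is read, so it is not a rule-syntax problem. The diff against a live dump shows why the vif-bridge rule never appears in /etc/sysconfig/iptables: vif-bridge inserts it into the running kernel when a domain starts, and it lives only there until the next iptables-save.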