Ok, I am setting up a new dom0 at a colo provider and usually the colo facility acts as my gateway, but at this new one, the provider is recommending that I use the server as its own gateway. That unfortunately doesn't work too well when it comes to iptables and my domU's. IPtables do not support virtual interfaces, so I can't just whitelist them unfortunately. I have tried many different iptables rules, but still can't seem to allow the guests to have unfiltered access to and from the internet without shutting down the iptables on the dom0. Obviously that's not an option.

I have tried these two rules, but no difference:

    iptables -I INPUT 1 -d 207.xxx.xxx.0/30 -j ACCEPT
    iptables -I OUTPUT 1 -s 207.xxx.xxx.0/30 -j ACCEPT

Any recommendations? I am running CentOS as the dom0 and am hoping to be able to continue to use my CSF firewall script, but at this point, if I can only get help with iptables, that's fine as well.

Thanks,
Mark
_______________________________________________
Xen-users mailing list
Xen-users@lists.xensource.com
http://lists.xensource.com/xen-users
On Tue, May 5, 2009 at 2:42 AM, Mark Chaney <macscr@macscr.com> wrote:
> Ok, I am setting up a new dom0 at a colo provider and usually the colo
> facility acts as my gateway, but at this new one, the provider is
> recommending that I use the server as its own gateway. That unfortunately
> doesn't work too well when it comes to iptables and my domU's. IPtables do not
> support virtual interfaces, so I can't just whitelist them unfortunately.

If I recall correctly, xen network bridge whitelists domUs by default. Something like

    Chain FORWARD (policy ACCEPT)
    target     prot opt source               destination
    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-in vif2.0

You can use domU's vif interface as physdev. When setting up iptables manually, it might be easier to use a custom vif name using "vifname=NAME" on the vif line.

> I have tried these two rules, but no difference:
> iptables -I INPUT 1 -d 207.xxx.xxx.0/30 -j ACCEPT
> iptables -I OUTPUT 1 -s 207.xxx.xxx.0/30 -j ACCEPT

I believe that should be on FORWARD.

Regards,
Fajar
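The reply above makes two points that are easy to get wrong when CSF or a hand-written script owns the dom0 firewall: bridged domU traffic never passes through the dom0's INPUT or OUTPUT chains, only FORWARD, and the bridge port to match on is the domU's vif (via the physdev match), not the guest's IP. The script below is an added example and is not from the thread or the Xen project. It does not touch the kernel: it parses an `iptables -S FORWARD` style rule dump (a constructed sample is embedded; the real dump would be `RULES="$(iptables -S FORWARD)"`) to find which vifs already have a physdev ACCEPT rule in each direction, and prints only the rules still missing for the vifs you name, so the whitelist stays limited to known guest ports rather than opening FORWARD wholesale. The vif names `vif2.0` and `vif3.0` and the helper names are assumptions for the example.

```shell
#!/bin/sh
# Constructed sample of `iptables -S FORWARD` output (not taken from a real
# host): vif2.0 is whitelisted for traffic entering the bridge only, vif3.0
# has no rules at all.
SAMPLE_RULES='-P FORWARD ACCEPT
-A FORWARD -m physdev --physdev-in vif2.0 -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT'

# Print the vif names that already have a FORWARD ACCEPT rule for the given
# direction ("in" = frames entering the bridge from the vif, "out" = frames
# leaving the bridge towards it). Reads iptables -S style text on stdin.
whitelisted_vifs() {
    dir="$1"
    awk -v opt="--physdev-$dir" '
        $1 == "-A" && $2 == "FORWARD" && / -j ACCEPT/ {
            for (i = 1; i <= NF; i++) if ($i == opt) print $(i + 1)
        }'
}

# Print (never execute) the pair of FORWARD rules a single domU vif needs.
# -I puts them ahead of any DROP/REJECT that a firewall script appends.
forward_rules_for() {
    vif="$1"
    printf 'iptables -I FORWARD -m physdev --physdev-in %s -j ACCEPT\n' "$vif"
    printf 'iptables -I FORWARD -m physdev --physdev-out %s -j ACCEPT\n' "$vif"
}

# For each vif given as an argument, print only the rules not already present
# in the rule dump held in $RULES (falls back to the constructed sample).
missing_rules() {
    rules="${RULES:-$SAMPLE_RULES}"
    for vif in "$@"; do
        if ! printf '%s\n' "$rules" | whitelisted_vifs in | grep -qx "$vif"; then
            printf 'iptables -I FORWARD -m physdev --physdev-in %s -j ACCEPT\n' "$vif"
        fi
        if ! printf '%s\n' "$rules" | whitelisted_vifs out | grep -qx "$vif"; then
            printf 'iptables -I FORWARD -m physdev --physdev-out %s -j ACCEPT\n' "$vif"
        fi
    done
}
```

Run it as `RULES="$(iptables -S FORWARD)" sh thisfile.sh; missing_rules vif2.0 vif3.0` (after sourcing the functions) to review the commands before applying them. Using `vifname=NAME` on the guest's vif line, as suggested above, keeps the names stable across reboots so the whitelist does not silently stop matching when domain IDs change.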