thr3ads.net - Xen users - [Xen-users] iptables problem [Oct 2009]

If this information is useful, please help other people find it:
Share via:

Ivan Lisenkov

2009-Oct-13 10:31 UTC

[Xen-users] iptables problem

Dear xen users,

I am using xen 3.3.1 on opensuse 11.1. After creating a domU with 2 nics two
iptables rules are created by default:

-A FORWARD -s XX.XX.XX.24/32 -m physdev  --physdev-in vif77.0 -j ACCEPT
-A FORWARD -p udp -m physdev  --physdev-in vif77.0 -m udp --sport 68 --dport
67 -j ACCEPT
-A FORWARD -s XX.XX.XX.25/32 -m physdev  --physdev-in vif77.1 -j ACCEPT
-A FORWARD -p udp -m physdev  --physdev-in vif77.1 -m udp --sport 68 --dport
67 -j ACCEPT

The rules seems logical, but one of them does no work! I can''t ping
XX.XX.XX.24 from outside. But if I change the rule manulally to:

-A FORWARD -s 188.40.226.24/32 -m physdev  --physdev-in vif77.1 -j ACCEPT

everything works. This seems unlogical, because first ip is bounded to
second nic, but works. The problem is that I have to change the rules every
I reboot domu.

Any ideas how to fix it?


_______________________________________________
Xen-users mailing list
Xen-users@lists.xensource.com
http://lists.xensource.com/xen-users

Sergey Smirnov

2009-Oct-14 15:37 UTC

head link

Re: [Xen-users] iptables problem

Hi Ivan,
maybe you should add the permanent rules in the bottom of your iptables
configuration like this? -

-A FORWARD --source domU_ip --jump ACCEPT
-A FORWARD --destination domU_ip --jump ACCEPT

so it will be works in any time without additional rules added by xen
scripts.
I use the same configuration.

On Tue, Oct 13, 2009 at 2:31 PM, Ivan Lisenkov <ivan@ivlis.com> wrote:
> Dear xen users,
>
> I am using xen 3.3.1 on opensuse 11.1. After creating a domU with 2 nics
> two iptables rules are created by default:
>
> -A FORWARD -s XX.XX.XX.24/32 -m physdev  --physdev-in vif77.0 -j ACCEPT
> -A FORWARD -p udp -m physdev  --physdev-in vif77.0 -m udp --sport 68
> --dport 67 -j ACCEPT
> -A FORWARD -s XX.XX.XX.25/32 -m physdev  --physdev-in vif77.1 -j ACCEPT
> -A FORWARD -p udp -m physdev  --physdev-in vif77.1 -m udp --sport 68
> --dport 67 -j ACCEPT
>
> The rules seems logical, but one of them does no work! I can''t
ping
> XX.XX.XX.24 from outside. But if I change the rule manulally to:
>
> -A FORWARD -s 188.40.226.24/32 -m physdev  --physdev-in vif77.1 -j ACCEPT
>
> everything works. This seems unlogical, because first ip is bounded to
> second nic, but works. The problem is that I have to change the rules every
> I reboot domu.
>
> Any ideas how to fix it?
>
>
> _______________________________________________
> Xen-users mailing list
> Xen-users@lists.xensource.com
> http://lists.xensource.com/xen-users
>


-- 
Serg Smirnov
email/xmpp: Sergey.A.Smirnov@Gmail.com


_______________________________________________
Xen-users mailing list
Xen-users@lists.xensource.com
http://lists.xensource.com/xen-users

Dustin Henning

2009-Oct-14 15:51 UTC

head link

RE: [Xen-users] iptables problem

Depending on your security needs, and the constraints of your kernel, a simpler,
potentially less resource-intensive solution might be adding this line to the
iptables configuration:

-A FORWARD -m physdev  --physdev-is-bridged -j ACCEPT

I use this setup, but I manage all of the domUs on that machine, so they
don''t need restricted at the bridge level.

Dustin

From: xen-users-bounces@lists.xensource.com
[mailto:xen-users-bounces@lists.xensource.com] On Behalf Of Sergey Smirnov
Sent: Wednesday, October 14, 2009 11:37
To: Ivan Lisenkov
Cc: xen-users@lists.xensource.com
Subject: Re: [Xen-users] iptables problem

Hi Ivan,

maybe you should add the permanent rules in the bottom of your iptables
configuration like this? -

-A FORWARD --source domU_ip --jump ACCEPT
-A FORWARD --destination domU_ip --jump ACCEPT

so it will be works in any time without additional rules added by xen scripts.
I use the same configuration.

On Tue, Oct 13, 2009 at 2:31 PM, Ivan Lisenkov <ivan@ivlis.com> wrote:
Dear xen users,

I am using xen 3.3.1 on opensuse 11.1. After creating a domU with 2 nics two
iptables rules are created by default:

-A FORWARD -s XX.XX.XX.24/32 -m physdev  --physdev-in vif77.0 -j ACCEPT
-A FORWARD -p udp -m physdev  --physdev-in vif77.0 -m udp --sport 68 --dport 67
-j ACCEPT
-A FORWARD -s XX.XX.XX.25/32 -m physdev  --physdev-in vif77.1 -j ACCEPT
-A FORWARD -p udp -m physdev  --physdev-in vif77.1 -m udp --sport 68 --dport 67
-j ACCEPT

The rules seems logical, but one of them does no work! I can''t ping
XX.XX.XX.24 from outside. But if I change the rule manulally to:

-A FORWARD -s 188.40.226.24/32 -m physdev  --physdev-in vif77.1 -j ACCEPT

everything works. This seems unlogical, because first ip is bounded to second
nic, but works. The problem is that I have to change the rules every I reboot
domu.

Any ideas how to fix it?


_______________________________________________
Xen-users mailing list
Xen-users@lists.xensource.com
http://lists.xensource.com/xen-users



-- 
Serg Smirnov
email/xmpp: Sergey.A.Smirnov@Gmail.com



_______________________________________________
Xen-users mailing list
Xen-users@lists.xensource.com
http://lists.xensource.com/xen-users

Xen users - Oct 2009 - iptables problem

[Xen-users] iptables problem

Re: [Xen-users] iptables problem

RE: [Xen-users] iptables problem