This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/

Re: [Xen-users] XEN 3.0.4-1 / Iptables is not working properly

To: xen-users@xxxxxxxxxxxxxxxxxxx
Subject: Re: [Xen-users] XEN 3.0.4-1 / Iptables is not working properly
From: Brad Plant <bplant@xxxxxxxxxxxx>
Date: Thu, 19 Apr 2007 21:26:02 +1000
In-reply-to: <46272754.6070803@xxxxxxxxxxxxxxx>
References: <462717BC.6020602@xxxxxxxxxxxxxxx> <1176968610.3967.2.camel@xxxxxxxxxxxxxxxxxxxxxxxx> <46272754.6070803@xxxxxxxxxxxxxxx>

I am having this issue also. It appears to be random, though, on our lightly
loaded development boxes. It is also always in bursts for one connection:
all the returning packets hit the log rule, and then everything runs fine for
maybe half an hour.
I have observed the problem with xen versions 3.0.3 and 3.0.4.
Cheers,
Brad
On Thu, 19 Apr 2007 10:24:52 +0200
Maik Brauer <mailinglist@xxxxxxxxxxxxxxx> wrote:
> Hello,
>
> this is not working in my case.
> The problem still exists.
> If this is a real problem, some other people should have the same
> issue.
>
> Are there any suggestions ??
>
> Regards
> Maik
>
>
> Christo Buschek wrote:
> > Hello Maik.
> >
> > I don't really have an explanation for you, but for me to make
> > iptables work I had to run 'ethtool -K eth0 tx off' inside the vm
> > and dom0 on the device. That made iptables work for me.
> >
> > Maybe it also helps you.
> >
> > greetinx
> > Christo
> >
> > On Thu, 2007-04-19 at 09:18 +0200, Maik Brauer wrote:
> > 
> >> Hello,
> >>
> >> I've installed XEN 3.0.4-1 and have problems with the iptables settings.
> >> Please see below the firewall settings for Domain0:
> >> Chain INPUT (policy ACCEPT)
> >> target     prot opt source               destination
> >> ACCEPT     0    --  anywhere             anywhere
> >> ACCEPT     tcp  --  anywhere             mbs-rootsrv          tcp dpt:ssh
> >> ACCEPT     0    --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
> >> LOG        0    --  anywhere             anywhere             LOG level warning
> >> DROP       0    --  anywhere             anywhere
> >>
> >> Chain FORWARD (policy ACCEPT)
> >> target     prot opt source               destination
> >>
> >> Chain OUTPUT (policy ACCEPT)
> >> target     prot opt source               destination
> >>
> >>
> >> But then, for example, connections which are related to a server
> >> request (DNS requests / port 53, etc.) will be blocked by the
> >> firewall. Here is an example of such a request:
> >> Apr 19 09:06:19 rootsrv kernel: IN=eth0 OUT= PHYSIN=peth0 PHYSOUT=vif0.0 MAC=00:e4:3c:65:37:37:03:02:85:1a:e2:e0:08:00 SRC=213.133.99.99 DST=88.198.xx.xx LEN=73 TOS=0x00 PREC=0x00 TTL=59 ID=0 DF PROTO=UDP SPT=53 DPT=32803 LEN=53
> >> Apr 19 09:06:20 rootsrv kernel: IN=eth0 OUT= PHYSIN=peth0 PHYSOUT=vif0.0 MAC=00:e4:3c:65:37:37:03:02:85:1a:e2:e0:08:00 SRC=26.104.239.90 DST=88.198.xx.xx LEN=393 TOS=0x00 PREC=0x00 TTL=55 ID=44193 PROTO=UDP SPT=31178 DPT=1026 LEN=373
> >> Apr 19 09:06:24 rootsrv kernel: IN=eth0 OUT= PHYSIN=peth0 PHYSOUT=vif0.0 MAC=00:e4:3c:65:37:37:03:02:85:1a:e2:e0:08:00 SRC=213.133.98.98 DST=88.198.xx.xx LEN=73 TOS=0x00 PREC=0x00 TTL=60 ID=0 DF PROTO=UDP SPT=53 DPT=32804 LEN=53
> >> Apr 19 09:06:27 rootsrv kernel: IN=eth0 OUT= PHYSIN=peth0 PHYSOUT=vif0.0 MAC=00:e4:3c:65:37:37:03:02:85:1a:e2:e0:08:00 SRC=213.133.100.100 DST=88.198.xx.xx LEN=73 TOS=0x00 PREC=0x00 TTL=59 ID=0 DF PROTO=UDP SPT=53 DPT=32805 LEN=53
> >> Apr 19 09:06:33 rootsrv kernel: IN=eth0 OUT= PHYSIN=peth0 PHYSOUT=vif0.0 MAC=00:e4:3c:65:37:37:03:02:85:1a:e2:e0:08:00 SRC=213.133.99.99 DST=88.198.xx.xx LEN=73 TOS=0x00 PREC=0x00 TTL=59 ID=0 DF PROTO=UDP SPT=53 DPT=32803 LEN=53
> >> Apr 19 09:06:38 rootsrv kernel: IN=eth0 OUT= PHYSIN=peth0 PHYSOUT=vif0.0 MAC=00:e4:3c:65:37:37:03:02:85:1a:e2:e0:08:00 SRC=213.133.98.98 DST=88.198.xx.xx LEN=73 TOS=0x00 PREC=0x00 TTL=60 ID=0 DF PROTO=UDP SPT=53 DPT=32804 LEN=53
> >>
> >>
> >> When I flush the iptables rules, or I put in a rule for each request, then
> >> everything is working fine. But you never know which server will
> >> answer a request, so it is
> >> impossible to configure all IP addresses. This should be handled by
> >> the line: -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED
> >> -j ACCEPT, which is unfortunately not working.
> >>
> >> What is the problem and the solution ?
> >> Many Thanks.
> >>
> >> Kind Regards,
> >> Maik Brauer
> >>
> >>
> >>
> >> _______________________________________________
> >> Xen-users mailing list
> >> Xen-users@xxxxxxxxxxxxxxxxxxx
> >> http://lists.xensource.com/xen-users 

Attachment: signature.asc
Description: PGP signature

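The LOG lines Maik posted are what fell through the RELATED,ESTABLISHED rule into the LOG/DROP pair, and the first thing worth doing with them is to separate the packets that really should have matched ESTABLISHED (DNS replies from source port 53 to an ephemeral port on the host) from the ones a default-deny INPUT chain is meant to drop (the UDP packet to port 1026 is unsolicited). The script below is an added example for this archive page, not code from the thread or from the Xen project. It parses netfilter LOG output in the format shown above, gives each packet a verdict, and records that every packet carries PHYSIN/PHYSOUT, i.e. it crossed the dom0 bridge (peth0 to vif0.0) before reaching INPUT. The sample input is constructed: three lines are copied from the post (with the masked xx.xx left as written), and the two TCP lines are invented to show the TCP flag handling. The port heuristics (UDP_SERVICE_PORTS, the >= 1024 ephemeral cut-off) are assumptions of the example, not something the thread states.

```python
"""Classify netfilter LOG lines from a Xen dom0 INPUT chain.

For every logged packet decide whether it looks like return traffic for a
connection dom0 itself opened (which -m conntrack --ctstate RELATED,ESTABLISHED
should have accepted) or like unsolicited inbound traffic that a
default-deny chain is meant to drop.
"""
import re
from collections import Counter
from typing import Dict, List, Optional

# Constructed sample. The first three lines are copied from the post
# (masked "xx.xx" kept as written); the two TCP lines are made up to
# exercise the TCP flag handling and are not from the thread.
SAMPLE_LOG = """\
Apr 19 09:06:19 rootsrv kernel: IN=eth0 OUT= PHYSIN=peth0 PHYSOUT=vif0.0 MAC=00:e4:3c:65:37:37:03:02:85:1a:e2:e0:08:00 SRC=213.133.99.99 DST=88.198.xx.xx LEN=73 TOS=0x00 PREC=0x00 TTL=59 ID=0 DF PROTO=UDP SPT=53 DPT=32803 LEN=53
Apr 19 09:06:20 rootsrv kernel: IN=eth0 OUT= PHYSIN=peth0 PHYSOUT=vif0.0 MAC=00:e4:3c:65:37:37:03:02:85:1a:e2:e0:08:00 SRC=26.104.239.90 DST=88.198.xx.xx LEN=393 TOS=0x00 PREC=0x00 TTL=55 ID=44193 PROTO=UDP SPT=31178 DPT=1026 LEN=373
Apr 19 09:06:24 rootsrv kernel: IN=eth0 OUT= PHYSIN=peth0 PHYSOUT=vif0.0 MAC=00:e4:3c:65:37:37:03:02:85:1a:e2:e0:08:00 SRC=213.133.98.98 DST=88.198.xx.xx LEN=73 TOS=0x00 PREC=0x00 TTL=60 ID=0 DF PROTO=UDP SPT=53 DPT=32804 LEN=53
Apr 19 09:06:40 rootsrv kernel: IN=eth0 OUT= PHYSIN=peth0 PHYSOUT=vif0.0 MAC=00:e4:3c:65:37:37:03:02:85:1a:e2:e0:08:00 SRC=213.133.99.99 DST=88.198.xx.xx LEN=52 TOS=0x00 PREC=0x00 TTL=59 ID=0 DF PROTO=TCP SPT=80 DPT=45678 WINDOW=5840 RES=0x00 ACK URGP=0
Apr 19 09:06:41 rootsrv kernel: IN=eth0 OUT= PHYSIN=peth0 PHYSOUT=vif0.0 MAC=00:e4:3c:65:37:37:03:02:85:1a:e2:e0:08:00 SRC=26.104.239.90 DST=88.198.xx.xx LEN=48 TOS=0x00 PREC=0x00 TTL=55 ID=1 DF PROTO=TCP SPT=4321 DPT=25 WINDOW=16384 RES=0x00 SYN URGP=0
"""

KV_RE = re.compile(r"(\w+)=(\S*)")
# Tokens the LOG target prints without a value (IP and TCP flags).
FLAG_TOKENS = {"DF", "MF", "CE", "CWR", "ECE", "URG", "ACK", "PSH", "RST", "SYN", "FIN"}
# Assumption of this example: UDP services dom0 queries itself. A reply from
# one of these source ports to a high destination port is return traffic.
UDP_SERVICE_PORTS = {53, 123}


def parse_log_line(line: str) -> Optional[Dict[str, object]]:
    """Turn one netfilter LOG line into a dict; None for other syslog lines."""
    if "kernel:" not in line or "PROTO=" not in line:
        return None
    header, _, body = line.partition("kernel:")
    pkt: Dict[str, object] = {"ts": " ".join(header.split()[:3])}
    flags = set()
    seen_len = 0
    for tok in body.split():
        m = KV_RE.fullmatch(tok)
        if m is None:
            if tok in FLAG_TOKENS:
                flags.add(tok)
            continue
        key, val = m.group(1), m.group(2)
        if key == "LEN":  # first LEN is the IP total length, second the UDP length
            key = "IPLEN" if seen_len == 0 else "L4LEN"
            seen_len += 1
        pkt[key] = val
    for port in ("SPT", "DPT"):
        if port in pkt:
            pkt[port] = int(pkt[port])
    pkt["flags"] = flags
    return pkt


def classify(pkt: Dict[str, object]) -> str:
    """'expected-established', 'unsolicited' or 'unknown' for one parsed packet."""
    proto, spt, dpt = pkt.get("PROTO"), pkt.get("SPT"), pkt.get("DPT")
    flags = pkt["flags"]
    if proto == "UDP":
        if spt in UDP_SERVICE_PORTS and isinstance(dpt, int) and dpt >= 1024:
            return "expected-established"
        return "unsolicited"
    if proto == "TCP":
        if "ACK" in flags:   # SYN-ACK or mid-stream segment of a flow we opened
            return "expected-established"
        if "SYN" in flags:   # bare SYN: a new inbound connection attempt
            return "unsolicited"
    return "unknown"


def audit(log_text: str) -> Dict[str, object]:
    """Summarise syslog text: verdict counts, how many packets crossed the
    bridge (PHYSIN/PHYSOUT present), and the packets that should have been
    accepted as ESTABLISHED but were logged instead."""
    counts = Counter()
    bridged = 0
    total = 0
    suspects: List[Dict[str, object]] = []
    for line in log_text.splitlines():
        pkt = parse_log_line(line)
        if pkt is None:
            continue
        total += 1
        if "PHYSIN" in pkt or "PHYSOUT" in pkt:
            bridged += 1
        verdict = classify(pkt)
        counts[verdict] += 1
        if verdict == "expected-established":
            suspects.append({k: pkt.get(k) for k in ("ts", "SRC", "PROTO", "SPT", "DPT")})
    return {"total": total, "bridged": bridged, "counts": dict(counts), "suspects": suspects}


if __name__ == "__main__":
    report = audit(SAMPLE_LOG)
    print(f"{report['total']} packets logged, {report['bridged']} crossed the bridge")
    for verdict, n in sorted(report["counts"].items()):
        print(f"  {verdict}: {n}")
    for s in report["suspects"]:
        print(f"  reply that should have matched ESTABLISHED: {s['ts']} "
              f"{s['SRC']}:{s['SPT']} -> :{s['DPT']} ({s['PROTO']})")
```

Run it against `grep 'kernel:' /var/log/messages` from the affected dom0. If most dropped packets come out as expected replies, the next question on the box is whether conntrack rejected them rather than never seeing them: a rule such as `iptables -I INPUT 4 -m conntrack --ctstate INVALID -j LOG --log-prefix "INVALID: "` placed ahead of the existing LOG rule tells the two cases apart, and the flagged 5-tuples can be compared with the entries in /proc/net/ip_conntrack. Packets whose transport checksum the kernel considers bad are one source of INVALID, which fits Christo's observation that turning off TX checksum offload with `ethtool -K eth0 tx off` makes the rule behave; the bridged path every packet here took is controlled by the net.bridge.bridge-nf-call-iptables sysctl.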