WARNING - OLD ARCHIVES

This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/
Xen
Home Products Support Community News

xen-users

[Top] [All Lists]
<prev [Date] next>
[Advanced]
<prev [Thread] next>

[Fwd: [Xen-users] XEN 3.0.4-1 / Iptables is not working properly]

from [Maik Brauer] [Permanent Link][Original]
To: xen-users@xxxxxxxxxxxxxxxxxxx
Subject: [Fwd: [Xen-users] XEN 3.0.4-1 / Iptables is not working properly]
From: Maik Brauer <mailinglist@xxxxxxxxxxxxxxx>
Date: 2007年4月24日 20:51:21 +0200
Delivery-date: 2007年4月24日 11:50:51 -0700
Envelope-to: www-data@xxxxxxxxxxxxxxxxxx
List-help: <mailto:xen-users-request@lists.xensource.com?subject=help>
List-id: Xen user discussion <xen-users.lists.xensource.com>
List-post: <mailto:xen-users@lists.xensource.com>
List-subscribe: <http://lists.xensource.com/cgi-bin/mailman/listinfo/xen-users>, <mailto:xen-users-request@lists.xensource.com?subject=subscribe>
List-unsubscribe: <http://lists.xensource.com/cgi-bin/mailman/listinfo/xen-users>, <mailto:xen-users-request@lists.xensource.com?subject=unsubscribe>
Sender: xen-users-bounces@xxxxxxxxxxxxxxxxxxx
User-agent: Thunderbird 2.0.0.0 (Windows/20070326) 
Hello,
I've still the problem. It must be possible that someone can help me, and have had the same problems. So I set p the pure xen dom0 without anything else. And then I tried to configure the iptables. 
Please find below my settings and explanation what isn't working.
Thanks.
Hello,
I've installed XEN3.0.4-1 and problems with the IPtables settings.
Please see below the firewall settings for Domain0:
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT 0 -- anywhere anywhere
ACCEPT tcp -- anywhere mbs-rootsrv tcp dpt:ssh
ACCEPT 0 -- anywhere anywhere ctstate RELATED,ESTABLISHED LOG 0 -- anywhere anywhere LOG level warning 
DROP 0 -- anywhere anywhere
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
But then for example connection which are related to a server request (DNS requests / port53, etc) will be blocked by the firewall. 
Here is an example of an request:
Apr 19 09:06:19 rootsrv kernel: IN=eth0 OUT= PHYSIN=peth0 PHYSOUT=vif0.0 MAC=00:e4:3c:65:37:37:03:02:85:1a:e2:e0:08:00 SRC=213.133.99.99 DST=88.198.xx.xx LEN=73 TOS=0x00 PREC=0x00 TTL=59 ID=0 DF PROTO=UDP SPT=53 DPT=32803 LEN=53 Apr 19 09:06:20 rootsrv kernel: IN=eth0 OUT= PHYSIN=peth0 PHYSOUT=vif0.0 MAC=00:e4:3c:65:37:37:03:02:85:1a:e2:e0:08:00 SRC=26.104.239.90 DST=88.198.xx.xx LEN=393 TOS=0x00 PREC=0x00 TTL=55 ID=44193 PROTO=UDP SPT=31178 DPT=1026 LEN=373 Apr 19 09:06:24 rootsrv kernel: IN=eth0 OUT= PHYSIN=peth0 PHYSOUT=vif0.0 MAC=00:e4:3c:65:37:37:03:02:85:1a:e2:e0:08:00 SRC=213.133.98.98 DST=88.198.xx.xx LEN=73 TOS=0x00 PREC=0x00 TTL=60 ID=0 DF PROTO=UDP SPT=53 DPT=32804 LEN=53 Apr 19 09:06:27 rootsrv kernel: IN=eth0 OUT= PHYSIN=peth0 PHYSOUT=vif0.0 MAC=00:e4:3c:65:37:37:03:02:85:1a:e2:e0:08:00 SRC=213.133.100.100 DST=88.198.xx.xx LEN=73 TOS=0x00 PREC=0x00 TTL=59 ID=0 DF PROTO=UDP SPT=53 DPT=32805 LEN=53 Apr 19 09:06:33 rootsrv kernel: IN=eth0 OUT= PHYSIN=peth0 PHYSOUT=vif0.0 MAC=00:e4:3c:65:37:37:03:02:85:1a:e2:e0:08:00 SRC=213.133.99.99 DST=88.198.xx.xx LEN=73 TOS=0x00 PREC=0x00 TTL=59 ID=0 DF PROTO=UDP SPT=53 DPT=32803 LEN=53 Apr 19 09:06:38 rootsrv kernel: IN=eth0 OUT= PHYSIN=peth0 PHYSOUT=vif0.0 MAC=00:e4:3c:65:37:37:03:02:85:1a:e2:e0:08:00 SRC=213.133.98.98 DST=88.198.xx.xx LEN=73 TOS=0x00 PREC=0x00 TTL=60 ID=0 DF PROTO=UDP SPT=53 DPT=32804 LEN=53 When I flush the Iptables or I will put in each request then everthing is working fine. But you never now which server will answer to a request, so it is impossible to configure all ip-addresses. This should be done due to the line: -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT 
which is unfortunately not working.
What is the problem and the solution ?
Many Thanks.
Kind Regards,
Maik Brauer
_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users
_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users
[More with this subject...]
<Prev in Thread] Current Thread [Next in Thread>
  • [Fwd: [Xen-users] XEN 3.0.4-1 / Iptables is not working properly], Maik Brauer <=
Previous by Date: [Xen-users] Fully Virtualized guest on non-VT hardware? , Ihtisham Khaja
Next by Date: [Fwd: [Xen-users] Physical Network Card MAC Adress will always change to FE:FF:FF:FF:FF:FF] , Maik Brauer
Previous by Thread: [Xen-users] Fully Virtualized guest on non-VT hardware? , Ihtisham Khaja
Next by Thread: [Fwd: [Xen-users] Physical Network Card MAC Adress will always change to FE:FF:FF:FF:FF:FF] , Maik Brauer
Indexes: [Date] [Thread] [Top] [All Lists]

Copyright ©, Citrix Systems Inc. All rights reserved. Legal and Privacy
Citrix This site is hosted by Citrix

AltStyle によって変換されたページ (->オリジナル) /