
[Xen-users] so close! just an iptables rule away.....?


  • To: xen-users@xxxxxxxxxxxxxxxxxxx
  • From: Rob Dyke <robdyke@xxxxxxxxx>
  • Date: Thu, 24 Nov 2005 10:25:29 +0000
  • Delivery-date: Thu, 24 Nov 2005 10:25:35 +0000
  • List-id: Xen user discussion <xen-users.lists.xensource.com>

Hi,

I've been making leaps and strides with Xen on FC4. It has been easy to get installed and to start our first virtual host.
I've got one outstanding issue with iptables that is preventing me from progressing further.

This is a colo'd server. It has a single NIC with public IPs.
The bridge is set to come up binding vif* <> xen-br0 <> eth1.
I can start a virtual host and I am able to ping & SSH to the virtual host.

I am not able to resolve DNS queries from my virtual host, though; tcpdump shows Admin Prohibited,
e.g.: 14:45:01.527142 IP dellserver.comwifinet.lan > vm-colo1.comwifinet.lan: icmp 80: host 217.160.133.239 unreachable - admin prohibited

If I drop IP tables then all name resolution works from the virtual machines.

I have not had any success with adding the iptables rules shown in the wiki.

# iptables -L -v -n
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target     prot opt in     out     source               destination
8216  809K RH-Firewall-1-INPUT  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-in eth1 ! --physdev-out eth1
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           PHYSDEV match ! --physdev-in eth1 --physdev-out eth1

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target     prot opt in     out     source               destination
1844  216K RH-Firewall-1-INPUT  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT 1256 packets, 373K bytes)
pkts bytes target     prot opt in     out     source               destination

Chain RH-Firewall-1-INPUT (2 references)
pkts bytes target     prot opt in     out     source               destination
   42  3108 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
   19  1540 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           icmp type 255
    0     0 ACCEPT     esp  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     ah   --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            224.0.0.251         udp dpt:5353
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:631
3296  287K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
    2   116 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:143
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:53
    9   740 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22
    7   336 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:25
    4   228 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:80
6681  732K REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited

Running 2.6.12-1.1398_FC4xen0
I have read https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=161792 - is this the cause of my problems? Do I need to run a newer kernel to resolve this issue?

Thanks for any advice - please prompt me to supply further info (e.g. credit card number, inside leg measurement, etc......)

/rob

_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users
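As an added check (not code from Rob's post or the Xen wiki): in the listing above the first FORWARD rule jumps unconditionally into RH-Firewall-1-INPUT, which ends in a catch-all REJECT and never returns, so the two physdev ACCEPT rules after it cannot match (their counters stay at 0) and a VM's UDP port 53 query, matching no ACCEPT in that chain, is answered with icmp-host-prohibited. The script parses an `iptables -L -v -n` listing, reports rules shadowed this way and emits the commands that reinsert them ahead of the jump. It assumes the listing format shown above; the embedded sample is a constructed, abridged copy of the post's listing.

```python
import re
# Constructed sample, abridged from the listing in the post: FORWARD and the chain it jumps into.
LISTING = """\
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
 8216  809K RH-Firewall-1-INPUT  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-in eth1 ! --physdev-out eth1
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           PHYSDEV match ! --physdev-in eth1 --physdev-out eth1

Chain RH-Firewall-1-INPUT (2 references)
 pkts bytes target     prot opt in     out     source               destination
 3296  287K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
 6681  732K REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited
"""
ANY = ("all", "*", "*", "0.0.0.0/0", "0.0.0.0/0")  # prot, in, out, source, destination

def parse_chains(listing):
    """Map chain name -> list of rules as (target, prot, in, out, src, dst, extra)."""
    chains, cur = {}, None
    for line in listing.splitlines():
        m = re.match(r"Chain (\S+)", line)
        if m:
            cur, chains[m.group(1)] = m.group(1), []
            continue
        f = line.split(None, 9)  # pkts bytes target prot opt in out src dst [match/option text]
        if cur is None or len(f) < 9 or f[0] == "pkts":
            continue
        chains[cur].append((f[2], f[3], f[5], f[6], f[7], f[8], f[9] if len(f) > 9 else ""))
    return chains

def matches_everything(rule):
    """True when a rule carries no match condition (a reject-with option is not a match)."""
    return rule[1:6] == ANY and (rule[6] == "" or rule[6].startswith("reject-with"))

def never_returns(rules):
    """A chain swallows every packet if it holds an unconditional verdict and never RETURNs."""
    return all(r[0] != "RETURN" for r in rules) and any(
        r[0] in ("ACCEPT", "DROP", "REJECT") and matches_everything(r) for r in rules)

def shadowed_rules(chains, chain="FORWARD"):
    """Rules in `chain` behind an unconditional jump into a never-returning chain: they cannot match."""
    for i, r in enumerate(chains.get(chain, [])):
        if r[0] in chains and matches_everything(r) and never_returns(chains[r[0]]):
            return chains[chain][i + 1:]
    return []

def fix_commands(chains, chain="FORWARD"):
    """Re-insert the shadowed physdev rules at the top of the chain (reverse order keeps their sequence)."""
    return [f"iptables -I {chain} 1 {r[6].replace('PHYSDEV match', '-m physdev')} -j {r[0]}"
            for r in reversed(shadowed_rules(chains, chain)) if r[6].startswith("PHYSDEV match")]
```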