[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Xen-users] so close! just an iptables rule away.....?

# iptables -L -v -n
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target     prot opt in     out     source               destination
8216  809K RH-Firewall-1-INPUT  all  --  *      *   
    0     0 ACCEPT     all  --  *      *     
        PHYSDEV match --physdev-in eth1 ! --physdev-out eth1
    0     0 ACCEPT     all  --  *      *     
        PHYSDEV match ! --physdev-in eth1 --physdev-out eth1

The big problem is in the FORWARD chain, the first rule in this chain says jump to the chain RH-Firewall-1-INPUT and then the subsequent rules are ignored.

So for instance in my example system my domU is on bridged interface vif3.0 in order add the ACCEPT iptables line *before* the jump to RH-Firewall I had to drop that rule and then insert it back in.

iptables -D FORWARD -j RH-Firewall-1-INPUT
iptables -A FORWARD -m physdev --physdev-in vif3.0 -j ACCEPT
iptables -A FORWARD -j RH-Firewall-1-INPUT

Same basic approach for you, just make sure your rules come before the jump or drop that rule and then add it back in after the rule changes are done.

I modified my /etc/xen/scripts/vif-common.sh to do this for me. The patch appeared in my last post.


Xen-users mailing list



Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.