Re: [Xen-users] so close! just an iptables rule away.....?

[Rob Dyke <robdyke@xxxxxxxxx>]

Thanks Michael. I'll give them your modification a go and report back.
/rob

On 30 Nov 2005, at 04:38, Michael Best wrote:

> > Hi,
> > # iptables -L -v -n
> > Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
> > pkts bytes target     prot opt in     out     source                
> > destination
> > 8216  809K RH-Firewall-1-INPUT  all  --  *      *        
> > 0.0.0.0/0            0.0.0.0/0
> >     0     0 ACCEPT     all  --  *      *        
> > 0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev- 
> > in eth1 ! --physdev-out eth1
> >     0     0 ACCEPT     all  --  *      *        
> > 0.0.0.0/0            0.0.0.0/0           PHYSDEV match ! --physdev- 
> > in eth1 --physdev-out eth1
> The big problem is in the FORWARD chain, the first rule in this  
> chain says jump to the chain RH-Firewall-1-INPUT and then the  
> subsequent rules are ignored.
> So for instance in my example system my domU is on bridged  
> interface vif3.0 in order add the ACCEPT iptables line *before* the  
> jump to RH-Firewall I had to drop that rule and then insert it back  
> in.
> iptables -D FORWARD -j RH-Firewall-1-INPUT
> iptables -A FORWARD -m physdev --physdev-in vif3.0 -j ACCEPT
> iptables -A FORWARD -j RH-Firewall-1-INPUT
>
> Same basic approach for you, just make sure your rules come before  
> the jump or drop that rule and then add it back in after the rule  
> changes are done.
> I modified my /etc/xen/scripts/vif-common.sh to do this for me.   
> The patch appeared in my last post.
> -Mike
>
> _______________________________________________
> Xen-users mailing list
> Xen-users@xxxxxxxxxxxxxxxxxxx
> http://lists.xensource.com/xen-users

_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users