[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Xen-users] dom0 firewall + domU virtual eth0:1

Hi again,

Is there a guide/wiki/howto for doing safe firewalling in dom0 ?

I have a domU which has two IP's.
It is configured like this in it's config file:

nics = 2
vif = [ 'ip=' , 'ip=' ]
gateway = ""
netmask = ""

ifconfig in domU shows both eth0 ( and eth0:1 (
configured OK.

'brctl show' in dom0  shows

bridge name     bridge id               STP enabled     interfaces
xen-br0         8000.006002123a08       no              eth0

My problem is I want to run iptables in dom0 to do some firewalling.
With just a single eth0 in domU this seesm fine. But If add another
virtual eth0:1 in domU, and then start up the firewall in dom0, the
networking in domU fails. It's like the bridging fails.

I notice 'xm create' puts the following iptables entries in

ACCEPT     all  --  anywhere  PHYSDEV match --physdev-in vif1.0
ACCEPT     udp  --  anywhere  anywhere  PHYSDEV match --physdev-in vif1.0 udp 
spt:bootpc dpt:bootps
ACCEPT     all  --  anywhere  PHYSDEV match --physdev-in vif1.1
ACCEPT     udp  --  anywhere  anywhere  PHYSDEV match --physdev-in vif1.1 udp 
spt:bootpc dpt:bootps

but if I restart iptable, or add any other rules the bridging fails.

Can anyone give any advice on how to do iptable firewalling in dom0
that won't affect the domU virtual interface brigding?


Xen-users mailing list



Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.