Re: [Xen-users] IPtables working on domU but not dom0
Hello Lyle,

Xen wrote:
> Can someone send me an example of their IPtables configuration file for
> dom0 so I can see how they have set it?

On my system dom0 acts as a gateway for the domUs that are in a /28. I'm no expert on this, but as far as I can tell, it works. I changed the real IP addresses to fantasy addresses:

# default policies, then flush and delete all chains
/sbin/iptables -P FORWARD DROP
/sbin/iptables -P INPUT DROP
/sbin/iptables -P OUTPUT ACCEPT
/sbin/iptables -t filter -F
/sbin/iptables -t filter -X
/sbin/iptables -t nat -F
/sbin/iptables -t nat -X
/sbin/modprobe ip_conntrack_ftp
echo 1 > /proc/sys/net/ipv4/ip_forward

# "clean": what happens to anything not explicitly allowed
/sbin/iptables -N clean
/sbin/iptables -A clean -p udp --dport 135:139 -j DROP
/sbin/iptables -A clean -j LOG --log-prefix "Rejected " -m limit --limit 1/sec
/sbin/iptables -A clean -p tcp -j REJECT --reject-with tcp-reset
/sbin/iptables -A clean -p udp -j REJECT --reject-with icmp-port-unreachable
/sbin/iptables -A clean -j DROP

# INPUT (dom0 itself) and FORWARD (the domUs): invalid and private-source traffic is dropped first
/sbin/iptables -A INPUT -j DROP -m state --state INVALID
/sbin/iptables -A INPUT -j ACCEPT -i lo
/sbin/iptables -A INPUT -j DROP -s 10.0.0.0/8
/sbin/iptables -A INPUT -j DROP -s 172.16.0.0/12
/sbin/iptables -A INPUT -j DROP -s 192.168.0.0/16
/sbin/iptables -A FORWARD -j DROP -m state --state INVALID
/sbin/iptables -A FORWARD -j DROP -s 10.0.0.0/8
/sbin/iptables -A FORWARD -j DROP -s 172.16.0.0/12
/sbin/iptables -A FORWARD -j DROP -s 192.168.0.0/16
/sbin/iptables -A FORWARD -j ACCEPT -s 79.32.11.160/28

/sbin/iptables -N in_main
/sbin/iptables -A in_main -j ACCEPT -m state --state ESTABLISHED,RELATED
/sbin/iptables -A in_main -j ACCEPT -p icmp ! --icmp-type redir
/sbin/iptables -N fwd_main
/sbin/iptables -A fwd_main -j ACCEPT -m state --state ESTABLISHED,RELATED
/sbin/iptables -A fwd_main -j ACCEPT -p icmp ! --icmp-type redir

# services reachable on dom0 itself
/sbin/iptables -A in_main -i eth0 -m multiport -s 21.34.1.62 -d 213.95.21.8 -p tcp --dport 22 -j ACCEPT
/sbin/iptables -A in_main -i eth0 -m multiport -s 21.34.28.2 -d 213.95.21.8 -p tcp --dport 22 -j ACCEPT
/sbin/iptables -A in_main -i eth0 -m multiport -s 79.32.11.160/28 -d 79.32.11.161 -p tcp --dport 111 -j ACCEPT
/sbin/iptables -A in_main -j clean
/sbin/iptables -A INPUT -j in_main

# services forwarded to the individual domUs
/sbin/iptables -A fwd_main -i eth0 -m multiport -d 79.32.11.163 -p tcp --dport http,ftp -j ACCEPT
/sbin/iptables -A fwd_main -i eth0 -m multiport -d 79.32.11.164 -p tcp --dport 8080,8090 -j ACCEPT
/sbin/iptables -A fwd_main -i eth0 -m multiport -d 79.32.11.165 -p tcp --dport http,https -j ACCEPT
/sbin/iptables -A fwd_main -i eth0 -m multiport -d 79.32.11.162 -p tcp --dport smtp,imap2,imaps -j ACCEPT
/sbin/iptables -A fwd_main -i eth0 -m multiport -d 79.32.11.160/28 -p tcp --dport 22 -j ACCEPT
/sbin/iptables -A fwd_main -i eth0 -m multiport -d 79.32.11.166 -p tcp --dport 52456 -j ACCEPT
/sbin/iptables -A fwd_main -i eth0 -m multiport -d 79.32.11.166 -p tcp --dport 4661,4662 -j ACCEPT
/sbin/iptables -A fwd_main -i eth0 -m multiport -d 79.32.11.166 -p udp --dport 4665 -j ACCEPT
/sbin/iptables -A fwd_main -i eth0 -m multiport -s 21.34.1.62 -d 79.32.11.166 -p tcp --dport 4080,4001 -j ACCEPT
/sbin/iptables -A fwd_main -i eth0 -m multiport -s 21.34.28.2 -d 79.32.11.166 -p tcp --dport 4080,4001 -j ACCEPT
/sbin/iptables -A fwd_main -i eth0 -m multiport -s 79.32.11.160/28 -j ACCEPT
/sbin/iptables -A fwd_main -j clean
/sbin/iptables -A FORWARD -j fwd_main

Greetings
Roman

_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users
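Since dom0 is the forwarding gateway for the /28, the check a reader of this ruleset wants is what the FORWARD path actually lets through to each domU. The following Python is an added example, not Roman's script or anything from the Xen project: it parses a constructed subset of the ruleset above (same FORWARD -> fwd_main -> clean layout, fewer rules) and walks the chains for a given packet the way the kernel would, first terminal match wins. It assumes every option in that subset takes exactly one argument and resolves the service names the post uses through a small hand-built table rather than /etc/services.

```python
import ipaddress, shlex
# Constructed subset of the posted dom0 ruleset: same chain layout (FORWARD -> fwd_main -> clean), fewer rules.
RULES = """
-P FORWARD DROP
-A FORWARD -j ACCEPT -s 79.32.11.160/28
-A FORWARD -j fwd_main
-A fwd_main -j ACCEPT -m state --state ESTABLISHED,RELATED
-A fwd_main -i eth0 -m multiport -d 79.32.11.163 -p tcp --dport http,ftp -j ACCEPT
-A fwd_main -i eth0 -m multiport -d 79.32.11.160/28 -p tcp --dport 22 -j ACCEPT
-A fwd_main -j clean
-A clean -p udp --dport 135:139 -j DROP
-A clean -p tcp -j REJECT --reject-with tcp-reset
-A clean -j DROP
"""
SERVICES = {"http": 80, "https": 443, "ftp": 21, "smtp": 25, "imap2": 143, "imaps": 993}  # hand-built, not /etc/services
def ports(spec):                      # "http,ftp" / "135:139" / "22" -> set of port numbers
    out = set()
    for item in spec.split(","):
        lo, _, hi = item.partition(":")
        lo, hi = [int(SERVICES.get(p, p)) for p in (lo, hi or lo)]
        out.update(range(lo, hi + 1))
    return out
def parse_rules(text):
    policy, chains = {}, {}           # assumption: every option in the subset takes exactly one argument
    for line in text.strip().splitlines():
        t = shlex.split(line)
        if t[0] == "-P": policy[t[1]] = t[2]; continue
        rule = {}
        for opt, arg in zip(t[2::2], t[3::2]):        # t[0] == "-A", t[1] == chain name
            if opt in ("-s", "-d"): rule[opt] = ipaddress.ip_network(arg)
            elif opt == "--state": rule[opt] = set(arg.split(","))
            elif opt == "--dport": rule[opt] = ports(arg)
            elif opt in ("-p", "-i", "-j"): rule[opt] = arg   # -m <module> and --reject-with <x> carry no test
        chains.setdefault(t[1], []).append(rule)
    return policy, chains

def matches(rule, pkt):
    src, dst = ipaddress.ip_address(pkt["src"]), ipaddress.ip_address(pkt["dst"])
    return all(("-s" not in rule or src in rule["-s"], "-d" not in rule or dst in rule["-d"],
                "-p" not in rule or rule["-p"] == pkt["proto"], "-i" not in rule or rule["-i"] == pkt["iface"],
                "--state" not in rule or pkt["state"] in rule["--state"],
                "--dport" not in rule or pkt.get("dport") in rule["--dport"]))

def verdict(policy, chains, pkt, chain="FORWARD"):
    for rule in chains.get(chain, []):             # first terminal match wins, as in the kernel
        if not matches(rule, pkt) or rule["-j"] == "LOG": continue
        if rule["-j"] in ("ACCEPT", "DROP", "REJECT"): return rule["-j"]
        sub = verdict(policy, chains, pkt, rule["-j"])   # user chain: fall back to caller if nothing matched
        if sub != "RETURN": return sub
    return policy.get(chain, "RETURN")             # built-in chain policy; user chains RETURN
```

Feeding it a packet dict such as {"src": "8.8.8.8", "dst": "79.32.11.163", "proto": "tcp", "iface": "eth0", "state": "NEW", "dport": 443} shows the difference between the tcp REJECT in clean and the udp DROP, which is exactly what a port scan of the domUs would see.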