Re: [Xen-users] Problem start iptables - udp broken
On Tue, 28 Nov 2006, Abel Martín wrote:
....
> I forgot to ask you. Are you trying to filter traffic for domU in
> dom0? If you are trying to do this with iptables and Xen bridged
> networking it has no sense, since a bridged device is a link layer
> device and iptables works above at network and transport layer. If you
> are using Xen routed networking I have no experience with such
> configuration.

Oh yes... I also assumed so far that eth0 sees everything. Now I have
read xenwiki/XenNetworking and understand... perhaps. (See the question
in my reply on "11/28/06, Bill Maidment".)

The iptables rules were not bound explicitly to an interface. ...lamp
lights on... I also tested what happens if I bind iptables explicitly to
peth0.

---------------------------------------------------------------------
EXTIF="peth0"
# log, then drop, telnet (tcp/23) arriving on peth0 and addressed to dom0
$IPTABLES -A INPUT -i $EXTIF -p tcp -s 0/0 -m multiport --dport 23 -j LOG $LOG_LEVEL --log-prefix "IN test: "
$IPTABLES -A INPUT -i $EXTIF -p tcp -s 0/0 -m multiport --dport 23 -j DROP
# log, then drop, telnet arriving on peth0 and forwarded to the domU 193.123.123.86
$IPTABLES -A FORWARD -i $EXTIF -p tcp -s 0/0 -d 193.123.123.86 -m multiport --dport 23 -j LOG $LOG_LEVEL --log-prefix "fw nas: "
$IPTABLES -A FORWARD -i $EXTIF -p tcp -s 0/0 -d 193.123.123.86 -m multiport --dport 23 -j DROP
---------------------------------------------------------------------

- l0:vif2.0 and l1:eth0 were captured at the same time only
- test command: $ ls -laR ~

l0:~# tcpdump -vv -n -i peth0 host nfsserver and udp
08:02:47.777591 IP (tos 0x0, ttl 255, id 38933, offset 0, flags [DF], length: 140) 193.123.123.85.2049 > 193.123.123.86.803770947: reply ok 112 getattr DIR 755 ids 1104/110 [|nfs]
08:02:47.778281 IP (tos 0x0, ttl 64, id 13432, offset 0, flags [DF], length: 140) 193.123.123.86.820548163 > 193.123.123.85.2049: 112 access [|nfs]
08:02:47.778517 IP (tos 0x0, ttl 255, id 38934, offset 0, flags [DF], length: 148) 193.123.123.85.2049 > 193.123.123.86.820548163: reply ok 120 access attr: DIR 755 ids 1104/110 [|nfs]
08:02:47.779239 IP (tos 0x0, ttl 64, id 13433, offset 0, flags [DF], length: 160) 193.123.123.86.837325379 > 193.123.123.85.2049: 132 readdirplus [|nfs]
08:02:47.780179 IP (tos 0x0, ttl 255, id 38935, offset 0, flags [+, DF], length: 1500) 193.123.123.85.2049 > 193.123.123.86.837325379: reply ok 1472 readdirplus POST: DIR 755 ids 1104/110 [|nfs]
08:02:47.780198 IP (tos 0x0, ttl 255, id 38935, offset 1480, flags [DF], length: 116) 193.123.123.85 > 193.123.123.86: udp
08:02:49.368860 IP (tos 0x0, ttl 64, id 13434, offset 0, flags [DF], length: 160) 193.123.123.86.837325379 > 193.123.123.85.2049: 132 readdirplus [|nfs]
08:02:49.369606 IP (tos 0x0, ttl 255, id 38936, offset 0, flags [+, DF], length: 1500) 193.123.123.85.2049 > 193.123.123.86.837325379: reply ok 1472 readdirplus POST: DIR 755 ids 1104/110 [|nfs]
08:02:49.369631 IP (tos 0x0, ttl 255, id 38936, offset 1480, flags [DF], length: 116) 193.123.123.85 > 193.123.123.86: udp
08:02:52.568438 IP (tos 0x0, ttl 64, id 13435, offset 0, flags [DF], length: 160) 193.123.123.86.837325379 > 193.123.123.85.2049: 132 readdirplus [|nfs]
08:02:52.569225 IP (tos 0x0, ttl 255, id 38937, offset 0, flags [+, DF], length: 1500) 193.123.123.85.2049 > 193.123.123.86.837325379: reply ok 1472 readdirplus POST: DIR 755 ids 1104/110 [|nfs]
08:02:52.569245 IP (tos 0x0, ttl 255, id 38937, offset 1480, flags [DF], length: 116) 193.123.123.85 > 193.123.123.86: udp

## vif="vif`xm list | grep vm3 | awk '{ print $2}'`.0"
l0:~# tcpdump -vv -n -i vif2.0 host nfsserver and udp
08:03:18.118795 IP (tos 0x0, ttl 64, id 16811, offset 0, flags [DF], length: 140) 193.123.123.86.1626706499 > 193.123.123.85.2049: 112 access [|nfs]
08:03:18.119052 IP (tos 0x0, ttl 255, id 42340, offset 0, flags [DF], length: 148) 193.123.123.85.2049 > 193.123.123.86.1626706499: reply ok 120 access attr: DIR 755 ids 1104/110 [|nfs]
08:03:18.119796 IP (tos 0x0, ttl 64, id 16812, offset 0, flags [DF], length: 136) 193.123.123.86.1643483715 > 193.123.123.85.2049: 108 getattr [|nfs]
08:03:18.120072 IP (tos 0x0, ttl 255, id 42341, offset 0, flags [DF], length: 140) 193.123.123.85.2049 > 193.123.123.86.1643483715: reply ok 112 getattr REG 644 ids 1104/110 [|nfs]
08:03:18.120813 IP (tos 0x0, ttl 64, id 16813, offset 0, flags [DF], length: 136) 193.123.123.86.1660260931 > 193.123.123.85.2049: 108 getattr [|nfs]
08:03:18.121081 IP (tos 0x0, ttl 255, id 42342, offset 0, flags [DF], length: 140) 193.123.123.85.2049 > 193.123.123.86.1660260931: reply ok 112 getattr REG 644 ids 1104/110 [|nfs]
08:03:18.121790 IP (tos 0x0, ttl 64, id 16814, offset 0, flags [DF], length: 136) 193.123.123.86.1677038147 > 193.123.123.85.2049: 108 getattr [|nfs]
08:03:18.122050 IP (tos 0x0, ttl 255, id 42343, offset 0, flags [DF], length: 140) 193.123.123.85.2049 > 193.123.123.86.1677038147: reply ok 112 getattr REG 644 ids 1104/110 [|nfs]
08:03:18.122710 IP (tos 0x0, ttl 64, id 16815, offset 0, flags [DF], length: 136) 193.123.123.86.1693815363 > 193.123.123.85.2049: 108 getattr [|nfs]
08:03:18.122969 IP (tos 0x0, ttl 255, id 42344, offset 0, flags [DF], length: 140) 193.123.123.85.2049 > 193.123.123.86.1693815363: reply ok 112 getattr REG 755 ids 1104/110 [|nfs]
08:03:18.123604 IP (tos 0x0, ttl 64, id 16816, offset 0, flags [DF], length: 136) 193.123.123.86.1710592579 > 193.123.123.85.2049: 108 getattr [|nfs]
0) 193.123.123.85.2049 > 193.123.123.86.1710592579: reply ok 112 getattr REG 644 ids 1104/110 [|nfs]
08:03:18.125002 IP (tos 0x0, ttl 64, id 16817, offset 0, flags [DF], length: 136) 193.123.123.86.1727369795 > 193.123.123.85.2049: 108 getattr [|nfs]
08:03:18.125249 IP (tos 0x0, ttl 255, id 42346, offset 0, flags [DF], length: 140) 193.123.123.85.2049 > 193.123.123.86.1727369795: reply ok 112 getattr REG 644 ids 1104/110 [|nfs]
08:03:18.125899 IP (tos 0x0, ttl 64, id 16818, offset 0, flags [DF], length: 136) 193.123.123.86.1744147011 > 193.123.123.85.2049: 108 getattr [|nfs]
08:03:18.126161 IP (tos 0x0, ttl 255, id 42347, offset 0, flags [DF], length: 140) 193.123.123.85.2049 > 193.123.123.86.1744147011: reply ok 112 getattr REG 644 ids 1104/110 [|nfs]
08:03:18.126794 IP (tos 0x0, ttl 64, id 16819, offset 0, flags [DF], length: 136) 193.123.123.86.1760924227 > 193.123.123.85.2049: 108 getattr [|nfs]
08:03:18.127053 IP (tos 0x0, ttl 255, id 42348, offset 0, flags [DF], length: 140) 193.123.123.85.2049 > 193.123.123.86.1760924227: reply ok 112 getattr REG 644 ids 1104/110 [|nfs]
08:03:18.127759 IP (tos 0x0, ttl 64, id 16820, offset 0, flags [DF], length: 136) 193.123.123.86.1777701443 > 193.123.123.85.2049: 108 getattr [|nfs]
08:03:18.128021 IP (tos 0x0, ttl 255, id 42349, offset 0, flags [DF], length: 140) 193.123.123.85.2049 > 193.123.123.86.1777701443: reply ok 112 getattr REG 644 ids 1104/110 [|nfs]
08:03:18.128688 IP (tos 0x0, ttl 64, id 16821, offset 0, flags [DF], length: 136) 193.123.123.86.1794478659 > 193.123.123.85.2049: 108 getattr [|nfs]
08:03:18.128950 IP (tos 0x0, ttl 255, id 42350, offset 0, flags [DF], length: 140) 193.123.123.85.2049 > 193.123.123.86.1794478659: reply ok 112 getattr REG 644 ids 1104/110 [|nfs]
08:03:18.129660 IP (tos 0x0, ttl 64, id 16822, offset 0, flags [DF], length: 136) 193.123.123.86.1811255875 > 193.123.123.85.2049: 108 getattr [|nfs]
08:03:18.129919 IP (tos 0x0, ttl 255, id 42351, offset 0, flags [DF], length: 140) 193.123.123.85.2049 > 193.123.123.86.1811255875: reply ok 112 getattr REG 644 ids 1104/110 [|nfs]
08:03:18.131141 IP (tos 0x0, ttl 64, id 16823, offset 0, flags [DF], length: 136) 193.123.123.86.1828033091 > 193.123.123.85.2049: 108 getattr [|nfs]

l1:~# tcpdump -vv -n -i eth0 host nfsserver and udp
08:03:18.118610 IP (tos 0x0, ttl 255, id 42339, offset 0, flags [DF], length: 140) 193.123.123.85.2049 > 193.123.123.86.1609929283: reply ok 112 getattr DIR 755 ids 1104/110 [|nfs]
08:03:18.118752 IP (tos 0x0, ttl 64, id 16811, offset 0, flags [DF], length: 140) 193.123.123.86.1626706499 > 193.123.123.85.2049: 112 access [|nfs]
08:03:18.119404 IP (tos 0x0, ttl 255, id 42340, offset 0, flags [DF], length: 148) 193.123.123.85.2049 > 193.123.123.86.1626706499: reply ok 120 access attr: DIR 755 ids 1104/110 [|nfs]
08:03:18.119745 IP (tos 0x0, ttl 64, id 16812, offset 0, flags [DF], length: 136) 193.123.123.86.1643483715 > 193.123.123.85.2049: 108 getattr [|nfs]
08:03:18.120688 IP (tos 0x0, ttl 64, id 16813, offset 0, flags [DF], length: 136) 193.123.123.86.1660260931 > 193.123.123.85.2049: 108 getattr [|nfs]
08:03:18.121740 IP (tos 0x0, ttl 64, id 16814, offset 0, flags [DF], length: 136) 193.123.123.86.1677038147 > 193.123.123.85.2049: 108 getattr [|nfs]
08:03:18.122663 IP (tos 0x0, ttl 64, id 16815, offset 0, flags [DF], length: 136) 193.123.123.86.1693815363 > 193.123.123.85.2049: 108 getattr [|nfs]
08:03:18.123557 IP (tos 0x0, ttl 64, id 16816, offset 0, flags [DF], length: 136) 193.123.123.86.1710592579 > 193.123.123.85.2049: 108 getattr [|nfs]
08:03:18.377483 IP (tos 0x0, ttl 64, id 16828, offset 0, flags [DF], length: 160) 193.123.123.86.1895141955 > 193.123.123.85.2049: 132 readdirplus [|nfs]
08:03:18.865407 IP (tos 0x0, ttl 64, id 16829, offset 0, flags [DF], length: 160) 193.123.123.86.1895141955 > 193.123.123.85.2049: 132 readdirplus [|nf
---------------------------------------------------------------------------

- If one has a lot of time, then one also sees, from time to time, some
  packets in both directions.... -> UDP packets are not blocked generally.
- Why is the problem only solved after removing the ip_conntrack module?
- To reproduce this problem it is sufficient to run:
  # modprobe ip_conntrack

> Or maybe you are trying to run iptables on domU... Please, provide this
> info.

Impractical. The server is in production use. (I would also have to
compile modules and a new kernel and reboot all VMs.)

regards
Torsten launoc

_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users
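The two captures above carry the whole diagnosis if one reads them side by side: on peth0 every readdirplus reply from the NFS server arrives as two IP fragments (a 1500-byte first fragment with the "+" flag and a 116-byte tail at offset 1480), and the client retransmits the same RPC xid three times anyway; inside the guest on eth0 the readdirplus request leaves twice and no reply ever comes back. Small getattr and access replies, which fit in one datagram, pass. The following script is an added example, not part of the original post or of Xen: it parses `tcpdump -vv -n` lines of the shape shown above, pairs NFS-over-UDP requests and replies by the RPC xid that tcpdump prints in place of the client port, flags fragmented datagrams, and compares an outer capture point (dom0's peth0) with an inner one (the guest's eth0) to say where the loss sits. The sample lines are copied from the post's captures, trimmed to the relevant packets; the function names and the verdict wording are this example's own.

```python
import re
from collections import defaultdict

# Shape of one `tcpdump -vv -n` line as printed in the post.  Trailing IP
# fragments carry no UDP header, so tcpdump prints them without the ".port"
# suffix; the two optional groups cover that case.
LINE_RE = re.compile(
    r"(?P<ts>\d\d:\d\d:\d\d\.\d+) IP \(tos 0x[0-9a-fA-F]+, ttl \d+, id (?P<ipid>\d+), "
    r"offset (?P<offset>\d+), flags \[(?P<flags>[^\]]*)\], length: (?P<length>\d+)\) "
    r"(?P<src>\d+(?:\.\d+){3})(?:\.(?P<sport>\d+))? > "
    r"(?P<dst>\d+(?:\.\d+){3})(?:\.(?P<dport>\d+))?: (?P<rest>.*)"
)

# Sample input: lines copied from the post's peth0 capture in dom0, trimmed to
# one access call and the three readdirplus attempts.
PETH0_LINES = [
    "08:02:47.778281 IP (tos 0x0, ttl 64, id 13432, offset 0, flags [DF], length: 140) 193.123.123.86.820548163 > 193.123.123.85.2049: 112 access [|nfs]",
    "08:02:47.778517 IP (tos 0x0, ttl 255, id 38934, offset 0, flags [DF], length: 148) 193.123.123.85.2049 > 193.123.123.86.820548163: reply ok 120 access attr: DIR 755 ids 1104/110 [|nfs]",
    "08:02:47.779239 IP (tos 0x0, ttl 64, id 13433, offset 0, flags [DF], length: 160) 193.123.123.86.837325379 > 193.123.123.85.2049: 132 readdirplus [|nfs]",
    "08:02:47.780179 IP (tos 0x0, ttl 255, id 38935, offset 0, flags [+, DF], length: 1500) 193.123.123.85.2049 > 193.123.123.86.837325379: reply ok 1472 readdirplus POST: DIR 755 ids 1104/110 [|nfs]",
    "08:02:47.780198 IP (tos 0x0, ttl 255, id 38935, offset 1480, flags [DF], length: 116) 193.123.123.85 > 193.123.123.86: udp",
    "08:02:49.368860 IP (tos 0x0, ttl 64, id 13434, offset 0, flags [DF], length: 160) 193.123.123.86.837325379 > 193.123.123.85.2049: 132 readdirplus [|nfs]",
    "08:02:49.369606 IP (tos 0x0, ttl 255, id 38936, offset 0, flags [+, DF], length: 1500) 193.123.123.85.2049 > 193.123.123.86.837325379: reply ok 1472 readdirplus POST: DIR 755 ids 1104/110 [|nfs]",
    "08:02:49.369631 IP (tos 0x0, ttl 255, id 38936, offset 1480, flags [DF], length: 116) 193.123.123.85 > 193.123.123.86: udp",
    "08:02:52.568438 IP (tos 0x0, ttl 64, id 13435, offset 0, flags [DF], length: 160) 193.123.123.86.837325379 > 193.123.123.85.2049: 132 readdirplus [|nfs]",
    "08:02:52.569225 IP (tos 0x0, ttl 255, id 38937, offset 0, flags [+, DF], length: 1500) 193.123.123.85.2049 > 193.123.123.86.837325379: reply ok 1472 readdirplus POST: DIR 755 ids 1104/110 [|nfs]",
    "08:02:52.569245 IP (tos 0x0, ttl 255, id 38937, offset 1480, flags [DF], length: 116) 193.123.123.85 > 193.123.123.86: udp",
]

# Sample input: lines copied from the post's eth0 capture inside the guest (l1), trimmed.
ETH0_LINES = [
    "08:03:18.118752 IP (tos 0x0, ttl 64, id 16811, offset 0, flags [DF], length: 140) 193.123.123.86.1626706499 > 193.123.123.85.2049: 112 access [|nfs]",
    "08:03:18.119404 IP (tos 0x0, ttl 255, id 42340, offset 0, flags [DF], length: 148) 193.123.123.85.2049 > 193.123.123.86.1626706499: reply ok 120 access attr: DIR 755 ids 1104/110 [|nfs]",
    "08:03:18.377483 IP (tos 0x0, ttl 64, id 16828, offset 0, flags [DF], length: 160) 193.123.123.86.1895141955 > 193.123.123.85.2049: 132 readdirplus [|nfs]",
    "08:03:18.865407 IP (tos 0x0, ttl 64, id 16829, offset 0, flags [DF], length: 160) 193.123.123.86.1895141955 > 193.123.123.85.2049: 132 readdirplus [|nfs]",
]


def parse_capture(lines):
    """Return one dict per tcpdump line that matches LINE_RE; other lines are ignored."""
    return [m.groupdict() for m in map(LINE_RE.match, lines) if m]


def analyse(lines, nfs_port="2049"):
    """Summarise one capture point: fragmented datagrams, RPC retransmits, unanswered xids."""
    fragments = defaultdict(list)   # (source IP, IP id) -> fragment offsets seen
    requests = defaultdict(list)    # xid -> timestamps of requests towards the server
    replies = defaultdict(list)     # xid -> timestamps of replies from the server
    for p in parse_capture(lines):
        # "+" (more fragments) on the first piece, or a non-zero offset on a later piece
        if "+" in p["flags"] or int(p["offset"]) > 0:
            fragments[(p["src"], int(p["ipid"]))].append(int(p["offset"]))
        if p["sport"] is None:      # trailing fragment: no UDP header, hence no xid
            continue
        if p["dport"] == nfs_port:  # client -> server; tcpdump prints the RPC xid as the port
            requests[p["sport"]].append(p["ts"])
        elif p["sport"] == nfs_port:
            replies[p["dport"]].append(p["ts"])
    return {
        "fragmented": {key: sorted(offs) for key, offs in fragments.items()},
        "retransmitted": {xid: len(ts) for xid, ts in requests.items() if len(ts) > 1},
        "unanswered": sorted(xid for xid in requests if xid not in replies),
    }


def verdict(outer, inner):
    """Compare an outer (dom0 peth0) and an inner (guest eth0) summary and locate the loss."""
    findings = []
    for xid, n in outer["retransmitted"].items():
        if xid not in outer["unanswered"]:
            findings.append(f"xid {xid}: reply seen at the outer interface, yet the client "
                            f"retransmitted {n}x -> dropped between outer interface and guest")
    if outer["fragmented"] and not inner["fragmented"]:
        findings.append("fragmented datagrams present at the outer interface, none reach the guest")
    for xid in inner["unanswered"]:
        findings.append(f"xid {xid}: request left the guest, no reply seen inside it")
    return findings


if __name__ == "__main__":
    for line in verdict(analyse(PETH0_LINES), analyse(ETH0_LINES)):
        print(line)
```

Run against the post's own packets it reports that the fragmented readdirplus replies are present on peth0 but never reach the guest, which is the symptom the poster ties to loading ip_conntrack: the small, unfragmented getattr and access replies are unaffected at both capture points. The same parser works on a live `tcpdump -vv -n` stream piped in by line, so it doubles as a quick check after any change to the dom0 filtering rules.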