
Re: [Xen-users] Problem start iptables - udp broken


  • To: "Torsten Lehmann" <tlehmann@xxxxxxxxxxxxx>
  • From: "Abel Martín" <abel.martin.ruiz@xxxxxxxxx>
  • Date: Wed, 29 Nov 2006 12:57:46 +0100
  • Cc: xen-users@xxxxxxxxxxxxxxxxxxx
  • Delivery-date: Wed, 29 Nov 2006 03:57:59 -0800
  • Domainkey-signature: a=rsa-sha1; q=dns; c=nofws; s=beta; d=gmail.com; h=received:message-id:date:from:to:subject:cc:in-reply-to:mime-version:content-type:content-transfer-encoding:content-disposition:references; b=SxVOr7BiSQs6WLot2E3tfU9R2qQEC+wFloDUxcKV0In8+gyhYxB+8QyMb0HKCEuCEMgep7/gpxzRQ6LprGCDeGv8XKi5tDFp/eys3PbtMVEmneGF0E6+ZA8jNu8LeTYVP3H+1OXrHPjDA7TmgPO7T/DIUnkmUjC0ANRaj/VEIEs=
  • List-id: Xen user discussion <xen-users.lists.xensource.com>

On 11/29/06, Torsten Lehmann <tlehmann@xxxxxxxxxxxxx> wrote:
> Did I understand it correctly?
> I can filter packets to Dom1 on Dom0 when iptables binds to Dom0:peth0
> or Dom0:vif1.0.
>
>            Dom0  Dom1
>            ----  ----
>
>                   eth0
>                    |
>            eth0  vif1.0
>              |     |
>            -------------... Bridge
>            |
>          peth0
>            |
>
> If iptables runs without "-i dev", by default it binds to eth0.
> It sees no packets from peth0 to Dom1:eth0.

If you want to filter traffic for domU in dom0, I would do something
similar to what is recommended on the Xen Networking wiki, with a slight
difference.

# set $trusted_IPs (your NFS clients) and $NFS_IP (the domU's address)
# before running this

# create a chain for rules for your domU
iptables -N domU

# process domU rules if traffic enters/leaves physical net device eth0
# but doesn't leave/enter it
iptables -A FORWARD -m physdev --physdev-in eth0 --physdev-out '!' eth0 -j domU
iptables -A FORWARD -m physdev --physdev-out eth0 --physdev-in '!' eth0 -j domU

# create specific rules for your domU: NFS over UDP from trusted clients
iptables -A domU -m udp -p udp --sport 1024:65535 --dport 2049 \
    --source $trusted_IPs --destination $NFS_IP \
    -m state --state NEW,ESTABLISHED -j ACCEPT
# and the replies back to them
iptables -A domU -m udp -p udp --destination $trusted_IPs --source $NFS_IP \
    --sport 2049 --dport 1024:65535 \
    -m state --state ESTABLISHED,RELATED -j ACCEPT
# everything else for the domU is dropped
iptables -A domU -j DROP

I've tested these rules with netcat and they work on my machine,
although they don't prevent access to any service in domU from dom0.
I don't know if your problem has to do with ip_conntrack or NFS itself.
I'm using Xen 2.6.18 on a Debian Sid box.

A curious thing I found is that running tcpdump on dom0's bridge
or eth0 only shows incoming packets, as you mentioned before.
Surprisingly, the same applies to vif1.0. The traffic flows in both
directions, though. Maybe a libpcap or tcpdump problem? So tcpdump
might not be the right tool to analyze this problem.

Watch out if you have rules in the PREROUTING, FORWARD and POSTROUTING
chains, as stated in:
http://wiki.xensource.com/xenwiki/XenNetworking#head-602e26cd4a03b992f3938fe1bea03fa0fea0ed8b
The script you're executing might not suit your needs.


> On xenwiki/XenNetworking I found documentation on configuring "bridging"
> and "routing".
> Where can I find information on the pros and cons (bridging vs. routing)?

Bridging is the default networking setup for Xen. I've never worked
with routed networking in Xen, so I can't give you any useful opinion.

Regards.
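An added example, not code from this thread or from the Xen wiki, of how the same dom0 filter can be built today. The differences from the rules in the mail: the whole filter table is written in iptables-restore format so it is swapped in atomically rather than built up with separate iptables calls; the FORWARD hooks key on the domU's own bridge port (assumed to be vif1.0) instead of the outside-facing port, so traffic between dom0 and the domU is filtered as well; replies are matched by connection state instead of a mirrored rule. Two helpers cover the things this thread tripped over: whether bridge-netfilter is actually handing bridged frames to iptables at all (with it off, physdev rules silently match nothing), and reading the rule counters, since the mail notes that tcpdump on the bridge is not reliable here. The port name, the 192.0.2.0/24 client range, the NFS address and the sample counter listing are all made up for the example.

```shell
#!/bin/bash
# Added example, not code from the original thread. Every name below is an
# assumption made for illustration:
#   DOMU_VIF    - bridge port of the protected domU (Xen names it vifN.0)
#   NFS_IP      - address of the NFS server running inside that domU
#   TRUSTED_NET - client range allowed to mount it (RFC 5737 test range)
set -u
DOMU_VIF=${DOMU_VIF:-vif1.0}
NFS_IP=${NFS_IP:-192.0.2.10}
TRUSTED_NET=${TRUSTED_NET:-192.0.2.0/24}

# Emit the filter table in iptables-restore format. Loading it with
# `iptables-restore` replaces the table in one step, so there is no window
# with the chain half-built between separate iptables calls.
domu_ruleset() {
    cat <<EOF
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:domU - [0:0]
# Hook on the domU's own bridge port: every frame to or from the guest,
# whether it came from the wire or from dom0, crosses $DOMU_VIF.
-A FORWARD -m physdev --physdev-in $DOMU_VIF -j domU
-A FORWARD -m physdev --physdev-out $DOMU_VIF -j domU
# Replies are matched on connection state, so no mirror rule is needed.
-A domU -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# New NFS-over-UDP requests from trusted clients only. NFSv3 clients also
# need portmapper (111/udp) and mountd; add those the same way.
-A domU -p udp -s $TRUSTED_NET -d $NFS_IP --dport 2049 -m conntrack --ctstate NEW -j ACCEPT
# Log what is dropped so a broken service can be diagnosed from syslog.
-A domU -j LOG --log-prefix "domU-drop: " --log-level 4
-A domU -j DROP
COMMIT
EOF
}

# Bridged frames only reach iptables' FORWARD chain when bridge-netfilter
# is on; with it off, the physdev rules silently match nothing. The sysctl
# path is a parameter so the check can be run against a constructed file.
bridge_nf_enabled() {
    [ "$(cat "$1" 2>/dev/null)" = "1" ]
}

# Read `iptables -L FORWARD -v -n -x` output on stdin and print the packet
# counter of the rule matching --physdev-<in|out>. Counters, unlike tcpdump
# on the bridge, show exactly which direction the hook is seeing.
physdev_hits() {
    awk -v dir="--physdev-$1 " '$0 ~ dir { print $1; exit }'
}

# Constructed counter listing, as `iptables -L FORWARD -v -n -x` would print
# it after some NFS traffic; the numbers are made up.
SAMPLE_COUNTERS='Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination
      42     6300 domU       all  --  *      *       0.0.0.0/0            0.0.0.0/0            PHYSDEV match --physdev-in vif1.0
       0        0 domU       all  --  *      *       0.0.0.0/0            0.0.0.0/0            PHYSDEV match --physdev-out vif1.0'

# Stand-alone use: `bash domu-filter.sh print | iptables-restore` (as root),
# after `bash domu-filter.sh check` reports that bridge-netfilter is on.
case "${1:-}" in
    print) domu_ruleset ;;
    check) if bridge_nf_enabled /proc/sys/net/bridge/bridge-nf-call-iptables; then
               echo "bridge-nf: on"
           else
               echo "bridge-nf: off (iptables will not see bridged frames)"
           fi ;;
esac
```

With the sample listing above, the in-direction counter is non-zero while the out-direction one is zero, which is the pattern to look for when, as in this thread, only one direction of a UDP exchange appears to work: the hook sees requests leaving the guest but no replies reaching it, which points at the bridge-netfilter or conntrack path rather than at NFS itself.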

_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users