
Re: [Xen-users] iptables in dom0 with bridge: no more outbound connections


  • To: Peter Fokkinga <peter@xxxxxxxxxxx>
  • From: Nico Kadel-Garcia <nkadel@xxxxxxxxx>
  • Date: Fri, 29 Dec 2006 16:40:21 +0000
  • Cc: xen-users@xxxxxxxxxxxxxxxxxxx
  • Delivery-date: Fri, 29 Dec 2006 08:40:14 -0800
  • List-id: Xen user discussion <xen-users.lists.xensource.com>

Peter Fokkinga wrote:
After successfully consolidating my servers at home with Xen I
wanted to do the same at work. Unfortunately, I ran into a
networking anomaly that baffles my mind...

What I'm looking for is a real simple setup: a dom0 and 4 domU's
that are all directly accessible; in other words, no NAT required,
each dom has a "real" (public) ip address in our 129.125. range
(that's University of Groningen, the Netherlands in case you're
wondering).

Even though I have no need for iptables to do NAT, I _do_ want
to protect each dom, including dom0, with its own firewall. And
here the problems start.

When I boot into dom0 (Xen 3.0.4 patched to kernel 2.6.16.36), but
without starting xend, things are fine (iptables rules are active
at this point). Yet, after I have started xend (and xenbr0 appears
in my ifconfig output) I am unable to make connections to remote
hosts (dns lookups fail, ping to ip addresses fail, etc). Strange!

Now for the real spooky part:
  1. I booted into dom0 (no xend)
  2. executed `telnet 129.125.14.12 daytime`, it works
  3. started xend
  4. executed `telnet 129.125.14.12 daytime`, it still works (surprise!)
  5. executed `telnet 129.125.14.13 daytime`, it does not work

DNS cache, I think.

Weird, so I rebooted the machine and tried again except for step 2
and the result was the same. Two days later I tried another time
(again leaving out step 2) and now step 4 gives no response...

When I disable the firewall (iptables -F) everything is fine.

My minimal firewall script:
iptables -F
iptables -A INPUT -p tcp --dport ssh   -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -j DROP

Another observation: with the above firewall in place I can ssh into
dom0, but it takes about 30 seconds to connect; without firewall it
is almost instantaneous.

Reverse DNS being attempted by Dom0 as part of SSHD logging, and failing. Try restarting the SSHD with the "-u0" option to turn this off.
Now I'm a programmer, not a network engineer. And I don't have a
clue how to go from here (i.o.w. I can run tcpdump, but don't know
what to look for). So suggestions are greatly appreciated!

Cheers, Peter

It's been discussed before: I haven't had a chance to pursue it, myself. Basically, after you start Xend, traffic going *out* from Dom0 goes through peth0, as near as I can tell, not eth0.

_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users
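The firewall script from the post, with a LOG rule placed in front of its final DROP so that anything the INPUT chain discards (including replies to dom0's own outbound connections) shows up in the kernel log, plus a small parser that summarises those log lines by inbound interface, protocol and ports. This is an added example written for this page, not code from the thread or from Xen. The log prefix, the loopback rule, the sample log lines, and every address and port in them except the daytime host 129.125.14.13 are constructed.

```shell
#!/bin/sh
# Added example, not from the thread: the poster's INPUT rules with a LOG rule
# in front of the final DROP, plus a parser for the resulting kernel messages.
# Run as "./fwdiag.sh apply" (as root) to install the rules; run with no
# arguments to parse the constructed sample log below instead of "dmesg".

# Poster's rule set plus a loopback accept and a rate-limited LOG before DROP.
# "dom0-drop: " is our chosen prefix; the rest is stock iptables syntax.
apply_firewall() {
    iptables -F INPUT
    iptables -A INPUT -i lo -j ACCEPT
    iptables -A INPUT -p tcp --dport 22 -j ACCEPT
    iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    iptables -A INPUT -m limit --limit 10/min -j LOG --log-prefix "dom0-drop: "
    iptables -A INPUT -j DROP
    # Bridged frames are only handed to iptables when this sysctl reads 1.
    cat /proc/sys/net/bridge/bridge-nf-call-iptables
}

# Constructed sample of what "dmesg" shows once the LOG rule fires. The only
# real address is the daytime host from the thread (129.125.14.13); the dom0
# address 129.125.14.99, the resolver 129.125.14.2, MACs and ports are made up.
sample_log() {
    cat <<'EOF'
[  512.101] dom0-drop: IN=eth0 OUT= MAC=00:16:3e:00:00:01:00:11:22:33:44:55:08:00 SRC=129.125.14.13 DST=129.125.14.99 LEN=60 TOS=0x00 PREC=0x00 TTL=62 ID=0 DF PROTO=TCP SPT=13 DPT=34567 WINDOW=5840 RES=0x00 ACK SYN URGP=0
[  515.104] dom0-drop: IN=eth0 OUT= MAC=00:16:3e:00:00:01:00:11:22:33:44:55:08:00 SRC=129.125.14.13 DST=129.125.14.99 LEN=60 TOS=0x00 PREC=0x00 TTL=62 ID=0 DF PROTO=TCP SPT=13 DPT=34567 WINDOW=5840 RES=0x00 ACK SYN URGP=0
[  521.110] dom0-drop: IN=eth0 OUT= MAC=00:16:3e:00:00:01:00:11:22:33:44:55:08:00 SRC=129.125.14.13 DST=129.125.14.99 LEN=60 TOS=0x00 PREC=0x00 TTL=62 ID=0 DF PROTO=TCP SPT=13 DPT=34567 WINDOW=5840 RES=0x00 ACK SYN URGP=0
[  530.200] dom0-drop: IN=eth0 OUT= MAC=00:16:3e:00:00:01:00:11:22:33:44:55:08:00 SRC=129.125.14.2 DST=129.125.14.99 LEN=118 TOS=0x00 PREC=0x00 TTL=63 ID=4321 PROTO=UDP SPT=53 DPT=32800 LEN=98
[  535.203] dom0-drop: IN=eth0 OUT= MAC=00:16:3e:00:00:01:00:11:22:33:44:55:08:00 SRC=129.125.14.2 DST=129.125.14.99 LEN=118 TOS=0x00 PREC=0x00 TTL=63 ID=4322 PROTO=UDP SPT=53 DPT=32800 LEN=98
[  540.301] dom0-drop: IN=eth0 OUT= MAC=00:16:3e:00:00:01:00:11:22:33:44:55:08:00 SRC=129.125.14.13 DST=129.125.14.99 LEN=84 TOS=0x00 PREC=0x00 TTL=62 ID=7 PROTO=ICMP TYPE=0 CODE=0 ID=1234 SEQ=1
EOF
}

# Summarise LOG lines read on stdin: one line per IN/PROTO/SPT/DPT combination
# with a hit count and the first source seen, highest count first.
summarize_drops() {
    awk '
        /dom0-drop:/ {
            iface = proto = spt = dpt = src = ""
            for (i = 1; i <= NF; i++) {
                n = split($i, kv, "=")
                if (n < 2) continue          # flags such as DF, SYN, ACK
                if (kv[1] == "IN")         iface = kv[2]
                else if (kv[1] == "PROTO") proto = kv[2]
                else if (kv[1] == "SPT")   spt   = kv[2]
                else if (kv[1] == "DPT")   dpt   = kv[2]
                else if (kv[1] == "SRC")   src   = kv[2]
            }
            key = "IN=" iface " PROTO=" proto
            if (spt != "") key = key " SPT=" spt " DPT=" dpt
            count[key]++
            if (!(key in first)) first[key] = src
        }
        END {
            for (k in count) printf "%d %s (e.g. from %s)\n", count[k], k, first[k]
        }
    ' | sort -rn
}

if [ "${1:-}" = apply ]; then
    apply_firewall
else
    sample_log | summarize_drops
fi
```

Read the summary for replies to connections dom0 itself opened: a SYN/ACK from port 13 or a DNS answer from port 53 landing on IN=eth0 and being dropped means the ESTABLISHED,RELATED rule never matched, i.e. conntrack did not tie the reply to the outbound packet. That is the thing to check next (the entries in /proc/net/ip_conntrack while the telnet is pending, and whether bridged frames reach iptables at all via bridge-nf-call-iptables), rather than the ACCEPT rules, which are not the problem.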