
Re: [Xen-users] iptables in dom0 with bridge: no more outbound connections


  • To: Peter Fokkinga <peter@xxxxxxxxxxx>
  • From: Nico Kadel-Garcia <nkadel@xxxxxxxxx>
  • Date: Sat, 30 Dec 2006 18:21:04 +0000
  • Cc: xen-users@xxxxxxxxxxxxxxxxxxx
  • Delivery-date: Sat, 30 Dec 2006 10:20:57 -0800
  • List-id: Xen user discussion <xen-users.lists.xensource.com>

Peter Fokkinga wrote:
> Quoting Nico Kadel-Garcia <nkadel@xxxxxxxxx>:
>> Peter Fokkinga wrote:
>>> [...]
>>> Now for the real spooky part:
>>>  1. I booted into dom0 (no xend)
>>>  2. executed `telnet 129.125.14.12 daytime`, it works
>>>  3. started xend
>>>  4. executed `telnet 129.125.14.12 daytime`, it still works (surprise!)
>>>  5. executed `telnet 129.125.14.13 daytime`, it does not work
>> DNS cache, I think.
>
> But I'm using IP addresses, not names? I don't see how DNS fits in
> this picture.

I can't swear to this, but when you use anything to reach out to the net, it assumes first that the word or name is a hostname, and tries to look that up. It resolves IP addresses as IP addresses, and DNS names as IP addresses, and then has to turn that into appropriate local or gateway MAC addresses based on ARP data, etc., etc., etc. DNS caches store the information locally, so no additional lookups happen. If it's not stored locally in your DNS cache, then it tries to do a DNS lookup, and in your case fails as it tries to look up 129.154.14.13 from your DNS system.

I don't think a numerical hostname is first resolved as a number, for a whole bunch of historical and procedural reasons. It still does DNS the first time.

>> It's been discussed before: I haven't had a chance to pursue it,
>> myself. Basically, after you start Xend, traffic going *out* from Dom0
>> goes through peth0, as near as I can tell, not eth0.
>
> Ok, but why is iptables interfering? I'm not referring to eth0 in
> my rules. If I flush iptables after starting Xend everything is fine,
> troubles start the moment I re-activate the rules.

I think because when Xen is running, it's not going through eth0. It's going through peth0.

> I get the feeling iptables does not remember its state, so my rule
>   iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> has no effect. Kernel modules xt_state and ip_conntrack are loaded.
>
> Peter


_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users
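A small audit script, added here and not part of the thread, that checks an iptables-save dump for the two things discussed above: rules pinned to an interface name (which xend's bridge setup makes fragile when eth0 becomes peth0) and whether the ESTABLISHED,RELATED rule in INPUT can actually take effect. The rulesets are constructed samples; the interface names come from the thread.

```shell
# Added audit helper (not code from the thread): given iptables-save style
# output it lists rules pinned to an interface name, which xend's bridge
# setup makes fragile (eth0 is renamed to peth0), and checks that INPUT
# accepts ESTABLISHED,RELATED before any DROP or REJECT in that chain.

# Constructed sample with the state rule Peter quotes, correctly placed.
GOOD_RULES='*filter
:INPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
COMMIT'

# Constructed sample where a REJECT precedes the state rule, so replies to
# dom0's own outbound connections never reach the ACCEPT.
BAD_RULES='*filter
:INPUT ACCEPT [0:0]
-A INPUT -p tcp -j REJECT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
COMMIT'

# Count rules matching on a physical (ethN) or renamed (pethN) interface.
count_pinned_rules() {
    printf '%s\n' "$1" | grep -c -E -e '-(i|o) p?eth[0-9]+' || true
}

# Exit 0 when INPUT has a state/conntrack ESTABLISHED,RELATED ACCEPT that
# no earlier DROP or REJECT in the same chain shadows.
has_state_rule() {
    printf '%s\n' "$1" | awk '
        /^-A INPUT / {
            if (!blocked && $0 ~ /--(state|ctstate) ESTABLISHED,RELATED -j ACCEPT/)
                found = 1
            else if (!found && $0 ~ /-j (DROP|REJECT)/)
                blocked = 1
        }
        END { exit (found && !blocked) ? 0 : 1 }'
}

audit_rules() {
    echo "interface-pinned rules: $(count_pinned_rules "$1") (re-check after eth0 becomes peth0)"
    if has_state_rule "$1"; then
        echo "ESTABLISHED,RELATED accepted in INPUT: ok"
    else
        echo "ESTABLISHED,RELATED not usable in INPUT: outbound replies will be blocked"
    fi
}

audit_rules "$GOOD_RULES"
audit_rules "$BAD_RULES"
```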