Re: [Xen-users] XEN 3.0.4-1 / Iptables is not working properly
Hello Maik.

I don't really have an explanation for you, but for me to make iptables work I had to run 'ethtool -K eth0 tx off' inside the VM and dom0 on the device. That made iptables work for me. Maybe it also helps you.

greetinx
Christo

On Thu, 2007-04-19 at 09:18 +0200, Maik Brauer wrote:
> Hello,
>
> I've installed XEN 3.0.4-1 and have problems with the iptables settings.
> Please see below the firewall settings for Domain0:
>
> Chain INPUT (policy ACCEPT)
> target     prot opt source      destination
> ACCEPT     0    --  anywhere    anywhere
> ACCEPT     tcp  --  anywhere    mbs-rootsrv   tcp dpt:ssh
> ACCEPT     0    --  anywhere    anywhere      ctstate RELATED,ESTABLISHED
> LOG        0    --  anywhere    anywhere      LOG level warning
> DROP       0    --  anywhere    anywhere
>
> Chain FORWARD (policy ACCEPT)
> target     prot opt source      destination
>
> Chain OUTPUT (policy ACCEPT)
> target     prot opt source      destination
>
> But then, for example, connections which are related to a server request
> (DNS requests / port 53, etc.) will be blocked by the firewall.
> Here is an example of a request:
>
> Apr 19 09:06:19 rootsrv kernel: IN=eth0 OUT= PHYSIN=peth0 PHYSOUT=vif0.0 MAC=00:e4:3c:65:37:37:03:02:85:1a:e2:e0:08:00 SRC=213.133.99.99 DST=88.198.xx.xx LEN=73 TOS=0x00 PREC=0x00 TTL=59 ID=0 DF PROTO=UDP SPT=53 DPT=32803 LEN=53
> Apr 19 09:06:20 rootsrv kernel: IN=eth0 OUT= PHYSIN=peth0 PHYSOUT=vif0.0 MAC=00:e4:3c:65:37:37:03:02:85:1a:e2:e0:08:00 SRC=26.104.239.90 DST=88.198.xx.xx LEN=393 TOS=0x00 PREC=0x00 TTL=55 ID=44193 PROTO=UDP SPT=31178 DPT=1026 LEN=373
> Apr 19 09:06:24 rootsrv kernel: IN=eth0 OUT= PHYSIN=peth0 PHYSOUT=vif0.0 MAC=00:e4:3c:65:37:37:03:02:85:1a:e2:e0:08:00 SRC=213.133.98.98 DST=88.198.xx.xx LEN=73 TOS=0x00 PREC=0x00 TTL=60 ID=0 DF PROTO=UDP SPT=53 DPT=32804 LEN=53
> Apr 19 09:06:27 rootsrv kernel: IN=eth0 OUT= PHYSIN=peth0 PHYSOUT=vif0.0 MAC=00:e4:3c:65:37:37:03:02:85:1a:e2:e0:08:00 SRC=213.133.100.100 DST=88.198.xx.xx LEN=73 TOS=0x00 PREC=0x00 TTL=59 ID=0 DF PROTO=UDP SPT=53 DPT=32805 LEN=53
> Apr 19 09:06:33 rootsrv kernel: IN=eth0 OUT= PHYSIN=peth0 PHYSOUT=vif0.0 MAC=00:e4:3c:65:37:37:03:02:85:1a:e2:e0:08:00 SRC=213.133.99.99 DST=88.198.xx.xx LEN=73 TOS=0x00 PREC=0x00 TTL=59 ID=0 DF PROTO=UDP SPT=53 DPT=32803 LEN=53
> Apr 19 09:06:38 rootsrv kernel: IN=eth0 OUT= PHYSIN=peth0 PHYSOUT=vif0.0 MAC=00:e4:3c:65:37:37:03:02:85:1a:e2:e0:08:00 SRC=213.133.98.98 DST=88.198.xx.xx LEN=73 TOS=0x00 PREC=0x00 TTL=60 ID=0 DF PROTO=UDP SPT=53 DPT=32804 LEN=53
>
> When I flush the iptables or I put in each request, then everything
> is working fine. But you never know which server will answer to a
> request, so it is impossible to configure all IP addresses. This should
> be done by the line:
>
> -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
>
> which is unfortunately not working.
>
> What is the problem and the solution?
> Many Thanks.
>
> Kind Regards,
> Maik Brauer

_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users
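As an added example (not part of this thread and not written by either poster), the script below triages the kernel LOG lines Maik quoted: it parses the SRC/SPT/DPT fields and flags packets that look like reply traffic (well-known source port, ephemeral destination port) and therefore should have matched the RELATED,ESTABLISHED rule instead of reaching the DROP. It also collects the read-only checks a dom0 admin would run before applying Christo's remedy of disabling TX checksum offload. The names LOG_SAMPLE, summarize_drops, count_replies and check_tx_offload are hypothetical; the sample log is constructed from four of the posted lines (with the posted "xx" placeholders kept), and the live check assumes ethtool and iptables exist on the dom0.

```shell
#!/bin/sh
# Added example, not code from the Xen-users thread.
# Part 1 (offline): classify the LOG lines from the post.
# Part 2 (live, not run by default): read-only checks on a dom0.

# Constructed sample: four of the kernel LOG lines quoted in the thread.
# Three are DNS answers (SPT=53 -> high port); one is an unsolicited UDP packet.
LOG_SAMPLE='Apr 19 09:06:19 rootsrv kernel: IN=eth0 OUT= PHYSIN=peth0 PHYSOUT=vif0.0 MAC=00:e4:3c:65:37:37:03:02:85:1a:e2:e0:08:00 SRC=213.133.99.99 DST=88.198.xx.xx LEN=73 TOS=0x00 PREC=0x00 TTL=59 ID=0 DF PROTO=UDP SPT=53 DPT=32803 LEN=53
Apr 19 09:06:20 rootsrv kernel: IN=eth0 OUT= PHYSIN=peth0 PHYSOUT=vif0.0 MAC=00:e4:3c:65:37:37:03:02:85:1a:e2:e0:08:00 SRC=26.104.239.90 DST=88.198.xx.xx LEN=393 TOS=0x00 PREC=0x00 TTL=55 ID=44193 PROTO=UDP SPT=31178 DPT=1026 LEN=373
Apr 19 09:06:24 rootsrv kernel: IN=eth0 OUT= PHYSIN=peth0 PHYSOUT=vif0.0 MAC=00:e4:3c:65:37:37:03:02:85:1a:e2:e0:08:00 SRC=213.133.98.98 DST=88.198.xx.xx LEN=73 TOS=0x00 PREC=0x00 TTL=60 ID=0 DF PROTO=UDP SPT=53 DPT=32804 LEN=53
Apr 19 09:06:27 rootsrv kernel: IN=eth0 OUT= PHYSIN=peth0 PHYSOUT=vif0.0 MAC=00:e4:3c:65:37:37:03:02:85:1a:e2:e0:08:00 SRC=213.133.100.100 DST=88.198.xx.xx LEN=73 TOS=0x00 PREC=0x00 TTL=59 ID=0 DF PROTO=UDP SPT=53 DPT=32805 LEN=53'

# summarize_drops LOGTEXT
# Prints "PROTO SRC SPT DPT kind" per logged packet. "reply" means the source
# port is a service port (<1024) and the destination an ephemeral port (>=1024),
# i.e. return traffic that a working ctstate ESTABLISHED rule should accept.
summarize_drops() {
    printf '%s\n' "$1" | awk '
    {
        proto = ""; src = ""; spt = ""; dpt = "";
        for (i = 1; i <= NF; i++) {
            split($i, kv, "=");
            if (kv[1] == "PROTO") proto = kv[2];
            else if (kv[1] == "SRC") src = kv[2];
            else if (kv[1] == "SPT") spt = kv[2];
            else if (kv[1] == "DPT") dpt = kv[2];
        }
        if (proto == "") next;   # not a netfilter LOG line
        kind = (spt + 0 < 1024 && dpt + 0 >= 1024) ? "reply" : "unsolicited";
        print proto, src, spt, dpt, kind;
    }'
}

# count_replies LOGTEXT
# Number of logged drops that look like replies; a non-zero count with the
# RELATED,ESTABLISHED rule in place means conntrack is not matching them.
count_replies() {
    summarize_drops "$1" | awk '$5 == "reply" { n++ } END { print n + 0 }'
}

# check_tx_offload [DEVICE]
# Read-only live checks for a dom0 (needs root; not executed by this script
# unless called with --live). Assumed tools: ethtool, iptables.
check_tx_offload() {
    dev=${1:-eth0}
    # 'tx-checksumming: on' is the setting the reply in the thread turns off
    # with: ethtool -K "$dev" tx off   (remedy from the thread, not run here)
    ethtool -k "$dev" | grep -i 'tx-checksum'
    # Per-rule packet counters: drops climbing while the ctstate rule's counter
    # stays flat confirms the replies are failing to match RELATED,ESTABLISHED.
    iptables -vnL INPUT
}

if [ "${1:-}" = "--live" ]; then
    check_tx_offload "${2:-eth0}"
else
    summarize_drops "$LOG_SAMPLE"
    echo "reply-looking drops: $(count_replies "$LOG_SAMPLE")"
fi
```

Run without arguments to classify the embedded sample (three reply-looking drops, one unsolicited packet); run as root with `--live eth0` on the dom0 to print the offload state and the INPUT counters before changing anything.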