[Xen-users] IPtables "ctstate RELATED,ESTABLISHED" are not working
Maik Brauer writes:

> after installing XEN 3.0.4-1 and setting up iptables for that, I've some
> problems with the ctstate traffic, which is
> blocked from IPtables. Below a short printout is available from my
> /var/log/kern.log:
> --------
> May 13 17:05:13 debian4 kernel: IN=eth0 OUT= PHYSIN=peth0 PHYSOUT=vif0.0
> MAC=00:13:8f:0f:5b:c7:00:04:0e:66:da:c8:08:00 SRC=172.16.76.15
> DST=172.16.76.99 LEN=117 TOS=0x00 PREC=0x00 TTL=64 ID=2091 PROTO=UDP
> SPT=53 DPT=32769 LEN=97

I recently upgraded to Xen 3.0.4-1, and encountered the same (or very
similar) problem.

May 13 12:51:25 elysium INPUT IN=eth0 OUT= PHYSIN=peth0 PHYSOUT=vif0.0
MAC=00:0f:ea:43:13:6a:00:14:bf:94:c1:0f:08:00 SRC=199.7.66.1
DST=10.137.1.1 LEN=268 TOS=0x00 PREC=0x00 TTL=58 ID=62618 DF PROTO=UDP
SPT=53 DPT=33689 LEN=248

My firewall rules are automatically generated (from a Haskell script), and
worked fine with the earlier version of Xen. The rules are a bit lengthy, so
I have appended a cut-down version of them at the end of this message (the
omitted rules deal with other ports, which should be irrelevant).

> So to avoid that the firewall will block the traffic through the bridge I
> can use the command:
>
> sysctl -w net.bridge.bridge-nf-call-iptables="0"

This also restores traffic for me - thank you.

> which is working. Then everything is fine. But this is not the real
> solution. It should work without this.
> So my question is now, did I forget something or is this a known bug in XEN?

I have the same question.

> Is there anybody who is sharing this problem with me?

I think I am.
Tim

---

Chain INPUT (policy ACCEPT 507 packets, 83922 bytes)
 pkts bytes target prot opt in   out source   destination
    0     0 DROP   tcp  --  any  any anywhere anywhere  tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST,PSH,ACK,URG
    0     0 DROP   tcp  --  any  any anywhere anywhere  tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST,ACK,URG
    0     0 DROP   tcp  --  any  any anywhere anywhere  tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,PSH,URG
    0     0 DROP   tcp  --  any  any anywhere anywhere  tcp flags:FIN,SYN,RST,PSH,ACK,URG/NONE
    0     0 DROP   tcp  --  any  any anywhere anywhere  tcp flags:SYN,RST/SYN,RST
    0     0 DROP   tcp  --  any  any anywhere anywhere  tcp flags:FIN,SYN/FIN,SYN
 7129 2290K ACCEPT all  --  any  any anywhere anywhere  state RELATED,ESTABLISHED
    2   264 ACCEPT tcp  --  eth0 any anywhere anywhere  tcp dpt:ssh limit: avg 3/sec burst 5
    0     0 ACCEPT tcp  --  eth0 any anywhere anywhere  tcp dpt:domain limit: avg 3/sec burst 5
   68  4154 ACCEPT udp  --  eth0 any anywhere anywhere  udp dpt:domain limit: avg 3/sec burst 5
  266 15992 ACCEPT all  --  lo   any anywhere anywhere  /* Accept everything on loop back (lo) */
    3   252 ACCEPT icmp --  any  any anywhere anywhere  icmp echo-reply limit: avg 3/sec burst 5
    1    88 ACCEPT icmp --  any  any anywhere anywhere  icmp destination-unreachable limit: avg 3/sec burst 5
    1    84 ACCEPT icmp --  any  any anywhere anywhere  icmp echo-request limit: avg 3/sec burst 5
    0     0 ACCEPT icmp --  any  any anywhere anywhere  icmp time-exceeded limit: avg 3/sec burst 5
   90 15357 LOG    all  --  any  any anywhere anywhere  LOG level warning prefix `INPUT '
   90 15357 DROP   all  --  any  any anywhere anywhere

Chain FORWARD (policy ACCEPT 823 packets, 631K bytes)
 pkts bytes target prot opt in   out source   destination
    0     0 DROP   tcp  --  any  any anywhere anywhere  tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST,PSH,ACK,URG
    0     0 DROP   tcp  --  any  any anywhere anywhere  tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST,ACK,URG
    0     0 DROP   tcp  --  any  any anywhere anywhere  tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,PSH,URG
    0     0 DROP   tcp  --  any  any anywhere anywhere  tcp flags:FIN,SYN,RST,PSH,ACK,URG/NONE
    0     0 DROP   tcp  --  any  any anywhere anywhere  tcp flags:SYN,RST/SYN,RST
    0     0 DROP   tcp  --  any  any anywhere anywhere  tcp flags:FIN,SYN/FIN,SYN
  139 20954 ACCEPT all  --  any  any anywhere anywhere  state RELATED,ESTABLISHED
   44  3112 ACCEPT all  --  any  any anywhere anywhere  PHYSDEV match --physdev-in vif0.0
    0     0 ACCEPT all  --  any  any anywhere anywhere  PHYSDEV match --physdev-in rat.0
    0     0 ACCEPT all  --  any  any anywhere anywhere  PHYSDEV match --physdev-in rat.0
    0     0 ACCEPT all  --  any  any anywhere anywhere  PHYSDEV match --physdev-in pro.0
    0     0 ACCEPT tcp  --  any  any anywhere anywhere  tcp dpt:ssh PHYSDEV match --physdev-out vif0.0 limit: avg 3/sec burst 5
    0     0 ACCEPT tcp  --  any  any anywhere anywhere  tcp dpt:domain PHYSDEV match --physdev-out vif0.0 limit: avg 3/sec burst 5
    1    57 ACCEPT udp  --  any  any anywhere anywhere  udp dpt:domain PHYSDEV match --physdev-out vif0.0 limit: avg 3/sec burst 5
    0     0 ACCEPT tcp  --  any  any anywhere anywhere  tcp dpt:ssh PHYSDEV match --physdev-out rat.0 limit: avg 3/sec burst 5
    0     0 ACCEPT tcp  --  any  any anywhere anywhere  tcp dpt:ssh PHYSDEV match --physdev-out pro.0 limit: avg 3/sec burst 5
    0     0 ACCEPT icmp --  any  any anywhere anywhere  icmp echo-reply limit: avg 3/sec burst 5
    0     0 ACCEPT icmp --  any  any anywhere anywhere  icmp destination-unreachable limit: avg 3/sec burst 5
    3   252 ACCEPT icmp --  any  any anywhere anywhere  icmp echo-request limit: avg 3/sec burst 5
    0     0 ACCEPT icmp --  any  any anywhere anywhere  icmp time-exceeded limit: avg 3/sec burst 5
    9  1161 LOG    all  --  any  any anywhere anywhere  LOG level warning prefix `FORWARD '
    9  1161 DROP   all  --  any  any anywhere anywhere

Chain OUTPUT (policy ACCEPT 470 packets, 560K bytes)
 pkts bytes target prot opt in   out source   destination
 7819 4710K ACCEPT all  --  any  any anywhere anywhere

_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users
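As an added triage example (not code from Tim's or Maik's posts), the following Python parser reads netfilter LOG lines of the kind quoted in this thread and separates packets that were logged while crossing the bridge (PHYSIN/PHYSOUT present) from ordinary host traffic, flagging UDP source-port-53 replies to ephemeral ports that the RELATED,ESTABLISHED rule should have accepted. The two bridged lines are copied from the thread; the third, non-bridged line is constructed for contrast.

```python
import re
from collections import Counter

# Sample input: two kernel LOG lines quoted in the thread above, plus one
# constructed non-bridged line (198.51.100.7 is a documentation address).
SAMPLE_LOG = """\
May 13 17:05:13 debian4 kernel: IN=eth0 OUT= PHYSIN=peth0 PHYSOUT=vif0.0 MAC=00:13:8f:0f:5b:c7:00:04:0e:66:da:c8:08:00 SRC=172.16.76.15 DST=172.16.76.99 LEN=117 TOS=0x00 PREC=0x00 TTL=64 ID=2091 PROTO=UDP SPT=53 DPT=32769 LEN=97
May 13 12:51:25 elysium INPUT IN=eth0 OUT= PHYSIN=peth0 PHYSOUT=vif0.0 MAC=00:0f:ea:43:13:6a:00:14:bf:94:c1:0f:08:00 SRC=199.7.66.1 DST=10.137.1.1 LEN=268 TOS=0x00 PREC=0x00 TTL=58 ID=62618 DF PROTO=UDP SPT=53 DPT=33689 LEN=248
May 13 12:52:01 elysium INPUT IN=eth0 OUT= MAC=00:0f:ea:43:13:6a:00:14:bf:94:c1:0f:08:00 SRC=198.51.100.7 DST=10.137.1.1 LEN=60 TOS=0x00 PREC=0x00 TTL=50 ID=1 DF PROTO=TCP SPT=4444 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
"""

# KEY=VALUE tokens as emitted by the iptables LOG target; OUT= may be empty.
FIELD_RE = re.compile(r"\b([A-Z0-9]+)=(\S*)")


def parse_log_line(line):
    """Turn one netfilter LOG line into a dict of its KEY=VALUE fields.
    UDP lines carry LEN twice (IP total length, then UDP length); the
    second occurrence is stored under L4LEN so it is not lost."""
    fields = {}
    for key, value in FIELD_RE.findall(line):
        if key == "LEN" and "LEN" in fields:
            key = "L4LEN"
        fields[key] = value
    return fields


def classify(fields):
    """Label a logged packet for triage of bridge-related drops."""
    bridged = "PHYSIN" in fields or "PHYSOUT" in fields
    # UDP from source port 53 to an ephemeral port is almost certainly a
    # DNS reply, i.e. the return half of a flow conntrack already saw.
    dns_reply = (fields.get("PROTO") == "UDP" and fields.get("SPT") == "53"
                 and int(fields.get("DPT", "0")) >= 1024)
    if bridged and dns_reply:
        return "bridged-reply-dropped"
    if bridged:
        return "bridged-other"
    return "host"


def summarize(log_text):
    """Count each triage class over a block of log text."""
    counts = Counter()
    for line in log_text.splitlines():
        if "IN=" not in line:          # skip non-netfilter kernel messages
            continue
        counts[classify(parse_log_line(line))] += 1
    return counts


if __name__ == "__main__":
    for label, n in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{label}: {n}")
```

A non-zero "bridged-reply-dropped" count while net.bridge.bridge-nf-call-iptables is 1 points at the symptom this thread describes rather than at a rule-ordering mistake in the INPUT or FORWARD chains.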