
Re: [Xen-users] Has anyone successfully set up a dhcp/iptables firewall in dom0 NATing traffic from domU?



Hi,

For what it's worth, I've come to the conclusion that the best policy is to run 
*nothing* in the Dom0 above and beyond what you absolutely need. In my case, no 
iptables whatsoever and nothing listening on a public interface save ssh, which 
is protected by hosts.allow.
(then run everything else on a second/private eth)

There appears to be a rather nasty bug somewhere in the IP stack. I'm thinking 
it's in conntrack with regards to bridging with Xen in Dom0s, which ultimately 
causes lots of problems including machine lockups.

Since scrapping iptables I've not had a single lockup. (across 6 machines and 
18 DomU's)
[I'm working with kernels 2.6.2x]

hth
Gareth.


----- Original Message -----
From: "Juergen Schinker" <ba1020@xxxxxxxxxxxxxxxxxxx>
To: xen-users@xxxxxxxxxxxxxxxxxxx
Sent: 12 February 2008 11:47:20 o'clock (GMT) Europe/London
Subject: Re: [Xen-users] Has anyone successfully set up a dhcp/iptables firewall in dom0 NATing traffic from domU?

> I've been struggling with this problem for a few days now; perhaps
> someone here has had experience with this problem already.  I am trying
> to set up a rack server like this:
>
> dom0: iptables/dhcp
> dom1: LAMP server
> dom2: MAIL server
> dom3: VNC vm for graphical admin and web tools
>
> Dom0 has one physical interface eth0 which receives a static ip, i have
> also set up a bridge called br0 that i have bound dnsmasq to in order to
> dole out ips to the domU's.  The domU's are assigned a mac address and
> once they boot dhclient requests an ip over 192.168.0.1 which works
> well.  Once the domU has booted I can ping the other domU's by ip and
> the br0 itself at 192.168.0.1 as well as accessing all the servers in
> the domUs in my internal network.  I.e. I can hit the webserver in dom1
> from dom3.  I can also ping external sites by domain name like
> google.com.  Unfortunately that is about all I can do.  I cannot access
> any other form of net traffic from inside the domU, i.e I cannot access
> the web or rsync.  My question is basically, is this a problem with Xen
> networking or is it a problem with iptables?  Both?
>
>  - Rich
>
> _______________________________________________
> Xen-users mailing list
> Xen-users@xxxxxxxxxxxxxxxxxxx
> http://lists.xensource.com/xen-users
>
>
Yes here http://homie.homelinux.net/wordpress/?p=11





_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users
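The question Rich asks (Xen networking or iptables?) can be narrowed down from dom0 with three checks: whether the kernel forwards at all, whether traffic leaving the public interface is masqueraded, and whether the FORWARD chain passes bridge traffic and its replies. The script below is an added example, not code from the thread or from any of the posters; it assumes the layout Rich describes (public `eth0`, bridge `br0` at 192.168.0.1 running dnsmasq) and takes rule text as arguments so the checks can be exercised offline. The sample rulesets are constructed. It also reports `bridge-nf-call-iptables`, the sysctl that decides whether bridged domU frames traverse iptables and conntrack in dom0, which is the interaction Gareth suspects.

```shell
#!/bin/sh
# Added example (not from the thread): dom0 NAT/forwarding diagnostics for a
# setup with a public interface (eth0) and a Xen bridge (br0, 192.168.0.1/24).
# Every check takes text as input so it runs without root or iptables;
# pass --live on a real dom0 to feed it the running configuration.

# $1 = contents of /proc/sys/net/ipv4/ip_forward
forwarding_enabled() {
    [ "$(printf '%s' "$1" | tr -d '[:space:]')" = "1" ]
}

# $1 = output of `iptables -t nat -S`, $2 = public interface name.
# Looks for a POSTROUTING rule that rewrites the source of traffic leaving $2.
has_masquerade() {
    printf '%s\n' "$1" | grep -Eq -- "-A POSTROUTING .*-o $2 .*-j (MASQUERADE|SNAT)"
}

# $1 = output of `iptables -S FORWARD`, $2 = bridge name.
# Passes only if bridge traffic may leave AND established replies may return
# (an ACCEPT policy satisfies both).
forward_allows_bridge() {
    printf '%s\n' "$1" | grep -Eq -- "^-P FORWARD ACCEPT|-A FORWARD .*-i $2 .*-j ACCEPT" || return 1
    printf '%s\n' "$1" | grep -Eq -- "^-P FORWARD ACCEPT|-A FORWARD .*(ESTABLISHED|RELATED).*-j ACCEPT" || return 1
    return 0
}

# $1 = contents of /proc/sys/net/bridge/bridge-nf-call-iptables (or empty).
# Returns 0 when bridged frames are handed to iptables/conntrack in dom0.
bridge_frames_hit_iptables() {
    [ "$(printf '%s' "$1" | tr -d '[:space:]')" = "1" ]
}

# $1 ip_forward, $2 nat rules, $3 FORWARD rules, $4 public if, $5 bridge,
# $6 bridge-nf-call-iptables. Prints findings; returns 0 when all checks pass.
diagnose() {
    rc=0
    forwarding_enabled "$1" || { echo "FAIL: net.ipv4.ip_forward is not 1"; rc=1; }
    has_masquerade "$2" "$4" || { echo "FAIL: no MASQUERADE/SNAT out of $4 in nat POSTROUTING"; rc=1; }
    forward_allows_bridge "$3" "$5" || { echo "FAIL: FORWARD chain does not pass $5 traffic and replies"; rc=1; }
    if bridge_frames_hit_iptables "$6"; then
        echo "INFO: bridge-nf-call-iptables=1, bridged $5 frames traverse iptables/conntrack"
    fi
    [ "$rc" -eq 0 ] && echo "OK: forwarding and NAT rules look complete for $5 -> $4"
    return "$rc"
}

# Constructed sample matching the symptom in the thread: DNS works because
# dnsmasq answers on br0 itself, but nothing is masqueraded out of eth0 and
# replies are never let back through FORWARD.
SAMPLE_NAT='-P PREROUTING ACCEPT
-P POSTROUTING ACCEPT
-P OUTPUT ACCEPT'
SAMPLE_FWD='-P FORWARD DROP
-A FORWARD -i br0 -j ACCEPT'

# Constructed sample of a complete ruleset for comparison.
GOOD_NAT='-A POSTROUTING -s 192.168.0.0/24 -o eth0 -j MASQUERADE'
GOOD_FWD='-P FORWARD DROP
-A FORWARD -i br0 -o eth0 -j ACCEPT
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT'

if [ "$1" = "--live" ]; then
    # Requires root and iptables on the dom0 being examined.
    diagnose "$(cat /proc/sys/net/ipv4/ip_forward)" "$(iptables -t nat -S)" \
             "$(iptables -S FORWARD)" eth0 br0 \
             "$(cat /proc/sys/net/bridge/bridge-nf-call-iptables 2>/dev/null)"
fi
```

Run it as `sh dom0-nat-check.sh --live` on the dom0; without `--live` it only defines the checks. Each FAIL line points at the dom0 side of the problem, so if all three pass and domUs still cannot reach the outside, the Xen bridge configuration is the next place to look.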
