|
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] Re: [Xen-users] Re: Blocking DomU NetBios
Hi Ligesh,
On Thu, Feb 14, 2008 at 09:30:56PM +0530, Ligesh wrote:
> On Wed, Feb 13, 2008 at 06:59:45PM +0000, Andy Smith wrote:
> > You need to use --physdev since this is a bridge.
>
> Thanks a lot for the answer. The problem is that I am not seeing any packet
> at all going through in the forward chain.
It works for me, so our configurations must be different.
> Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
> pkts bytes target prot opt in out source
> destination
> 0 0 DROP all -- any any anywhere anywhere
> PHYSDEV match --physdev-in vifxenv0
> 0 0 DROP all -- any any anywhere anywhere
> PHYSDEV match --physdev-in vifxenv0
What is vifxenv0?
With a rule like:
iptables -A FORWARD -m physdev --physdev-in peth0 --physdev-out v-foo
-j domu_foo_in
I see traffic from the outside world coming in to the domU on
interface v-foo and make it jump to a chain called domu_foo_in.
With:
iptables -A FORWARD -m physdev --physdev-in v-foo --physdev-out peth0
-j domu_foo_out
I see traffic from the domU on interface v-foo destined for outside
world.
There are some additional complications in matching dom0->domU and
domU->domU traffic.
What is your /proc/sys/net/bridge/bridge-nf-call-iptables set to?
It should be 1.
Cheers,
Andy
Attachment:
signature.asc _______________________________________________ Xen-users mailing list Xen-users@xxxxxxxxxxxxxxxxxxx http://lists.xensource.com/xen-users
|
 |
Lists.xenproject.org is hosted with RackSpace, monitoring our |