
Re: [Xen-users] Networking with a subnet (new issue)



Well now we're moving along...

Maybe this question would be better answered on the netfilter list, but I 
thought I'd try here first. With the same scenario I described below, I 
enabled "antispoofing" and things broke when trying to get anywhere past the 
dom0.  I can get between the domU and dom0 just fine, but the domU can't get 
out to the Internet.

It seems that once things get past pdummy0, they are getting blocked at dummy0.

iptables is logging the following types of dropped packets.

outbound test:
Jul 29 10:42:15 xxx kernel: IN=dummy0 OUT=eth1 SRC=domUIP DST=externalIP LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=28148 DF PROTO=TCP SPT=40749 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0

inbound test:
Jul 29 10:46:40 xxx kernel: IN=eth1 OUT=dummy0 SRC=externalIP DST=domUIP LEN=60 TOS=0x00 PREC=0x00 TTL=111 ID=35261 PROTO=ICMP TYPE=8 CODE=0 ID=1280 SEQ=8260


where domUIP is the IP address of my domU, and externalIP is an IP address of 
something outside of my network.

I'm not sure how I can permit these packets to go through without compromising 
the antispoofing setup... if I accept everything that is coming in from dummy0 
or going out through eth1, won't that pretty much undo what the antispoofing 
chains did?

Once again, any suggestions or pointers will be helpful.. :)

This is my current iptables setup

# /sbin/iptables -L -v -n
Chain INPUT (policy ACCEPT 4586 packets, 402K bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     udp  --  virbr0 *       0.0.0.0/0            0.0.0.0/0           udp dpt:53
    0     0 ACCEPT     tcp  --  virbr0 *       0.0.0.0/0            0.0.0.0/0           tcp dpt:53
    0     0 ACCEPT     udp  --  virbr0 *       0.0.0.0/0            0.0.0.0/0           udp dpt:67
    0     0 ACCEPT     tcp  --  virbr0 *       0.0.0.0/0            0.0.0.0/0           tcp dpt:67

Chain FORWARD (policy DROP 130 packets, 7936 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-in pdummy0
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-in vif0.1
    0     0 ACCEPT     all  --  *      *       dom0IP               0.0.0.0/0           PHYSDEV match --physdev-in vif1.0
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-in vif1.0 udp spt:68 dpt:67
  274 21408 LOGDROP    all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT 4266 packets, 672K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain LOGDROP (1 references)
 pkts bytes target     prot opt in     out     source               destination
  274 21408 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0           LOG flags 0 level 4
  274 21408 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0



----- Original Message -----
From: "Kristofer" <kristofer@xxxxxxxxxxxxxx>
To: "Kristofer" <kristofer@xxxxxxxxxxxxxx>
Cc: xen-users@xxxxxxxxxxxxxxxxxxx
Sent: Tuesday, July 29, 2008 12:47:42 AM GMT -06:00 US/Canada Central
Subject: Re: [Xen-users] Networking with a subnet

Well I feel completely stupid.  After a few days of messing with  
this.... I shouldn't even admit how dumb this was.

I have a /29.. I was using .240 on the dummy0 interface on dom0.. Uhh,  
yeah.. I can't do math and realize that .240 was the network  
address. :-\

Oops.  Setting dummy0 to .241, which is the correct first address of  
the subnet, and things are now routing.

*sigh*



On Jul 28, 2008, at 8:23 PM, Kristofer wrote:

> I have been trying for a couple days to try to get this to work, and  
> I'm stumped.  I've seen wikis on how people do it, but I must  
> completely be missing something.
>
> My provider gives me two network connections:
>
> eth0: private
> eth1: public
>
> My eth1 interface has a /29, and I am also getting an additional /29  
> routed to me (so they are routing it to the IP address that is set  
> on my eth1 interface).  So I have two /29's, one which is currently  
> bound to eth1 (subnet A), and one which is just routed to me and not  
> bound (subnet B).  I only want to use one of these /29's for  
> domU's.. the one that is being routed to me (subnet B)
>
> I want to bridge subnet B with my Xen domU's.  I took one IP from  
> subnet B and assigned it to "dummy0", and I can ping it from the  
> outside world, bind to it and make connections outbound, and all is  
> well.
>
> However, I cannot get DomU's to communicate with anything (not even  
> the dom0) if they use an IP address from subnet B.
>
> "brctl status" shows that xenbr1 is connected to vif0.1 and pdummy,  
> and that vif1.0 is also bound to it.
>
> bridge name     bridge id               STP enabled     interfaces
> virbr0          8000.000000000000       yes
> xenbr1          8000.feffffffffff       no              vif1.0
>                                                        pdummy0
>                                                        vif0.1
>
> Now, given that I am trying to do a network install of CentOS on the  
> guest, I can't actually get into the shell and do an "ifconfig" or a  
> "tcpdump" as I don't have any domU's that are created that I can  
> attach to a console, so my troubleshooting is limited to the dom0  
> side.
>
> I've checked iptables, and nothing is set to be dropped/rejected.
>
> xenbr1    Link encap:Ethernet  HWaddr FE:FF:FF:FF:FF:FF
>          UP BROADCAST RUNNING NOARP  MTU:1500  Metric:1
>          RX packets:60 errors:0 dropped:0 overruns:0 frame:0
>          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
>          collisions:0 txqueuelen:0
>          RX bytes:10140 (9.9 KiB)  TX bytes:0 (0.0 b)
>
> vif1.0    Link encap:Ethernet  HWaddr FE:FF:FF:FF:FF:FF
>          inet6 addr: fe80::fcff:ffff:feff:ffff/64 Scope:Link
>          UP BROADCAST RUNNING NOARP  MTU:1500  Metric:1
>          RX packets:7 errors:0 dropped:0 overruns:0 frame:0
>          TX packets:24 errors:0 dropped:0 overruns:0 carrier:0
>          collisions:0 txqueuelen:32
>          RX bytes:412 (412.0 b)  TX bytes:1008 (1008.0 b)
>
> pdummy0   Link encap:Ethernet  HWaddr FE:FF:FF:FF:FF:FF
>          inet6 addr: fe80::fcff:ffff:feff:ffff/64 Scope:Link
>          UP BROADCAST RUNNING NOARP  MTU:1500  Metric:1
>          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
>          TX packets:26 errors:0 dropped:0 overruns:0 carrier:0
>          collisions:0 txqueuelen:0
>          RX bytes:0 (0.0 b)  TX bytes:9276 (9.0 KiB)
>
> dummy0    Link encap:Ethernet  HWaddr B6:CE:E7:E8:3E:9C
>          inet addr:208.x.x.x  Bcast:208.x.x.x  Mask:255.255.255.248
>          inet6 addr: fe80::b4ce:e7ff:fee8:3e9c/64 Scope:Link
>          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
>          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
>          TX packets:29 errors:0 dropped:0 overruns:0 carrier:0
>          collisions:0 txqueuelen:0
>          RX bytes:0 (0.0 b)  TX bytes:9462 (9.2 KiB)
>
> tcpdump's are not showing any traffic on xenbr1, vif1.0, pdummy0, or  
> dummy0.  I'm not even sure if tcpdump will show anything on  
> interfaces like that.  I am also showing nothing on eth1 for  
> anything coming from this domU I am trying to install.
>
> I'm at a loss?
>
>
> Kristofer
>
>
> _______________________________________________
> Xen-users mailing list
> Xen-users@xxxxxxxxxxxxxxxxxxx
> http://lists.xensource.com/xen-users


_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users
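The two LOG lines in the top message are both from the routed hop between dummy0 and eth1, not from the bridge, and that hop is where the "permit without undoing antispoofing" question lives. The usual answer is to match the address range as well as the interface pair: on egress only sources inside the routed /29 may leave via eth1, on ingress only destinations inside the /29 are forwarded, and anything arriving from eth1 that already claims a source inside the /29 is dropped as spoofed. The following is an added example, not code from the post or from Xen's network scripts: a small Python model of FORWARD rules that parses netfilter LOG lines of the shape quoted above and evaluates them under both an interface-only policy and an address-scoped one. The /29 (203.0.113.240/29), the interface roles, the rule set and the log lines are all assumptions or constructed; the poster's real 208.x.x.x/29 and the bridge-side `--physdev-in` rules are not modelled.

```python
import ipaddress
import re
from collections import namedtuple

# Assumed topology (the original post masks its addresses as domUIP/externalIP):
# DOMU_NET is "subnet B", the routed /29 the domUs use; dummy0 is the interface
# the routed hop enters on; eth1 is the public uplink. 203.0.113.0/24,
# 198.51.100.0/24 and 192.0.2.0/24 are documentation ranges standing in for
# the poster's 208.x.x.x/29 and for hosts on the Internet.
DOMU_NET = ipaddress.ip_network("203.0.113.240/29")
INSIDE_IF = "dummy0"
OUTSIDE_IF = "eth1"

# One FORWARD rule on the routed hop, the equivalent of
#   iptables -A FORWARD -i IN_IF -o OUT_IF [-s NET | ! -s NET] [-d NET] -j VERDICT
# None means "any". The bridge-side physdev rules from the post are a separate
# hop and are deliberately not modelled here.
Rule = namedtuple("Rule", "in_if out_if src_net src_negated dst_net verdict")

# What the post is worried about: matching on interfaces alone. This re-opens
# exactly the hole the antispoofing chains closed, because any source address
# may transit in either direction.
NAIVE_POLICY = [
    Rule(INSIDE_IF, OUTSIDE_IF, None, False, None, "ACCEPT"),
    Rule(OUTSIDE_IF, INSIDE_IF, None, False, None, "ACCEPT"),
]

# The scoped alternative: tie each interface pair to the address range that
# legitimately belongs on it.
SCOPED_POLICY = [
    # egress: only sources inside the routed /29 may leave via eth1
    Rule(INSIDE_IF, OUTSIDE_IF, DOMU_NET, False, None, "ACCEPT"),
    # ingress: only destinations inside the /29, and never a packet that comes
    # in from the uplink already claiming a source inside the /29 (spoofed)
    Rule(OUTSIDE_IF, INSIDE_IF, DOMU_NET, True, DOMU_NET, "ACCEPT"),
]

LOG_RE = re.compile(r"IN=(?P<in>\S*) OUT=(?P<out>\S*) SRC=(?P<src>\S+) DST=(?P<dst>\S+)")


def parse_log(line):
    """Pull the fields a FORWARD decision needs out of a netfilter LOG line."""
    m = LOG_RE.search(line)
    if m is None:
        raise ValueError("not a netfilter LOG line: %r" % line)
    return {
        "in": m["in"],
        "out": m["out"],
        "src": ipaddress.ip_address(m["src"]),
        "dst": ipaddress.ip_address(m["dst"]),
    }


def rule_matches(rule, pkt):
    """Interface and address checks as iptables would apply them."""
    if rule.in_if is not None and pkt["in"] != rule.in_if:
        return False
    if rule.out_if is not None and pkt["out"] != rule.out_if:
        return False
    # '-s NET' matches when src is inside NET, '! -s NET' when it is outside
    if rule.src_net is not None and (pkt["src"] in rule.src_net) == rule.src_negated:
        return False
    if rule.dst_net is not None and pkt["dst"] not in rule.dst_net:
        return False
    return True


def verdict(policy, pkt, chain_policy="DROP"):
    """First matching rule wins, as in iptables; otherwise the chain policy."""
    for rule in policy:
        if rule_matches(rule, pkt):
            return rule.verdict
    return chain_policy


def audit(policy, lines):
    """Verdict for each LOG line under the given FORWARD policy."""
    return [verdict(policy, parse_log(line)) for line in lines]


# Constructed log lines in the same shape as the ones in the post.
SAMPLE_LOGS = [
    # the post's outbound test: domU -> a web server outside
    "Jul 29 10:42:15 xxx kernel: IN=dummy0 OUT=eth1 SRC=203.0.113.242 DST=198.51.100.10 LEN=60 PROTO=TCP SPT=40749 DPT=80 SYN",
    # the post's inbound test: ping from outside -> domU
    "Jul 29 10:46:40 xxx kernel: IN=eth1 OUT=dummy0 SRC=198.51.100.10 DST=203.0.113.242 LEN=60 PROTO=ICMP TYPE=8 CODE=0",
    # a compromised domU spoofing a foreign source on egress
    "Jul 29 10:50:01 xxx kernel: IN=dummy0 OUT=eth1 SRC=192.0.2.9 DST=198.51.100.10 LEN=60 PROTO=TCP SPT=1025 DPT=25 SYN",
    # an outside host claiming an address inside the /29 on ingress
    "Jul 29 10:51:13 xxx kernel: IN=eth1 OUT=dummy0 SRC=203.0.113.243 DST=203.0.113.242 LEN=60 PROTO=TCP SPT=1026 DPT=22 SYN",
]

if __name__ == "__main__":
    for line, naive, scoped in zip(SAMPLE_LOGS,
                                   audit(NAIVE_POLICY, SAMPLE_LOGS),
                                   audit(SCOPED_POLICY, SAMPLE_LOGS)):
        print("naive=%-6s scoped=%-6s %s" % (naive, scoped, line.split("kernel: ")[1]))
```

Run as a script it prints one line per sample: both of the post's own test packets pass under either policy, but the two spoofed packets pass only under the interface-only policy. On a real dom0 the scoped rules would normally sit behind an `ESTABLISHED,RELATED` conntrack accept and ahead of the LOGDROP fallthrough, and the `--physdev-in` rules from the post keep guarding the bridge hop; the model ignores connection state on purpose so that the address check is the only thing deciding the verdict.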

