
Re: [Xen-users] dom0 iptables


  • To: xen-users <xen-users@xxxxxxxxxxxxxxxxxxx>
  • From: "Fajar A. Nugraha" <fajar@xxxxxxxxx>
  • Date: Tue, 5 May 2009 10:48:45 +0700
  • Delivery-date: Mon, 04 May 2009 20:49:24 -0700
  • List-id: Xen user discussion <xen-users.lists.xensource.com>

On Tue, May 5, 2009 at 2:42 AM, Mark Chaney <macscr@xxxxxxxxxx> wrote:
> Ok, I am setting up a new dom0 at a colo provider and usually the colo
> facility acts as my gateway, but at this new one, the provider is
> recommending that I use the server as its own gateway. That unfortunately
> doesn't work too well when it comes to iptables and my domUs. IPtables do not
> support virtual interfaces, so I can't just whitelist them unfortunately.

If I recall correctly, the Xen network bridge whitelists domUs by default.
Something like:

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           PHYSDEV
match --physdev-in vif2.0

You can use the domU's vif interface as physdev. When setting up iptables
manually, it might be easier to use a custom vif name using
"vifname=NAME" on the vif line.

>
> I have tried these two rules, but no difference:
> iptables -I INPUT 1 -d 207.xxx.xxx.0/30 -j ACCEPT
> iptables -I OUTPUT 1 -s 207.xxx.xxx.0/30 -j ACCEPT

I believe that should be on FORWARD.

Regards,

Fajar

_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users
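Fajar's two points (match the guest by its vif with physdev, and put the rules in FORWARD rather than INPUT/OUTPUT) worked out as a small dom0 script. This is an added example, not code from the thread or from Xen; it assumes the guest's vif was given a fixed name with vifname=vm1 in its config and uses a constructed guest address 203.0.113.10/32.

```shell
#!/bin/sh
# Added example (not from the thread): dom0 FORWARD rules that whitelist one
# bridged domU by its vif (physdev match), as Fajar suggests.
# Assumptions: the guest's vif is named vm1 via vifname=vm1 in its config;
# 203.0.113.10/32 is a constructed guest address.
# Set IPT="echo iptables" to preview the rules without root.
# Bridged frames only pass through iptables FORWARD when
# net.bridge.bridge-nf-call-iptables is 1; otherwise nothing below matches.

IPT="${IPT:-iptables}"

# Baseline for the bridge: drop by default, let reply traffic through.
dom0_forward_baseline() {
    $IPT -P FORWARD DROP
    $IPT -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
}

# domu_forward_rules VIFNAME GUEST_CIDR
# Frames entering the bridge from the guest's vif are accepted only with
# the guest's own source address (anti-spoofing); frames leaving towards
# the guest's vif only for its own destination address. Anything else
# crossing that vif is dropped.
domu_forward_rules() {
    vif=$1
    cidr=$2
    $IPT -A FORWARD -m physdev --physdev-in "$vif" -s "$cidr" -j ACCEPT
    $IPT -A FORWARD -m physdev --physdev-in "$vif" -j DROP
    $IPT -A FORWARD -m physdev --physdev-out "$vif" -d "$cidr" -j ACCEPT
    $IPT -A FORWARD -m physdev --physdev-out "$vif" -j DROP
}

# Usage: applies only when saved and run as domu-fw.sh, so sourcing the
# file (e.g. for a dry run) defines the functions without touching rules.
if [ "${0##*/}" = "domu-fw.sh" ]; then
    dom0_forward_baseline
    domu_forward_rules vm1 203.0.113.10/32
fi
```

Run with IPT="echo iptables" first to review the generated rule set, then again as root to apply it.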
