Re: [Xen-users] iptables problem

[Sergey Smirnov <sergey.a.smirnov@xxxxxxxxx>]

Hi Ivan,

maybe you should add the permanent rules in the bottom of your iptables configuration like this? -

-A FORWARDÂ--sourceÂdomU_ipÂ--jumpÂACCEPT

-A FORWARDÂ--destinationÂdomU_ipÂ--jumpÂACCEPT

so it will be works in any time without additional rules added by xen scripts.

I use the same configuration.

On Tue, Oct 13, 2009 at 2:31 PM, Ivan Lisenkov <ivan@xxxxxxxxx> wrote:

Dear xen users,

I am using xen 3.3.1 on opensuse 11.1. After creating a domU with 2 nics two iptables rules are created by default:

-A FORWARD -s XX.XX.XX.24/32 -m physdev --physdev-in vif77.0 -j ACCEPT
-A FORWARD -p udp -m physdev --physdev-in vif77.0 -m udp --sport 68 --dport 67 -j ACCEPT
-A FORWARD -s XX.XX.XX.25/32 -m physdev --physdev-in vif77.1 -j ACCEPT
-A FORWARD -p udp -m physdev --physdev-in vif77.1 -m udp --sport 68 --dport 67 -j ACCEPT

The rules seems logical, but one of them does no work! I can't ping XX.XX.XX.24 from outside. But if I change the rule manulally to:

-A FORWARD -s 188.40.226.24/32 -m physdev --physdev-in vif77.1 -j ACCEPT

everything works. This seems unlogical, because first ip is bounded to second nic, but works. The problem is that I have to change the rules every I reboot domu.

Any ideas how to fix it?


_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users

-- 
Serg Smirnov
email/xmpp: Sergey.A.Smirnov@xxxxxxxxx

_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users