Xen project Mailing List

RE: [Xen-users] iptables problem

To: "'Sergey Smirnov'" <sergey.a.smirnov@xxxxxxxxx>, "'Ivan Lisenkov'" <ivan@xxxxxxxxx>

From: "Dustin Henning" <Dustin.Henning@xxxxxxxxxxx>

Date: Wed, 14 Oct 2009 11:51:11 -0400

Delivery-date: Wed, 14 Oct 2009 08:52:06 -0700

List-id: Xen user discussion <xen-users.lists.xensource.com>

Thread-index: AcpM5GaJ+FhsHVR/QICK/APx48FU+wAAUS5w

Depending on your security needs, and the constraints of your kernel, a simpler, potentially less resource-intensive solution might be adding this line to the iptables configuration: -A FORWARD -m physdev --physdev-is-bridged -j ACCEPT I use this setup, but I manage all of the domUs on that machine, so they don't need restricted at the bridge level. Dustin From: xen-users-bounces@xxxxxxxxxxxxxxxxxxx [mailto:xen-users-bounces@xxxxxxxxxxxxxxxxxxx] On Behalf Of Sergey Smirnov Sent: Wednesday, October 14, 2009 11:37 To: Ivan Lisenkov Cc: xen-users@xxxxxxxxxxxxxxxxxxx Subject: Re: [Xen-users] iptables problem Hi Ivan, maybe you should add the permanent rules in the bottom of your iptables configuration like this? - -A FORWARD --source domU_ip --jump ACCEPT -A FORWARD --destination domU_ip --jump ACCEPT so it will be works in any time without additional rules added by xen scripts. I use the same configuration. On Tue, Oct 13, 2009 at 2:31 PM, Ivan Lisenkov <ivan@xxxxxxxxx> wrote: Dear xen users, I am using xen 3.3.1 on opensuse 11.1. After creating a domU with 2 nics two iptables rules are created by default: -A FORWARD -s XX.XX.XX.24/32 -m physdev --physdev-in vif77.0 -j ACCEPT -A FORWARD -p udp -m physdev --physdev-in vif77.0 -m udp --sport 68 --dport 67 -j ACCEPT -A FORWARD -s XX.XX.XX.25/32 -m physdev --physdev-in vif77.1 -j ACCEPT -A FORWARD -p udp -m physdev --physdev-in vif77.1 -m udp --sport 68 --dport 67 -j ACCEPT The rules seems logical, but one of them does no work! I can't ping XX.XX.XX.24 from outside. But if I change the rule manulally to: -A FORWARD -s 188.40.226.24/32 -m physdev --physdev-in vif77.1 -j ACCEPT everything works. This seems unlogical, because first ip is bounded to second nic, but works. The problem is that I have to change the rules every I reboot domu. Any ideas how to fix it? _______________________________________________ Xen-users mailing list Xen-users@xxxxxxxxxxxxxxxxxxx http://lists.xensource.com/xen-users -- Serg Smirnov email/xmpp: Sergey.A.Smirnov@xxxxxxxxx _______________________________________________ Xen-users mailing list Xen-users@xxxxxxxxxxxxxxxxxxx http://lists.xensource.com/xen-users

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.