
Re: [Xen-users] IPTABLES on Xen


  • To: Tapas Mishra <tapas@xxxxxxxxxxxx>
  • From: Paolo <paolovictor@xxxxxxxxx>
  • Date: Tue, 1 Dec 2009 14:04:47 -0200
  • Cc: xen-users@xxxxxxxxxxxxxxxxxxx, Tait Clarridge <tait@xxxxxxxxxxxx>
  • Delivery-date: Tue, 01 Dec 2009 08:05:49 -0800
  • List-id: Xen user discussion <xen-users.lists.xensource.com>

I had a similar problem a couple days ago. I had this network layout:

DHCP Server <-> Switch <-> Host

Somehow, I could ssh from the DHCP server to a DomU at the host, but
not the other way around. A friend of mine suggested checking the
routing table at the Host's Dom0, and it was:

root@aramis:~# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.0.0.0        0.0.0.0         255.255.255.0   U     0      0        0 eth0
0.0.0.0         10.0.0.1        0.0.0.0         UG    100    0        0 eth0
10.0.0.0        0.0.0.0         255.255.255.0   U     0      0        0 peth0
0.0.0.0         10.0.0.1        0.0.0.0         UG    100    0        0 peth0

Where 10.0.0.1 is the DHCP server's IP address. eth0 is the host's
network interface that's connected to the switch.

It seemed strange, so I started toying around and deleted the
entries for peth0:

route del -net 0.0.0.0 dev peth0
route del -net 10.0.0.0 dev peth0

And lo and behold, now the DomU could access the Internet (ping
google, etc). Thinking of it now, I didn't remove/disable the network
managers (I'm using Ubuntu), so that may be the source of the problem.

I hope this helps,
Paolo

On Tue, Dec 1, 2009 at 1:55 PM, Tapas Mishra <tapas@xxxxxxxxxxxx> wrote:
>
> I am now back to the original problem where the Xen machine is able to
> ping other machines on the network.
> Here is the output from the Xen machine; the issue started with ssh:
> [root@localhost ~]# netstat -tualp | grep 22
> tcp        0      0 localhost.localdomain:2208  *:*
>     LISTEN      2594/hpiod
> tcp        0      0 192.168.122.1:domain        *:*
>     LISTEN      2829/dnsmasq
> tcp        0      0 localhost.localdomain:2207  *:*
>     LISTEN      2599/python
> tcp        0      0 192.168.1.84:58022
> qw-in-f83.1e100.net:http    ESTABLISHED 4056/firefox
> udp        0      0 192.168.122.1:domain        *:*
>                 2829/dnsmasq
>
>
> So it is clear that port 22 is not open here, but I have not enabled the
> firewall and have not disabled ICMP echo; still it is not able to reply back. I
> am able to have outgoing ssh/ping from the Xen machine, but any incoming
> ssh/ping is not working, while if you read the above replies in the thread I
> was able to reach this Xen machine from my LAN, but then it was not able to
> access the internet.
> Once again I am doing it from the start; here is what iptables on this machine says:
>
> [root@localhost ~]# iptables -L
> Chain INPUT (policy ACCEPT)
> target     prot opt source               destination
> ACCEPT     udp  --  anywhere             anywhere            udp dpt:domain
> ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:domain
> ACCEPT     udp  --  anywhere             anywhere            udp dpt:bootps
> ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:bootps
>
> Chain FORWARD (policy ACCEPT)
> target     prot opt source               destination
> ACCEPT     all  --  anywhere             192.168.122.0/24    state
> RELATED,ESTABLISHED
> ACCEPT     all  --  192.168.122.0/24     anywhere
> ACCEPT     all  --  anywhere             anywhere
> REJECT     all  --  anywhere             anywhere
> reject-with icmp-port-unreachable
> REJECT     all  --  anywhere             anywhere
> reject-with icmp-port-unreachable
>
> Chain OUTPUT (policy ACCEPT)
> target     prot opt source               destination
> [root@localhost ~]#
>
> Now what ?
> On Tue, Dec 1, 2009 at 7:40 AM, Tapas Mishra <tapas@xxxxxxxxxxxx> wrote:
> > I have resolved this problem; here is what I did:
> > I added to /etc/sysconfig/network-scripts/ifcfg-eth0
> > PEERDNS=no
> > DNS1=XXX.XXX.XXX.XXX (that is my gateway)
> >
> > But still I am wondering why it happened.
> > ssh and everything else including internet is working fine on the Xen 
> > machine
> > On Tue, Dec 1, 2009 at 7:00 AM, Tait Clarridge <tait@xxxxxxxxxxxx> wrote:
> >>
> >>> Yes the problem is happening when using the normal kernel also
> >>> I checked /etc/resolv.conf
> >>> and the nameserver entry there is wrong it should be 4.2.2.6 but each
> >>> time I manually edit it is still taking it from ADSL router.
> >>
> >> Do you have NetworkManager running? If so, stop it and disable it:
> >>
> >> If you are running CentOS you should be able to change the ifcfg-eth*
> >> scripts in /etc/sysconfig/network-scripts to not automatically set DNS
> >> according to the gateway.
> >>
> >> In the ifcfg-ethX (where X is the interface number that your server is
> >> connected to the network, eg eth0) file you can add PEERDNS=no to stop
> >> it from overwriting the DNS entries.
> >>
> >
> >
> >
> > --
> >
> > http://www.abhitech.com
> >
>
>
>
> --
>
> http://www.abhitech.com
>
> _______________________________________________
> Xen-users mailing list
> Xen-users@xxxxxxxxxxxxxxxxxxx
> http://lists.xensource.com/xen-users
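Two small checks for the diagnostics posted in this thread, added here as an example and not code from any of the posters: the first flags routes that appear on more than one interface (Paolo's duplicated eth0/peth0 entries), the second lists sockets bound to exactly one port, which a plain `grep 22` on netstat output does not do. Both run against constructed copies of the posted output embedded in the script; the 192.0.2.10 peer address is a placeholder.

```shell
#!/bin/sh
# Added example, not code from the thread: two awk filters for the diagnostics
# posted above, run here against constructed copies of that output.

# Constructed from Paolo's `route -n`: each route is present twice, once on the
# bridge-side eth0 and once on the physical peth0.
ROUTES='Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.0.0.0        0.0.0.0         255.255.255.0   U     0      0        0 eth0
0.0.0.0         10.0.0.1        0.0.0.0         UG    100    0        0 eth0
10.0.0.0        0.0.0.0         255.255.255.0   U     0      0        0 peth0
0.0.0.0         10.0.0.1        0.0.0.0         UG    100    0        0 peth0'

# Constructed in `netstat -tulpn` form from Tapas's listing; the 192.0.2.10
# peer is a placeholder. Nothing here actually listens on port 22.
NETSTAT='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address       Foreign Address     State       PID/Program name
tcp        0      0 127.0.0.1:2208      0.0.0.0:*           LISTEN      2594/hpiod
tcp        0      0 192.168.122.1:53    0.0.0.0:*           LISTEN      2829/dnsmasq
tcp        0      0 127.0.0.1:2207      0.0.0.0:*           LISTEN      2599/python
tcp        0      0 192.168.1.84:58022  192.0.2.10:80       ESTABLISHED 4056/firefox
udp        0      0 192.168.122.1:53    0.0.0.0:*                       2829/dnsmasq'

# Print every Destination/Genmask pair reachable via more than one interface.
# A bridged Xen Dom0 should print nothing: peth0 carries no IP routes.
dup_routes() {
    awk 'NR > 2 && NF >= 8 {
             key = $1 "/" $3
             if (!(key in seen)) order[++n] = key
             seen[key] = seen[key] " " $8; count[key]++
         }
         END { for (i = 1; i <= n; i++)
                   if (count[order[i]] > 1) print order[i] ":" seen[order[i]] }'
}

# Print only sockets bound to exactly this local port (tcp must be LISTEN),
# so 2208, 2207 and 58022 no longer pass as "port 22" the way a plain
# `grep 22` lets them.
port_listeners() {
    awk -v port="$1" 'NR > 2 && ($1 == "tcp" || $1 == "udp") {
             addr = $4; sub(/.*:/, "", addr)          # keep only the port
             if (addr != port) next
             if ($1 == "tcp" && $6 != "LISTEN") next  # drops the outbound 58022
             print $1, $4, $NF
         }'
}

echo "== routes on more than one interface =="; printf '%s\n' "$ROUTES" | dup_routes
echo "== sockets on port 22 =="; printf '%s\n' "$NETSTAT" | port_listeners 22
echo "== sockets on port 53 =="; printf '%s\n' "$NETSTAT" | port_listeners 53
```

On a live Dom0 the same functions take `route -n | dup_routes` and `netstat -tulpn | port_listeners 22` as input.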
