Xen project Mailing List

Re: [Xen-users] ssh issues on DomU

To: Andrew McGlashan <andrew.mcglashan@xxxxxxxxxxxxxxxxxxxxx>

From: Erwan RENIER <erwan.renier@xxxxxxxxxxx>

Date: Mon, 04 Apr 2011 00:52:59 +0200

Cc: Heiko Wundram <modelnine@xxxxxxxxxxxxx>, xen-users@xxxxxxxxxxxxxxxxxxx

Delivery-date: Sun, 03 Apr 2011 15:54:30 -0700

List-id: Xen user discussion <xen-users.lists.xensource.com>

Le 01/04/2011 18:20, Andrew McGlashan a écrit :


Hi,

Heiko Wundram wrote:

Do you have any firewall in place that might be dropping connections ?

No, the closest thing would be the standard iptables rules on Dom0 ...
but it looks "okay" to me.


It isn't.

Chain FORWARD (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            state
RELATED,ESTABLISHED PHYSDEV match --physdev-out vif3.1
ACCEPT     all  --  anywhere             anywhere            PHYSDEV
match --physdev-in vif3.1
ACCEPT     all  --  anywhere             anywhere            state
RELATED,ESTABLISHED PHYSDEV match --physdev-out vif3.0
ACCEPT     all  --  anywhere             anywhere            PHYSDEV
match --physdev-in vif3.0
ACCEPT     all  --  anywhere             anywhere            PHYSDEV
match --physdev-in peth1


These rules basically say that any traffic coming in from anywhgere (the
outside) and being directed towards your DomU is only valid if it is
part of an existing connection (see the state RELATED,ESTABLISHED on the
physdev-out matches, which are driven by the stateful xtables match of
the Dom0 kernel), whereas the DomU is allowed to do any traffic (see the
physdev-in match).

The DomU machine can host a website, no problem. It can reply topings sent to it by another machine on the 192.168.1.0 network just fine.

does your cards eth0 and eth1 are on the same LAN ( on the same switch

), do you ping 192.168.1.201 or 192.168.10.201 ?

ssh works fine for the 192.168.10.201 going through Dom0 in the samemanner as http [modem / forwarding -- modem is on 192.168.10.0 network].

because it pass through eth1

So, ssh is different from _other_ traffic types for some reason.

The Dom0 is allowed to do traffic to all DomUs, because the packets the
Dom0 generates go through INPUT and OUTPUT, but not through FORWARD. You
might want to check the iptables generation on your Dom0.

I didn't craft the iptables rules on Dom0, it is standard installationwith bridged networking setup -- okay, I had to mod the network scriptfor xen, but I didn't fiddle with any iptables rules.

Your first post mention that you can't connect via ssh through eth0 bridge,

There's no rules to accept incoming packet via this interface in FORWARD

table, allthought it might work via eth1.

I suggest you to test by issuing this command on Dom0 : iptables -P FORWARD ACCEPT retry ssh and then revert back : iptables -P FORWARD DROP if it don't work can you post the output of "brctl show" on Dom0 ? And the output of : netstat -an |grep 'LISTEN' on DomU. _______________________________________________ Xen-users mailing list Xen-users@xxxxxxxxxxxxxxxxxxx http://lists.xensource.com/xen-users

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.