[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Xen-users] ssh issues on DomU

Le 01/04/2011 18:20, Andrew McGlashan a écrit :


Heiko Wundram wrote:
Do you have any firewall in place that might be dropping connections ?
No, the closest thing would be the standard iptables rules on Dom0 ...
but it looks "okay" to me.

It isn't.

Chain FORWARD (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            state
RELATED,ESTABLISHED PHYSDEV match --physdev-out vif3.1
ACCEPT     all  --  anywhere             anywhere            PHYSDEV
match --physdev-in vif3.1
ACCEPT     all  --  anywhere             anywhere            state
RELATED,ESTABLISHED PHYSDEV match --physdev-out vif3.0
ACCEPT     all  --  anywhere             anywhere            PHYSDEV
match --physdev-in vif3.0
ACCEPT     all  --  anywhere             anywhere            PHYSDEV
match --physdev-in peth1

These rules basically say that any traffic coming in from anywhgere (the
outside) and being directed towards your DomU is only valid if it is
part of an existing connection (see the state RELATED,ESTABLISHED on the
physdev-out matches, which are driven by the stateful xtables match of
the Dom0 kernel), whereas the DomU is allowed to do any traffic (see the
physdev-in match).

The DomU machine can host a website, no problem. It can reply to pings sent to it by another machine on the network just fine.
does your cards eth0 and eth1 are on the same LAN ( on the same switch ), do you ping or ?
ssh works fine for the going through Dom0 in the same manner as http [modem / forwarding -- modem is on network].
because it pass through eth1
So, ssh is different from _other_ traffic types for some reason.

The Dom0 is allowed to do traffic to all DomUs, because the packets the
Dom0 generates go through INPUT and OUTPUT, but not through FORWARD. You
might want to check the iptables generation on your Dom0.

I didn't craft the iptables rules on Dom0, it is standard installation with bridged networking setup -- okay, I had to mod the network script for xen, but I didn't fiddle with any iptables rules.

Your first post mention that you can't connect via ssh through eth0 bridge,
There's no rules to accept incoming packet via this interface in FORWARD table, allthought it might work via eth1.
 I suggest you to test by issuing this command on Dom0 :


retry ssh

and then revert back :

iptables -P FORWARD  DROP

if it don't work can you post the output of "brctl show" on Dom0 ?
And the output of :
netstat -an |grep 'LISTEN'
on DomU.

Xen-users mailing list



Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.