Hi Dmitry,

Dmitry Nedospasov wrote:
I have a question about vif-common.sh. I run multiple bridges attached
on dummy interfaces, which allow me to put guests in separate subnets
(routed through the dom0). As you might expect I already have quite
extensive iptables scripts to accommodate this kind of routing.

I was just hoping someone on this list can confirm, that I understand
what the iptables lines in vif-common.sh actually do:

# traffic arriving from the guest's bridge port ($@ carries any extra match, e.g. -s <guest ip>)
iptables "$c" FORWARD -m physdev --physdev-in "$vif" "$@" -j ACCEPT \
  2>/dev/null &&
# traffic leaving towards the guest, only for already-established flows
iptables "$c" FORWARD -m state --state RELATED,ESTABLISHED -m physdev \
  --physdev-out "$vif" -j ACCEPT 2>/dev/null

From what I can tell the goal of these lines is to allow networking even
if the default FORWARD policy is DENY, am I right? Is there any
additional side-effect if I comment these lines out in vif-common.sh,
that I'm not considering?

That caused me issues, and those settings were in place due to the "anti-spoofing" setup.

I dropped anti-spoofing to "fix" my setup somewhat. Until I did that, I couldn't get to the DomU machines directly via the bridged interface.

Now I can get through, but there are still issues that are not resolved [1] -- sometimes I connect, sometimes I don't; I really need a fix for this.

[1]  http://comments.gmane.org/gmane.comp.emulators.xen.user/66214

Kind Regards

Andrew McGlashan
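To make the question concrete, here is an added toy model of what the two quoted FORWARD rules admit under a DROP policy versus an ACCEPT policy. It is not code from Xen, vif-common.sh, or either poster; it imitates only the iptables semantics the rules rely on (chain policy, first match wins, -m physdev --physdev-in/--physdev-out, -m state, -s). The "-s <guest ip>" extra is an assumption standing in for whatever the script's caller passes in "$@" for the anti-spoofing case; the interface names, addresses and packets are constructed.

```python
"""Toy evaluator for the two 'iptables "$c" FORWARD ...' rules from vif-common.sh.

Added illustration, not project code.  Models: chain policy, first-match-wins,
--physdev-in/--physdev-out, --state, and an optional -s source match that stands
for the anti-spoofing argument assumed to be passed through "$@".
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


@dataclass
class Packet:
    src: str                    # source IP of the packet
    physdev_in: Optional[str]   # bridge port the frame arrived on (e.g. "vif1.0")
    physdev_out: Optional[str]  # bridge port the frame leaves through
    state: str                  # conntrack state: "NEW", "ESTABLISHED" or "RELATED"


@dataclass
class Rule:
    target: str
    physdev_in: Optional[str] = None
    physdev_out: Optional[str] = None
    states: Optional[Set[str]] = None
    src: Optional[str] = None

    def matches(self, p: Packet) -> bool:
        # every specified match must hold, as with a single iptables rule
        if self.physdev_in is not None and p.physdev_in != self.physdev_in:
            return False
        if self.physdev_out is not None and p.physdev_out != self.physdev_out:
            return False
        if self.states is not None and p.state not in self.states:
            return False
        if self.src is not None and p.src != self.src:
            return False
        return True


def vif_rules(vif: str, guest_ip: Optional[str] = None) -> List[Rule]:
    """The two quoted rules with $c = -A.

    guest_ip models the assumed '-s <addr>' carried in "$@" when the guest
    has a configured IP (anti-spoofing); None models an empty "$@"."""
    return [
        # iptables -A FORWARD -m physdev --physdev-in $vif [-s guest_ip] -j ACCEPT
        Rule("ACCEPT", physdev_in=vif, src=guest_ip),
        # iptables -A FORWARD -m state --state RELATED,ESTABLISHED \
        #          -m physdev --physdev-out $vif -j ACCEPT
        Rule("ACCEPT", physdev_out=vif, states={"RELATED", "ESTABLISHED"}),
    ]


def forward_verdict(rules: List[Rule], policy: str, p: Packet) -> str:
    """First matching rule decides; otherwise the chain policy applies."""
    for r in rules:
        if r.matches(p):
            return r.target
    return policy


def demo(policy: str, antispoof: bool) -> Dict[str, str]:
    """Verdicts for four constructed packets crossing the bridge via vif1.0."""
    vif = "vif1.0"
    rules = vif_rules(vif, "10.0.0.5" if antispoof else None)
    cases = {
        # guest opens a new connection to the outside with its own address
        "guest_out_new":   Packet("10.0.0.5", vif, "eth0", "NEW"),
        # guest sends with a forged source address
        "guest_out_spoof": Packet("10.0.0.99", vif, "eth0", "NEW"),
        # reply coming back to the guest for a flow it started
        "reply_to_guest":  Packet("192.0.2.1", "eth0", vif, "ESTABLISHED"),
        # someone outside opens a new connection towards the guest
        "new_to_guest":    Packet("192.0.2.1", "eth0", vif, "NEW"),
    }
    return {name: forward_verdict(rules, policy, pkt) for name, pkt in cases.items()}


if __name__ == "__main__":
    for policy in ("DROP", "ACCEPT"):
        for antispoof in (True, False):
            print(policy, "antispoof" if antispoof else "no-antispoof", demo(policy, antispoof))
```

Two things fall out of running it. With a DROP policy the rules admit guest-originated traffic and the replies to it, but a new inbound connection to the guest reaches the policy and is dropped unless some other rule allows it; with an ACCEPT policy the rules change nothing, because everything that misses them is accepted anyway, so the -s restriction only has teeth under a restrictive policy. Real bridged frames are only seen by the FORWARD chain at all when the kernel's net.bridge.bridge-nf-call-iptables sysctl is enabled, which the toy does not model.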
