
Re: [Xen-users] ssh issues on DomU



  -- re-sending, I've still got this problem of connections sometimes
  working and sometimes not.  I can try repeatedly without changing
  any settings and sometimes it will finally work.

  Extra info added.
  -----------------------------------------------------------

Hi,

Andrew McGlashan wrote:
These rules basically say that any traffic coming in from anywhere (the
outside) and being directed towards your DomU is only valid if it is
part of an existing connection (see the state RELATED,ESTABLISHED on the
physdev-out matches, which are driven by the stateful xtables match of
the Dom0 kernel), whereas the DomU is allowed to do any traffic (see the
physdev-in match).

Okay, I turned off anti spoofing in the xen network bridge setup; now it works -- however, sometimes I need to try a few times before it connects.

Anti spoofing set the default FORWARD policy to DROP.

 -- extra info below this line --

Dom0
====

[Output edited for readability]

#  iptables -L
Chain INPUT (policy ACCEPT)
   target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
   target     prot opt source               destination
   ACCEPT     all  --  anywhere             anywhere
   state RELATED,ESTABLISHED PHYSDEV match --physdev-out vif2.1

   ACCEPT     all  --  anywhere             anywhere
   PHYSDEV match --physdev-in vif2.1

   ACCEPT     all  --  anywhere             anywhere
   state RELATED,ESTABLISHED PHYSDEV match --physdev-out vif2.0

   ACCEPT     all  --  anywhere             anywhere
   PHYSDEV match --physdev-in vif2.0

   ACCEPT     all  --  anywhere             anywhere
   state RELATED,ESTABLISHED PHYSDEV match --physdev-out vif1.0

   ACCEPT     all  --  anywhere             anywhere
   PHYSDEV match --physdev-in vif1.0

   ACCEPT     all  --  anywhere             anywhere
   state RELATED,ESTABLISHED PHYSDEV match --physdev-out vif1.1

   ACCEPT     all  --  anywhere             anywhere
   PHYSDEV match --physdev-in vif1.1

Chain OUTPUT (policy ACCEPT)
   target     prot opt source               destination


#  brctl show
bridge name     bridge id               STP enabled     interfaces
eth0            8000.0011258e355e       no              peth0
                                                        vif1.0
                                                        vif2.0
eth1            8000.0011258e355f       no              peth1
                                                        vif1.1
                                                        vif2.1


DomU
====
#  iptables -L
Chain INPUT (policy ACCEPT)
   target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
   target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
   target     prot opt source               destination


#  netstat -an|grep 22|grep LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp6       0      0 :::22                   :::*                    LISTEN



No IPv6 is configured on these machines at this time fwiw.


Connecting via a modem with port forwarding works 100% of the time without troubles (from allowed IP addresses).

I am using /etc/hosts.allow and /etc/hosts.deny to restrict access, but the intermittent connections don't show this as an issue.

Relevant /etc/hosts.allow from the "other" network, the one that can connect intermittently.

sshd: 192.168.

  NB: there are other allowed hosts, but they are not having any
  problems [coming in via the modem and with port forwards directly
  to DomU]

/etc/hosts.deny relevant entry:

sshd: ALL




Thanks.

--
Kind Regards
AndrewM

Andrew McGlashan
Broadband Solutions now including VoIP


_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users
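
Added example, not part of the original message or of the Xen scripts: a small Python model of the Dom0 FORWARD chain listed above. It shows why a new inbound SSH connection to a DomU is dropped when anti-spoofing sets the policy to DROP and accepted when the policy is ACCEPT. It assumes vif2.0 is the DomU's port on bridge eth0 and uses constructed packets; it does not model the intermittent failures.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Rule:
    physdev_in: Optional[str] = None     # None = any ingress bridge port
    physdev_out: Optional[str] = None    # None = any egress bridge port
    states: Optional[frozenset] = None   # None = any conntrack state
    target: str = "ACCEPT"

STATEFUL = frozenset({"RELATED", "ESTABLISHED"})

def build_forward_chain(vifs):
    """Two rules per vif, in the order shown in the iptables -L listing."""
    chain = []
    for vif in vifs:
        # Towards the DomU: only traffic belonging to a known connection.
        chain.append(Rule(physdev_out=vif, states=STATEFUL))
        # From the DomU: anything.
        chain.append(Rule(physdev_in=vif))
    return chain

def verdict(chain, policy, physdev_in, physdev_out, state):
    """First matching rule wins; if none matches, the chain policy applies."""
    for rule in chain:
        if rule.physdev_in is not None and rule.physdev_in != physdev_in:
            continue
        if rule.physdev_out is not None and rule.physdev_out != physdev_out:
            continue
        if rule.states is not None and state not in rule.states:
            continue
        return rule.target
    return policy

CHAIN = build_forward_chain(["vif2.1", "vif2.0", "vif1.0", "vif1.1"])

# Constructed packets: (ingress port, egress port, conntrack state).
# Assumption: vif2.0 is the DomU running sshd, peth0 is the physical port.
PACKETS = {
    "inbound SYN to DomU sshd": ("peth0", "vif2.0", "NEW"),
    "inbound reply to DomU-initiated flow": ("peth0", "vif2.0", "ESTABLISHED"),
    "DomU-initiated SYN": ("vif2.0", "peth0", "NEW"),
}

def evaluate(policy):
    """Verdict for each sample packet under the given FORWARD policy."""
    return {name: verdict(CHAIN, policy, *pkt) for name, pkt in PACKETS.items()}

if __name__ == "__main__":
    for policy in ("DROP", "ACCEPT"):
        print(policy, evaluate(policy))
```

With policy DROP, the first SYN of an inbound SSH session matches none of the listed rules, so an explicit ACCEPT rule for new connections to port 22 on that vif would be needed to keep anti-spoofing enabled.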
