
RE: [Xen-users] Iptables and Xen

Have you looked at the entire list of rules (iptables -L)?  I ask because -A domU means add a rule to the domU chain, which wouldn’t change anything if there was already a rule to allow all traffic in said chain (it does seem safe to assume there was previously no domU chain, but these things still should be verified).  Another possibility is that iptables may not have the appropriate module / compilation for --physdev-(in/out); if I remember correctly, I had that problem in a really old CentOS or Fedora build once.  Finally, if your domU has been rebooted and isn’t dom1, then it doesn’t use vif1.0 anymore, as the vif number isn’t a constant; I use --physdev-is-bridged to match all domU traffic, but that won’t work right in this case if you have another domU that you do want to receive traffic.



From: xen-users-bounces@xxxxxxxxxxxxxxxxxxx [mailto:xen-users-bounces@xxxxxxxxxxxxxxxxxxx] On Behalf Of Abhishek Bichhawat
Sent: Friday, June 10, 2011 02:32
To: xen-users@xxxxxxxxxxxxxxxxxxx
Subject: [Xen-users] Iptables and Xen



I have been trying to filter out domU packets from dom0 using iptables.
I tried the following:

iptables -I FORWARD -m physdev --physdev-in peth0 --physdev-out vif1.0 -j domU
iptables -A domU -j DROP

I expect that this should drop all the packets meant for domU, but this does not happen in my case. The domU is able to receive and send packets as before.

Kindly help.

Thanks and Regards,
Abhishek Bichhawat
Visiting Scholar
Dept. of Computing
Macquarie University,
Sydney, Australia.
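The reply above suggests three checks: that the domU chain really exists, that no earlier rule in it accepts traffic before the DROP, and that the vif number in the FORWARD rule still belongs to the running domain. The script below is an added example, not code from either poster; it runs those checks against a constructed `iptables-save`-style listing and assumes the chain name `domU` and the `vif<domid>.0` naming from the thread.

```shell
#!/bin/sh
# Added example: sanity checks for the FORWARD -> domU setup from the thread,
# run against iptables-save style text (constructed sample below).

# Constructed sample: the two rules from the original mail, plus a
# pre-existing ACCEPT in the domU chain that would mask the DROP.
SAMPLE_RULES='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:domU - [0:0]
-A FORWARD -m physdev --physdev-in peth0 --physdev-out vif1.0 -j domU
-A domU -j ACCEPT
-A domU -j DROP
COMMIT'

# chain_defined RULES CHAIN -> 0 if CHAIN is declared, 1 otherwise
chain_defined() {
    printf '%s\n' "$1" | grep -q "^:$2 "
}

# first_verdict RULES CHAIN -> target of the first rule in CHAIN
# (an ACCEPT here means a later DROP never fires)
first_verdict() {
    printf '%s\n' "$1" | awk -v c="$2" '$1=="-A" && $2==c {print $NF; exit}'
}

# forward_vif RULES CHAIN -> --physdev-out device of the FORWARD rule that
# jumps to CHAIN (empty if there is no such rule)
forward_vif() {
    printf '%s\n' "$1" | awk -v c="$2" '
        $1=="-A" && $2=="FORWARD" && $NF==c {
            for (i=1;i<=NF;i++) if ($i=="--physdev-out") print $(i+1); exit }'
}

# check_domu RULES DOMID -> prints one finding per line, returns 0 if none
check_domu() {
    rules=$1; domid=$2; problems=0
    if ! chain_defined "$rules" domU; then
        echo "domU chain is not defined"; problems=1
    fi
    [ "$(first_verdict "$rules" domU)" = "ACCEPT" ] && {
        echo "domU chain ACCEPTs before the DROP rule"; problems=1; }
    vif=$(forward_vif "$rules" domU)
    if [ "$vif" != "vif$domid.0" ]; then
        echo "FORWARD jump matches '$vif' but the domain now uses vif$domid.0"
        problems=1
    fi
    return $problems
}
```

On a live dom0 the same functions can be fed `iptables-save -t filter` output and the domain id reported by the toolstack; the vif check is what catches the reboot case the reply describes.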
