Have you looked at the entire list of rules (iptables -L)? I ask because -A domU means add a rule to the domU chain, which wouldn’t change anything if there was already a rule to allow all traffic in said chain (it does seem safe to assume there was previously no domU chain, but these things still should be verified). Another possibility is that iptables may not have the appropriate module / compilation for --physdev-(in/out); if I remember correctly, I had that problem in a really old CentOS or Fedora build once. Finally, if your domU has been rebooted and isn’t dom1, then it doesn’t use vif1.0 anymore, as the vif number isn’t a constant; I use --physdev-is-bridged to match all domU traffic, but that won’t work right in this case if you have another domU that you do want to receive traffic.
Dustin
From: xen-users-bounces@xxxxxxxxxxxxxxxxxxx [mailto:xen-users-bounces@xxxxxxxxxxxxxxxxxxx] On Behalf Of Abhishek Bichhawat
Sent: Friday, June 10, 2011 02:32
To: xen-users@xxxxxxxxxxxxxxxxxxx
Subject: [Xen-users] Iptables and Xen
Hi,
I have been trying to filter out domU packets from dom0 using iptables.
I tried the following:
iptables -I FORWARD -m physdev --physdev-in peth0 --physdev-out vif1.0 -j domU
iptables -A domU -j DROP
I expect that this should drop all the packets meant for domU, but this does not happen in my case. The domU is able to receive and send packets as before.
kindly help.
--
Thanks and Regards,
Abhishek Bichhawat
Visiting Scholar
Dept. of Computing
Macquarie University,
Sydney, Australia.
