
Re: [Xen-users] XPC ip address on dom0 xenbr0 inaccessible from other local hosts



Good god why didn't I think about iptables...never occurred to me that XCP might ship with iptables built in..

And guess what, that was it.

Default XCP iptables looks like this:

target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     icmp --  anywhere             anywhere            icmp any 
ACCEPT     esp  --  anywhere             anywhere            
ACCEPT     ah   --  anywhere             anywhere            
ACCEPT     udp  --  anywhere             224.0.0.251         udp dpt:mdns 
ACCEPT     udp  --  anywhere             anywhere            udp dpt:ipp 
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ipp 
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED 
ACCEPT     udp  --  anywhere             anywhere            state NEW udp dpt:ha-cluster 
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh 
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:http 
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:https 
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited 

Just had to fix that up and poof now I have connectivity to my service.

Thanks a heap mate!



On Thu, Oct 6, 2011 at 4:27 PM, Steve Allison <xen-users@xxxxxxxxxxxxxxxxxx> wrote:
On 06/10/2011 20:19, Andrew Eross wrote:

Interestingly, I can ping the other host..

[root@vh02 ~]# ping 192.168.41.21
PING 192.168.41.21 (192.168.41.21) 56(84) bytes of data.
64 bytes from 192.168.41.21: icmp_seq=1 ttl=64 time=0.387 ms

Both hosts are XCP 1.0 and plugged directly into the same physical switch.

Just not route anything to it..



Hmm, interesting! I'd go for the other obvious, and that is iptables. Checking both filter and nat chains.

Have tcpdump or tshark running on vh01 and see if the packets are arriving to the machine.

It could be an ACL of XCP which denies connectivity with an ICMP "destination unreachable", however I am not familiar with XCP but I'm sure someone else on the list can chime in for you.


-- 
May the ping be with you ..

_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users
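
Added example, not part of the original thread: a first-match walk over the rule listing quoted above, showing why a new connection to a port outside ssh/http/https/ipp ends at the final REJECT. Assumptions: the first rule, printed with no match conditions, is taken to be interface-restricted (plain `iptables -L` does not print interface matches), port 8080 is a constructed stand-in for the poster's unnamed service, and `parse`/`verdict` are hypothetical helper names.

```python
import re

# Constructed sample: the rule lines of the listing quoted in the post above.
LISTING = """\
ACCEPT     all  --  anywhere   anywhere
ACCEPT     icmp --  anywhere   anywhere     icmp any
ACCEPT     esp  --  anywhere   anywhere
ACCEPT     ah   --  anywhere   anywhere
ACCEPT     udp  --  anywhere   224.0.0.251  udp dpt:mdns
ACCEPT     udp  --  anywhere   anywhere     udp dpt:ipp
ACCEPT     tcp  --  anywhere   anywhere     tcp dpt:ipp
ACCEPT     all  --  anywhere   anywhere     state RELATED,ESTABLISHED
ACCEPT     udp  --  anywhere   anywhere     state NEW udp dpt:ha-cluster
ACCEPT     tcp  --  anywhere   anywhere     state NEW tcp dpt:ssh
ACCEPT     tcp  --  anywhere   anywhere     state NEW tcp dpt:http
ACCEPT     tcp  --  anywhere   anywhere     state NEW tcp dpt:https
REJECT     all  --  anywhere   anywhere     reject-with icmp-host-prohibited
"""
# IANA port numbers for the service names iptables printed in that listing.
PORTS = {"mdns": 5353, "ipp": 631, "ha-cluster": 694, "ssh": 22, "http": 80, "https": 443}

def parse(listing):
    """Turn `iptables -L` rule lines into dicts (hypothetical helper)."""
    rules = []
    for line in listing.splitlines():
        f = line.split(None, 5)
        if len(f) < 5 or f[0] == "target":
            continue
        extra = f[5] if len(f) > 5 else ""
        port = re.search(r"dpt:(\S+)", extra)
        state = re.search(r"state (\S+)", extra)
        name = port.group(1) if port else None
        rules.append({
            "target": f[0], "proto": f[1], "dst": f[4],
            "dport": None if name is None else int(name) if name.isdigit() else PORTS[name],
            "states": set(state.group(1).split(",")) if state else None,
            # No visible match at all: plain -L hides -i/-o, so this may be "-i lo".
            "bare": f[1] == "all" and not extra.strip(),
        })
    return rules

def verdict(rules, proto, dport, state="NEW", dst=None, skip_bare=True):
    """Return (rule number, target) of the first rule matching an inbound packet."""
    for n, r in enumerate(rules, 1):
        if skip_bare and r["bare"] and r["target"] == "ACCEPT":
            continue  # assumption: interface-restricted, does not apply to LAN traffic
        if (r["proto"] in ("all", proto) and r["dst"] in ("anywhere", dst)
                and r["dport"] in (None, dport)
                and (r["states"] is None or state in r["states"])):
            return n, r["target"]
    return None, "chain policy"
```

On the host itself, `iptables -L INPUT -n -v --line-numbers` prints the interface columns and numeric ports, which removes the ambiguity about the first rule.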
