
Re: [Xen-users] Dom0 domU bridge problem - virtualizing ISC DHCP server

  • To: xen-users@xxxxxxxxxxxxx
  • From: Alexandre Kouznetsov <alk@xxxxxxxxxx>
  • Date: Mon, 22 Jul 2013 18:06:32 -0500
  • Delivery-date: Mon, 22 Jul 2013 23:07:38 +0000
  • List-id: Xen user discussion <xen-users.lists.xen.org>


On 22/07/13 16:51, Jakub Kulesza wrote:
Dear Alexandre, I did as you told me.

I've added following iptables rules to dom0/main router:

-t nat
-A FORWARD -s -d -i eth0 -p udp -m udp --dport 67 -j ACCEPT
-A FORWARD -s -d -i eth0 -p udp -m udp --dport 68 -j ACCEPT

-t filter
-A FORWARD -d -i eth0 -p udp -m udp --dport 67 -j ACCEPT
-A FORWARD -d -i eth0 -p udp -m udp --dport 68 -j ACCEPT

0.252 is the address of the DHCP server.

And it works... let's see how it works out.

I'm glad it worked. I have said nothing about iptables, but as you describe it, it seems the firewalling on the Dom0 was at fault.

The iptables rules you list seem excessive. Good thing it works, but be careful not to accumulate too much of this kind of configuration. In a Debian 6 default installation no additional firewalling is needed in order to allow packet forwarding between domains and the physical network. I doubt it has changed in Debian 7 (I have not tested a clean install yet myself).

Since you had to tweak iptables in order to make DHCP work on Dom0, it makes me believe there were some firewall rules already applied, which prevented DHCP from working in the first place. I would suggest fixing that firewalling mechanism, instead of patching it with more rules.

As a reference, I'm attaching an example of a basic firewall script (I use something very similar on Dom0 with Debian myself). It runs from /etc/network/interfaces, as a post-up for the "lo" interface, so it starts very early in the boot.

Alexandre Kouznetsov

Attachment: basic_Dom0_firewall.sh
Description: application/shellscript
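
An added example, not the attachment from the message above and not the author's own script: a basic Dom0 firewall script of the kind described, written so that the whole policy is loaded in one step with iptables-restore instead of accumulating ad-hoc rules. The bridge name xenbr0, the management interface eth0, the SSH port and the install path are assumptions; by default the script only prints the policy (a dry run) and loads it only when invoked with --apply, which is how it would be called from the post-up hook.

```shell
#!/bin/sh
# Added example, not the attachment from the original message: a minimal
# Dom0 firewall script. Interface names, the SSH port and the install path
# are assumptions, chosen to fit a Debian Dom0 with a single bridge.
#
# Intended hook (assumed path), in /etc/network/interfaces:
#   auto lo
#   iface lo inet loopback
#       post-up /usr/local/sbin/basic_Dom0_firewall.sh --apply
set -eu

BRIDGE="${BRIDGE:-xenbr0}"   # assumed name of the bridge the domUs attach to
MGMT_IF="${MGMT_IF:-eth0}"   # assumed interface where Dom0 accepts SSH
SSH_PORT="${SSH_PORT:-22}"   # assumed management port

# Emit the whole policy as iptables-restore input. Loading one complete
# dump replaces the filter table atomically, so leftover rules from earlier
# experiments (like the per-port DHCP rules in the thread) cannot pile up.
dom0_fw_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Dom0 itself: loopback, replies to its own connections, ICMP, and SSH.
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i $MGMT_IF -p tcp --dport $SSH_PORT -j ACCEPT
# Bridged traffic between the domUs and the physical network. Frames that
# cross the bridge appear in FORWARD with the bridge as both -i and -o,
# but only when net.bridge.bridge-nf-call-iptables is 1; when it is 0 they
# never reach iptables at all. Either way this single rule covers DHCP
# (UDP 67/68) together with everything else on a flat bridged LAN, so no
# per-port rule is needed. Anything routed rather than bridged stays blocked.
-A FORWARD -i $BRIDGE -o $BRIDGE -j ACCEPT
COMMIT
EOF
}

# Number of FORWARD rules in the generated policy: a sanity check that can
# run without root, before anything is loaded into the kernel.
forward_rule_count() {
    dom0_fw_rules | grep -c '^-A FORWARD'
}

# Load the policy; requires root and replaces the filter table in one step.
apply_rules() {
    dom0_fw_rules | iptables-restore
}

case "${1:-}" in
    --apply) apply_rules ;;
    *)       dom0_fw_rules ;;   # default: dry run, just print the policy
esac
```

Running the script with no arguments prints the policy so it can be reviewed (or diffed against `iptables-save`) before it is ever applied; the post-up line passes --apply. Because the policy is one table dump, fixing the firewall means editing this file and reloading it, which is the alternative to patching a running rule set with more -A rules.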
