[Top] [All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Xen-users] Dom0 domU bridge problem - virtualizing ISC DHCP server

Well, that server had 200+ iptables rules, the dom0 routes traffic between 5 interfaces. It must have been something I've messed up earlier.

What is your suggestion regarding trimming the rules down?

does this "--physdev-in vif+" and "--physdev-out vif+" wildcard all vif interfaces? Would this iptables setting allow for ISC DHCP server to work? 

Thanks for help anyway! :D



2013/7/23 Alexandre Kouznetsov <alk@xxxxxxxxxx>
Hello.


El 22/07/13 16:51, Jakub Kulesza escribió:

Dear Alexande, I did as you told.

I've added following iptables rules to dom0/main router:

-t nat
-A FORWARD -s 192.168.0.0/24 -d 192.168.0.252/32 -i eth0 -p udp -m udp --dport 67 -j ACCEPT
-A FORWARD -s 192.168.0.0/24 -d 192.168.0.252/32 -i eth0 -p udp -m udp --dport 68 -j ACCEPT

-t filter
-A FORWARD -d 255.255.255.255/32 -i eth0 -p udp -m udp --dport 67 -j ACCEPT
-A FORWARD -d 255.255.255.255/32 -i eth0 -p udp -m udp --dport 68 -j ACCEPT


0.252 is the address of the DHCP server.

And it works... let's see how it works out.

I'm glad it worked. I have said nothing about iptables, but as you describe it, it seems the firewalling on the Dom0 had the fault.


The iptables rules you list seems excessive. Good thing it works, but be careful not to accumulate too much of this kind of configurations. In Debian 6 default installation no additional firewalling is needed in order to allow packet forwarding between domains and the physical network. I doubt it have changed in Debian 7 (have not tested a clean install yet myself).

Since you had to tweak iptables in order to make DHCP working on Dom0, it makes me believe there was some firewall rules already applied, which prevented DHCP to work at first place. I would suggest fixing that firewalling mechanism, instead of patching it with more rules.

As a reference, I'm attaching an example of a basic firewall script. I use something very similar on Dom0 with Debian myself). It runs from /etc/network/interfaces, as a post-up for "lo" interface, so it starts in the early beginning.

--
Alexandre Kouznetsov


_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxx
http://lists.xen.org/xen-users



--
Pozdrawiam
Jakub Kulesza 
_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxx
http://lists.xen.org/xen-users

 

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.

Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.