[Xen-users] iptables in dom0 with bridge: no more outbound connections

To: xen-users@xxxxxxxxxxxxxxxxxxx
Subject: [Xen-users] iptables in dom0 with bridge: no more outbound connections
From: Peter Fokkinga <peter@xxxxxxxxxxx>
Date: Fri, 29 Dec 2006 16:25:46 +0100
Delivery-date: Fri, 29 Dec 2006 07:25:12 -0800
Envelope-to: www-data@xxxxxxxxxxxxxxxxxx
List-help: <mailto:xen-users-request@lists.xensource.com?subject=help>
List-id: Xen user discussion <xen-users.lists.xensource.com>
List-post: <mailto:xen-users@lists.xensource.com>
List-subscribe: <http://lists.xensource.com/cgi-bin/mailman/listinfo/xen-users>, <mailto:xen-users-request@lists.xensource.com?subject=subscribe>
List-unsubscribe: <http://lists.xensource.com/cgi-bin/mailman/listinfo/xen-users>, <mailto:xen-users-request@lists.xensource.com?subject=unsubscribe>
Sender: xen-users-bounces@xxxxxxxxxxxxxxxxxxx
User-agent: Internet Messaging Program (IMP) H3 (4.1.3)
After successfully consolidating my servers at home with Xen I
wanted to do the same at work. Unfortunately, I ran into a
networking anomaly that baffles my mind...

What I'm looking for is a real simple setup: a dom0 and 4 domU's
that are all directly accessible; in other words, no NAT required,
each dom has a "real" (public) ip address in our 129.125. range
(that's University of Groningen, the Netherlands in case you're
wondering).

Even though I have no need for iptables to do NAT, I _do_ want
to protect each dom, including dom0, with its own firewall. And
here the problems start.

When I boot into dom0 (Xen 3.0.4 patched to kernel 2.6.16.36), but
without starting xend, things are fine (iptables rules are active
at this point). Yet, after I have started xend (and xenbr0 appears
in my ifconfig output) I am unable to make connections to remote
hosts (dns lookups fail, ping to ip addresses fails, etc). Strange!

Now for the real spooky part:
  1. I booted into dom0 (no xend)
  2. executed `telnet 129.125.14.12 daytime`, it works
  3. started xend
  4. executed `telnet 129.125.14.12 daytime`, it still works (surprise!)
  5. executed `telnet 129.125.14.13 daytime`, it does not work
Weird, so I rebooted the machine and tried again, except for step 2,
and the result was the same. Two days later I tried another time
(again leaving out step 2) and now step 4 gives no response...

When I disable the firewall (iptables -F) everything is fine.

My minimal firewall script:
iptables -F                                                      # flush existing rules
iptables -A INPUT -p tcp --dport ssh   -j ACCEPT                  # allow inbound ssh
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT  # allow replies to our own connections
iptables -A INPUT -j DROP                                         # drop everything else

Another observation: with the above firewall in place I can ssh into
dom0, but it takes about 30 seconds to connect; without firewall it
is almost instantaneous.

Now I'm a programmer, not a network engineer. And I don't have a
clue how to go from here (i.o.w. I can run tcpdump, but don't know
what to look for). So suggestions are greatly appreciated!

Cheers, Peter

_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users
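Since the post asks what to look for, an added checker follows (written for this page, not code from the post or from Xen): it lints a dom0 firewall script like the one above for INPUT-chain gaps and reports the bridge-netfilter sysctl that decides whether bridged frames are handed to iptables. The function names, the sample copy of the ruleset, and the sysctl path are assumptions of this example.

```shell
#!/bin/sh
# Added diagnostic helper, not code from the original post. It lints a
# dom0 firewall script (or an iptables-save dump) for INPUT-chain problems
# that only surface once traffic starts flowing through xenbr0, and reports
# whether bridge-netfilter is handing bridged frames to iptables at all.

# Read rules on stdin; print one finding per line.
lint_input_chain() {
    awk '
    BEGIN { n = 0; has_lo = 0; est_at = 0; drop_at = 0 }
    /(^|iptables )-A INPUT/ {
        n++
        if ($0 ~ /-i lo /)                         has_lo = 1
        if ($0 ~ /ESTABLISHED/ && est_at == 0)     est_at = n
        if ($0 ~ /-j DROP[ \t]*$/ && drop_at == 0) drop_at = n
    }
    END {
        # A default-drop INPUT without an accept for lo breaks local
        # services (e.g. a resolver on 127.0.0.1): the first packet of a
        # loopback connection is NEW, not ESTABLISHED, when INPUT sees it.
        if (!has_lo)  print "WARN: no ACCEPT for loopback (-i lo) before the DROP"
        if (!est_at)  print "WARN: no ESTABLISHED,RELATED accept; replies to outbound traffic are dropped"
        else if (drop_at && drop_at < est_at)
                      print "WARN: terminal DROP precedes the ESTABLISHED,RELATED rule"
        print "rules=" n
    }'
}

# Show whether bridged frames traverse iptables (FORWARD chain).
# $1 overrides the sysctl directory; default is /proc/sys/net/bridge.
bridge_nf_status() {
    f="${1:-/proc/sys/net/bridge}/bridge-nf-call-iptables"
    [ -r "$f" ] || { echo "bridge-nf: sysctl not present (bridge module not loaded?)"; return 0; }
    case "$(cat "$f")" in
        1) echo "bridge-nf: on, bridged frames traverse iptables FORWARD" ;;
        0) echo "bridge-nf: off, bridged frames bypass iptables" ;;
        *) echo "bridge-nf: unexpected value in $f" ;;
    esac
}

# Constructed copy of the ruleset from the post, used as sample input.
sample_ruleset() {
    printf '%s\n' \
        'iptables -F' \
        'iptables -A INPUT -p tcp --dport ssh   -j ACCEPT' \
        'iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT' \
        'iptables -A INPUT -j DROP'
}

sample_ruleset | lint_input_chain
bridge_nf_status
```

Run it as root on the dom0 before and after starting xend; a ruleset with an `-i lo` accept ahead of the DROP produces no WARN lines.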