RE: [Xen-devel] Bridged Networking in Dom 0 and VirtualNIC in Windows XP Home 32-bit HVM Guest
Dear Caz, Boris, and Pasi,

I am reading XenNetworking at the Xen Wiki:

http://wiki.xensource.com/xenwiki/XenNetworking

<QUOTE>

The default Xen configuration uses bridging within domain 0 to allow all domains to appear on the network as individual hosts. If extensive use of iptables is made in domain 0 (e.g. a firewall) then this can affect bridging because bridged packets pass through the PREROUTING, FORWARD and POSTROUTING iptables chains. This means that packets being bridged between guest domains and the external network will need to be permitted to pass those chains. The most likely problem is the FORWARD chain being configured to DROP or REJECT packets (this is different from IP forwarding in the kernel).

iptable FORWARDing can be disabled for all packets; to prevent the dom0 from acting as an IP router:

    echo 0 > /proc/sys/net/ipv4/ip_forward

A slightly more secure method is to allow packet forwarding (at the iptables level) between the external physical interface and the vifs for the guests. For a machine with a single ethernet card this would be:

    iptables -A FORWARD -m physdev --physdev-in eth0 --physdev-out '!' eth0 -j ACCEPT
    iptables -A FORWARD -m physdev --physdev-out eth0 --physdev-in '!' eth0 -j ACCEPT

(needs the ipt_physdev [aka xt_physdev] module to be available).

</QUOTE>

So I may need to tweak the nat table in my iptables configuration. I don't think the problem is with the filter table.

Could you post your iptables configuration with the "iptables --table filter -L" and "iptables --table nat -L" commands?

Thank you very much.

Regards,

Mr. Teo En Ming (Zhang Enming)
Dip(Mechatronics Engineering) BEng(Hons)(Mechanical Engineering)
Technical Support Engineer
Information Technology Department
Asiasoft Online Pte Ltd
Tampines Central 1 #04-01 Tampines Plaza
Singapore 529541
Republic of Singapore
Mobile: +65-9648-9798
MSN: teoenming@xxxxxxxxxxx

-----Original Message-----
From: xen-devel-bounces@xxxxxxxxxxxxxxxxxxx [mailto:xen-devel-bounces@xxxxxxxxxxxxxxxxxxx] On Behalf Of Teo En Ming (Zhang Enming)
Sent: Monday, August 24, 2009 9:40 AM
To: cazyokoyama@xxxxxxxxx
Cc: xen-devel@xxxxxxxxxxxxxxxxxxx
Subject: RE: [Xen-devel] Bridged Networking in Dom 0 and VirtualNIC in Windows XP Home 32-bit HVM Guest

Thank you. But I still need to modify the firewall to allow my Win XP Home Dom U to talk to the outside world.

Regards,

Mr. Teo En Ming (Zhang Enming)
Dip(Mechatronics Engineering) BEng(Hons)(Mechanical Engineering)
Technical Support Engineer
Information Technology Department
Asiasoft Online Pte Ltd
Tampines Central 1 #04-01 Tampines Plaza
Singapore 529541
Republic of Singapore
Mobile: +65-9648-9798
MSN: teoenming@xxxxxxxxxxx

-----Original Message-----
From: Caz Yokoyama [mailto:cazyokoyama@xxxxxxxxx]
Sent: Monday, August 24, 2009 8:52 AM
To: enming.teo@xxxxxxxxxxxxxxx
Subject: RE: [Xen-devel] Bridged Networking in Dom 0 and Virtual NIC in Windows XP Home 32-bit HVM Guest

Congratulations.

-caz

-----Original Message-----
From: Mr. Teo En Ming (Zhang Enming) [mailto:enming.teo@xxxxxxxxxxxxxxx]
Sent: Sunday, August 23, 2009 5:11 PM
To: enming.teo@xxxxxxxxxxxxxxx
Cc: cazyokoyama@xxxxxxxxx; xen-devel@xxxxxxxxxxxxxxxxxxx
Subject: Re: [Xen-devel] Bridged Networking in Dom 0 and Virtual NIC in Windows XP Home 32-bit HVM Guest

Hi Caz,

I did a tcpdump on my ethernet bridge eth0. When the firewall on Dom 0 is up, I see DHCP request packets but NO DHCP reply packets. When I flushed all the firewall rules on Dom 0, I see both DHCP request and reply packets going to my Win XP Home Dom U.

--
Mr. Teo En Ming (Zhang Enming)
Dip(Mechatronics Engineering) BEng(Hons)(Mechanical Engineering)
Technical Support Engineer
Information Technology Department
Asiasoft Online Pte Ltd
Tampines Central 1 #04-01 Tampines Plaza
Singapore 529541
Republic of Singapore
Mobile: +65-9648-9798
MSN: teoenming@xxxxxxxxxxx
Alma Maters: Singapore Polytechnic, National University of Singapore

On 08/24/2009 08:01 AM, Mr. Teo En Ming (Zhang Enming) wrote:
> Hi Caz,
>
> I found out why my Win XP Home HVM dom U couldn't access the outside
> world. It's because of the firewall rules on my Dom 0. When I flushed
> all my firewall rules, Dom U could obtain IP address from my wireless
> router and surf the internet.
>
> So I have to think of adding appropriate firewall rules so that my Dom
> U could access the outside world when the firewall is enabled.
>

No virus found in this incoming message.
Checked by AVG - www.avg.com
Version: 8.5.392 / Virus Database: 270.13.63/2316 - Release Date: 08/20/09 18:06:00

No virus found in this outgoing message.
Checked by AVG - www.avg.com
Version: 8.5.392 / Virus Database: 270.13.63/2316 - Release Date: 08/20/09 18:06:00

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-devel
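
An added example, not part of the original messages or the Xen wiki: a shell audit of iptables-save text for the two physdev FORWARD rules the quoted wiki text describes, so a dom0 ruleset can be checked before the firewall is re-enabled. The function names and the sample ruleset are constructed for illustration; rule order and user-defined chains are not evaluated.

```shell
#!/bin/sh
# Added example: offline audit of iptables-save text for bridged guest traffic.
# SAMPLE_RULES is constructed for illustration, not taken from the thread.
SAMPLE_RULES='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A FORWARD -m physdev ! --physdev-in eth0 --physdev-out eth0 -j ACCEPT
COMMIT'

# Print the default policy of the filter table's FORWARD chain.
forward_policy() {
    printf '%s\n' "$1" | awk '
        substr($0, 1, 1) == "*" { table = $1 }
        table == "*filter" && $1 == ":FORWARD" { print $2 }'
}

# has_physdev_rule RULES PLAIN_OPT NEGATED_OPT IFACE
# True if a FORWARD ACCEPT rule matches IFACE on PLAIN_OPT and "not IFACE" on
# NEGATED_OPT. Accepts "! --opt eth0" and the older "--opt ! eth0" spelling.
has_physdev_rule() {
    printf '%s\n' "$1" | awk -v plain="$2" -v neg="$3" -v ifc="$4" '
        $1 == "-A" && $2 == "FORWARD" && /-m physdev/ && /-j ACCEPT$/ {
            p = 0; n = 0
            for (i = 3; i < NF; i++) {
                if ($i == plain && $(i+1) == ifc && $(i-1) != "!") p = 1
                if ($i == neg && $(i+1) == ifc && $(i-1) == "!") n = 1
                if ($i == neg && $(i+1) == "!" && $(i+2) == ifc) n = 1
            }
            if (p && n) found = 1
        }
        END { exit !found }'
}

# Report which direction of bridged traffic the ruleset leaves without an ACCEPT.
# "guest-bound" is physical interface to vif, "outbound" is vif to physical.
audit_bridge_forward() {
    rules=$1 ifc=$2
    [ "$(forward_policy "$rules")" = "ACCEPT" ] && { echo ok; return 0; }
    out=
    has_physdev_rule "$rules" --physdev-in --physdev-out "$ifc" || out="$out guest-bound"
    has_physdev_rule "$rules" --physdev-out --physdev-in "$ifc" || out="$out outbound"
    [ -z "$out" ] && { echo ok; return 0; }
    echo "blocked:$out"; return 1
}

audit_bridge_forward "$SAMPLE_RULES" eth0 || true
```

On a live dom0 the first argument would be the output of iptables-save instead of the constructed sample.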