Re: [Xen-users] vifs and networking
root wrote:

The default configs for our dom0 and domU kernels have CONFIG_KMOD set, which should allow the relevant modules to be automatically loaded when the iptables command is run.

Can you check you have the modules installed in dom0 correctly and that /lib/modules/2.6.11.11-xen0/kernel/net/ipv4/netfilter/ (varied for your kernel version) is full of modules including ip_tables.ko and iptables_netfilter.ko. You could also try a 'depmod -a' and reboot.

Our default domU config doesn't include netfilter so rebuild the domU kernel (remember to use ARCH=xen in all Linux 'make' invocations) to include the required options. (You should also be able to use a dom0 kernel and /lib/modules tree for a domU. The former has the needed netfilter modules.)

Is there a step-by-step on how to get iptables running on dom0 and domU?

In general setting up iptables is the same on Xen domains as it is on multiple physical boxes. The main gotchas are:

1. The interface that dom0 sees as its external interface is the name of the bridge it attaches to (usually xen-br0).
2. The bridging in dom0 interacts with iptables. Even bridged packets traverse some chains (this will apply to non-xen boxes using Linux bridging too).

Thanks again this forum is indispensable.

Even more so if you reply to the list rather than just to me :-). Please can you post with a legitimate email address rather than root@xxxxxxxxxxxxxxxxx

(I could put a firewall box in front of this 4 OS box, but I think there has to be a way to get this DMZ to work on one box in xen. [I this multi zoned network working on one box in VMWare 5.0])

James

_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users
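Added example, not part of the original message or of the Xen project's code: a shell check that walks the diagnosis described in the reply (netfilter compiled in or not, ip_tables.ko present under the modules tree, CONFIG_KMOD available for auto-loading). The function names and verdict strings are hypothetical, the kernel config file location is whatever you pass in, and it assumes CONFIG_IP_NF_IPTABLES is the Kconfig option that builds ip_tables.

```shell
#!/bin/sh
# Added example: why can't iptables load its modules in this dom0/domU kernel?
# Usage (paths are assumptions): sh check.sh <kernel .config> /lib/modules 2.6.11.11-xen0

# kconfig_state CONFIG_FILE SYMBOL -> prints y, m or unset
kconfig_state() (
    val=$(sed -n "s/^$2=\([ym]\)\$/\1/p" "$1" | head -n 1)
    echo "${val:-unset}"
)

# diagnose CONFIG_FILE MODULES_ROOT KERNEL_VERSION -> prints one verdict word
diagnose() (
    moddir="$2/$3/kernel/net/ipv4/netfilter"
    ipt=$(kconfig_state "$1" CONFIG_IP_NF_IPTABLES)
    if [ "$(kconfig_state "$1" CONFIG_NETFILTER)" = unset ] || [ "$ipt" = unset ]; then
        echo rebuild-kernel        # e.g. a domU config built without netfilter
    elif [ "$ipt" = y ]; then
        echo ok                    # built in, no module file needed
    elif [ ! -f "$moddir/ip_tables.ko" ]; then
        echo install-modules       # install the modules tree, then 'depmod -a'
    elif [ "$(kconfig_state "$1" CONFIG_KMOD)" = unset ]; then
        echo modprobe-manually     # module exists but will not auto-load
    else
        echo ok
    fi
)

# make_sample DIR: constructed fixture (empty .ko file, two minimal configs)
make_sample() (
    nf="$1/lib/2.6.11.11-xen0/kernel/net/ipv4/netfilter"
    mkdir -p "$nf"
    : > "$nf/ip_tables.ko"
    printf '%s\n' CONFIG_KMOD=y CONFIG_NETFILTER=y CONFIG_IP_NF_IPTABLES=m \
        > "$1/dom0.config"
    printf '%s\n' CONFIG_KMOD=y '# CONFIG_NETFILTER is not set' \
        > "$1/domU.config"
)

# Run against real paths only when three arguments are given.
if [ $# -eq 3 ]; then
    diagnose "$@"
fi
```
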