Re: [Xen-users] Has anyone successfully set up a dhcp/iptables firewall in dom0 NATing traffic from domU?

> Hi,
>
> For what it's worth I've come to the conclusion that the best policy is to
> run *nothing* in the Dom0 above and beyond what you absolutely need. In my
> case, no iptables whatsoever and nothing listening on a public interface
> save ssh which is protected by hosts allow.
> (then run everything else on a second/private eth)

Maybe, but most people use a host with iptables, and migrating all services to DomU is hard, so the easiest way seems to me to solve the bug and not get all users to do a workaround. I never had a lockout... kernel 2.6.20-xen-r6, Xen3.1, bridging mode.

> There appears to be a rather nasty bug somewhere in the IP stack, I'm
> thinking it's in conntrack with regards to bridging with Xen in Dom0's,
> which ultimately causes lots of problems including machine lockouts.
>
> Since scrapping iptables I've not had a single lockup. (across 6 machines
> and 18 DomU's)
> [I'm working with kernels 2.6.2x]
>
> hth
> Gareth.
>
>
> ----- Original Message -----
> From: "Juergen Schinker" <ba1020@xxxxxxxxxxxxxxxxxxx>
> To: xen-users@xxxxxxxxxxxxxxxxxxx
> Sent: 12 February 2008 11:47:20 o'clock (GMT) Europe/London
> Subject: Re: [Xen-users] Has anyone successfully set up a dhcp/iptables
> firewall in dom0 NATing traffic from domU?
>
>> I've been struggling with this problem for a few days now; perhaps
>> someone here has had experience with this problem already. I am trying
>> to set up a rack server like this:
>>
>> dom0: iptables/dhcp
>> dom1: LAMP server
>> dom2: MAIL server
>> dom3: VNC vm for graphical admin and web tools
>>
>> Dom0 has one physical interface eth0 which receives a static IP. I have
>> also set up a bridge called br0 that I have bound dnsmasq to in order to
>> dole out IPs to the domU's. The domU's are assigned a MAC address and
>> once they boot dhclient requests an IP over 192.168.0.1, which works
>> well. Once the domU has booted I can ping the other domU's by IP and
>> the br0 itself at 192.168.0.1 as well as accessing all the servers in
>> the domUs in my internal network, i.e. I can hit the webserver in dom1
>> from dom3. I can also ping external sites by domain name like
>> google.com. Unfortunately that is about all I can do. I cannot access
>> any other form of net traffic from inside the domU, i.e. I cannot access
>> the web or rsync. My question is basically, is this a problem with Xen
>> networking or is it a problem with iptables? Both?
>>
>> - Rich
>>
>> _______________________________________________
>> Xen-users mailing list
>> Xen-users@xxxxxxxxxxxxxxxxxxx
>> http://lists.xensource.com/xen-users
>
> Yes here http://homie.homelinux.net/wordpress/?p=11
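The layout Rich describes (public eth0, a private bridge br0 at 192.168.0.1 handing out addresses to the domUs) needs, beyond dnsmasq, a MASQUERADE rule on eth0 and FORWARD rules that let the domU subnet out and the replies back; a FORWARD chain that admits only ICMP and UDP is one configuration that produces exactly his symptom (ping and name resolution work, web and rsync over TCP do not). The script below is an added example, not code from the thread or from any poster; it assumes a 192.168.0.0/24 domU subnet and the interface names shown, and emits a rule set in iptables-restore format.

```shell
#!/bin/sh
# Added example: minimal dom0 NAT/firewall rule set for a public interface
# (default eth0) and a private domU bridge (default br0, 192.168.0.0/24).
# Interface names and subnet are assumptions; pass your own as arguments.
# Load with:  dom0_nat_rules | iptables-restore
dom0_nat_rules() {
    wan=${1:-eth0}              # public interface with the static IP
    lan=${2:-br0}               # bridge the domUs attach to
    net=${3:-192.168.0.0/24}    # subnet dnsmasq hands out on the bridge
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# rewrite the domU source addresses to the public IP on the way out
-A POSTROUTING -s $net -o $wan -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# dom0 services the domUs talk to directly: DHCP and DNS from dnsmasq, ping
-A INPUT -i $lan -p udp --dport 67 -j ACCEPT
-A INPUT -i $lan -p udp --dport 53 -j ACCEPT
-A INPUT -i $lan -p tcp --dport 53 -j ACCEPT
-A INPUT -i $lan -p icmp -j ACCEPT
# admin access to dom0 itself (restrict the source further in production)
-A INPUT -i $wan -p tcp --dport 22 -j ACCEPT
# forwarding: allow every protocol from the bridge out, and only replies
# back in. If these rules matched just icmp or udp, ping and DNS would work
# from a domU while TCP (web, rsync) silently failed.
-A FORWARD -i $lan -o $wan -s $net -j ACCEPT
-A FORWARD -i $wan -o $lan -m state --state ESTABLISHED,RELATED -j ACCEPT
COMMIT
EOF
}

# Self-check: does the generated set forward all protocols from the bridge?
forward_allows_tcp() {
    dom0_nat_rules "$@" | grep -q '^-A FORWARD -i .* -o .* -s .* -j ACCEPT$'
}
```

Forwarding must also be switched on in the kernel (`sysctl -w net.ipv4.ip_forward=1`), or the FORWARD chain is never consulted.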