Re: [Xen-users] Xen and IPtables

Yes, it worked for me!

iptables -t mangle -A PREROUTING -d <ip of dom0> -i <bridge> -p tcp --dport ! ssh -j DROP

Bhasker C V
Registered linux user #306349

On Thu, 30 Apr 2009, Fajar A. Nugraha wrote:

> On Thu, Apr 30, 2009 at 3:27 PM, James Clemence <jamesvclemence@xxxxxxxxxxxxxx> wrote:
>
> > I have been able to filter for the domUs via the forward chain, taking out the packets to each domU to a specific chain for that domU, and then handle the packets with ACCEPT/DROP, as per usual.
> >
> > -m physdev --physdev-in peth0 --physdev-out vif${DOMUID}.0 -j <DOMU chain>
> >
> > However, I blanked on where to get hold of the traffic to the dom0? Does that go to FORWARD too? Or does it simply hit INPUT?
>
> Shouldn't that be basic iptables stuff? If dom0 is not a router, INPUT should be enough. If it's a firewall or router, packages going through dom0 will be on FORWARD.
>
> As a side note, if you want to prevent iptables managing bridge traffic altogether you might want to use
>
> net.bridge.bridge-nf-call-arptables=0
> net.bridge.bridge-nf-call-ip6tables=0
> net.bridge.bridge-nf-call-iptables=0
>
> in /etc/sysctl.conf, and run "sysctl -p" afterwards.
>
> Regards,
>
> Fajar
>
> _______________________________________________
> Xen-users mailing list
> Xen-users@xxxxxxxxxxxxxxxxxxx
> http://lists.xensource.com/xen-users
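As an added example (not code posted in this thread), the following POSIX shell script emits an iptables-restore ruleset that applies both replies: per-domU chains reached from FORWARD via the physdev match, and dom0's own traffic handled in INPUT, plus the bridge-nf sysctl lines. It assumes the names xenbr0, peth0 and the documentation address 192.0.2.10; the chain names DOMU_<id> are invented for the example.

```shell
#!/bin/sh
# Added example, not code from the thread: emit an iptables-restore ruleset that
# applies the two replies. Bridged traffic to each domU is matched in FORWARD
# with the physdev module; traffic addressed to dom0 itself is handled in INPUT.
# Assumed names: bridge xenbr0, uplink peth0, dom0 address 192.0.2.10 (doc range).
set -e

BRIDGE="${BRIDGE:-xenbr0}"
PETH="${PETH:-peth0}"
DOM0_IP="${DOM0_IP:-192.0.2.10}"

# One chain per domU for frames bridged from the uplink out to vif<ID>.0.
domu_rules() {
    id="$1"; allowed_port="$2"
    printf -- '-A FORWARD -m physdev --physdev-in %s --physdev-out vif%s.0 -j DOMU_%s\n' \
        "$PETH" "$id" "$id"
    printf -- '-A DOMU_%s -m state --state ESTABLISHED,RELATED -j ACCEPT\n' "$id"
    printf -- '-A DOMU_%s -p tcp --dport %s -j ACCEPT\n' "$id" "$allowed_port"
    printf -- '-A DOMU_%s -j DROP\n' "$id"
}

# dom0's own services are delivered locally, so INPUT rather than FORWARD. Only ssh
# stays open, the intent of the mangle rule above (current syntax: "! --dport ssh").
dom0_rules() {
    printf -- '-A INPUT -i lo -j ACCEPT\n'
    printf -- '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT\n'
    printf -- '-A INPUT -d %s -i %s -p tcp --dport ssh -j ACCEPT\n' "$DOM0_IP" "$BRIDGE"
    printf -- '-A INPUT -d %s -i %s -j DROP\n' "$DOM0_IP" "$BRIDGE"
}

# Whole filter table for iptables-restore; arguments are "<domU id>:<tcp port>".
ruleset() {
    printf '*filter\n:INPUT ACCEPT [0:0]\n:FORWARD ACCEPT [0:0]\n:OUTPUT ACCEPT [0:0]\n'
    for spec in "$@"; do printf ':DOMU_%s - [0:0]\n' "${spec%%:*}"; done
    for spec in "$@"; do domu_rules "${spec%%:*}" "${spec##*:}"; done
    dom0_rules
    printf 'COMMIT\n'
}

# Fajar's sysctl knobs. Set to 0, bridged frames bypass iptables entirely, which
# also means the physdev FORWARD rules above no longer see any domU traffic.
bridge_nf_sysctl() {
    printf 'net.bridge.bridge-nf-call-arptables=%s\n' "$1"
    printf 'net.bridge.bridge-nf-call-ip6tables=%s\n' "$1"
    printf 'net.bridge.bridge-nf-call-iptables=%s\n' "$1"
}

ruleset "$@"
```

Run it as `sh script.sh 3:80 5:443 | iptables-restore` to load it; `bridge_nf_sysctl 0` prints the lines Fajar suggests for the opposite policy, so the two are mutually exclusive.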