Re: [Xen-users] ssh issues on DomU
On 01.04.2011 15:41, Andrew McGlashan wrote:
> Hi,
>
> Simon Hobson wrote:
>> Andrew McGlashan wrote:
>>
>>> I only see output when I ssh from Dom0 -- nothing when trying from
>>> putty client.
>>
>> Do you have any firewall in place that might be dropping connections ?
>
> No, the closest thing would be the standard iptables rules on Dom0 ...
> but it looks "okay" to me.

It isn't.

> Chain FORWARD (policy DROP)
> target prot opt source destination
> ACCEPT all -- anywhere anywhere state
> RELATED,ESTABLISHED PHYSDEV match --physdev-out vif3.1
> ACCEPT all -- anywhere anywhere PHYSDEV
> match --physdev-in vif3.1
> ACCEPT all -- anywhere anywhere state
> RELATED,ESTABLISHED PHYSDEV match --physdev-out vif3.0
> ACCEPT all -- anywhere anywhere PHYSDEV
> match --physdev-in vif3.0
> ACCEPT all -- anywhere anywhere PHYSDEV
> match --physdev-in peth1

These rules basically say that any traffic coming in from anywhere (the outside) and being directed towards your DomU is only valid if it is part of an existing connection (see the state RELATED,ESTABLISHED on the physdev-out matches, which are driven by the stateful xtables match of the Dom0 kernel), whereas the DomU is allowed to do any traffic (see the physdev-in match). The Dom0 is allowed to do traffic to all DomUs, because the packets the Dom0 generates go through INPUT and OUTPUT, but not through FORWARD.

You might want to check the iptables generation on your Dom0.

--
--- Heiko.

_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users
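
Added example, not part of the message above or of the thread: a minimal first-match evaluator for the FORWARD listing quoted in the message, showing the verdict for a new versus an established connection towards a DomU vif. The ingress port name `peth0` is an assumption, and only the `state` and `physdev` matches that occur in the listing are modelled.

```python
import re

# Constructed sample: the FORWARD listing quoted in the thread, with the
# mail-wrapped rule lines rejoined.
LISTING = """\
Chain FORWARD (policy DROP)
target     prot opt source      destination
ACCEPT     all  --  anywhere    anywhere    state RELATED,ESTABLISHED PHYSDEV match --physdev-out vif3.1
ACCEPT     all  --  anywhere    anywhere    PHYSDEV match --physdev-in vif3.1
ACCEPT     all  --  anywhere    anywhere    state RELATED,ESTABLISHED PHYSDEV match --physdev-out vif3.0
ACCEPT     all  --  anywhere    anywhere    PHYSDEV match --physdev-in vif3.0
ACCEPT     all  --  anywhere    anywhere    PHYSDEV match --physdev-in peth1
"""

def parse_chain(listing):
    """Return (policy, rules) from `iptables -L <chain>` style text."""
    lines = listing.strip().splitlines()
    policy = re.search(r"\(policy (\w+)\)", lines[0]).group(1)
    rules = []
    for line in lines[2:]:  # skip the chain line and the column header
        state = re.search(r"\bstate (\S+)", line)
        p_in = re.search(r"--physdev-in (\S+)", line)
        p_out = re.search(r"--physdev-out (\S+)", line)
        rules.append({
            "target": line.split()[0],
            "states": set(state.group(1).split(",")) if state else None,
            "in": p_in.group(1) if p_in else None,
            "out": p_out.group(1) if p_out else None,
        })
    return policy, rules

def verdict(listing, in_if, out_if, ct_state):
    """First-match verdict for a bridged packet; falls back to the policy."""
    policy, rules = parse_chain(listing)
    for r in rules:
        if r["states"] is not None and ct_state not in r["states"]:
            continue  # state match present and packet state not listed
        if r["in"] is not None and r["in"] != in_if:
            continue  # rule is bound to a different ingress bridge port
        if r["out"] is not None and r["out"] != out_if:
            continue  # rule is bound to a different egress bridge port
        return r["target"]
    return policy

if __name__ == "__main__":
    # peth0 is an assumed uplink port name; it does not appear in the thread.
    for pkt in [("peth0", "vif3.0", "NEW"), ("peth0", "vif3.0", "ESTABLISHED"),
                ("vif3.0", "peth0", "NEW")]:
        print(pkt, "->", verdict(LISTING, *pkt))
```

Packets generated by Dom0 itself are not covered by this evaluator, since they traverse INPUT and OUTPUT rather than FORWARD.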