
List:       xen-users
Subject:    Re: [Xen-users] so close! just an iptables rule away.....?
From:       Michael Best <mbest () pendragon ! org>
Date:       2005-11-30 4:38:27
Message-ID: 438D2CC3.70103 () pendragon ! org

> Hi,
> # iptables -L -v -n
> Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
> pkts bytes target               prot opt in     out     source               destination
> 8216  809K RH-Firewall-1-INPUT  all  --  *      *       0.0.0.0/0            0.0.0.0/0
>    0     0 ACCEPT               all  --  *      *       0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-in eth1 ! --physdev-out eth1
>    0     0 ACCEPT               all  --  *      *       0.0.0.0/0            0.0.0.0/0           PHYSDEV match ! --physdev-in eth1 --physdev-out eth1

The big problem is in the FORWARD chain, the first rule in this chain 
says jump to the chain RH-Firewall-1-INPUT and then the subsequent rules 
are ignored.

So for instance in my example system my domU is on bridged interface 
vif3.0; in order to add the ACCEPT iptables line *before* the jump to 
RH-Firewall I had to drop that rule and then insert it back in.

# remove the jump so the rules appended below are not shadowed by it
iptables -D FORWARD -j RH-Firewall-1-INPUT
# accept forwarded traffic entering the bridge from the domU's vif
iptables -A FORWARD -m physdev --physdev-in vif3.0 -j ACCEPT
# put the jump back at the end of the chain
iptables -A FORWARD -j RH-Firewall-1-INPUT

Same basic approach for you: just make sure your rules come before the 
jump, or drop that rule and then add it back in after the rule changes 
are done.

I modified my /etc/xen/scripts/vif-common.sh to do this for me.  The 
patch appeared in my last post.

-Mike

_______________________________________________
Xen-users mailing list
Xen-users@lists.xensource.com
http://lists.xensource.com/xen-users
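As an added example (not from Mike's post or from the Xen vif-common.sh script), the following POSIX sh functions avoid the delete-and-re-append dance by locating the RH-Firewall-1-INPUT jump in `iptables -S FORWARD` output and inserting the per-vif ACCEPT at that position. The listing, the vif name `vif3.0` and the helper names are constructed for illustration; the optional apply step assumes an iptables new enough to support `-C` and runs only as root on a host that has iptables.

```shell
#!/bin/sh
# Added example, not code from the original thread.
# Constructed sample of `iptables -S FORWARD`: the jump sits first, so the
# two physdev ACCEPTs behind it never see a packet (the poster's situation).
SAMPLE_FORWARD='-P FORWARD ACCEPT
-A FORWARD -j RH-Firewall-1-INPUT
-A FORWARD -m physdev --physdev-in eth1 ! --physdev-out eth1 -j ACCEPT
-A FORWARD -m physdev ! --physdev-in eth1 --physdev-out eth1 -j ACCEPT'

# jump_position LISTING CHAIN
# Print the 1-based rule number of the first "-j CHAIN" in FORWARD, or nothing.
jump_position() {
    printf '%s\n' "$1" | grep -- '^-A FORWARD ' | grep -n -- "-j $2\$" \
        | head -n 1 | cut -d: -f1
}

# vif_accept_cmd LISTING VIF
# Print the iptables command that inserts an ACCEPT for traffic entering via
# VIF at the jump's position (rules shift down), or at the top if no jump exists.
vif_accept_cmd() {
    pos=$(jump_position "$1" RH-Firewall-1-INPUT)
    [ -n "$pos" ] || pos=1
    printf 'iptables -I FORWARD %s -m physdev --physdev-in %s -j ACCEPT\n' "$pos" "$2"
}

# apply_vif_accept VIF
# Idempotent live version: skip when iptables is absent or the rule already exists.
apply_vif_accept() {
    command -v iptables >/dev/null 2>&1 || return 0
    iptables -C FORWARD -m physdev --physdev-in "$1" -j ACCEPT 2>/dev/null && return 0
    listing=$(iptables -S FORWARD)
    pos=$(jump_position "$listing" RH-Firewall-1-INPUT)
    [ -n "$pos" ] || pos=1
    iptables -I FORWARD "$pos" -m physdev --physdev-in "$1" -j ACCEPT
}

# Dry run against the constructed listing
vif_accept_cmd "$SAMPLE_FORWARD" vif3.0
# → iptables -I FORWARD 1 -m physdev --physdev-in vif3.0 -j ACCEPT
```

After the insert, `iptables -L FORWARD -v -n` should show the new ACCEPT above RH-Firewall-1-INPUT with its packet counter climbing, which is the quickest check that the rule is no longer shadowed.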


