[Gllug] Xen and iptables problem

Juergen Schinker ba1020 at homie.homelinux.net
Fri Jan 5 12:49:59 UTC 2007 

Am Fr, 5.01.2007, 12:10, schrieb - Tethys:
> Simple problem, really. My SYNs are going out into the wide world, but
> iptables is blocking the SYN/ACK coming back in. The curious thing is
> that in my INPUT rules, I'm explicitly allowing ESTABLISHED and
> RELATED packets through. To try and debug the problem, I told iptables
> to log every packet as it hit each chain:
>
> Jan  4 15:31:54 springfield Output:   IN=       OUT=eth0   MAC=
>                                    SRC=11.111.111.111
> DST=194.106.56.46 LEN=60 TOS=00 PREC=0x00 TTL=64 ID=51418 CE DF
> PROTO=TCP SPT=60662 DPT=53 SEQ=2965822597 ACK=0          WINDOW=5840
>   SYN URGP=0
> Jan  4 15:31:54 springfield Forward:  IN=xenbr0 OUT=xenbr0
> MAC=00:08:a3:83:85:22:00:e0:81:2f:7f:be:08:00  SRC=11.111.111.111
> DST=194.106.56.46 LEN=60 TOS=00 PREC=0x00 TTL=64 ID=51418 CE DF
> PROTO=TCP SPT=60662 DPT=53 SEQ=2965822597 ACK=0          WINDOW=5840
>   SYN URGP=0
> Jan  4 15:31:54 springfield Forward:  IN=xenbr0 OUT=xenbr0
> MAC=00:e0:81:2f:7f:be:00:08:a3:83:85:22:08:00  SRC=194.106.56.46
> DST=11.111.111.111 LEN=60 TOS=00 PREC=0x00 TTL=51 ID=0        DF
> PROTO=TCP SPT=53 DPT=60662 SEQ=1118190643 ACK=2965822598 WINDOW=5792
> ACK SYN URGP=0
> Jan  4 15:31:54 springfield Input:    IN=eth0   OUT=
> MAC=00:e0:81:2f:7f:be:00:08:a3:83:85:22:08:00  SRC=194.106.56.46
> DST=11.111.111.111 LEN=60 TOS=00 PREC=0x00 TTL=51 ID=0        DF
> PROTO=TCP SPT=53 DPT=60662 SEQ=1118190643 ACK=2965822598 WINDOW=5792
> ACK SYN URGP=0
> Jan  4 15:31:54 springfield Dropped:  IN=eth0   OUT=
> MAC=00:e0:81:2f:7f:be:00:08:a3:83:85:22:08:00  SRC=194.106.56.46
> DST=11.111.111.111 LEN=60 TOS=00 PREC=0x00 TTL=51 ID=0        DF
> PROTO=TCP SPT=53 DPT=60662 SEQ=1118190643 ACK=2965822598 WINDOW=5792
> ACK SYN URGP=0
>
> (I have a feeling gmail will bugger up the formatting on that, so it's
> also available at http://www.astradyne.co.uk/ref/xen_iptables.txt)

the link was nice but don't you think using gmail is embarrising enough
>
> For those unfamiliar with Xen, it makes networking insanely (and
> unnecessarily) complicated, which is why it's hitting both the FORWARD
> and INPUT/OUTPUT chains. See
> http://wiki.xensource.com/xenwiki/XenNetworking for mroe details.
>
Xen is nice and not so complicated
i got GENTOO~amd64 as dom0 and GENTOO~i686,Debian 3.1,Fedora6 and Slackware
running and networked simultaneously

> Any ideas? Is it possible to get iptables to log the state of the
> packet? I know that a SYN/ACK should in theory make the packet
> ESTABLISHED, but since it doesn't seem to be doing so in this case, I
> have no idea what's happening :-(
>

i think you can get iptables to log everything but that will blow your
logfiles...

-- 
Gllug mailing list  -  Gllug at gllug.org.uk
http://lists.gllug.org.uk/mailman/listinfo/gllug

More information about the GLLUG mailing list