[Gllug] Xen and iptables problem

- Tethys tethys at gmail.com
Fri Jan 5 12:10:19 UTC 2007 

Simple problem, really. My SYNs are going out into the wide world, but
iptables is blocking the SYN/ACK coming back in. The curious thing is
that in my INPUT rules, I'm explicitly allowing ESTABLISHED and
RELATED packets through. To try and debug the problem, I told iptables
to log every packet as it hit each chain:

Jan  4 15:31:54 springfield Output:   IN=       OUT=eth0   MAC=
                                   SRC=11.111.111.111
DST=194.106.56.46 LEN=60 TOS=00 PREC=0x00 TTL=64 ID=51418 CE DF
PROTO=TCP SPT=60662 DPT=53 SEQ=2965822597 ACK=0          WINDOW=5840
  SYN URGP=0
Jan  4 15:31:54 springfield Forward:  IN=xenbr0 OUT=xenbr0
MAC=00:08:a3:83:85:22:00:e0:81:2f:7f:be:08:00  SRC=11.111.111.111
DST=194.106.56.46 LEN=60 TOS=00 PREC=0x00 TTL=64 ID=51418 CE DF
PROTO=TCP SPT=60662 DPT=53 SEQ=2965822597 ACK=0          WINDOW=5840
  SYN URGP=0
Jan  4 15:31:54 springfield Forward:  IN=xenbr0 OUT=xenbr0
MAC=00:e0:81:2f:7f:be:00:08:a3:83:85:22:08:00  SRC=194.106.56.46
DST=11.111.111.111 LEN=60 TOS=00 PREC=0x00 TTL=51 ID=0        DF
PROTO=TCP SPT=53 DPT=60662 SEQ=1118190643 ACK=2965822598 WINDOW=5792
ACK SYN URGP=0
Jan  4 15:31:54 springfield Input:    IN=eth0   OUT=
MAC=00:e0:81:2f:7f:be:00:08:a3:83:85:22:08:00  SRC=194.106.56.46
DST=11.111.111.111 LEN=60 TOS=00 PREC=0x00 TTL=51 ID=0        DF
PROTO=TCP SPT=53 DPT=60662 SEQ=1118190643 ACK=2965822598 WINDOW=5792
ACK SYN URGP=0
Jan  4 15:31:54 springfield Dropped:  IN=eth0   OUT=
MAC=00:e0:81:2f:7f:be:00:08:a3:83:85:22:08:00  SRC=194.106.56.46
DST=11.111.111.111 LEN=60 TOS=00 PREC=0x00 TTL=51 ID=0        DF
PROTO=TCP SPT=53 DPT=60662 SEQ=1118190643 ACK=2965822598 WINDOW=5792
ACK SYN URGP=0

(I have a feeling gmail will bugger up the formatting on that, so it's
also available at http://www.astradyne.co.uk/ref/xen_iptables.txt)

For those unfamiliar with Xen, it makes networking insanely (and
unnecessarily) complicated, which is why it's hitting both the FORWARD
and INPUT/OUTPUT chains. See
http://wiki.xensource.com/xenwiki/XenNetworking for mroe details.

Any ideas? Is it possible to get iptables to log the state of the
packet? I know that a SYN/ACK should in theory make the packet
ESTABLISHED, but since it doesn't seem to be doing so in this case, I
have no idea what's happening :-(

Tet
-- 
Gllug mailing list  -  Gllug at gllug.org.uk
http://lists.gllug.org.uk/mailman/listinfo/gllug

More information about the GLLUG mailing list