On Tue, Feb 14, 2006 at 12:51:16PM -0500, Patrick Wolfe wrote:
> On Tue, 2006-02-14 at 10:44 -0600, Daniel Goertzen wrote:
> > FYI I am implementing a firewall using firehol in a domU. It has 3
> > interfaces which are plugged into 3 bridges in my dom0 (internet, lan,
> > and dmz). Only 2 of the bridges connect to physical ethernet interfaces
> > (internet, lan); the other one is meant for routing to dmz domU's only.
> > My setup is not complete but partial tests are showing good results.
>
>
> On the two systems I set up running xen3 and a firewall, I found it made
> much more sense to create a firewall domU with minimal OS, and do all my
> iptables filtering there. Just like Daniel describes, I created a
> bridge for each physical interface, connect the physical interface and
> firewall domU to each of those bridges, then create one additional bridge
> (my XEN DMZ) to which I attached the firewall, dom0's veth0 and all
> other domU's.
>
> +-------+   +---------+           +-----------+
> | peth0 |---| br0eth0 |   +-------|veth0 dom0 |
> +-------+   +---------+   |       +-----------+
>                  |        |
>             +--eth0--+    |
>             |        |    |
>             |      e |    |
>             |  fire1 t    +--------+   +-----------+
>             |  domU1 h----| br2dmz |---|eth0 domU2 |
>             |      2 |    +--------+   +-----------+
>             |        |    |
>             +--eth1--+    |
>                  |        |
> +-------+   +---------+   |       +-----------+
> | peth1 |---| br1eth1 |   +-------|eth0 domU3 |
> +-------+   +---------+           +-----------+
>
My setup is similar to above, except I wanted dom0 only accessible on the
private lan as follows:
+-------+   +---------+    +-----------+
| peth0 |---| br0eth0 |----|eth0 domU2 |
+-------+   +---------+    +-----------+
                 |
            +--eth0--+
            |        |
            |  fire1 |
            |  domU1 |
            |        |
            +--eth1--+
                 |
+-------+   +---------+    +----------+
| peth1 |---| br1eth1 |----|eth1 dom0 |
+-------+   +---------+    +----------+
The domU's can access anyone without trouble. Dom0 can successfully ping any
IP address, but cannot connect to remote services. I'm accepting all services
in iptables (firehol), and since no packets are being logged as
blocked/dropped, I'm reasonably sure the iptables rules are correct. From
dom0, attempting a wget of Google's homepage (64.233.187.99) shows the
connection is successful, but the request times out waiting for a response:
~# wget 64.233.187.99
--13:59:05-- http://64.233.187.99/
=> `index.html'
Connecting to 64.233.187.99:80... connected.
HTTP request sent, awaiting response...
The conntrack info from /proc/net/ip_conntrack on the firewall confirms the
connection is active (if I'm reading it right):
~# cat ip_conntrack
tcp 6 264 ESTABLISHED src=192.168.1.20 dst=64.233.187.99 sport=1797 dport=80 packets=8 bytes=940 src=64.233.187.99 dst=<domU1 eth0 IP> sport=80 dport=1797 packets=1 bytes=44 [ASSURED] use=1
It appears as though the response comes all the way back to eth0 on the
firewall (again, if I'm reading the above connection info right), but it
doesn't continue down to dom0. So my question is, how does one masquerade dom0
through a domU? Do forwarding rules need to be in place in dom0 between
br0eth0 and br1eth1, or can all the iptables work be done in a domU? For
reference, here's my bridge setup showing the associated domain interfaces:
~# brctl show
bridge name     bridge id               STP enabled     interfaces
xenbr0          8000.feffffffffff       no              peth0
                                                        vif1.0
                                                        vif2.0
xenbr1          8000.feffffffffff       no              peth1
                                                        vif0.1
                                                        vif1.1
Thanks for any insight,
-Kevin
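Added here as an example, not code from the thread: a small Python helper that reads an ip_conntrack entry like the one quoted above, splits it into the original and reply tuples and reports what they show, namely that the replies are addressed to the firewall (so the masquerade itself is in effect) and that only a single 44-byte reply, the SYN-ACK, ever reached the firewall. The address 10.0.0.2 is a stand-in for the firewall eth0 IP that the mail elides.

```python
import re

# Constructed sample modelled on the ip_conntrack entry quoted in the mail.
# 10.0.0.2 is a placeholder for the firewall domU's eth0 address, which the
# mail shows only as <domU1 eth0 IP>.
SAMPLE_ENTRY = (
    "tcp 6 264 ESTABLISHED src=192.168.1.20 dst=64.233.187.99 sport=1797 "
    "dport=80 packets=8 bytes=940 src=64.233.187.99 dst=10.0.0.2 sport=80 "
    "dport=1797 packets=1 bytes=44 [ASSURED] use=1"
)

KV = re.compile(r"(\w+)=(\S+)")


def parse_conntrack_line(line):
    """Split an ip_conntrack line into its original and reply tuples.

    The kernel prints the original direction first and then repeats the
    src=/dst=/sport=/dport= keys for the reply direction, so the second
    'src' key marks the start of the reply tuple.
    """
    fields = line.split()
    proto = fields[0]
    state = fields[3] if "=" not in fields[3] else None  # UDP has no state
    orig, reply = {}, {}
    current = orig
    for key, val in KV.findall(line):
        if key == "src" and "src" in current:
            current = reply
        current[key] = val
    return {"proto": proto, "state": state, "orig": orig, "reply": reply}


def diagnose(entry):
    """Return observations about NAT and about the reply path."""
    o, r = entry["orig"], entry["reply"]
    notes = []
    # SNAT/masquerade in effect: replies are addressed to the firewall,
    # not to the host that opened the connection.
    if r["dst"] != o["src"]:
        notes.append("masquerade: replies for %s arrive addressed to %s"
                     % (o["src"], r["dst"]))
    op, rp, rb = int(o["packets"]), int(r["packets"]), int(r["bytes"])
    # 44 bytes is a payload-free segment (20 IP + 20 TCP + 4-byte MSS option);
    # one such reply means only the SYN-ACK ever reached the firewall.
    if rp == 1 and rb == 44 and op > 1:
        notes.append("reply path: %d packets out, only the SYN-ACK back" % op)
    return notes
```

Run it over the real /proc/net/ip_conntrack on the firewall line by line; any entry where the reply counters stay at one packet while the original side keeps climbing is a connection whose responses never made it past the firewall's eth0.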
_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users