WARNING - OLD ARCHIVES

This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/
   
 
 
xen-users

Re: [Xen-users] Network security

Hello,

You should have iptables compiled into the kernel in Dom-0 with physdev
match support.
Set the default policy for FORWARD to DROP.
Add a specific rule in Dom-0 for each IP address to forward packets for
that IP address only through the interface for that Dom-U. The vifname
parameter in the Dom-U config file would be good in this circumstance.
Suppose you create a Dom-U named domain1 with vifname domain1; set the
rules below.

iptables -P FORWARD DROP
iptables -A FORWARD -s <ipaddress for that domain> -m physdev --physdev-in domain1 -j ACCEPT
iptables -A FORWARD -d <ipaddress for that domain> -m physdev --physdev-out domain1 -j ACCEPT

If you want to bind multiple IPs to one Dom-U, you should add a rule
like this for each IP address.

Thanks
Sadique

Andrew W. wrote:

> Hello all,
>  
> New to the list, so please bear with me.  I'm trying to configure a
> bunch of domU's that will be controlled by various untrusted
> sysadmins.  I want to prevent them from attempting to steal each
> other's IP addresses.  This won't need RFC1918 address space; I have
> globally routable IPs.  My requirements are simply one IP per domU,
> with the ability to route additional blocks (maybe a /29 or /30) to
> individual domU's as necessary.
>  
> I'm not opposed to using iptables or any other such trickery to
> accomplish this.  Comments?
>  
>  
> Regards,
>  
> Andrew Wang
>  
>  
>


_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users
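The rule pattern in Sadique's reply, written out as a small script that generates the per-Dom-U FORWARD rules from a table of vif names and addresses. This is an added example, not code from the thread or from the Xen project; the vif names (domain1, domain2), the addresses (RFC 5737 documentation ranges) and the DOMU_TABLE format are constructed for illustration. It goes slightly beyond the reply by handling a routed prefix (a /29) for one Dom-U, and by adding a LOG rule per vif so that spoofing attempts dropped by the DROP policy show up in the kernel log. By default it only echoes the iptables commands so it can be reviewed without root; set IPTABLES=iptables in Dom-0 to apply them.

```shell
#!/bin/sh
# Added example (not from the original thread): build the anti-spoofing
# FORWARD rules described above from a constructed vif -> addresses table.
# IPTABLES defaults to "echo iptables" so the script is a dry run unless
# the caller sets IPTABLES=iptables (requires root in Dom-0).
IPTABLES="${IPTABLES:-echo iptables}"

# Constructed table, one Dom-U per line: vifname, then every address or
# prefix that Dom-U is allowed to use. The vifname must match the
# "vifname=" setting in the Dom-U config so the bridge port name is stable,
# because the physdev match keys on that port name.
DOMU_TABLE="domain1 198.51.100.10
domain2 198.51.100.11 203.0.113.64/29"

# rules_for VIF ADDR... : emit one ACCEPT pair per address for VIF, then a
# LOG rule so anything else arriving from that vif is recorded before the
# DROP policy discards it.
rules_for() {
    vif="$1"; shift
    for addr in "$@"; do
        $IPTABLES -A FORWARD -s "$addr" -m physdev --physdev-in "$vif" -j ACCEPT
        $IPTABLES -A FORWARD -d "$addr" -m physdev --physdev-out "$vif" -j ACCEPT
    done
    $IPTABLES -A FORWARD -m physdev --physdev-in "$vif" -j LOG --log-prefix "spoof $vif: "
}

# apply_policy: DROP by default, then the explicit per-Dom-U exceptions.
apply_policy() {
    $IPTABLES -P FORWARD DROP
    printf '%s\n' "$DOMU_TABLE" | while read -r vif addrs; do
        [ -n "$vif" ] || continue
        # addrs is intentionally word-split into one argument per address
        rules_for "$vif" $addrs
    done
}

# count_rules: number of ACCEPT rules the table produces (two per address).
count_rules() {
    apply_policy | grep -c -- '-j ACCEPT'
}

if [ "${1:-}" = "apply" ]; then
    apply_policy
fi
```

Before relying on these rules, check that bridged frames actually traverse the FORWARD chain: the physdev match only sees bridge traffic when the bridge netfilter hook is enabled (net.bridge.bridge-nf-call-iptables=1, provided by the br_netfilter module on current kernels). With that hook off, the rules are never consulted and the DROP policy gives no protection.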
