WARNING - OLD ARCHIVES

This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/
Re: [Xen-users] xen (3.0.3_0) + iptables in dom0

To: xen-users@xxxxxxxxxxxxxxxxxxx
Subject: Re: [Xen-users] xen (3.0.3_0) + iptables in dom0
From: Hugo Brites <hugo@xxxxxxxxxx>
Date: Wed, 8 Nov 2006 12:08:33 +0000
Cc: Arnaud JAYET <ajayet@xxxxxxx>
Delivery-date: Wed, 08 Nov 2006 04:03:17 -0800
Envelope-to: www-data@xxxxxxxxxxxxxxxxxx
In-reply-to: <4551AEBB.6090605@xxxxxxx>
List-help: <mailto:xen-users-request@lists.xensource.com?subject=help>
List-id: Xen user discussion <xen-users.lists.xensource.com>
List-post: <mailto:xen-users@lists.xensource.com>
List-subscribe: <http://lists.xensource.com/cgi-bin/mailman/listinfo/xen-users>, <mailto:xen-users-request@lists.xensource.com?subject=subscribe>
List-unsubscribe: <http://lists.xensource.com/cgi-bin/mailman/listinfo/xen-users>, <mailto:xen-users-request@lists.xensource.com?subject=unsubscribe>
References: <4551AEBB.6090605@xxxxxxx>
Sender: xen-users-bounces@xxxxxxxxxxxxxxxxxxx
User-agent: KMail/1.9.5
On Wednesday 08 November 2006 10:17, Arnaud JAYET wrote:
> Hello,
>
> I have a little trouble using iptables in dom0 with Xen 3.0.
>
> I allow all OUTPUT and FORWARD in the default iptables policy; the default
> policy for the INPUT chain is DROP except for ssh in dom0 from fixed IPs in
> network 10.131.12.0/24.
>
>
> I've the following iptables script and network configuration (I'm using
> Debian Sarge):
>
>
> #!/bin/sh
> # /etc/network/if-pre-up.d/iptables-start
> iptables=$(which iptables)
>
> $iptables -F
>
> $iptables -P INPUT DROP
> $iptables -P FORWARD ACCEPT
> $iptables -P OUTPUT ACCEPT
>
>
> $iptables -A INPUT -i lo -j ACCEPT
> $iptables -A INPUT -p icmp -j ACCEPT
> $iptables -A INPUT -p igmp -j ACCEPT
>
> $iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
>
> # SSH
> $iptables -A INPUT -p tcp -s 10.131.12.0/24 --dport 22 -j ACCEPT
>
> ---------
>
> With this iptables configuration, I can't go out from dom0 (no ping, no
> ssh, no http for apt-get update/upgrade).
>
> If I set the INPUT chain default policy to ACCEPT, it works of course
> (e.g. like no iptables protection at all)...
>
> I wonder why the output stream from dom0 is blocked (default policy =
> ACCEPT)? Does the output stream initiated by dom0 re-enter into any
> INPUT chain due to the xen bridge or the renaming of eth0 to peth0?
> It's a little bit cloudy for me...
>
>
> Does anybody have a sample iptables script for protecting a dom0 machine?
>
>
> My network configuration for the dom0:
>
>
> eth0      Lien encap:Ethernet  HWaddr 00:30:48:68:20:18
>            inet adr:10.131.12.5  Bcast:10.131.255.255  Masque:255.255.0.0
>            adr inet6: fe80::230:48ff:fe68:2018/64 Scope:Lien
>            UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
>            RX packets:657163 errors:0 dropped:0 overruns:0 frame:0
>            TX packets:10908 errors:0 dropped:0 overruns:0 carrier:0
>            collisions:0 lg file transmission:0
>            RX bytes:58172954 (55.4 MiB)  TX bytes:1811066 (1.7 MiB)
>
> lo        Lien encap:Boucle locale
>            inet adr:127.0.0.1  Masque:255.0.0.0
>            adr inet6: ::1/128 Scope:Hôte
>            UP LOOPBACK RUNNING  MTU:16436  Metric:1
>            RX packets:8 errors:0 dropped:0 overruns:0 frame:0
>            TX packets:8 errors:0 dropped:0 overruns:0 carrier:0
>            collisions:0 lg file transmission:0
>            RX bytes:560 (560.0 b)  TX bytes:560 (560.0 b)
>
> peth0     Lien encap:Ethernet  HWaddr FE:FF:FF:FF:FF:FF
>            adr inet6: fe80::fcff:ffff:feff:ffff/64 Scope:Lien
>            UP BROADCAST RUNNING NOARP  MTU:1500  Metric:1
>            RX packets:664303 errors:0 dropped:0 overruns:0 frame:0
>            TX packets:11059 errors:0 dropped:0 overruns:0 carrier:0
>            collisions:0 lg file transmission:1000
>            RX bytes:61532959 (58.6 MiB)  TX bytes:1873537 (1.7 MiB)
>            Adresse de base:0x2000 Mémoire:da200000-da220000
>
> vif0.0    Lien encap:Ethernet  HWaddr FE:FF:FF:FF:FF:FF
>            adr inet6: fe80::fcff:ffff:feff:ffff/64 Scope:Lien
>            UP BROADCAST RUNNING NOARP  MTU:1500  Metric:1
>            RX packets:11009 errors:0 dropped:0 overruns:0 frame:0
>            TX packets:662689 errors:0 dropped:0 overruns:0 carrier:0
>            collisions:0 lg file transmission:0
>            RX bytes:1825551 (1.7 MiB)  TX bytes:58733912 (56.0 MiB)
>
> xenbr0    Lien encap:Ethernet  HWaddr FE:FF:FF:FF:FF:FF
>            adr inet6: fe80::200:ff:fe00:0/64 Scope:Lien
>            UP BROADCAST RUNNING NOARP  MTU:1500  Metric:1
>            RX packets:646462 errors:0 dropped:0 overruns:0 frame:0
>            TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
>            collisions:0 lg file transmission:0
>            RX bytes:46504320 (44.3 MiB)  TX bytes:0 (0.0 b)
>
>
> # route
> Table de routage IP du noyau
> Destination     Passerelle      Genmask         Indic Metric Ref    Use Iface
> localnet        *               255.255.0.0     U     0      0        0 eth0
> default         10.131.255.254  0.0.0.0         UG    0      0        0 eth0
>
>
> Thank you for your help.
>
>
> --
> Arnaud
Hi,

 I've had the same issue, but I've found that while I couldn't get out of the
box, I still could log in via ssh. It took long, but I could log in. I
could even ping the machine from the outside.

 I've then applied the rules to vif0.0.
 I don't know if this is the right thing to do, but it did what I wanted.


Regards
Hugo
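An added example, not code from either message in this thread: a dom0 firewall script that keeps Arnaud's policy (INPUT DROP, FORWARD/OUTPUT ACCEPT, ssh only from 10.131.12.0/24) and adds what a defender wants when dom0 "cannot get out": a rate-limited LOG rule just before the default drop, plus a small summariser that reads those kernel log lines and shows which interface (IN=) and port the INPUT chain is really dropping on. Whether a rule should be pinned to eth0, vif0.0 or xenbr0 can then be read off the log instead of guessed. The subnet and interface names come from the quoted message; the dry-run switch (IPTABLES=echo) and the sample log lines are constructed for this example.

```shell
#!/bin/sh
# Added example, not code from the thread. Keeps the quoted policy and adds a
# LOG rule before the default DROP plus a summariser for the resulting log
# lines. Assumptions: subnet and interface names are taken from the quoted
# message; IPTABLES=echo is a dry-run switch added here, not an iptables option.

IPTABLES="${IPTABLES:-iptables}"
ADMIN_NET="${ADMIN_NET:-10.131.12.0/24}"
LOG_PREFIX="dom0-INPUT-DROP: "

apply_rules() {
    # Flush only INPUT: FORWARD carries the bridged domU traffic (xenbr0/peth0).
    "$IPTABLES" -F INPUT
    "$IPTABLES" -P INPUT DROP
    "$IPTABLES" -P FORWARD ACCEPT
    "$IPTABLES" -P OUTPUT ACCEPT

    # Loopback and replies to dom0's own connections first, so that no later
    # rule can shadow them.
    "$IPTABLES" -A INPUT -i lo -j ACCEPT
    "$IPTABLES" -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    "$IPTABLES" -A INPUT -p icmp -j ACCEPT

    # Management: only NEW ssh sessions, only from the admin subnet.
    "$IPTABLES" -A INPUT -p tcp -s "$ADMIN_NET" --dport 22 \
        -m state --state NEW -j ACCEPT

    # Anything reaching the end of the chain hits the DROP policy; log it
    # first (rate-limited) so dmesg shows IN=<interface> PROTO= DPT= for it.
    "$IPTABLES" -A INPUT -m limit --limit 5/min --limit-burst 10 \
        -j LOG --log-prefix "$LOG_PREFIX" --log-level 4
}

# Reads kernel log lines on stdin and prints one line per
# "<IN interface> <proto> <dport>" tuple followed by its drop count.
# Lines without a DPT= field are skipped.
summarise_drops() {
    grep "$LOG_PREFIX" \
      | sed -n 's/.*IN=\([^ ]*\).*PROTO=\([^ ]*\).*DPT=\([0-9]*\).*/\1 \2 \3/p' \
      | sort | uniq -c \
      | awk '{ print $2, $3, $4, $1 }'
}

# Constructed sample log lines (not captured from a real host), in the shape
# the LOG target writes: two ssh attempts from outside the admin subnet that
# arrived on eth0, and one packet to port 80 seen on the bridge interface.
sample_log() {
    cat <<'EOF'
Nov  8 12:00:01 dom0 kernel: dom0-INPUT-DROP: IN=eth0 OUT= SRC=192.0.2.10 DST=10.131.12.5 LEN=60 PROTO=TCP SPT=51000 DPT=22 SYN
Nov  8 12:00:03 dom0 kernel: dom0-INPUT-DROP: IN=eth0 OUT= SRC=192.0.2.10 DST=10.131.12.5 LEN=60 PROTO=TCP SPT=51001 DPT=22 SYN
Nov  8 12:00:05 dom0 kernel: dom0-INPUT-DROP: IN=xenbr0 OUT= SRC=198.51.100.7 DST=10.131.12.5 LEN=52 PROTO=TCP SPT=40022 DPT=80
EOF
}

# Usage:  sh dom0-fw.sh --dry-run      (print the rules, apply nothing)
#         sh dom0-fw.sh --apply        (needs root)
#         dmesg | sh dom0-fw.sh --summarise
#         sh dom0-fw.sh --demo         (summarise the constructed sample)
case "${1:-}" in
    --dry-run)   IPTABLES=echo apply_rules ;;
    --apply)     apply_rules ;;
    --summarise) summarise_drops ;;
    --demo)      sample_log | summarise_drops ;;
esac
```

Run it with --dry-run first and compare the printed rules with the quoted script; then, once applied, `dmesg | sh dom0-fw.sh --summarise` shows the IN= interface for every drop, which answers Arnaud's question about which interface the blocked traffic is entering on far more reliably than trying each interface in turn. Whether frames crossing xenbr0 are run through iptables at all is controlled by the bridge-nf sysctl (net.bridge.bridge-nf-call-iptables); check its value before deciding which chain a drop came from.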

_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users