xen-users
Re: [Xen-users] xen (3.0.3_0) + iptables in dom0
On Wednesday 08 November 2006 10:17, Arnaud JAYET wrote:
> Hello,
>
> I have a little trouble using iptables in dom0 with Xen 3.0.
>
> I allow all OUTPUT and FORWARD in the default iptables policy; the default
> policy for the INPUT chain is DROP, except for ssh into dom0 from fixed IPs in
> network 10.131.12.0/24.
>
>
> I have the following iptables script and network configuration (I'm using
> Debian Sarge):
>
>
> #!/bin/sh
> # /etc/network/if-pre-up.d/iptables-start
> iptables=$(which iptables)
>
> $iptables -F
>
> $iptables -P INPUT DROP
> $iptables -P FORWARD ACCEPT
> $iptables -P OUTPUT ACCEPT
>
>
> $iptables -A INPUT -i lo -j ACCEPT
> $iptables -A INPUT -p icmp -j ACCEPT
> $iptables -A INPUT -p igmp -j ACCEPT
>
> $iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
>
> # SSH
> $iptables -A INPUT -p tcp -s 10.131.12.0/24 --dport 22 -j ACCEPT
>
> ---------
>
> With this iptables configuration, I can't go out from dom0 (no ping, no
> ssh, no http for apt-get update/upgrade).
>
> If I set the INPUT chain default policy to ACCEPT, it works of course
> (i.e. like no iptables protection at all)...
>
> I wonder why the output stream from dom0 is blocked (default policy =
> ACCEPT)? Does the output stream initiated by dom0 re-enter any
> INPUT chain due to the xen bridge or the renaming of eth0 to peth0?
> It's a little bit cloudy for me...
>
>
> Does anybody have a sample iptables script for protecting a dom0 machine ?
>
>
> My network configuration for the dom0 :
>
>
> eth0 Lien encap:Ethernet HWaddr 00:30:48:68:20:18
> inet adr:10.131.12.5 Bcast:10.131.255.255 Masque:255.255.0.0
> adr inet6: fe80::230:48ff:fe68:2018/64 Scope:Lien
> UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
> RX packets:657163 errors:0 dropped:0 overruns:0 frame:0
> TX packets:10908 errors:0 dropped:0 overruns:0 carrier:0
> collisions:0 lg file transmission:0
> RX bytes:58172954 (55.4 MiB) TX bytes:1811066 (1.7 MiB)
>
> lo Lien encap:Boucle locale
> inet adr:127.0.0.1 Masque:255.0.0.0
> adr inet6: ::1/128 Scope:Hôte
> UP LOOPBACK RUNNING MTU:16436 Metric:1
> RX packets:8 errors:0 dropped:0 overruns:0 frame:0
> TX packets:8 errors:0 dropped:0 overruns:0 carrier:0
> collisions:0 lg file transmission:0
> RX bytes:560 (560.0 b) TX bytes:560 (560.0 b)
>
> peth0 Lien encap:Ethernet HWaddr FE:FF:FF:FF:FF:FF
> adr inet6: fe80::fcff:ffff:feff:ffff/64 Scope:Lien
> UP BROADCAST RUNNING NOARP MTU:1500 Metric:1
> RX packets:664303 errors:0 dropped:0 overruns:0 frame:0
> TX packets:11059 errors:0 dropped:0 overruns:0 carrier:0
> collisions:0 lg file transmission:1000
> RX bytes:61532959 (58.6 MiB) TX bytes:1873537 (1.7 MiB)
> Adresse de base:0x2000 Mémoire:da200000-da220000
>
> vif0.0 Lien encap:Ethernet HWaddr FE:FF:FF:FF:FF:FF
> adr inet6: fe80::fcff:ffff:feff:ffff/64 Scope:Lien
> UP BROADCAST RUNNING NOARP MTU:1500 Metric:1
> RX packets:11009 errors:0 dropped:0 overruns:0 frame:0
> TX packets:662689 errors:0 dropped:0 overruns:0 carrier:0
> collisions:0 lg file transmission:0
> RX bytes:1825551 (1.7 MiB) TX bytes:58733912 (56.0 MiB)
>
> xenbr0 Lien encap:Ethernet HWaddr FE:FF:FF:FF:FF:FF
> adr inet6: fe80::200:ff:fe00:0/64 Scope:Lien
> UP BROADCAST RUNNING NOARP MTU:1500 Metric:1
> RX packets:646462 errors:0 dropped:0 overruns:0 frame:0
> TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
> collisions:0 lg file transmission:0
> RX bytes:46504320 (44.3 MiB) TX bytes:0 (0.0 b)
>
>
> # route
> Table de routage IP du noyau
> Destination     Passerelle      Genmask         Indic Metric Ref    Use Iface
> localnet        *               255.255.0.0     U     0      0        0 eth0
> default         10.131.255.254  0.0.0.0         UG    0      0        0 eth0
>
>
> Thank you for your help.
>
>
> --
> Arnaud
>
> _______________________________________________
> Xen-users mailing list
> Xen-users@xxxxxxxxxxxxxxxxxxx
> http://lists.xensource.com/xen-users
Hi,
I've had the same issue, but I found that while I couldn't get out of the
box, I could still log in via ssh. It took a long time, but I could log in. I
could even ping the machine from the outside.
I then applied the rules to vif0.0.
I don't know if this is the right thing to do, but it did what I wanted.
Regards
Hugo
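A dom0 host-firewall script that keeps the policy Arnaud described (INPUT DROP, ssh only from 10.131.12.0/24) but also answers the question both posters are circling: which interface do the dropped packets actually arrive on? This is an added example written for this thread, not a script from the list or from the Xen project. It assumes the interface names and the 10.131.12.0/24 admin network from the posted ifconfig and route output, binds the ssh rule to eth0 (in the Xen 3.0 network-bridge setup, dom0's own IP sits on eth0, which is the netloop peer of vif0.0), and ends the INPUT chain with a rate-limited LOG rule so that every packet the DROP policy discards shows up in syslog together with its IN= interface (eth0, vif0.0, xenbr0 or peth0). The script prints the commands as a dry run by default; set APPLY=1 to load them.

```shell
#!/bin/sh
# dom0-firewall.sh: host firewall for a Xen 3.0.x dom0 using bridged networking.
# Added example for this xen-users thread; not the list's or the project's code.
# Assumptions (taken from the posted configuration): dom0's address is on eth0,
# and administrators ssh in from 10.131.12.0/24.
# Dry run by default (commands are echoed); APPLY=1 runs the real iptables.

ADMIN_NET=${ADMIN_NET:-10.131.12.0/24}   # hosts allowed to open ssh to dom0
DOM0_IF=${DOM0_IF:-eth0}                  # interface carrying dom0's own IP

if [ "${APPLY:-0}" = "1" ]; then
    IPT=${IPT:-iptables}
else
    IPT=${IPT:-echo}
fi

# Builds the INPUT policy. Returns 0 and (in dry-run mode) prints every
# iptables command it would execute, one per line.
dom0_rules() {
    $IPT -F
    $IPT -P INPUT DROP
    $IPT -P FORWARD ACCEPT     # guest traffic crossing xenbr0 is bridged, not input
    $IPT -P OUTPUT ACCEPT

    $IPT -A INPUT -i lo -j ACCEPT
    # Replies to connections dom0 itself opened (apt-get, ping, outbound ssh)
    $IPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    $IPT -A INPUT -p icmp -j ACCEPT
    # Management ssh: only from the admin network and only on dom0's own interface
    $IPT -A INPUT -i "$DOM0_IF" -p tcp -s "$ADMIN_NET" --dport 22 \
        -m state --state NEW -j ACCEPT
    # Everything reaching this point is about to hit the DROP policy. Log it
    # (rate limited) so syslog shows the IN= interface and the conntrack view
    # of each discarded packet; this is how to tell whether dom0's own traffic
    # re-enters INPUT through vif0.0/xenbr0 instead of matching ESTABLISHED.
    $IPT -A INPUT -m limit --limit 5/min --limit-burst 10 \
        -j LOG --log-prefix "dom0-input-drop: " --log-level 4
}

# Counts the rules a dry run would install (policy lines excluded), so a
# reviewer can check that nothing was lost when the script is edited.
dom0_rule_count() {
    IPT=echo dom0_rules | grep -c -- '-A INPUT'
}

dom0_rules
```

Usage: run it once as `sh dom0-firewall.sh` to review the commands, then `APPLY=1 sh dom0-firewall.sh` as root. After that, `iptables -L INPUT -v -n` shows per-rule packet counters and `grep dom0-input-drop /var/log/syslog` shows the interface each dropped packet came in on. If the log lines for dom0's own outbound sessions show a replies arriving but not matching ESTABLISHED, the problem is in connection tracking rather than in the rule set; if they show IN=vif0.0 or IN=xenbr0, the bridge path is delivering them to INPUT on an interface the rules did not anticipate, which is the situation Hugo worked around by writing rules for vif0.0. Note that with the bridge-netfilter module loaded, frames bridged between peth0 and the guests' vifs also traverse the FORWARD chain, which is why FORWARD is left at ACCEPT here.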