xen-users
[Xen-users] Re: iptables, firewall into Dom0
Sébastien Cramatte wrote:
I've set up Xen using vlans. I've a different bridge per vlan.
Each VM has its own iptables script.
I've got various types of VM: http, ldap, mysql, nagios, ...
My question is how can I protect the Dom0 without blocking all the traffic
from DomU ...
I require restrictive rules with at least these :
INPUT:
ssh (tcp)
snmp (udp)
snmptrap (udp)
ping (icmp)
OUTPUT:
http (tcp)
ssh (tcp)
dns (udp)
Regards
Hello Sébastien,
I had the same problem protecting dom0 with iptables without
blocking the domUs' traffic. I think it's due to the bridging method, which
includes dom0's and the domUs' network interfaces in the bridge, so the
physical interface (peth0) is used for both dom0 traffic and the domUs' traffic
on the bridge.
Here are some "tips":
1) using ebtables or the 'physdev' module of iptables, as said in some
posts on the mailing list. But my tries with physdev just allow or block
all kinds of traffic; I failed to separate dom0's traffic from the domUs' traffic.
2) if you have 2 NICs, you can assign eth0 to dom0 and assign eth1 to the Xen
bridge(s) for the domUs (one bridge per vlan). eth0 is the device to the
default gateway for incoming/outgoing traffic. I did this on a Xeon
server with 2 Gbit NICs and it works fine; I could protect dom0 with
iptables.
Perhaps (not yet tested), if you have only one NIC, you could use eth0 for
dom0 and a dummy NIC for the Xen bridge(s).
3) I also tested the routing method (in only one vlan at present, but I plan
to test the routing method with several vlans); it works well and I can
protect dom0 with iptables. To make the routing method work, you'll have to
set ip_forwarding in dom0 and you also have to do proxy_arp in dom0 for
the domUs, for returned packets destined to the domUs.
1) replace in xen-config.sxp
(network-script network-route)
(vif script vif-route)
- network-route just enables ip_forwarding in dom0
# cat /proc/sys/net/ipv4/ip_forward
1
- vif-route creates a vif<domU#id>.0 in dom0 and associates it with eth0
of the domU, and it creates a static route from dom0 to the domU via
vif<domU#id>.0
To let traffic coming from the default gateway reach a domU, set proxy_arp
in dom0, because the gw doesn't know the domUs' MAC addresses
# sysctl -w net.ipv4.conf.eth0.proxy_arp=1
or
# echo "1" > /proc/sys/net/ipv4/conf/eth0/proxy_arp
Traffic for dom0 goes into the INPUT chain and traffic for the domUs goes
into the FORWARD chain. If your default policy is ACCEPT for the FORWARD chain
it will work (of course, you'll have to use local iptables in each domU).
But like you, I'm still interested in some iptables sample configs with the
physdev module for protecting dom0 with the bridging method without
filtering the domUs' traffic. If anybody has this, it would be fine....
If I said "some stupid things" in this reply, please don't hesitate to
correct me.
Some useful threads that helped me:
http://lists.xensource.com/archives/html/xen-users/2005-04/msg00268.html
http://lists.xensource.com/archives/html/xen-users/2006-02/msg00030.html
--
Arnaud
_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users
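One way to put the reply's advice into practice, as an added example that is not code from the thread, from Arnaud or from Xen: a POSIX shell script that emits an iptables-restore ruleset restricting dom0's own INPUT and OUTPUT to exactly the services Sébastien listed, while leaving domU traffic alone in FORWARD, for the bridged case (tip 1, using the physdev match) and for the routing case (tip 3, passing the vif interfaces), plus the two sysctls the routing method needs. The management network 192.0.2.0/24, the vif+ interface glob, the use of iptables-restore and the -m conntrack match (older iptables spells it -m state --state) are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not code from the thread or from Xen: a dom0 host firewall
# that locks down dom0's own traffic but passes domU traffic through, for
# both methods discussed in the reply. Interface names, the 192.0.2.0/24
# management network and the use of iptables-restore are assumptions.

MGMT_NET=${MGMT_NET:-192.0.2.0/24}   # assumed admin network allowed to reach dom0
VIF_GLOB=${VIF_GLOB:-vif+}           # Xen backend interfaces vif<domid>.<n> in dom0

# Print an iptables-restore ruleset for the filter table.
# $1 selects the domU transport: "bridge" (physdev match) or "route" (vif routes).
dom0_ruleset() {
    mode=${1:-bridge}
    case "$mode" in
        bridge)
            # Bridged frames only reach iptables when br_netfilter is active
            # (net.bridge.bridge-nf-call-iptables=1); they then appear in
            # FORWARD, where the physdev match singles them out. With it off
            # they bypass iptables and only INPUT/OUTPUT (dom0's own traffic)
            # are ever evaluated.
            fwd_rules='-A FORWARD -m physdev --physdev-is-bridged -j ACCEPT' ;;
        route)
            # network-route / vif-route: dom0 routes for the domUs, so their
            # packets traverse FORWARD through the vif interfaces. Pass only
            # what enters or leaves a vif; each domU filters itself locally.
            fwd_rules="-A FORWARD -i $VIF_GLOB -j ACCEPT
-A FORWARD -o $VIF_GLOB -j ACCEPT" ;;
        *)  echo "dom0_ruleset: unknown mode '$mode'" >&2; return 2 ;;
    esac
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# dom0 inbound: loopback, replies to its own connections, then only the
# services the question asked for (ssh, snmp, snmptrap, ping)
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p tcp --dport 22 -s $MGMT_NET -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p udp --dport 161 -s $MGMT_NET -j ACCEPT
-A INPUT -p udp --dport 162 -s $MGMT_NET -j ACCEPT
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/s -j ACCEPT
-A INPUT -m limit --limit 3/min -j LOG --log-prefix "dom0 INPUT drop: "
# dom0 outbound: http, ssh, dns and nothing else
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
-A OUTPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A OUTPUT -p udp --dport 53 -j ACCEPT
-A OUTPUT -m limit --limit 3/min -j LOG --log-prefix "dom0 OUTPUT drop: "
# domU transit: accepted wholesale, the domUs run their own iptables
$fwd_rules
-A FORWARD -m limit --limit 3/min -j LOG --log-prefix "dom0 FORWARD drop: "
COMMIT
EOF
}

# The two sysctls the routing method needs: IP forwarding, and proxy ARP on
# the upstream interface ($1, eth0 by default) so that dom0 answers the
# gateway's ARP requests for domU addresses the gateway has no MAC for.
routing_sysctls() {
    printf 'net.ipv4.ip_forward=1\nnet.ipv4.conf.%s.proxy_arp=1\n' "${1:-eth0}"
}

# Load everything as root: the ruleset atomically via iptables-restore
# (the whole filter table is replaced in one step), then the sysctls.
apply_dom0_firewall() {
    dom0_ruleset "$1" | iptables-restore || return 1
    if [ "$1" = route ]; then
        routing_sysctls "$2" | while IFS= read -r kv; do sysctl -w "$kv"; done
    fi
}

# Usage: sh dom0-fw.sh show [bridge|route]
#        sh dom0-fw.sh apply [bridge|route] [upstream-if]   (as root)
case "${1:-show}" in
    apply) apply_dom0_firewall "${2:-bridge}" "${3:-eth0}" ;;
    *)     dom0_ruleset "${2:-bridge}" ;;
esac
```

Run `sh dom0-fw.sh show bridge` to inspect the rules and `sh dom0-fw.sh apply route eth0` as root to load them. Two caveats worth checking before trusting the result: in the bridged case, bridged frames only traverse FORWARD when br_netfilter is active (net.bridge.bridge-nf-call-iptables=1), so verify that sysctl on the host, and with it off only the INPUT and OUTPUT rules have any effect; and in both modes a packet a domU sends to dom0's own address is delivered locally, so it hits INPUT like traffic from anywhere else and is held to the same allow-list, which is what protects dom0 from a compromised guest.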