WARNING - OLD ARCHIVES

This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/
   
 
 
xen-users

Re: [Xen-users] Firewalling Xen?

To: lists@xxxxxxxxxxxxx
Subject: Re: [Xen-users] Firewalling Xen?
From: "Grant McWilliams" <grantmasterflash@xxxxxxxxx>
Date: Mon, 15 Dec 2008 09:31:19 -0800
Cc: xen-users@xxxxxxxxxxxxxxxxxxx

On Mon, Dec 15, 2008 at 12:21 AM, <lists@xxxxxxxxxxxxx> wrote:
Hi all,

I have the following Xen config and I was wondering what you'd recommend as a firewall setup.


Dom0 - 198.175.98.50
Dom1 - 198.175.98.63 (Bridged)
Dom2 - 198.175.98.62 (Bridged)
Dom3 - 198.175.98.61 (Bridged)
Dom4 - 198.175.45.12 (Bridged)

I'm wondering how to set up a firewall for Dom0 when all traffic for the DomUs goes 'through' it.  How should the firewall take this into account?

On a side note, I read a more secure way was to have the 'primary' Dom to be a DomU firewall to avoid exploits to the Dom0 but I can't find proper documentation for such a setup.  Can someone point me in the right direction please?

Many thanks.
--
eco


There are multiple ways of accomplishing your goal but I'll tell you what I do.

Put virtually no software on Dom0 outside of the xen stuff and a firewall/IDS

Dom0 has two interfaces
eth0 (physical network connection)
dummy0

To set up dummy0

/etc/sysconfig/network-scripts/ifcfg-dummy0
DEVICE=dummy0
BOOTPROTO=none
USERCTL=no
IPV6INIT=no
PEERDNS=yes
TYPE=Ethernet
NETMASK=255.255.0.0
IPADDR=192.168.1.254
ARP=yes


Create an internal bridge called br0 for all DomUs - with libvirt (CentOS 5.2) edit /etc/libvirt/qemu/networks/autostart/default.xml
Add dummy0 to bridge br0
xend-config.sxp scripts
(network-script 'network-virtual bridge="br0" bridgeip="192.168.1.1/24" brnet="192.168.1.0/24"')
(vif-script vif-bridge)


This way DomUs can communicate with dummy0 on Dom0. The only way for traffic to flow from the bridge to the outside world is through Dom0's firewall.

Dom0 firewall

#iptables -t nat -A POSTROUTING -s 10.10.10.0/24 -j MASQUERADE

iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables -A FORWARD -i eth0 -o dummy0 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i dummy0 -o eth0 -j ACCEPT


### Port Forwarding ###
#iptables -A PREROUTING -t nat -p tcp -i eth0 --dport 10010 -j DNAT --to 192.168.1.10:22
#iptables -A PREROUTING -t nat -p tcp -i eth0 --dport 10011 -j DNAT --to 192.168.1.11:22
#iptables -A PREROUTING -t nat -p tcp -i eth0 --dport 10012 -j DNAT --to 192.168.1.12:22

This will get you started. It allows any returning traffic from an internal connection (DomU) to be reconnected to the DomU. It also forwards port 10010 from the outside to the DomU with the IP address 192.168.1.10, port 22, etc. I might have forgotten a few things but I think this will get you going. You can add to this firewall to allow more traffic through or limit traffic out etc. Standard firewall rules apply here.

I'll be writing a real in-depth tutorial for my site grantmcwilliams.com some day in the future. If anyone has ideas to make this more streamlined I'm all ears.

Grant McWilliams

Some people, when confronted with a problem, think "I know, I'll use Windows."
Now they have two problems.
_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users
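Added example, not part of Grant's post: the Dom0 NAT/firewall above written as a generator that emits a complete ruleset in iptables-restore format, so it loads atomically instead of rule by rule. It assumes the layout described in the thread (eth0 facing the world, dummy0 as Dom0's leg on the internal bridge, DomUs on 192.168.1.0/24, and the three port forwards from the post); those names and addresses are assumptions, not a verified configuration. Relative to the rules in the post it adds a default DROP policy on INPUT and FORWARD, restricts MASQUERADE to sources in the DomU network, and only lets new inbound connections cross the bridge to the published ports. It uses the conntrack match where the post uses `-m state`; the two are equivalent on current iptables. Run with no arguments to print the ruleset; set APPLY=1 (as root) to enable forwarding and load it.

```shell
#!/bin/sh
# Added example (not the poster's script): generate the Dom0 NAT/firewall
# ruleset for the eth0 + dummy0/br0 layout in iptables-restore format.
# Dry-run by default (prints the ruleset); APPLY=1 loads it atomically.
# Interface names, addresses and the port-forward table are assumptions
# taken from the thread, not a verified configuration.

WAN=${WAN:-eth0}                       # physical NIC to the outside world
LAN=${LAN:-dummy0}                     # Dom0's leg on the internal bridge
LAN_NET=${LAN_NET:-192.168.1.0/24}     # DomU network behind the bridge
MGMT_PORT=${MGMT_PORT:-22}             # ssh to Dom0 itself

# Constructed port-forward table: external_port:internal_ip:internal_port
FORWARDS=${FORWARDS:-"10010:192.168.1.10:22 10011:192.168.1.11:22 10012:192.168.1.12:22"}

emit() { printf '%s\n' "$@"; }

# nat table: DNAT the published ports in, masquerade only LAN_NET going out.
# Binding MASQUERADE to "-s $LAN_NET -o $WAN" means a DomU that spoofs a
# source address outside LAN_NET is not NATed (and is dropped in FORWARD).
nat_table() {
    emit '*nat' ':PREROUTING ACCEPT [0:0]' ':POSTROUTING ACCEPT [0:0]' ':OUTPUT ACCEPT [0:0]'
    for fwd in $FORWARDS; do
        ext=${fwd%%:*}; rest=${fwd#*:}; ip=${rest%%:*}; port=${rest#*:}
        emit "-A PREROUTING -i $WAN -p tcp --dport $ext -j DNAT --to-destination $ip:$port"
    done
    emit "-A POSTROUTING -s $LAN_NET -o $WAN -j MASQUERADE"
    emit 'COMMIT'
}

# filter table: default DROP on INPUT and FORWARD, so anything the rules
# below do not name never reaches Dom0 or crosses the bridge.
filter_table() {
    emit '*filter' ':INPUT DROP [0:0]' ':FORWARD DROP [0:0]' ':OUTPUT ACCEPT [0:0]'
    # Dom0 itself: loopback, replies, and management ssh only
    emit '-A INPUT -i lo -j ACCEPT'
    emit '-A INPUT -m conntrack --ctstate INVALID -j DROP'
    emit '-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT'
    emit "-A INPUT -i $WAN -p tcp --dport $MGMT_PORT -m conntrack --ctstate NEW -j ACCEPT"
    # DomUs out to the world (source-checked), and the replies back in
    emit '-A FORWARD -m conntrack --ctstate INVALID -j DROP'
    emit "-A FORWARD -i $LAN -o $WAN -s $LAN_NET -j ACCEPT"
    emit "-A FORWARD -i $WAN -o $LAN -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT"
    # World in to DomUs, only on published ports. FORWARD runs after the
    # PREROUTING DNAT, so it matches the internal address and port.
    for fwd in $FORWARDS; do
        rest=${fwd#*:}; ip=${rest%%:*}; port=${rest#*:}
        emit "-A FORWARD -i $WAN -o $LAN -d $ip -p tcp --dport $port -m conntrack --ctstate NEW -j ACCEPT"
    done
    emit 'COMMIT'
}

ruleset() { nat_table; filter_table; }

# Sanity check: exit 0 if the ruleset publishes the given internal ip:port
publishes() { ruleset | grep -q -- "--to-destination $1\$"; }

main() {
    if [ "${APPLY:-0}" = 1 ]; then
        sysctl -q -w net.ipv4.ip_forward=1    # Dom0 must route for the DomUs at all
        ruleset | iptables-restore            # atomic: old rules stay if this fails
    else
        ruleset
    fi
}

main "$@"
```

Because the whole ruleset is applied in one iptables-restore transaction, a typo leaves the previous rules in place rather than a half-built firewall with an ACCEPT default, which is the failure mode of appending rules one `iptables -A` at a time over a remote session.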