WARNING - OLD ARCHIVES

This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/
   
 
 
Xen 		  
Home Products Support Community News
 
   
 

xen-users

[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

[Xen-users] ebtables tying mac to ip problem

from [David Markey] [Permanent Link][Original]
To: xen-users@xxxxxxxxxxxxxxxxxxx
Subject: [Xen-users] ebtables tying mac to ip problem
From: David Markey <dmarkey@xxxxxxxxxxxxxxxxx>
Date: Tue, 31 Mar 2009 19:39:31 +0100
Delivery-date: Tue, 31 Mar 2009 11:42:56 -0700
Envelope-to: www-data@xxxxxxxxxxxxxxxxxxx
List-help: <mailto:xen-users-request@lists.xensource.com?subject=help>
List-id: Xen user discussion <xen-users.lists.xensource.com>
List-post: <mailto:xen-users@lists.xensource.com>
List-subscribe: <http://lists.xensource.com/mailman/listinfo/xen-users>, <mailto:xen-users-request@lists.xensource.com?subject=subscribe>
List-unsubscribe: <http://lists.xensource.com/mailman/listinfo/xen-users>, <mailto:xen-users-request@lists.xensource.com?subject=unsubscribe>
Sender: xen-users-bounces@xxxxxxxxxxxxxxxxxxx
User-agent: Thunderbird 2.0.0.19 (X11/20081227) 
Hi all.

I'm trying to tie mac addresses to IP addresses to stop ip and mac
spoofing on my xen host running debian5.0 amd64. I've been trying to
follow http://archive.netbsd.se/?ml=xen-users&a=2007-11&m=5776600
<http://archive.netbsd.se/?ml=xen-users&a=2007-11&m=5776600>

The DomU's network gets blocked both inward and outward.

I've patched my vif-bridge with the instructions on that page any they
seem to be applied correctly.

The network is a simple 10.0.0.0 network with eth0(10.0.0.5) bridge with
peth0 as the physical interface.

There are the commands I issued at the start

Paris:~# /sbin/ebtables -N eth0
Paris:~# /sbin/ebtables -A eth0 --log-level notice --log-prefix "eth0"
--log-ip --log-arp -j DROP
Paris:~# /sbin/ebtables -A INPUT --logical-in eth0 -j eth0
Paris:~# /sbin/ebtables -A FORWARD --logical-in eth0 -j eth0
Paris:~# /sbin/ebtables -P INPUT DROP
Paris:~# /sbin/ebtables -P FORWARD DROP
Paris:~# brctl show
bridge name bridge id    STP enabled  interfaces
eth0    8000.001b24efefac no      peth0
Paris:~# ebtables --list
Bridge table: filter

Bridge chain: INPUT, entries: 2, policy: DROP
--logical-in eth0 -j eth0

Bridge chain: FORWARD, entries: 2, policy: DROP
--logical-in eth0 -j eth0

Bridge chain: OUTPUT, entries: 0, policy: ACCEPT

Bridge chain: eth0, entries: 1, policy: ACCEPT
--log-level notice --log-prefix "eth0" --log-ip --log-arp -j DROP

############################## #######################################

Now i'll start my DomU

Using config file "/xen/dmarkey/intrepid/intrepid".
Started domain intrepid


Now the rules after i start the domain:


Paris:~# ebtables --list
Bridge table: filter

Bridge chain: INPUT, entries: 2, policy: DROP
--logical-in eth0 -j eth0

Bridge chain: FORWARD, entries: 2, policy: DROP
--logical-in eth0 -j eth0

Bridge chain: OUTPUT, entries: 0, policy: ACCEPT

Bridge chain: eth0, entries: 2, policy: ACCEPT
-i vif8.0 -j vif8.0
--log-level notice --log-prefix "eth0" --log-ip --log-arp -j DROP

Bridge chain: vif8.0, entries: 3, policy: ACCEPT
-p IPv4 -s 0:16:3e:c:8f:80 --ip-src 10.0.0.254 -j ACCEPT
-p ARP -s 0:16:3e:c:8f:80 --arp-ip-src 10.0.0.254 --arp-mac-src
0:16:3e:c:8f:80 -j ACCEPT
--log-level notice --log-prefix "vif8.0" --log-ip --log-arp -j DROP


##############################
###################################################

Log:

[19267.149206] eth0 IN=peth0 OUT=vif8.0 MAC source = 00:e0:81:71:9b:01
MAC dest = 00:16:3e:0c:8f:80 proto = 0x0806 ARP HTYPE=1, PTYPE=0x0800,
OPCODE=2 ARP MAC SRC=00:e0:81:71:9b:01  ARP IP SRC=10.0.0.6 ARP MAC
DST=00:16:3e:0c:8f:80  ARP IP DST=10.0.0.254


Anyone any idea what i'm doing wrong here? Are those instructions out of
date? Sorry im new to ebtables.


Thanks.

_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users
[More with this subject...]
<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  [Xen-users] ebtables tying mac to ip problem, David
Next by Date:  Re: [Xen-users] Access control for the xm command, Grant McWilliams
Previous by Thread:  [Xen-users] ebtables tying mac to ip problem, David
Next by Thread:  [Xen-users] Ubuntu Xen Windows Question, Chris Swanson
Indexes:  [Date] [Thread] [Top] [All Lists]
 
   

Copyright , Citrix Systems Inc. All rights reserved. Legal and Privacy