xen-users
Re: [Xen-users] Re: number of ips
Disclaimer: I have never actually tried this, but I don't see any reasons
why it wouldn't work.
You might also be interested in reading
http://ebtables.sourceforge.net/br_fw_ia/br_fw_ia.html
As far as I'm aware, Xen (at least in Debian; check the xend-config.sxp and
the network scripts it uses, most likely network-bridge and vif-bridge) adds
the appropriate iptables entries to allow traffic to pass from the domains
if you are operating purely on Xen config (if your iptables FORWARD
policy is otherwise secure, though generally it isn't). The vif-bridge script
adds two rules to iptables when a new vif interface is brought up:
-A FORWARD -s $IPOFDOMU/32 -m physdev --physdev-in $DOMUVIF -j ACCEPT
# like IPOFDOMU=52.35.123.250 and DOMUVIF=vif6.0
-A FORWARD -p udp -m physdev --physdev-in $DOMUVIF -m udp --sport 68 --dport 67 -j ACCEPT
# For DHCP traffic. Of course in your case this should be removed (or simply
# add a rule at the top of the FORWARD chain that blocks port 67 and 68 traffic).
Basically what you first need to do is create a ruleset for the FORWARD chain
that permits anything from the external interface and lets Linux decide what to
do with it. You could, of course, also check that they are destined to
legitimate IP addresses. After that is working, when a domain is created, it
should add the appropriate rules automatically. The last rule (or policy)
should be DROP.
Xen doesn't handle adding IPs to the guest OS, so that is manual work on
the guest OS (of course, there are many ways to automate that, like
installing a puppet agent on the guest domains and making Dom0 the
puppetmaster).
-Eljas Alakulppi
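The dom0 FORWARD ruleset sketched in the message above, written out as an added example (not code from the thread or from Xen's own vif-bridge script). It assumes the bridge's uplink port is called peth0 (override with EXT_IF), that domU vifs are named vifN.0 as in the post, and it prints the iptables commands instead of running them unless DRY_RUN=0; the second address given in the usage comment is constructed.

```shell
#!/bin/sh
# Added example: dom0 FORWARD rules in the style described above.
# Accept what arrives from the external uplink, accept only each domU's
# assigned addresses from its vif, log and drop everything else from it.
# Assumed names: EXT_IF (uplink port on the bridge, default peth0) and
# vifN.0 per domU. DRY_RUN=1 (default) prints commands instead of applying.
# Note: bridged frames only traverse iptables FORWARD while
# net.bridge.bridge-nf-call-iptables=1 (see the ebtables page linked above).

EXT_IF="${EXT_IF:-peth0}"

# ipt: run iptables, or just print the command in dry-run mode
ipt() {
    if [ "${DRY_RUN:-1}" = 1 ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

# base_forward_ruleset: policy DROP, flush, block DHCP client->server
# traffic crossing the bridge, then accept anything coming in from the
# uplink and let the kernel decide where it goes.
base_forward_ruleset() {
    ipt -P FORWARD DROP
    ipt -F FORWARD
    ipt -A FORWARD -p udp -m udp --sport 68 --dport 67 -j DROP
    ipt -A FORWARD -m physdev --physdev-in "$EXT_IF" -j ACCEPT
}

# domu_rules VIF IP...: per-domU rules like the ones vif-bridge adds, one
# ACCEPT per assigned address, followed by a rate-limited LOG and a DROP so
# a guest that adds unassigned IPs cannot get out and shows up in dom0's
# kernel log.
domu_rules() {
    vif="$1"; shift
    for ip in "$@"; do
        ipt -A FORWARD -s "$ip/32" -m physdev --physdev-in "$vif" -j ACCEPT
    done
    ipt -A FORWARD -m physdev --physdev-in "$vif" -m limit --limit 5/min \
        -j LOG --log-prefix "xen-spoof $vif: "
    ipt -A FORWARD -m physdev --physdev-in "$vif" -j DROP
}

# Usage, for the domU from the post plus a second (constructed) address:
#   base_forward_ruleset
#   domu_rules vif6.0 52.35.123.250 52.35.123.251
```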
On Sat, 11 Apr 2009 13:52:57 +0300, Anand Gupta <xen.mails@xxxxxxxxx> wrote:
Hi Vu,
Of course these users are all root users; each domU root user is
maintaining them themselves.
Can you recommend how to use iptables to achieve this? The earlier
solutions I seem to have seen are all based on ebtables.
On Sat, Apr 11, 2009 at 5:33 AM, Vu Pham <vu@xxxxxxxxxx> wrote:
Vu Pham wrote:
Anand Gupta wrote:
Hi Vu,
Actually both. I am basically offering VPS services. So it's critical
for my setup that users use only the IPs I have assigned to their
domU. They shouldn't arbitrarily add IP series and start to use them.
Further, I have some domUs where I have to add multiple IPs for use
inside them.
Are the users just non-root users? Or are you going to let them access
their domU as root accounts so they have systems with all permissions?
Non-root users cannot assign IP addresses, I believe.
I clicked Send too fast. If they are root users, you can set up iptables on
dom0 to block them according to the IPs you assign to them. If they assign
more, those IPs cannot get out.
Vu
Vu
On 4/11/09, Vu Pham <vu@xxxxxxxxxx> wrote:
Anand Gupta wrote:
Hi Nick,
Thanks for the reply. What if they are on a different subnet? And then
what stops a user inside the domU from adding any IP in that series (as long
as the IPs are assigned and routable to the server) and starting to use it?
On 4/11/09, Nick Anderson <nick@xxxxxxxxxxxx> wrote:
On Sat, Apr 11, 2009 at 01:35:48AM +0530, Anand Gupta wrote:
Hmm... So if I have to assign, let's say, 6 IPs to a domU, what is the
best method to do so?
Well, if they are all on the same subnet and you're using standard
bridging and using a Linux domU, you should be able to just bring up
virtual interfaces.
ifconfig eth0:0 192.168.1.2
ifconfig eth0:1 192.168.1.3
ifconfig eth0:2 192.168.1.4
Hi Anand,
I just want to understand more about your problem. Do you want to be
able to have many IPs on a domU, or do you worry about users trying to add
too many IPs that can affect the system?
Thanks,
Vu
_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users
--
Using Opera's revolutionary e-mail client: http://www.opera.com/mail/