This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/


Re: [Xen-users] Re: number of ips

Disclaimer: I have never actually tried this, but I don't see any reason why it wouldn't work. You might also be interested in reading http://ebtables.sourceforge.net/br_fw_ia/br_fw_ia.html

As far as I'm aware, Xen (at least in Debian; check the xend-config.sxp & the network scripts it uses, most likely network-bridge & vif-bridge) adds the appropriate iptables entries to allow traffic to pass from the domains if you are operating purely on Xen config (if your iptables' FORWARD policy is otherwise secure. Though, generally it isn't). The vif-bridge script adds two rules to iptables when a new vif interface is brought up:

-A FORWARD -s $IPOFDOMU/32 -m physdev --physdev-in $DOMUVIF -j ACCEPT #like IPOFDOMU= and DOMUVIF=vif6.0
-A FORWARD -p udp -m physdev --physdev-in $DOMUVIF -m udp --sport 68 --dport 67 -j ACCEPT #For DHCP traffic.

Of course in your case this should be removed (or simply add a rule at the top of the FORWARD chain that blocks port 67 and 68 traffic).

Basically what you first need to do is create a ruleset in the FORWARD chain that permits anything from the external interface and lets Linux decide what to do with it. You could, of course, also check that they are destined to legitimate IP addresses. After that is working, when a domain is created, it should add the appropriate rules automatically. The last rule (or policy) should be DROP.

Xen doesn't handle adding IPs to the guest OS, so that is manual work on the guest OS (of course, there are many ways to automate that (like installing a puppet agent on the guest domains and making Dom0 the puppetmaster)).

-Eljas Alakulppi

On Sat, 11 Apr 2009 13:52:57 +0300, Anand Gupta <xen.mails@xxxxxxxxx> wrote:

Hi Vu,
Of course these users are all root users, each domU root user is maintaining
it themselves.

Can you recommend how to use iptables to achieve this? The earlier
solutions I seem to have seen are all based on ebtables.

On Sat, Apr 11, 2009 at 5:33 AM, Vu Pham <vu@xxxxxxxxxx> wrote:

Vu Pham wrote:

Anand Gupta wrote:

Hi Vu,

Actually both. I am basically offering VPS services. So it's critical
for my setup that users use only the IPs I have assigned to their
domU. They shouldn't arbitrarily add IP series and start to use them.
Further I have some domUs where I have to add multiple IPs for use
inside them.

Are the users just non-root users? Or are you going to let them access
their domU as root accounts so they have systems with all permissions?

Non-root users cannot assign ip address, I believe.

I clicked Send too fast. If they are root users, you can set up iptables on
dom0 to block them according to the IPs you assign to them. If they assign
more, those IPs cannot get out.



On 4/11/09, Vu Pham <vu@xxxxxxxxxx> wrote:

Anand Gupta wrote:

Hi Nick,

Thanks for the reply. What if they are on a different subnet? And then what stops a user inside a domU from adding any IP in that series (as long as the IPs are assigned and routable to the server) and starting to use it?

On 4/11/09, Nick Anderson <nick@xxxxxxxxxxxx> wrote:

On Sat, Apr 11, 2009 at 01:35:48AM +0530, Anand Gupta wrote:

Hmm... So if I have to assign, let's say, 6 IPs to a domU, what is the
best method to do so?

Well if they are all on the same subnet and you're using standard
bridging and using a Linux domU you should be able to just bring up
virtual interfaces.

# one alias interface per additional address; values in <> are placeholders
ifconfig eth0:0 <first extra IP> netmask <netmask> up
ifconfig eth0:1 <second extra IP> netmask <netmask> up
ifconfig eth0:2 <third extra IP> netmask <netmask> up

Hi Anand,

I just want to understand more about your problem. Do you want to be
able to have many IPs on domU or do you worry about users trying to add
too many IPs that can affect the system?



Xen-users mailing list

Using Opera's revolutionary e-mail client: http://www.opera.com/mail/
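A worked version of the dom0 FORWARD ruleset that Eljas and Vu describe above (default DROP, DHCP blocked at the top of the chain, traffic from the external bridge port accepted, and each domU's vif allowed to source only the IPs assigned to it), added here as an example; it is not code from the thread and not Xen's own vif-bridge script. The interface names (peth0 for the physical NIC as renamed by network-bridge, vif6.0 and vif7.0 for guests) and the 192.0.2.0/24 addresses are assumptions and constructed sample data. The script prints the rules as text so they can be reviewed before being applied on dom0 with `sh gen-rules.sh --demo | sh`.

```shell
#!/bin/sh
# Added example, not from the thread or from Xen's vif-bridge script.
# Generates (as text, for review) the dom0 FORWARD ruleset the thread describes:
# default DROP, DHCP blocked, traffic from the external bridge port accepted, and
# each domU vif allowed to source only the IPs assigned to it. Interface names and
# addresses are assumptions: peth0 is what network-bridge renames the physical NIC
# to, and 192.0.2.0/24 is a documentation range used as constructed sample data.

IPTABLES=${IPTABLES:-iptables}

# Emit one rule line; $1 is everything after the iptables command itself.
rule() {
    printf '%s %s\n' "$IPTABLES" "$1"
}

# Base FORWARD policy. $1 is the external bridge port (assumed: peth0).
gen_base_rules() {
    ext_if=$1
    rule '-F FORWARD'
    rule '-P FORWARD DROP'
    # DHCP client->server traffic is never forwarded: guests only get the static
    # addresses assigned to them (this is the "block 67/68 at the top" rule).
    rule '-A FORWARD -p udp -m udp --sport 68 --dport 67 -j DROP'
    # Replies to flows a guest opened, and anything arriving from the outside world;
    # Linux routing/bridging decides where that goes.
    rule '-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT'
    rule "-A FORWARD -m physdev --physdev-in $ext_if -j ACCEPT"
}

# Per-domU rules. $1 is the vif (e.g. vif6.0); remaining args are its assigned IPv4
# addresses. This mirrors the ACCEPT rule vif-bridge adds, then closes the gap for
# any other source address the guest's root user might configure.
gen_vif_rules() {
    vif=$1
    shift
    for ip in "$@"; do
        case $ip in
            # crude sanity check: dotted decimal only, refuse anything else
            *[!0-9.]*|'') echo "gen_vif_rules: bad address '$ip'" >&2; return 1 ;;
        esac
        rule "-A FORWARD -s $ip/32 -m physdev --physdev-in $vif -j ACCEPT"
    done
    # Any other source address leaving this vif is one the guest added itself:
    # log it so the operator can see it, then drop it.
    rule "-A FORWARD -m physdev --physdev-in $vif -j LOG --log-prefix \"xen-badsrc $vif: \""
    rule "-A FORWARD -m physdev --physdev-in $vif -j DROP"
}

# Demo run: print the full ruleset for two guests. Pipe into sh to apply on dom0.
if [ "${1-}" = "--demo" ]; then
    gen_base_rules peth0
    gen_vif_rules vif6.0 192.0.2.10 192.0.2.11
    gen_vif_rules vif7.0 192.0.2.20
fi
```

Because the per-vif LOG/DROP pair is appended after the ACCEPT rules for that vif, a guest that adds an address it was not given still has its packets bridged into dom0 but never forwarded out, and the log prefix tells you which vif did it. If you let vif-bridge keep adding its own ACCEPT rules, the DHCP DROP placed early in the chain still wins over the later DHCP ACCEPT it inserts.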
