WARNING - OLD ARCHIVES

This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/
xen-users

RE: [Xen-users] Sucessful IPtables config on Dom0 anyone?

To: "Ian Tobin" <itobin@xxxxxxxxxxxxx>, <xen-users@xxxxxxxxxxxxxxxxxxx>
Subject: RE: [Xen-users] Sucessful IPtables config on Dom0 anyone?
From: "Gary W. Smith" <gary@xxxxxxxxxxxxxxx>
Date: Fri, 16 Feb 2007 07:50:30 -0800
Delivery-date: Fri, 16 Feb 2007 07:50:37 -0800
Envelope-to: www-data@xxxxxxxxxxxxxxxxxx
In-reply-to: <E0E43F8F0962AD4C8A1D6CE8ED5EDE3F130E54@xxxxxxxxxxxxxxxxxxxxxx>
List-help: <mailto:xen-users-request@lists.xensource.com?subject=help>
List-id: Xen user discussion <xen-users.lists.xensource.com>
List-post: <mailto:xen-users@lists.xensource.com>
List-subscribe: <http://lists.xensource.com/cgi-bin/mailman/listinfo/xen-users>, <mailto:xen-users-request@lists.xensource.com?subject=subscribe>
List-unsubscribe: <http://lists.xensource.com/cgi-bin/mailman/listinfo/xen-users>, <mailto:xen-users-request@lists.xensource.com?subject=unsubscribe>
References: <E0E43F8F0962AD4C8A1D6CE8ED5EDE3F130E54@xxxxxxxxxxxxxxxxxxxxxx>
Sender: xen-users-bounces@xxxxxxxxxxxxxxxxxxx
Thread-index: AcdR266cyGkuPsFCTNm/LS495BWiHQABSdZQ
Thread-topic: [Xen-users] Sucessful IPtables config on Dom0 anyone?

Ian,

 

Here is what we did.  We tweaked the vif-common.sh script and set the automated vif entries to be in a separate table.  Then we created our own iptables ruleset that contained this new table.  That way when a xen instance is created or destroyed it modifies its own table and all of your rules are still in place.  As you can see in the grep, I have added the VIF table.  The iptables-save is below that showing how it's added allowing you to add your own rules.  In my case I also have a custom bridge script in place as this machine also has the firewall instance on it (my home office) but this script doesn't modify iptables.  I had to drop all incoming traffic on eth1 (but forward is okay) otherwise Comcast cable flips out.

 

[root@xen09 scripts]# grep iptables vif-common.sh
  iptables -t filter "$c" VIF -m physdev --physdev-in "$vif" "$@" -j ACCEPT \
     "iptables -t filter $c VIF -m physdev --physdev-in $vif $@ -j ACCEPT failed.
If you are using iptables, this may affect networking for guest domains."
# Add or remove the appropriate entries in the iptables.  With antispoofing
  # Check for a working iptables installation.  Checking for the iptables
  # modules installed.  If iptables is not working, then there's no need to do
  if ! iptables -L -n >&/dev/null

 

[root@xen09 ~]# iptables-save
# Generated by iptables-save v1.3.1 on Fri Feb 16 07:45:10 2007
*filter
:INPUT ACCEPT [6461319:1044613875]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [2857055:11286763964]
:VIF - [0:0]
-A INPUT -m physdev  --physdev-in eth1 -j LOG --log-prefix "FW_INPUT: " --log-level 6
-A INPUT -m physdev  --physdev-in eth1 -j DROP
-A FORWARD -i xenbr0 -o xenbr0 -j ACCEPT
-A FORWARD -i xenbr1 -o xenbr1 -j ACCEPT
-A FORWARD -i lo -j ACCEPT
-A FORWARD -j VIF
-A FORWARD -j LOG --log-prefix "FW_FOWARD: " --log-level 6
-A VIF -m physdev  --physdev-in vif2.0 -j ACCEPT
-A VIF -m physdev  --physdev-in vif3.0 -j ACCEPT
-A VIF -m physdev  --physdev-in vif4.0 -j ACCEPT
-A VIF -m physdev  --physdev-in vif5.0 -j ACCEPT
-A VIF -m physdev  --physdev-in vif7.0 -j ACCEPT
-A VIF -m physdev  --physdev-in vif10.0 -j ACCEPT
-A VIF -m physdev  --physdev-in vif28.0 -j ACCEPT
-A VIF -m physdev  --physdev-in vif29.0 -j ACCEPT
-A VIF -m physdev  --physdev-in vif29.1 -j ACCEPT
-A VIF -m physdev  --physdev-in vif31.0 -j ACCEPT
-A VIF -m physdev  --physdev-in vif32.0 -j ACCEPT
COMMIT

 

 

 

From: xen-users-bounces@xxxxxxxxxxxxxxxxxxx [mailto:xen-users-bounces@xxxxxxxxxxxxxxxxxxx] On Behalf Of Ian Tobin
Sent: Friday, February 16, 2007 7:04 AM
To: xen-users@xxxxxxxxxxxxxxxxxxx
Subject: [Xen-users] Sucessful IPtables config on Dom0 anyone?

 

Hi,

 

we are trying to secure our Xen boxes with IPtables on Dom0 but we always seem to get cut off and can only cure it by rebooting the box.

 

Has anyone got a successful config they can share that secures the server with one nic?

 

We are using Xen 3.0.4

 

thanks

 

Ian

 

_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users
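The separate-chain layout Gary describes, written out as an added example (it is neither his script nor Xen's vif-common.sh): the admin ruleset owns INPUT and FORWARD and only jumps into a VIF chain, and the hotplug hook may append to or delete from that chain alone, so domain create/destroy never disturbs the rest. It assumes eth1 as the external port and xenbr0 as the bridge, as in the iptables-save output above, and lets IPT be overridden (IPT=echo) to preview the commands without root.

```shell
#!/bin/sh
# Added example, not from the list post. IPT and EXT_IF are assumptions:
# override IPT=echo for a dry run, EXT_IF for a different external port.
IPT="${IPT:-iptables}"
EXT_IF="${EXT_IF:-eth1}"

# The VIF chain is created once and is the only chain the hotplug hook
# touches. Re-running this is harmless: -N fails if the chain exists.
ensure_vif_chain() {
    $IPT -t filter -N VIF 2>/dev/null || true
}

# Admin-owned rules. Order matters: the VIF jump must come before the
# catch-all LOG, otherwise guest traffic is logged instead of accepted.
base_rules() {
    ensure_vif_chain
    # Log, then drop, anything the bridge hands up from the external port.
    $IPT -t filter -A INPUT -m physdev --physdev-in "$EXT_IF" \
        -j LOG --log-prefix "FW_INPUT: " --log-level 6
    $IPT -t filter -A INPUT -m physdev --physdev-in "$EXT_IF" -j DROP
    # Traffic staying on the bridge, then the per-vif ACCEPTs, then audit.
    $IPT -t filter -A FORWARD -i xenbr0 -o xenbr0 -j ACCEPT
    $IPT -t filter -A FORWARD -j VIF
    $IPT -t filter -A FORWARD -j LOG --log-prefix "FW_FORWARD: " --log-level 6
}

# What the modified vif-common.sh does for one interface.
# $1 is "-A" (vif online) or "-D" (vif offline); anything else is refused
# so a typo in the hook cannot flush or alter admin chains.
vif_hook() {
    op="$1"; vif="$2"
    case "$op" in
        -A|-D) ;;
        *) echo "vif_hook: refusing op '$op'" >&2; return 1 ;;
    esac
    $IPT -t filter "$op" VIF -m physdev --physdev-in "$vif" -j ACCEPT
}
```

Source the file and call base_rules once at boot; the hook calls vif_hook -A / -D with the vif name from the hotplug event.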