Re: [Xen-devel] Iptables
> From the paper "Isolation of Shared Network Resources in
> XenoServers", it seems that Xen supports IPTABLES for each guest
> OS and dom0. Can someone tell me how to use it in Xen? That is,
> how to set those rules for each guest OS?

In the xeno-unstable tree, the guest OS's virtual 'back-end' interfaces appear as devices in domain0 (e.g. vif1.0 is domain 1 vif 0). The normal way to configure them is to use brctl (from the bridge-utils package) to do L2 bridging onto the real network interface.

If you want to do iptables filtering you'll need to install the "ebtables-bridged-nf" patch:

http://heanet.dl.sourceforge.net/sourceforge/ebtables/ebtables-brnf-5_vs_2.4.25.diff.gz

The patch will apply to Linux 2.4.26 with fuzz factor 3 (-F3). The only extra kernel config option you'll probably want to enable is IP_NF_MATCH_PHYSDEV.

Alternatively, you might be able to do what you want just using ebtables rather than iptables, in which case you should enable BRIDGE_NF_EBTABLES etc.

You'll need a relatively recent version of iptables to support the physdev option -- the default RH9 1.2.7a doesn't support it.

Once you're running your new domain 0 kernel you'll be able to configure things in the normal way. For example, to restrict a domain to a specific IP address:

  iptables -P FORWARD DROP
  iptables -A FORWARD -m physdev --physdev-in vif1.0 -s 129.239.38.221 -j ACCEPT
  iptables -A FORWARD -m physdev --physdev-out vif1.0 -d 129.239.38.221 -j ACCEPT

Over time, we'll be adding stuff to the management tools to make configuring IP address restrictions etc. easier. Also, I'll add something to the toplevel Makefile to make installing the ebtables-bridged-nf patch the default for domain 0 kernels, as I think many people will want it. The patch is already in mainstream 2.6, so when we make the switch we'll be able to drop it.

Ian
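The three iptables lines above pin one guest to one address. The script below is an added example (not code from the post, from Ian, or from Xen) that generates the same physdev-based FORWARD rule set for a whole list of guests, checks that dom0's iptables actually has the physdev match the reply warns about, and adds the ARP-level counterpart via ebtables, which the reply mentions as an alternative. The "vif ip" mapping format, the function names, the second vif2.0 entry and the ebtables rule are my assumptions, not something the post specifies.

```sh
#!/bin/sh
# Added example, not code from the original post or from Xen: generate the
# per-domain iptables rules Ian describes for a whole list of guests, plus
# a check that dom0's iptables actually has the physdev match.
# Assumptions (not in the post): the "vif ip" mapping format, the function
# names, and the ebtables ARP rule at the end.

# Constructed sample: dom0 backend device -> the one IPv4 address the guest
# may use. vif1.0/129.239.38.221 is the pair from the post; vif2.0 is made up.
VIF_MAP="vif1.0 129.239.38.221
vif2.0 129.239.38.222"

# Emit the iptables commands, one per line, without executing them, so the
# rule set can be reviewed first and then piped to sh on the real domain 0.
gen_rules() {
    # Default deny: anything bridged through dom0 that no rule accepts is dropped.
    echo "iptables -P FORWARD DROP"
    printf '%s\n' "$1" | while read -r vif ip; do
        [ -n "$vif" ] && [ -n "$ip" ] || continue
        # Frames that entered the bridge from this backend device are only
        # forwarded when they carry the guest's own source address...
        echo "iptables -A FORWARD -m physdev --physdev-in $vif -s $ip -j ACCEPT"
        # ...and frames heading back out to the guest only when addressed to it.
        echo "iptables -A FORWARD -m physdev --physdev-out $vif -d $ip -j ACCEPT"
    done
}

# Number of rules gen_rules produces: one policy line plus two per guest.
rule_count() {
    gen_rules "$1" | wc -l | tr -d ' '
}

# The post warns that older iptables (RH9's 1.2.7a) lacks physdev. Asking the
# binary for the match's help text loads the extension; exit status 0 means
# the match is available. Returns 1 if iptables is missing or too old.
has_physdev() {
    command -v iptables >/dev/null 2>&1 || return 1
    iptables -m physdev -h >/dev/null 2>&1
}

# iptables only sees IP; a guest can still answer ARP for an address it does
# not own. ebtables (the alternative the post mentions) can pin ARP as well.
# The "--arp-ip-src ! address" negation form is from the ebtables man page as
# I recall it; treat it as an assumption and check against your version.
gen_arp_rules() {
    printf '%s\n' "$1" | while read -r vif ip; do
        [ -n "$vif" ] && [ -n "$ip" ] || continue
        echo "ebtables -A FORWARD -i $vif -p ARP --arp-ip-src ! $ip -j DROP"
    done
}

# Usage on dom0 (after reviewing the output):
#   has_physdev || echo "iptables lacks -m physdev; upgrade it" >&2
#   gen_rules "$VIF_MAP" | sh
#   gen_arp_rules "$VIF_MAP" | sh
```

The generator only prints commands, so you can diff the output against what is currently loaded before piping it to sh; with the default policy set to DROP first, any guest whose mapping is missing or mistyped simply loses connectivity rather than gaining an unrestricted path.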
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxxxx
https://lists.sourceforge.net/lists/listinfo/xen-devel