[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Xen-users] Centos/RHEL/Fedora IPTables Firewalling in dom0/domU + dhclient

To: xen-users@xxxxxxxxxxxxxxxxxxx
From: Michael Best <mbest@xxxxxxxxxxxxx>
Date: Tue, 29 Nov 2005 21:21:38 -0700
Delivery-date: Wed, 30 Nov 2005 04:21:53 +0000
List-id: Xen user discussion <xen-users.lists.xensource.com>

All dom0/domUs are Centos 4.2 but the RHEL and Fedora firewalls arealmost identical in base configuration.

dom0 was rebuilt to contain all the firewall modules required for Centos4.2. domU has no firewalling capability.


dom0 is on vif0.0 and domU here is on vif3.0

I suspect that if I move to static IP addresses this won't end up beingmuch of a problem, but it would be nice to add a couple more rules tomake dhcp work. I want to eventually have at the very least "basic"Centos firewall available on my dom0 and domU.

I modified vif-common.sh to allow network traffic in the FORWARD chainwith the default RH Firewall:


--- /etc/xen/scripts/vif-common.sh.orig  2005-11-28 21:11:03.000000000 -0700
+++ /etc/xen/scripts/vif-common.sh       2005-11-28 21:09:58.000000000 -0700
@@ -61,11 +61,13 @@
   else
     local c="-D"
   fi
+  -D FORWARD -j RH-Firewall-1-INPUT
   iptables "$c" FORWARD -m physdev --physdev-in "$vif" "$@" -j ACCEPT ||
     [ "$c" == "-D" ] ||
     log err \

"iptables $c FORWARD -m physdev --physdev-in $vif $@ -j ACCEPTfailed.

 If you are using iptables, this may affect networking for guest domains."
+  -A FORWARD -j RH-Firewall-1-INPUT
 }

The firewall rules end up being:
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
RH-Firewall-1-INPUT  all  --  anywhere             anywhere

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

ACCEPT all -- anywhere anywhere PHYSDEVmatch --physdev-in vif3.0

RH-Firewall-1-INPUT  all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain RH-Firewall-1-INPUT (2 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     icmp --  anywhere             anywhere            icmp any
ACCEPT     ipv6-crypt--  anywhere             anywhere
ACCEPT     ipv6-auth--  anywhere             anywhere
ACCEPT     udp  --  anywhere             224.0.0.251         udp dpt:5353
ACCEPT     udp  --  anywhere             anywhere            udp dpt:ipp

ACCEPT all -- anywhere anywhere stateRELATED,ESTABLISHEDACCEPT tcp -- anywhere anywhere state NEWtcp dpt:sshLOG all -- anywhere anywhere LOG levelwarningREJECT all -- anywhere anywhere reject-withicmp-host-prohibited



starting the dom0 dhclient results in this firewall log on dom0
----
# dhclient eth0

Nov 29 21:08:37 xen-dom0 kernel: IN=xenbr0 OUT=xenbr0 PHYSIN=vif0.0PHYSOUT=vif3.0 SRC=0.0.0.0 DST=255.255.255.255 LEN=328 TOS=0x10PREC=0x00 TTL=16 ID=0 PROTO=UDP SPT=68 DPT=67 LEN=308Nov 29 21:08:37 xen-dom0 kernel: IN=xenbr0 OUT=xenbr0 PHYSIN=vif0.0PHYSOUT=peth0 SRC=0.0.0.0 DST=255.255.255.255 LEN=328 TOS=0x10 PREC=0x00TTL=16 ID=0 PROTO=UDP SPT=68 DPT=67 LEN=308Nov 29 21:08:37 xen-dom0 kernel: IN=xenbr0 OUT= PHYSIN=vif0.0PHYSOUT=peth0 MAC=ff:ff:ff:ff:ff:ff:00:01:02:be:88:3f:08:00 SRC=0.0.0.0DST=255.255.255.255 LEN=328 TOS=0x10 PREC=0x00 TTL=16 ID=0 PROTO=UDPSPT=68 DPT=67 LEN=308


starting the domU dhclient results in this firewall log on dom0
----
# dhclient eth0

Nov 29 21:11:45 xen-dom0 kernel: IN=xenbr0 OUT= PHYSIN=vif3.0PHYSOUT=vif0.0 MAC=ff:ff:ff:ff:ff:ff:00:16:3e:0f:9d:70:08:00 SRC=0.0.0.0DST=255.255.255.255 LEN=328 TOS=0x10 PREC=0x00 TTL=16 ID=0 PROTO=UDPSPT=68 DPT=67 LEN=308Nov 29 21:11:45 xen-dom0 kernel: IN=eth0 OUT= PHYSIN=vif3.0PHYSOUT=vif0.0 MAC=ff:ff:ff:ff:ff:ff:00:16:3e:0f:9d:70:08:00 SRC=0.0.0.0DST=255.255.255.255 LEN=328 TOS=0x10 PREC=0x00 TTL=16 ID=0 PROTO=UDPSPT=68 DPT=67 LEN=308Nov 29 21:11:47 xen-dom0 kernel: IN=xenbr0 OUT=xenbr0 PHYSIN=peth0PHYSOUT=vif3.0 SRC=192.168.2.2 DST=255.255.255.255 LEN=576 TOS=0x00PREC=0x00 TTL=64 ID=0 PROTO=UDP SPT=67 DPT=68 LEN=556Nov 29 21:11:47 xen-dom0 kernel: IN=xenbr0 OUT=xenbr0 PHYSIN=peth0PHYSOUT=vif0.0 SRC=192.168.2.2 DST=255.255.255.255 LEN=576 TOS=0x00PREC=0x00 TTL=64 ID=0 PROTO=UDP SPT=67 DPT=68 LEN=556Nov 29 21:11:47 xen-dom0 kernel: IN=xenbr0 OUT= PHYSIN=peth0PHYSOUT=vif0.0 MAC=ff:ff:ff:ff:ff:ff:00:13:10:2d:93:b2:08:00SRC=192.168.2.2 DST=255.255.255.255 LEN=576 TOS=0x00 PREC=0x00 TTL=64ID=0 PROTO=UDP SPT=67 DPT=68 LEN=556


-Mike

_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users

Prev by Date: Re: [Xen-users] Can't open a shell in Xen unstable
Next by Date: Re: [Xen-users] so close! just an iptables rule away.....?
Previous by thread: [Xen-users] How should I use ppp dialup in domU ???
Next by thread: [Xen-users] xen 3.0 Error: Device 2049 (vbd) could not be connected. Backend device not found.
Index(es):
- Date
- Thread

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.