
Re: [Xen-users] firewalls and Xen



On Tue, Feb 14, 2006 at 12:51:16PM -0500, Patrick Wolfe wrote:
> On Tue, 2006-02-14 at 10:44 -0600, Daniel Goertzen wrote:
> > FYI I am implementing a firewall using firehol in a domU.  It has 3 
> > interfaces which are plugged into 3 bridges in my dom0 (internet, lan, 
> > and dmz).  Only 2 of the bridges connect to physical ethernet interfaces 
> > (internet, lan); the other one is meant for routing to dmz domUs only.  
> > My setup is not complete but partial tests are showing good results.
> 
> 
> On the two systems I set up running xen3 and a firewall, I found it made
> much more sense to create a firewall domU with a minimal OS, and do all my
> iptables filtering there.  Just like Daniel describes, I created a
> bridge for each physical interface, connected the physical interface and
> firewall domU to each of those bridges, then created one additional bridge
> (my XEN DMZ) to which I attached the firewall, dom0's veth0 and all
> other domUs.
> 
> +-------+   +---------+               +-----------+
> | peth0 |---| br0eth0 |       +-------|veth0 dom0 |
> +-------+   +---------+       |       +-----------+
>                  |            |
>             +--eth0--+        |
>             |        |        |
>             |        e        |
>             | fire1  t   +--------+   +-----------+
>             | domU1  h---| br2dmz |---|eth0 domU2 |
>             |        2   +--------+   +-----------+
>             |        |        |
>             +--eth1--+        |
>                  |            |
> +-------+   +---------+       |       +-----------+
> | peth1 |---| br1eth1 |       +-------|eth0 domU3 |
> +-------+   +---------+               +-----------+
>

My setup is similar to above, except I wanted dom0 only accessible on the 
private lan as follows:

+-------+   +---------+    +-----------+
| peth0 |---| br0eth0 |----|eth0 domU2 |
+-------+   +---------+    +-----------+
                 |
            +--eth0--+
            |        |
            | fire1  |
            | domU1  |
            |        |
            +--eth1--+
                 |
+-------+   +---------+    +----------+
| peth1 |---| br1eth1 |----|eth1 dom0 |
+-------+   +---------+    +----------+

The domUs can access anything without trouble.  Dom0 can successfully ping any 
IP address, but cannot connect to remote services.  I'm accepting all services 
in iptables (firehol), and since no packets are being logged as 
blocked/dropped, I'm reasonably sure the iptables rules are correct.  From 
dom0, attempting a wget of google's homepage (64.233.187.99) shows the 
connection is successful, but the request times out waiting for a response:


~# wget 64.233.187.99
--13:59:05--  http://64.233.187.99/
           => `index.html'
Connecting to 64.233.187.99:80... connected.
HTTP request sent, awaiting response...


The conntrack info from /proc/net/ip_conntrack on the firewall confirms the 
connection is active (if I'm reading it right):


~# cat ip_conntrack
tcp 6 264 ESTABLISHED src=192.168.1.20 dst=64.233.187.99 sport=1797 dport=80 
packets=8 bytes=940 src=64.233.187.99 dst=<domU1 eth0 IP> sport=80 dport=1797 
packets=1 bytes=44 [ASSURED] use=1


It appears as though the response comes all the way back to eth0 on the 
firewall (again, if I'm reading the above connection info right), but it 
doesn't continue down to dom0.  So my question is, how does one masquerade dom0 
through a domU?  Do forwarding rules need to be in place in dom0 between 
br0eth0 and br1eth1, or can all the iptables work be done in a domU?  For 
reference, here's my bridge setup showing the associated domain interfaces:


~# brctl show
bridge name     bridge id               STP enabled     interfaces
xenbr0          8000.feffffffffff       no              peth0
                                                        vif1.0
                                                        vif2.0
xenbr1          8000.feffffffffff       no              peth1
                                                        vif0.1
                                                        vif1.1

Thanks for any insight,
-Kevin

_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users
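Added illustration, not part of the thread: a small Python parser for the /proc/net/ip_conntrack line format Kevin quotes, with two checks a reader would apply to that entry. The first tells whether the reply tuple has been rewritten by a NAT rule (in the quoted entry the reply's dst is the firewall's own address rather than 192.168.1.20, so masquerading is in effect); the second flags flows where the originator keeps sending but almost nothing comes back (8 packets out, 1 packet of 44 bytes back). The firewall address 10.0.0.2 stands in for the <domU1 eth0 IP> placeholder, and the UDP line is a constructed healthy flow for contrast; neither value comes from the post.

```python
"""Parse /proc/net/ip_conntrack entries and flag NATed or one-sided flows.

Added example, not code from the thread. Sample entries are constructed:
10.0.0.2 replaces the <domU1 eth0 IP> placeholder from the post.
"""
from dataclasses import dataclass
from typing import List, Optional

SAMPLE_CONNTRACK = (
    # Modelled on the entry in the post: 8 packets out, only 1 packet back.
    "tcp 6 264 ESTABLISHED src=192.168.1.20 dst=64.233.187.99 sport=1797 dport=80 "
    "packets=8 bytes=940 src=64.233.187.99 dst=10.0.0.2 sport=80 dport=1797 "
    "packets=1 bytes=44 [ASSURED] use=1\n"
    # Constructed DNS exchange: no NAT, balanced counters.
    "udp 17 29 src=192.168.1.20 dst=192.168.1.1 sport=1024 dport=53 "
    "packets=1 bytes=60 src=192.168.1.1 dst=192.168.1.20 sport=53 dport=1024 "
    "packets=1 bytes=120 use=1\n"
)

TUPLE_KEYS = ("src", "dst", "sport", "dport", "packets", "bytes")


@dataclass
class Tuple:
    src: str
    dst: str
    sport: int
    dport: int
    packets: int
    bytes: int


@dataclass
class Entry:
    proto: str
    timeout: int
    state: Optional[str]
    orig: Tuple
    reply: Tuple
    flags: List[str]


def _to_tuple(fields: dict) -> Tuple:
    # packets/bytes only appear when conntrack accounting is enabled; default to 0.
    return Tuple(fields["src"], fields["dst"], int(fields.get("sport", 0)),
                 int(fields.get("dport", 0)), int(fields.get("packets", 0)),
                 int(fields.get("bytes", 0)))


def parse_entry(line: str) -> Entry:
    tokens = line.split()
    proto, timeout = tokens[0], int(tokens[2])  # tokens[1] is the protocol number
    rest = tokens[3:]
    # TCP entries carry a state word (ESTABLISHED, SYN_SENT, ...) before the tuples.
    state = None
    if rest and "=" not in rest[0] and not rest[0].startswith("["):
        state = rest.pop(0)
    flags, directions, current = [], [], {}
    for tok in rest:
        if tok.startswith("[") and tok.endswith("]"):
            flags.append(tok.strip("[]"))  # e.g. ASSURED, UNREPLIED
            continue
        key, _, value = tok.partition("=")
        if key == "src" and current:  # the second src= starts the reply tuple
            directions.append(current)
            current = {}
        if key in TUPLE_KEYS:
            current[key] = value
    directions.append(current)
    if len(directions) != 2:
        raise ValueError("expected an original and a reply tuple: %r" % line)
    return Entry(proto, timeout, state, _to_tuple(directions[0]),
                 _to_tuple(directions[1]), flags)


def nat_applied(e: Entry) -> bool:
    """True when the reply tuple is not the mirror image of the original
    tuple, i.e. a NAT rule (SNAT/MASQUERADE or DNAT) rewrote the flow."""
    return ((e.reply.dst, e.reply.dport) != (e.orig.src, e.orig.sport)
            or (e.reply.src, e.reply.sport) != (e.orig.dst, e.orig.dport))


def reply_starved(e: Entry, ratio: int = 4) -> bool:
    """True when the originator has sent many packets but at most one has
    come back through this conntrack hook: worth a packet capture on both
    sides of the firewall to see where the replies stop."""
    return e.reply.packets <= 1 and e.orig.packets >= ratio


def diagnose(text: str) -> List[dict]:
    report = []
    for line in text.splitlines():
        if not line.strip():
            continue
        e = parse_entry(line)
        report.append({
            "flow": "%s %s:%d -> %s:%d" % (e.proto, e.orig.src, e.orig.sport,
                                           e.orig.dst, e.orig.dport),
            "state": e.state,
            "nat": nat_applied(e),
            "reply_starved": reply_starved(e),
        })
    return report


if __name__ == "__main__":
    for row in diagnose(SAMPLE_CONNTRACK):
        print(row)
```

Running it on a live firewall is `cat /proc/net/ip_conntrack | python3 thisfile.py`-style piping into `diagnose`; the interesting rows are those with `nat` true and `reply_starved` true, which is exactly the shape of the quoted entry.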
