Re: [Xen-users] Network security


You should have iptables compiled into the kernel in Dom-0 with physdev
match support.
Set the default policy for FORWARD to DROP.
Add a specific rule in Dom-0 for each IP address to forward packets for
that IP address only through the interface for that Dom-U. The vifname
parameter in the Dom-U config file would be good in this circumstance.
Suppose you create a Dom-U named domain1 with vifname domain1 - set the
rules below.

iptables -P FORWARD DROP
iptables -A FORWARD -s <ipaddress for that domain> -m physdev
--physdev-in domain1 -j ACCEPT
iptables -A FORWARD -d <ipaddress for that domain> -m physdev
--physdev-out domain1 -j ACCEPT

If you want to bind multiple IPs to one Dom-U you should add a rule
like this for each IP address.


Andrew W. wrote:

> Hello all,
> New to the list, so please bear with me.  I'm trying to configure a
> bunch of domU's that will be controlled by various untrusted
> sysadmins.  I want to prevent them from attempting to steal each
> other's IP addresses.  This won't need RFC1918 address space; I have
> globally routable IPs.  My requirements are simply one IP per domU,
> with the ability to route additional blocks (maybe a /29 or /30) to
> individual domU's as necessary.
> I'm not opposed to using iptables or any other such trickery to
> accomplish this.  Comments?
> Regards,
> Andrew Wang
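The per-domU FORWARD rules from the reply above, as an added example that is not from the list post: a small POSIX sh script that generates the Dom-0 ruleset (default DROP, then one ACCEPT pair per address bound to each domU's vif) from a constructed inventory. It assumes bridged Xen networking in which bridged frames traverse the FORWARD chain; vif names and addresses are sample values.

```shell
#!/bin/sh
# Added example, not from the original thread. Generates the Dom-0 FORWARD
# rules described in the reply: default DROP, then for each domU one ACCEPT
# pair tied to that domU's vif (the vifname from the Dom-U config), so a
# domU can only send from, and receive for, the addresses assigned to it.
# Assumes bridged Xen networking where bridged frames traverse FORWARD.
# vif names and addresses below are constructed sample values.

# domu_rules VIFNAME ADDR [ADDR...]
# Prints one ACCEPT pair per address. A routed block (the /29 or /30 from
# the question) can be given in CIDR form, since -s and -d accept a prefix.
domu_rules() {
    vif=$1
    shift
    for addr in "$@"; do
        printf 'iptables -A FORWARD -s %s -m physdev --physdev-in %s -j ACCEPT\n' "$addr" "$vif"
        printf 'iptables -A FORWARD -d %s -m physdev --physdev-out %s -j ACCEPT\n' "$addr" "$vif"
    done
}

# build_ruleset reads "VIFNAME ADDR..." lines from stdin and prints the
# complete FORWARD policy: the DROP policy first, then the per-domU pairs.
# Anything not explicitly listed (a domU sending with a neighbour's source
# address, or traffic for an address it does not own) falls to DROP.
build_ruleset() {
    echo 'iptables -P FORWARD DROP'
    while read -r vif addrs; do
        [ -n "$vif" ] || continue
        # shellcheck disable=SC2086  # word-split the address list on purpose
        domu_rules "$vif" $addrs
    done
}

# Number of rules produced for one domU: two per address.
domu_rule_count() {
    domu_rules "$@" | wc -l | tr -d ' '
}

# Constructed inventory: one IP for domain1, an IP plus a routed /29 for
# domain2 (vif names match the vifname set in each Dom-U config).
SAMPLE_DOMUS='domain1 198.51.100.10
domain2 198.51.100.11 203.0.113.8/29'

# Print the ruleset; on Dom-0 the output can be reviewed and then piped to sh.
printf '%s\n' "$SAMPLE_DOMUS" | build_ruleset
```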

