[Xen-users] xen (3.0.3_0) + iptables in dom0
Hello,

I have a little trouble using iptables in dom0 with Xen 3.0. I allow all OUTPUT and FORWARD in the default iptables policy; the default policy for the INPUT chain is DROP, except for ssh into dom0 from fixed IPs in network 10.131.12.0/24. I have the following iptables script and network configuration (I'm using Debian Sarge):

#!/bin/sh
# /etc/network/if-pre-up.d/iptables-start
iptables=$(which iptables)

# start from an empty filter table
$iptables -F

# default policies: drop unsolicited input, let everything else through
$iptables -P INPUT DROP
$iptables -P FORWARD ACCEPT
$iptables -P OUTPUT ACCEPT

# loopback, icmp, igmp and replies to connections dom0 opened itself
$iptables -A INPUT -i lo -j ACCEPT
$iptables -A INPUT -p icmp -j ACCEPT
$iptables -A INPUT -p igmp -j ACCEPT
$iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

# SSH, only from the management network
$iptables -A INPUT -p tcp -s 10.131.12.0/24 --dport 22 -j ACCEPT
---------

With this iptables configuration, I can't go out from dom0 (no ping, no ssh, no http for apt-get update/upgrade). If I set the INPUT chain default policy to ACCEPT, it works of course (i.e. like no iptables protection at all)...

I wonder why the output stream from dom0 is blocked (default policy = ACCEPT)? Does the output stream initiated by dom0 re-enter any INPUT chain due to the Xen bridge or the renaming of eth0 to peth0? It's a little bit cloudy for me...

Does anybody have a sample iptables script for protecting a dom0 machine?
My network configuration for the dom0:

eth0      Link encap:Ethernet  HWaddr 00:30:48:68:20:18
          inet addr:10.131.12.5  Bcast:10.131.255.255  Mask:255.255.0.0
          inet6 addr: fe80::230:48ff:fe68:2018/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:657163 errors:0 dropped:0 overruns:0 frame:0
          TX packets:10908 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:58172954 (55.4 MiB)  TX bytes:1811066 (1.7 MiB)

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:8 errors:0 dropped:0 overruns:0 frame:0
          TX packets:8 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:560 (560.0 b)  TX bytes:560 (560.0 b)

peth0     Link encap:Ethernet  HWaddr FE:FF:FF:FF:FF:FF
          inet6 addr: fe80::fcff:ffff:feff:ffff/64 Scope:Link
          UP BROADCAST RUNNING NOARP  MTU:1500  Metric:1
          RX packets:664303 errors:0 dropped:0 overruns:0 frame:0
          TX packets:11059 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:61532959 (58.6 MiB)  TX bytes:1873537 (1.7 MiB)
          Base address:0x2000 Memory:da200000-da220000

vif0.0    Link encap:Ethernet  HWaddr FE:FF:FF:FF:FF:FF
          inet6 addr: fe80::fcff:ffff:feff:ffff/64 Scope:Link
          UP BROADCAST RUNNING NOARP  MTU:1500  Metric:1
          RX packets:11009 errors:0 dropped:0 overruns:0 frame:0
          TX packets:662689 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:1825551 (1.7 MiB)  TX bytes:58733912 (56.0 MiB)

xenbr0    Link encap:Ethernet  HWaddr FE:FF:FF:FF:FF:FF
          inet6 addr: fe80::200:ff:fe00:0/64 Scope:Link
          UP BROADCAST RUNNING NOARP  MTU:1500  Metric:1
          RX packets:646462 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:46504320 (44.3 MiB)  TX bytes:0 (0.0 b)

# route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
localnet        *               255.255.0.0     U     0      0        0 eth0
default         10.131.255.254  0.0.0.0         UG    0      0        0 eth0

Thank you for your help.

--
Arnaud

_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users
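A sample dom0 ruleset of the kind asked for in the post, added here as an example; it is not the original poster's script and not part of Xen. It emits an iptables-restore table instead of calling iptables once per rule, so the whole policy is loaded atomically and the generated text can be reviewed without root. It keeps the post's assumptions (management network 10.131.12.0/24, ssh on tcp/22, dom0's IP on eth0) and adds a rate-limited LOG rule at the end of INPUT so that anything the DROP policy eats shows up in dmesg, which is the first thing to look at when "outbound" traffic stalls: the reply packets that never reach dom0's sockets are the ones being dropped in INPUT. In the Xen 3.0 bridge setup shown in the ifconfig output, dom0's eth0 is the dom0-side end of vif0.0 and peth0 is the physical NIC, so INPUT still governs dom0's own sockets; frames bridged on xenbr0 between peth0 and domU vifs are seen in FORWARD (when /proc/sys/net/bridge/bridge-nf-call-iptables is 1), not in INPUT.

```shell
#!/bin/sh
# Added example (not from the original post or from Xen): generate an
# iptables-restore ruleset for a Xen dom0. Assumptions: management network
# 10.131.12.0/24, ssh on tcp/22; both can be overridden from the environment.
#
# Review:   sh dom0-rules.sh
# Apply:    sh dom0-rules.sh | iptables-restore
# Inspect:  iptables -L INPUT -v -n      (packet counters per rule)
#           dmesg | grep 'dom0 INPUT drop'

MGMT_NET="${MGMT_NET:-10.131.12.0/24}"
SSH_PORT="${SSH_PORT:-22}"

# Print the filter table in iptables-save syntax. Order matters: loopback and
# RELATED,ESTABLISHED first so replies to connections dom0 opened (apt-get,
# ping, outbound ssh) are accepted before the DROP policy applies.
gen_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -p tcp -s $MGMT_NET --dport $SSH_PORT -m state --state NEW -j ACCEPT
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "dom0 INPUT drop: "
COMMIT
EOF
}

# Number of rules appended to INPUT (useful as a sanity check before applying).
input_rule_count() {
    gen_rules | grep -c '^-A INPUT '
}

# Report whether bridged frames on xenbr0 are also run through iptables.
# Prints the sysctl value, or "n/a" if the bridge netfilter knob is absent.
bridge_nf_state() {
    f=/proc/sys/net/bridge/bridge-nf-call-iptables
    if [ -r "$f" ]; then cat "$f"; else echo "n/a"; fi
}

gen_rules
```

The LOG rule is deliberately last and rate-limited: it only sees what the DROP policy would discard, and the limit keeps a scan from flooding the log. Dropped replies to dom0's own connections logged with `-i eth0` would point at conntrack not recognising them as ESTABLISHED; a counter on the `-i eth0` side of `iptables -L INPUT -v -n` that never increments while peth0 shows RX traffic would point at the frames not reaching dom0's stack at all.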