
[Xen-users] Re: iptables, firewall into Dom0



Sébastien Cramatte wrote:

I've set up Xen using VLANs. I've a different bridge per VLAN.
Each VM has its own iptables script. I've got various types of VM: http, ldap, mysql, nagios, ...

My question is how can I protect the Dom0 without blocking all the traffic
from DomU ...
I require restrictive rules, with at least these:

INPUT:
ssh (tcp)
snmp (udp)
snmptrap (udp)
ping (icmp)

OUTPUT:
http  (tcp)
ssh  (tcp)
dns  (udp)


Regards

Hello Sébastien,

I had the same problem protecting dom0 with iptables without blocking the domUs' traffic. I think it's due to the bridging method, which includes dom0's and the domUs' network interfaces in the bridge, so the physical interface (peth0) is used for both dom0 traffic and domU traffic in the bridge.


Here are some "tips":

1) using ebtables or the 'physdev' module of iptables, as said in some posts on the mailing list. But my tries with physdev just allowed or blocked all kinds of traffic; I failed to separate dom0's traffic from the domUs' traffic.


2) if you have 2 NICs, you can assign eth0 to dom0 and eth1 to the Xen bridge(s) for the domUs (one bridge per VLAN). eth0 is the device to the default gateway for incoming/outgoing traffic. I did this for a Xeon server with 2 Gbit NICs and it works fine; I could protect dom0 with iptables.


Perhaps (not yet tested), if you've only one NIC, you could use eth0 for dom0 and a dummy NIC for the Xen bridge(s).


3) I also tested the routing method (in only one VLAN at present, but I plan to test the routing method with several VLANs); it works well and I can protect dom0 with iptables. To let the routing method work, you'll have to set ip_forwarding in dom0, and you also have to do proxy_arp in dom0 for the domUs, for returned packets destined to the domUs.

1) replace in xend-config.sxp

(network-script network-route)
(vif script vif-route)

- network-route just enables ip_forwarding in dom0

# cat /proc/sys/net/ipv4/ip_forward
1

- vif-route creates a vif<domU#id>.0 in dom0, associates it with eth0 of the domU, and creates a static route from dom0 to the domU via vif<domU#id>.0

To let traffic coming from the default gateway reach a domU, set proxy_arp in dom0, because the gw doesn't know the domUs' MAC addresses.


# sysctl -w net.ipv4.conf.eth0.proxy_arp=1

or

# echo "1" > /proc/sys/net/ipv4/conf/eth0/proxy_arp

Traffic for dom0 goes into the INPUT chain and traffic for the domUs goes into the FORWARD chain. If your default policy is ACCEPT for the FORWARD chain it will work (of course, you'll have to use local iptables in each domU).


But like you I'm still interested in some iptables sample configs with the physdev module for protecting dom0 with the bridging method without filtering the domUs' traffic. If anybody has this, it would be fine....

If I said "some stupid things" in this reply, please don't hesitate to correct me.


Some useful threads that helped me:

http://lists.xensource.com/archives/html/xen-users/2005-04/msg00268.html
http://lists.xensource.com/archives/html/xen-users/2006-02/msg00030.html



--
Arnaud
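A worked dom0 rule set for the routing method described in the reply above, combined with the INPUT/OUTPUT list from Sébastien's question. This is an added example, not code from the original thread or from Xen's own network-route/vif-route scripts. It assumes eth0 is dom0's uplink to the default gateway and that 192.0.2.0/24 is the management network allowed to ssh/snmp into dom0 (both are assumptions; the network is constructed for the example). The point it demonstrates is why the routing method works: a routed packet for a domU only traverses FORWARD, never INPUT or OUTPUT, so dom0's restrictive INPUT/OUTPUT policies cannot touch domU traffic, and FORWARD can stay ACCEPT while each domU filters locally.

```shell
#!/bin/sh
# Added example, not code from the original thread. dom0 firewall for the
# Xen routing method (network-route / vif-route). Assumptions: eth0 is dom0's
# uplink to the default gateway, domUs sit behind vif<id>.0 interfaces, and
# 192.0.2.0/24 is a constructed management network allowed to ssh/snmp in.
#   ./dom0-fw.sh          -> print the commands for review
#   ./dom0-fw.sh apply    -> run them (as root; use the console the first time)

UPLINK="eth0"             # assumed uplink interface
MGMT_NET="192.0.2.0/24"   # assumed management network (constructed)

# Prerequisites from the reply: forwarding on, and proxy ARP on the uplink so
# dom0 answers the gateway's ARP requests for the domU addresses it routes.
prereq_cmds() {
    cat <<EOF
sysctl -w net.ipv4.ip_forward=1
sysctl -w net.ipv4.conf.$UPLINK.proxy_arp=1
EOF
}

# Rule set for dom0 itself. Policies are set last so the ESTABLISHED rule is
# already in place when INPUT/OUTPUT switch to DROP (an existing ssh session
# survives the reload). No -A FORWARD rule is emitted on purpose: routed domU
# packets only cross FORWARD, and that chain keeps an ACCEPT policy.
dom0_rules() {
    cat <<EOF
iptables -F INPUT
iptables -F OUTPUT
iptables -F FORWARD
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i $UPLINK -s $MGMT_NET -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -i $UPLINK -s $MGMT_NET -p udp --dport 161 -j ACCEPT
iptables -A INPUT -i $UPLINK -s $MGMT_NET -p udp --dport 162 -j ACCEPT
iptables -A INPUT -i $UPLINK -p icmp --icmp-type echo-request -j ACCEPT
iptables -A OUTPUT -o $UPLINK -p tcp --dport 80 -j ACCEPT
iptables -A OUTPUT -o $UPLINK -p tcp --dport 22 -j ACCEPT
iptables -A OUTPUT -o $UPLINK -p udp --dport 53 -j ACCEPT
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD ACCEPT
EOF
}

# Sanity check: number of rules appended to FORWARD. It must be 0, otherwise
# dom0 would start filtering the domUs' routed traffic.
forward_rule_count() {
    dom0_rules | grep -c -- '-A FORWARD' || true
}

apply_all() {
    { prereq_cmds; dom0_rules; } | sh -e
}

case "$1" in
    apply) apply_all ;;
    *)     prereq_cmds; dom0_rules ;;
esac
```

Ping replies, DNS answers and snmptrap responses are covered by the ESTABLISHED,RELATED rules, since conntrack tracks ICMP echo and UDP "connections"; on a current kernel `-m conntrack --ctstate` is the preferred spelling of the same match. The `-i eth0` on the INPUT rules means the vif interfaces get no allow rules at all, so a compromised domU cannot reach dom0's ssh or snmp either.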
