
Re: [Xen-users] IP blocking


  • To: xen-users@xxxxxxxxxxxxxxxxxxx
  • From: Andy Smith <andy@xxxxxxxxxxxxxx>
  • Date: Mon, 6 Aug 2007 15:18:53 +0000
  • Delivery-date: Mon, 06 Aug 2007 08:16:51 -0700
  • List-id: Xen user discussion <xen-users.lists.xensource.com>
  • Openpgp: id=BF15490B; url=http://strugglers.net/~andy/pubkey.asc

Hi,

On Mon, Aug 06, 2007 at 01:58:46PM +0100, Daniel P. Berrange wrote:
> On Mon, Aug 06, 2007 at 02:18:20PM +0200, shacky wrote:
> > How can I assign a given IP address to a given domU and force the user
> > of that domU to use that IP address and not all other?
> > I don't want the user to change the IP address of his virtual machine
> > in /etc/network/interfaces with one or more IP addresses which are
> > not assigned to him.
> 
> In the dom0 make sure the kernel has
> 
>    net.bridge.bridge-nf-call-iptables = 1
> 
> This ensures that all traffic to/from the guest passes through the iptables
> rules in Dom0. You can then filter traffic from individual vifN.M interfaces
> associated with the guest to make sure it's only sending data with the valid
> predefined IP address and MAC address you gave it.

You will most likely want to use ebtables to make sure that they do
not ARP for other IPs as well (iptables would stop the traffic
flowing but the ARP would still cause havoc on your network).

Cheers,
Andy
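
The dom0 filtering discussed in this thread, as an added example that is not part of the original messages: a generator that prints (it does not run) the iptables and ebtables rules pinning one guest vif to one IP and MAC, so they can be reviewed before being applied as root. The vif name, address, MAC, the GUEST- chain name and the function names are constructed for illustration, and a statically addressed IPv4 guest is assumed.

```shell
#!/bin/sh
# Added example: print dom0 rules that pin one Xen guest vif to a single
# IPv4 address and MAC address. Nothing is executed here.

# Whole-string regex match; rejects embedded newlines so that a crafted
# argument cannot smuggle a second command into the generated output.
matches() {
    case $1 in *"
"*) return 1 ;; esac
    printf '%s\n' "$1" | grep -Eq "^($2)\$"
}

guest_rules() {
    vif=$1 ip=$2 mac=$3

    # Format checks only (octet ranges are not validated).
    matches "$vif" 'vif[0-9]+\.[0-9]+'             || return 1
    matches "$ip"  '([0-9]{1,3}\.){3}[0-9]{1,3}'   || return 1
    matches "$mac" '([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}' || return 1

    # Hypothetical per-guest chain name, e.g. GUEST-vif1-0.
    chain="GUEST-$(printf '%s' "$vif" | tr . -)"

    cat <<EOF
sysctl -w net.bridge.bridge-nf-call-iptables=1
iptables -A FORWARD -m physdev --physdev-in $vif ! -s $ip -j DROP
ebtables -N $chain
ebtables -A FORWARD -i $vif -j $chain
ebtables -A $chain -p ARP -s $mac --arp-mac-src $mac --arp-ip-src $ip -j ACCEPT
ebtables -A $chain -p IPv4 -s $mac --ip-src $ip -j ACCEPT
ebtables -A $chain -j DROP
EOF
    # The ARP rule is the ebtables point from the reply: the guest may only
    # announce its own IP/MAC pair. The final DROP also discards IPv6 and
    # DHCP (source 0.0.0.0) frames from this vif.
}

# Constructed sample values (documentation address range, Xen MAC prefix).
guest_rules vif1.0 192.0.2.10 00:16:3e:00:00:01
```

The iptables rule is appended to FORWARD, so it only takes effect if no earlier rule in that chain already accepts the traffic.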
