
[Xen-users] Filtering traffic to Xen guest machines


  • From: javier.prieto.ext@xxxxxxxxxxxxxxxxxxx
  • Date: Fri, 8 Feb 2008 00:34:40 +0100 (CET)
  • Delivery-date: Mon, 18 Feb 2008 09:28:06 -0800
  • Importance: Normal
  • List-id: Xen user discussion <xen-users.lists.xensource.com>

Hello.
I've just started using Xen. My configuration is quite simple: I've got a
CentOS 5 host with Xen and a single virtual machine which also uses CentOS 5.
Both of them have real IPs on the same real network.

Now, I have to delegate the server administration to an external company which
I don't trust, so I'd want to filter any connection started by the virtual
machine.

The idea is that everyone outside can connect to that virtual IP, but any
connection attempt from the guest OS that isn't part of an already established
communication is dropped.

As far as I've seen, I should do it with ebtables, as the guest IP address is
part of a bridge in the host machine. In fact, I've tried using simple
restrictions, using --ip-source or --ip-destination, and it works.

The point is that ebtables doesn't have an option to check for SYN flags, so
I can't check whether a packet is trying to establish a new connection or not.
I can do it with iptables, but it doesn't work as I'm trying to filter traffic
within a bridge.

Can anybody please give me some advice? Thanks in advance, and sorry for my
bad English :)


_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users
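One way to get the behaviour the question asks for, as an added example and not something from the original post: let iptables see bridged IP traffic in dom0 (bridge-nf-call-iptables), select frames coming from the guest's backend interface with the physdev match, and drop NEW connections there while letting ESTABLISHED/RELATED replies through. The interface name vif1.0 is an assumption (Xen names backend interfaces vifDOMID.N); check it with brctl show on the real host.

```shell
#!/bin/sh
# Added example: drop guest-initiated connections in dom0 while still
# allowing the guest to answer inbound ones. Assumes the guest's backend
# interface is vif1.0 (override with GUEST_VIF=...). Emits the rules by
# default; pass "apply" as the first argument to run them as root.

GUEST_VIF="${GUEST_VIF:-vif1.0}"

# Print the sysctl and iptables commands for one guest vif.
guest_filter_rules() {
    vif="$1"
    cat <<EOF
# iptables only sees bridged frames when bridge-nf is enabled.
sysctl -w net.bridge.bridge-nf-call-iptables=1
# Per-guest chain; recreate it idempotently.
iptables -N GUEST_OUT 2>/dev/null || iptables -F GUEST_OUT
# Replies to connections opened from outside are fine.
iptables -A GUEST_OUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Anything the guest tries to open itself is logged, then dropped.
iptables -A GUEST_OUT -m state --state NEW -j LOG --log-prefix "guest-new-conn: "
iptables -A GUEST_OUT -m state --state NEW -j DROP
iptables -A GUEST_OUT -m state --state INVALID -j DROP
# Only frames entering the bridge from the guest's vif take this path;
# traffic from the physical NIC toward the guest never matches.
iptables -D FORWARD -m physdev --physdev-in $vif -j GUEST_OUT 2>/dev/null
iptables -I FORWARD 1 -m physdev --physdev-in $vif -j GUEST_OUT
EOF
}

# Apply the generated rules on the host (requires root).
apply_guest_filter() {
    if [ "$(id -u)" -ne 0 ]; then
        echo "apply_guest_filter: must run as root" >&2
        return 1
    fi
    guest_filter_rules "$1" | sh -e
}

if [ "$1" = "apply" ]; then
    apply_guest_filter "$GUEST_VIF"
elif [ -z "$1" ]; then
    guest_filter_rules "$GUEST_VIF"
fi
```

Check the result from the guest with an outbound connection attempt (it should time out) and from outside with an inbound one (it should still work); the LOG rule shows each blocked attempt in dom0's kernel log.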

