
Re: [Xen-users] Firewalling Xen?


  • To: lists@xxxxxxxxxxxxx
  • From: "Grant McWilliams" <grantmasterflash@xxxxxxxxx>
  • Date: Mon, 15 Dec 2008 09:31:19 -0800
  • Cc: xen-users@xxxxxxxxxxxxxxxxxxx
  • Delivery-date: Mon, 15 Dec 2008 09:32:38 -0800
  • List-id: Xen user discussion <xen-users.lists.xensource.com>


On Mon, Dec 15, 2008 at 12:21 AM, <lists@xxxxxxxxxxxxx> wrote:
Hi all,

I have the following Xen config and I was wondering what you'd recommend as a firewall setup.


Dom0 - 198.175.98.50
Dom1 - 198.175.98.63 (Bridged)
Dom2 - 198.175.98.62 (Bridged)
Dom3 - 198.175.98.61 (Bridged)
Dom4 - 198.175.45.12 (Bridged)

I'm wondering how to set up a firewall for Dom0 when all traffic for the DomUs goes 'through' it.  How should the firewall take this into account?

On a side note, I read a more secure way was to have the 'primary' Dom to be a DomU firewall to avoid exploits to the Dom0 but I can't find proper documentation for such a setup.  Can someone point me in the right direction please?

Many thanks.
--
eco


There are multiple ways of accomplishing your goal but I'll tell you what I do.

Put virtually no software on Dom0 outside of the xen stuff and a firewall/IDS

Dom0 has two interfaces
eth0 (physical network connection)
dummy0

To set up dummy0

/etc/sysconfig/network-scripts/ifcfg-dummy0
DEVICE=dummy0
BOOTPROTO=none
USERCTL=no
IPV6INIT=no
PEERDNS=yes
TYPE=Ethernet
NETMASK=255.255.0.0
IPADDR=192.168.1.254
ARP=yes


Create an internal bridge called br0 for all DomUs - with libvirt (CentOS 5.2) edit /etc/libvirt/qemu/networks/autostart/default.xml
Add dummy0 to bridge br0
xend-config.sxp scripts
(network-script 'network-virtual bridge="br0" bridgeip="192.168.1.1/24" brnet="192.168.1.0/24"')
(vif-script vif-bridge)


This way DomUs can communicate with Dummy0 on Dom0. The only way for traffic to flow from the bridge to the outside world is through Dom0's firewall.

Dom0 firewall

#iptables -t nat -A POSTROUTING -s 10.10.10.0/24 -j MASQUERADE

iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables -A FORWARD -i eth0 -o dummy0 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i dummy0 -o eth0 -j ACCEPT


### Port Forwarding ###
#iptables -A PREROUTING -t nat -p tcp -i eth0 --dport 10010 -j DNAT --to 192.168.1.10:22
#iptables -A PREROUTING -t nat -p tcp -i eth0 --dport 10011 -j DNAT --to 192.168.1.11:22
#iptables -A PREROUTING -t nat -p tcp -i eth0 --dport 10012 -j DNAT --to 192.168.1.12:22

This will get you started. It allows any returning traffic from an internal connection (DomU) to be reconnected to the DomU. It also forwards port 10010 from the outside to the DomU with the IP address 192.168.1.10, port 22, etc. I might have forgotten a few things but I think this will get you going. You can add to this firewall to allow more traffic through or limit traffic out etc. Standard firewall rules apply here.

I'll be writing a real in-depth tutorial for my site grantmcwilliams.com some day in the future. If anyone has ideas to make this more streamlined I'm all ears.

Grant McWilliams

Some people, when confronted with a problem, think "I know, I'll use Windows."
Now they have two problems.
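As an added example (not code from Grant's post or from the Xen project), the following POSIX sh script emits the same kind of rule set as above in iptables-restore format, so the whole thing is loaded atomically and can be parsed with `iptables-restore --test` before it is committed. It keeps the structure of the reply (masquerade out of eth0, allow replies back to dummy0, DNAT high ports to DomU port 22) but adds what the posted fragment leaves out: a default DROP policy on FORWARD and INPUT, an INVALID-state drop, masquerading scoped to the DomU network, and one explicit FORWARD accept per DNAT entry so a forwarded port is the only new inbound flow that reaches that DomU. The interface names eth0/dummy0 and the 192.168.1.0/24 network are taken from the reply; the three port mappings are constructed sample values; on a setup where br0 rather than dummy0 carries the routed address, set LAN_IF accordingly.

```shell
#!/bin/sh
# Added example, not from the original post: generate an iptables-restore
# ruleset for a Xen Dom0 that NATs and port-forwards for its DomUs.
# Interface names, network and port mappings are assumptions; adjust them.

WAN_IF="${WAN_IF:-eth0}"                 # physical uplink (from the reply)
LAN_IF="${LAN_IF:-dummy0}"               # interface facing the DomU bridge
LAN_NET="${LAN_NET:-192.168.1.0/24}"     # DomU network (from the reply)

# Port forwards as "extport:domu_ip:intport" (constructed sample values).
FORWARDS="${FORWARDS:-10010:192.168.1.10:22 10011:192.168.1.11:22 10012:192.168.1.12:22}"

xen_firewall_rules() {
    # --- nat table: DNAT inbound service ports, masquerade DomU egress ---
    printf '%s\n' '*nat' ':PREROUTING ACCEPT [0:0]' ':POSTROUTING ACCEPT [0:0]' ':OUTPUT ACCEPT [0:0]'
    for fw in $FORWARDS; do
        ext=${fw%%:*}; rest=${fw#*:}; ip=${rest%%:*}; int=${rest#*:}
        printf '%s\n' "-A PREROUTING -i $WAN_IF -p tcp --dport $ext -j DNAT --to-destination $ip:$int"
    done
    # Only masquerade packets that really originate in the DomU network.
    printf '%s\n' "-A POSTROUTING -s $LAN_NET -o $WAN_IF -j MASQUERADE"
    printf '%s\n' 'COMMIT'

    # --- filter table: default DROP for Dom0 itself and for forwarding ---
    printf '%s\n' '*filter' ':INPUT DROP [0:0]' ':FORWARD DROP [0:0]' ':OUTPUT ACCEPT [0:0]'
    # Dom0 host: loopback, replies to its own connections, SSH from the uplink.
    printf '%s\n' '-A INPUT -i lo -j ACCEPT' \
                  '-A INPUT -m state --state INVALID -j DROP' \
                  '-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT'
    printf '%s\n' "-A INPUT -i $WAN_IF -p tcp --dport 22 -m state --state NEW -j ACCEPT"
    # Forwarding: drop malformed state, let replies back in, let DomUs out.
    printf '%s\n' '-A FORWARD -m state --state INVALID -j DROP'
    printf '%s\n' "-A FORWARD -i $WAN_IF -o $LAN_IF -m state --state RELATED,ESTABLISHED -j ACCEPT"
    printf '%s\n' "-A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -j ACCEPT"
    # Every DNAT needs a matching FORWARD accept, scoped to that DomU and port.
    for fw in $FORWARDS; do
        rest=${fw#*:}; ip=${rest%%:*}; int=${rest#*:}
        printf '%s\n' "-A FORWARD -i $WAN_IF -o $LAN_IF -p tcp -d $ip --dport $int -m state --state NEW -j ACCEPT"
    done
    printf '%s\n' 'COMMIT'
}

# Number of DNAT entries in the generated set; a quick sanity check.
count_forwards() {
    xen_firewall_rules | grep -c -- '-j DNAT'
}

# Run as:  sh thisfile.sh print | iptables-restore --test && sh thisfile.sh print | iptables-restore
case "${1:-}" in
    print) xen_firewall_rules ;;
esac
```

Because the generated set replaces the tables wholesale, a typo shows up as a parse error from `iptables-restore --test` rather than as a half-applied chain; keep a way into Dom0 (console) before loading a default-DROP INPUT policy for the first time.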
_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users
