
Re: [Xen-users] Firewalling Xen?



lists@xxxxxxxxxxxxx wrote:

I have the following Xen config and I was wondering what you'd recommend as a firewall setup.


Dom0 - 198.175.98.50
Dom1 - 198.175.98.63 (Bridged)
Dom2 - 198.175.98.62 (Bridged)
Dom3 - 198.175.98.61 (Bridged)
Dom4 - 198.175.45.12 (Bridged)

I'm wondering how to set up a firewall for Dom0 when all traffic for the DomUs goes 'through' it. How should the firewall take this into account?

On a side note, I read a more secure way was to have the 'primary' Dom to be a DomU firewall to avoid exploits to the Dom0 but I can't find proper documentation for such a setup. Can someone point me in the right direction please?

I'll do the second one first as a) it's shorter, and b) if I do it at the end it's likely to get missed!

I think what you are referring to is the practice of making a DomU have the only connection to the outside, and for it to run as a two port firewall. You can either configure a second bridge to get the external traffic to the DomU, or hide the PCI device and make it a native hardware device available only to the DomU - the latter is what I have at home, and also I believe what Tom Eastep (author of the Shorewall package) runs for his Shorewall hosting.

For a firewall, I can recommend Shorewall (http://www.shorewall.net) which I believe takes a good position between low level (native iptables) and too restrictive.


Now, to the first bit:

I have another server that is set up something similar to your setup. I hand crafted an init file to configure a few iptables rules to protect Dom0 - it's pointless trying to run a full firewall as a) I'm not sure anyone really understands networking fully under Xen, and b) the network keeps changing when guests start or stop.

My init script is (it actually has more as the machine has multiple networks, but I've ripped out all but one):

#! /bin/sh

### BEGIN INIT INFO
# Provides:          firewall
# Required-Start:    $networking
# Required-Stop:     $networking
# Should-Start:
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
# Short-Description: Firewall - home grown bash/iptables script
# Description: Script to build basic firewall directly with /sbin/iptables
### END INIT INFO

set -e


. /lib/lsb/init-functions

# Dom0's own external address (placeholder in the posted script)
ExtAdd=a.b.c.d

case "$1" in
  start)
        log_daemon_msg "Starting firewall"

        # Clear /sbin/iptables first (filter and raw tables), and drop any
        # leftover copy of our chain so a restart without "stop" still works
        /sbin/iptables -F
        /sbin/iptables -F -t raw
        /sbin/iptables -X inbound-ext 2>/dev/null || true

        # Set traffic not addressed to us to no-track
        # (bridged DomU traffic passes through Dom0 but never needs conntrack here)
        # t:raw c:prerouting
        /sbin/iptables -t raw -A PREROUTING --in-interface ethext ! --dst $ExtAdd -j NOTRACK


        # filter:inbound
        # t:filter c:inbound-ext
        /sbin/iptables -t filter -N inbound-ext

        # allow established streams (ie outbound initiated connections)
        /sbin/iptables -t filter -A inbound-ext -m state --state RELATED,ESTABLISHED -j ACCEPT

        # allow icmp: unlimited echo-request from the local /29,
        # rate-limited echo-request from anywhere else, all other icmp types
        /sbin/iptables -t filter -A inbound-ext --src a.b.c.0/29 -p icmp --icmp-type 8 -j ACCEPT
        /sbin/iptables -t filter -A inbound-ext -p icmp --icmp-type 8 -m limit --limit 6/minute --limit-burst 10 -j ACCEPT
        /sbin/iptables -t filter -A inbound-ext -p icmp --icmp-type 8 -j DROP
        /sbin/iptables -t filter -A inbound-ext -p icmp -j ACCEPT

        # allow ssh from the local /29 only, logging each packet that matches
        /sbin/iptables -t filter -A inbound-ext --src a.b.c.0/29 -p tcp --dport 22 -j LOG --log-level info --log-prefix "FW net2fw "
        /sbin/iptables -t filter -A inbound-ext --src a.b.c.0/29 -p tcp --dport 22 -j ACCEPT

        # drop everything else
        /sbin/iptables -t filter -A inbound-ext -j DROP


        # filter: send inbound packets to us to chain inbound-[ext|bak|int]
        # t:filter c:INPUT
        # policy allow
        /sbin/iptables -t filter -A INPUT --dst $ExtAdd -j inbound-ext

        log_end_msg 0
        ;;
  stop)
        log_daemon_msg "Stopping firewall"
        /sbin/iptables -F
        /sbin/iptables -F -t raw
        /sbin/iptables -X inbound-ext
        log_end_msg 0
        ;;

  *)
        echo "Usage: /etc/init.d/firewall {start|stop}"
        exit 1
        ;;
esac

exit 0


Now, what I believe this does is:
Not track any traffic coming in on the external interface that isn't addressed to us.
Permits certain inbound traffic.
Blocks everything else.

--
Simon Hobson

Visit http://www.magpiesnestpublishing.co.uk/ for books by acclaimed
author Gladys Hobson. Novels - poetry - short stories - ideal as
Christmas stocking fillers. Some available as e-books.

_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users
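The two things the thread leaves open are how the same ruleset copes with a restart, and how Dom0 can filter traffic for the bridged DomUs listed in the question rather than only for itself. The script below is an added example, not Simon's init script and not anything shipped by Xen or Shorewall. It builds the same kind of Dom0 protection (NOTRACK for bridged traffic, a user chain for packets addressed to Dom0) and adds a per-guest FORWARD chain for the guest addresses from the question. The bridge name ethext, the management subnet 198.175.98.48/29 and the per-guest port lists are assumed values. It prints the iptables commands by default (IPT is "echo /sbin/iptables"); run it as root with IPT=/sbin/iptables to apply them. The FORWARD rules only see bridged frames when the bridge netfilter hook is enabled (sysctl net.bridge.bridge-nf-call-iptables=1).

```shell
#!/bin/sh
# Added example (not the reply's script, not Xen or Shorewall code): Dom0
# ruleset in the reply's style plus per-guest filtering for bridged DomUs.
# Interface name, management subnet and guest port lists are assumed values.
#
# Dry-run by default: with IPT="echo /sbin/iptables" the rules are only
# printed. Run as root with IPT=/sbin/iptables to apply them.
IPT="${IPT:-echo /sbin/iptables}"

EXT_IF="ethext"               # assumed: the Xen bridge carrying external traffic
EXT_ADDR="198.175.98.50"      # Dom0's address, as given in the question
MGMT_NET="198.175.98.48/29"   # assumed management subnet allowed to ping/ssh Dom0

# Bridged guests to filter: "address:tcp-ports-allowed-in" (constructed list).
# Guests not listed here stay untracked and unfiltered, as in the reply's setup.
GUESTS="198.175.98.63:22,80 198.175.98.62:443 198.175.98.61:22"

flush_rules() {
    # -F first, so -X can remove user chains no builtin chain references
    $IPT -t filter -F
    $IPT -t filter -X
    $IPT -t raw -F
    $IPT -t raw -X
}

dom0_rules() {
    # Traffic on the bridge not addressed to Dom0 is guest traffic: skip
    # conntrack for it, except for the guests we filter statefully in FORWARD
    # (stateful matching there needs conntrack entries for both directions).
    $IPT -t raw -N bridge-notrack
    for g in $GUESTS; do
        addr="${g%%:*}"
        $IPT -t raw -A bridge-notrack -s "$addr" -j RETURN
        $IPT -t raw -A bridge-notrack -d "$addr" -j RETURN
    done
    $IPT -t raw -A bridge-notrack -j NOTRACK
    $IPT -t raw -A PREROUTING -i "$EXT_IF" ! -d "$EXT_ADDR" -j bridge-notrack

    # Inbound to Dom0 itself: same policy as the reply's inbound-ext chain.
    $IPT -t filter -N inbound-ext
    $IPT -t filter -A inbound-ext -m state --state RELATED,ESTABLISHED -j ACCEPT
    $IPT -t filter -A inbound-ext -s "$MGMT_NET" -p icmp --icmp-type 8 -j ACCEPT
    $IPT -t filter -A inbound-ext -p icmp --icmp-type 8 -m limit --limit 6/minute --limit-burst 10 -j ACCEPT
    $IPT -t filter -A inbound-ext -p icmp --icmp-type 8 -j DROP
    $IPT -t filter -A inbound-ext -p icmp -j ACCEPT
    $IPT -t filter -A inbound-ext -s "$MGMT_NET" -p tcp --dport 22 -j LOG --log-level info --log-prefix "FW net2fw "
    $IPT -t filter -A inbound-ext -s "$MGMT_NET" -p tcp --dport 22 -j ACCEPT
    $IPT -t filter -A inbound-ext -j DROP
    $IPT -t filter -A INPUT -d "$EXT_ADDR" -j inbound-ext
}

guest_rules() {
    # Bridged frames only traverse FORWARD when the bridge netfilter hook is
    # on (net.bridge.bridge-nf-call-iptables=1). Per listed guest: replies to
    # its own connections, new TCP to its allowed ports, drop everything else.
    $IPT -t filter -N fwd-guests
    for g in $GUESTS; do
        addr="${g%%:*}"
        ports="${g#*:}"
        $IPT -t filter -A fwd-guests -d "$addr" -m state --state RELATED,ESTABLISHED -j ACCEPT
        $IPT -t filter -A fwd-guests -d "$addr" -p tcp -m multiport --dports "$ports" -m state --state NEW -j ACCEPT
        $IPT -t filter -A fwd-guests -d "$addr" -j DROP
    done
    $IPT -t filter -A FORWARD -j fwd-guests
}

build_rules() {
    flush_rules
    dom0_rules
    guest_rules
}

case "${1:-}" in
    start) build_rules ;;
    stop)  flush_rules ;;
    *)     echo "Usage: $0 {start|stop}  (set IPT=/sbin/iptables to apply)" >&2 ;;
esac
```

The design choice worth noting: listed guests are excluded from the NOTRACK rule in both directions, because the RELATED,ESTABLISHED match in fwd-guests only works when conntrack has seen the guest's outbound connection; guests left off the list keep the untracked, unfiltered behaviour the reply describes. The dry-run output is also a convenient way to review the generated ruleset before it touches a live Dom0.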