[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Xen-users] ebtables tying mac to ip problem

To: xen-users@xxxxxxxxxxxxxxxxxxx
From: David <admin@xxxxxxxxxxx>
Date: Tue, 31 Mar 2009 19:36:34 +0100
Delivery-date: Tue, 31 Mar 2009 11:37:19 -0700
List-id: Xen user discussion <xen-users.lists.xensource.com>

Hi all.

I'm trying to tie mac addresses to IP addresses to stop ip and mac spoofing on my xen host running debian5.0 amd64. I've been trying to follow http://archive.netbsd.se/?ml=xen-users&a=2007-11&m=5776600

The DomU's network gets blocked both inward and outward.

I've patched my vif-bridge with the intructions on that page any they seem to be applied correctly.

The network is a simple 10.0.0.0 network with eth0(10.0.0.5) bridge with peth0 as the physical interface.

There are the commands I issued at the start

Paris:~# /sbin/ebtables -N eth0
Paris:~# /sbin/ebtables -A eth0 --log-level notice --log-prefix "eth0" --log-ip --log-arp -j DROP
Paris:~# /sbin/ebtables -A INPUT --logical-in eth0 -j eth0
Paris:~# /sbin/ebtables -A FORWARD --logical-in eth0 -j eth0
Paris:~# /sbin/ebtables -P INPUT DROP
Paris:~# /sbin/ebtables -P FORWARD DROP
Paris:~# brctl show
bridge name bridge id STP enabled interfaces
eth0 8000.001b24efefac no peth0
Paris:~# ebtables --list
Bridge table: filter

Bridge chain: INPUT, entries: 2, policy: DROP
--logical-in eth0 -j eth0

Bridge chain: FORWARD, entries: 2, policy: DROP
--logical-in eth0 -j eth0

Bridge chain: OUTPUT, entries: 0, policy: ACCEPT

Bridge chain: eth0, entries: 1, policy: ACCEPT
--log-level notice --log-prefix "eth0" --log-ip --log-arp -j DROP

#####################################################################

Now i'll start my DomU

Using config file "/xen/dmarkey/intrepid/intrepid".
Started domain intrepid

Now the rules after i start the domain:

Paris:~# ebtables --list
Bridge table: filter

Bridge chain: INPUT, entries: 2, policy: DROP
--logical-in eth0 -j eth0

Bridge chain: FORWARD, entries: 2, policy: DROP
--logical-in eth0 -j eth0

Bridge chain: OUTPUT, entries: 0, policy: ACCEPT

Bridge chain: eth0, entries: 2, policy: ACCEPT
-i vif8.0 -j vif8.0
--log-level notice --log-prefix "eth0" --log-ip --log-arp -j DROP

Bridge chain: vif8.0, entries: 3, policy: ACCEPT
-p IPv4 -s 0:16:3e:c:8f:80 --ip-src 10.0.0.254 -j ACCEPT
-p ARP -s 0:16:3e:c:8f:80 --arp-ip-src 10.0.0.254 --arp-mac-src 0:16:3e:c:8f:80 -j ACCEPT
--log-level notice --log-prefix "vif8.0" --log-ip --log-arp -j DROP

#################################################################################

Log:

[19267.149206] eth0 IN=peth0 OUT=vif8.0 MAC source = 00:e0:81:71:9b:01 MAC dest = 00:16:3e:0c:8f:80 proto = 0x0806 ARP HTYPE=1, PTYPE=0x0800, OPCODE=2 ARP MAC SRC="" ARP IP SRC="" ARP MAC DST=00:16:3e:0c:8f:80 ARP IP DST=10.0.0.254

Anyone any idea what i'm doing wrong here? Are those instructions out of date? Sorry im new to ebtables.

Thanks.

_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users

Prev by Date: Re: [Xen-users] live migration with Xen
Next by Date: [Xen-users] ebtables tying mac to ip problem
Previous by thread: [Xen-users] ebtables tying mac address to ip address problem
Next by thread: [Xen-users] ebtables tying mac to ip problem
Index(es):
- Date
- Thread

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.