Xen project Mailing List

[Xen-users] ebtables tying mac to ip problem

From: David Markey <dmarkey@xxxxxxxxxxxxxxxxx>

Date: Tue, 31 Mar 2009 19:39:31 +0100

Delivery-date: Tue, 31 Mar 2009 11:42:56 -0700

List-id: Xen user discussion <xen-users.lists.xensource.com>

Hi all. I'm trying to tie mac addresses to IP addresses to stop ip and mac spoofing on my xen host running debian5.0 amd64. I've been trying to follow http://archive.netbsd.se/?ml=xen-users&a=2007-11&m=5776600 <http://archive.netbsd.se/?ml=xen-users&a=2007-11&m=5776600> The DomU's network gets blocked both inward and outward. I've patched my vif-bridge with the instructions on that page any they seem to be applied correctly. The network is a simple 10.0.0.0 network with eth0(10.0.0.5) bridge with peth0 as the physical interface. There are the commands I issued at the start Paris:~# /sbin/ebtables -N eth0 Paris:~# /sbin/ebtables -A eth0 --log-level notice --log-prefix "eth0" --log-ip --log-arp -j DROP Paris:~# /sbin/ebtables -A INPUT --logical-in eth0 -j eth0 Paris:~# /sbin/ebtables -A FORWARD --logical-in eth0 -j eth0 Paris:~# /sbin/ebtables -P INPUT DROP Paris:~# /sbin/ebtables -P FORWARD DROP Paris:~# brctl show bridge name bridge id STP enabled interfaces eth0 8000.001b24efefac no peth0 Paris:~# ebtables --list Bridge table: filter Bridge chain: INPUT, entries: 2, policy: DROP --logical-in eth0 -j eth0 Bridge chain: FORWARD, entries: 2, policy: DROP --logical-in eth0 -j eth0 Bridge chain: OUTPUT, entries: 0, policy: ACCEPT Bridge chain: eth0, entries: 1, policy: ACCEPT --log-level notice --log-prefix "eth0" --log-ip --log-arp -j DROP ############################## ####################################### Now i'll start my DomU Using config file "/xen/dmarkey/intrepid/intrepid". Started domain intrepid Now the rules after i start the domain: Paris:~# ebtables --list Bridge table: filter Bridge chain: INPUT, entries: 2, policy: DROP --logical-in eth0 -j eth0 Bridge chain: FORWARD, entries: 2, policy: DROP --logical-in eth0 -j eth0 Bridge chain: OUTPUT, entries: 0, policy: ACCEPT Bridge chain: eth0, entries: 2, policy: ACCEPT -i vif8.0 -j vif8.0 --log-level notice --log-prefix "eth0" --log-ip --log-arp -j DROP Bridge chain: vif8.0, entries: 3, policy: ACCEPT -p IPv4 -s 0:16:3e:c:8f:80 --ip-src 10.0.0.254 -j ACCEPT -p ARP -s 0:16:3e:c:8f:80 --arp-ip-src 10.0.0.254 --arp-mac-src 0:16:3e:c:8f:80 -j ACCEPT --log-level notice --log-prefix "vif8.0" --log-ip --log-arp -j DROP ############################## ################################################### Log: [19267.149206] eth0 IN=peth0 OUT=vif8.0 MAC source = 00:e0:81:71:9b:01 MAC dest = 00:16:3e:0c:8f:80 proto = 0x0806 ARP HTYPE=1, PTYPE=0x0800, OPCODE=2 ARP MAC SRC=00:e0:81:71:9b:01 ARP IP SRC=10.0.0.6 ARP MAC DST=00:16:3e:0c:8f:80 ARP IP DST=10.0.0.254 Anyone any idea what i'm doing wrong here? Are those instructions out of date? Sorry im new to ebtables. Thanks. _______________________________________________ Xen-users mailing list Xen-users@xxxxxxxxxxxxxxxxxxx http://lists.xensource.com/xen-users

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.