 
	
[SPAM] Re: [Xen-users] Re: number of ips
I tried to use the antispoof feature thinking it should do the trick. I modified /etc/xen/xend-config.sxp as follows:

(network-script 'network-bridge antispoof=yes')

Restarted xen, and then checked iptables --list. I don't see the DROP rules added.

Here is iptables before start of domU

****************************************************************************************************************
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     udp  --  anywhere             anywhere            udp dpt:domain
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:domain
ACCEPT     udp  --  anywhere             anywhere            udp dpt:bootps
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:bootps

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             192.168.122.0/24    state RELATED,ESTABLISHED
ACCEPT     all  --  192.168.122.0/24     anywhere
ACCEPT     all  --  anywhere             anywhere
REJECT     all  --  anywhere             anywhere            reject-with icmp-port-unreachable
REJECT     all  --  anywhere             anywhere            reject-with icmp-port-unreachable

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
****************************************************************************************************************

Here it is after domU was started

****************************************************************************************************************
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     udp  --  anywhere             anywhere            udp dpt:domain
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:domain
ACCEPT     udp  --  anywhere             anywhere            udp dpt:bootps
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:bootps

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             192.168.122.0/24    state RELATED,ESTABLISHED
ACCEPT     all  --  192.168.122.0/24     anywhere
ACCEPT     all  --  anywhere             anywhere
REJECT     all  --  anywhere             anywhere            reject-with icmp-port-unreachable
REJECT     all  --  anywhere             anywhere            reject-with icmp-port-unreachable
ACCEPT     all  --  anywhere             anywhere            PHYSDEV match --physdev-in vif6.0

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
****************************************************************************************************************

The only difference between the two outputs is

>ACCEPT     all  --  anywhere             anywhere            PHYSDEV match --physdev-in vif6.0

Any ideas why this is happening?

P.S.: If I am wrong in thinking that the above will resolve the problem of users binding IPs of their domU and using them, please correct me.

--
regards,
Anand Gupta

_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users
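
Added example, not part of the original message: a Python check that parses the iptables --list output shown above, reports which rule appeared when the domU started, and flags why the listing does not tie vif6.0 to an address. It assumes (the post does not state this) that a working antispoof setup shows a DROP policy or DROP rule in FORWARD and a vif ACCEPT rule limited to a source address; parse_listing, added_rules and antispoof_findings are names chosen here.

```python
import re

# FORWARD and OUTPUT chains as listed in the post after the domU started.
AFTER = """\
Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             192.168.122.0/24    state RELATED,ESTABLISHED
ACCEPT     all  --  192.168.122.0/24     anywhere
ACCEPT     all  --  anywhere             anywhere
REJECT     all  --  anywhere             anywhere            reject-with icmp-port-unreachable
REJECT     all  --  anywhere             anywhere            reject-with icmp-port-unreachable
ACCEPT     all  --  anywhere             anywhere            PHYSDEV match --physdev-in vif6.0
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
"""
# The "before" listing in the post is the same minus the vif6.0 rule.
BEFORE = "\n".join(l for l in AFTER.splitlines() if "vif6.0" not in l)

def parse_listing(text):
    """Parse `iptables --list` output into {chain: {"policy": str, "rules": [dict]}}."""
    chains, current = {}, None
    for line in text.splitlines():
        head = re.match(r"Chain (\S+) \(policy (\S+)\)", line)
        if head:
            current = chains.setdefault(head.group(1), {"policy": head.group(2), "rules": []})
            continue
        f = line.split(None, 5)
        if current is not None and len(f) >= 5 and f[0] != "target":
            current["rules"].append({"target": f[0], "source": f[3],
                                     "match": f[5].strip() if len(f) > 5 else ""})
    return chains

def added_rules(before, after, chain="FORWARD"):
    """Rules present in `after` but not in `before` for one chain."""
    old = parse_listing(before)[chain]["rules"]
    return [r for r in parse_listing(after)[chain]["rules"] if r not in old]

def antispoof_findings(text):
    """Reasons the FORWARD chain does not tie a vif to a source address (assumed criteria)."""
    fwd = parse_listing(text)["FORWARD"]
    findings = []
    if fwd["policy"] != "DROP" and not any(r["target"] == "DROP" for r in fwd["rules"]):
        findings.append("no DROP policy or DROP rule in FORWARD")
    for r in fwd["rules"]:
        vif = re.search(r"--physdev-in (vif\d+\.\d+)", r["match"])
        if vif and r["target"] == "ACCEPT" and r["source"] == "anywhere":
            findings.append(f"{vif.group(1)}: ACCEPT from any source address")
    return findings
```

iptables --list without -v hides interface matches, so a rule that looks unconditional in this listing may be bound to an interface; iptables -S FORWARD prints each rule in full.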
 
 