[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Xen-users] virtual mirror port on xen

To: xen-users@xxxxxxxxxxxxxxxxxxx
From: Michael Stegk <lists.michael@xxxxxxxxx>
Date: Tue, 29 Jun 2010 08:21:55 +0200
Delivery-date: Mon, 28 Jun 2010 23:25:28 -0700
List-id: Xen user discussion <xen-users.lists.xensource.com>

Hello,

I try to get an Snortbased IDS running on a DomU, the IDS need to beable to intercept all packets regarding communication between DomUsand between the Dom0 and the physical network. It is obviouslyimportend that other DomUs receive only their dedicated packets. Thisis pretty much known as a mirror port on "normal" switches.

I know that snort related threads had been discussed on this listalready and i like to contribute my progress so far.

I got a basic idea from here http://support.citrix.com/article/CTX116204.The Document describes how to put the "virtual switch" into a Hub bysetting the aging of of the bridge to 0.


#brctl setageing eth0 0

That does the job, after this the domU receives all Packets as Idesired.Unfortunately all DomUs get those Packets so I tried to solve thiswith ebtables.


Scenario:

I run xen 3.2.1 on debian lenny (Linux 2.6.26-2-xen-amd64 )

these are the VMs:

Dom0
DomU A with IDS
DomU B normal VM
DomU C normal VM without network connection

DomU A should be able to intercept communication between B and C

I worked out the following ebtables rules:

ebtables -P FORWARD DROP

ebtables -A FORWARD -d 00:16:3e:4a:17:95/ff:ff:ff:ff:ff:00 -o vif5.0 -j ACCEPT # DOM B MAC & vifebtables -A FORWARD -s 00:16:3e:4a:17:95/ff:ff:ff:ff:ff:00 -i vif5.0 -j ACCEPT # DOM B MAC & vif

ebtables -A FORWARD -o vif5.0 -j DROP

ebtables -A FORWARD -o vif6.0 -j ACCEPT                 # Dom A vif
ebtables -A FORWARD -i vif6.0 -j ACCEPT                 # Dom A vif

here is what the bridge looks like:

# brctl show
bridge name     bridge id               STP enabled     interfaces
eth0            8000.90e6ba36355f       no              peth0
                                                        vif5.0
                                                        vif6.0
                                                        vif7.0  

# ebtables -L
Bridge table: filter

Bridge chain: INPUT, entries: 0, policy: ACCEPT

Bridge chain: FORWARD, entries: 5, policy: DROP
-d 0:16:3e:4a:17:0/ff:ff:ff:ff:ff:0 -o vif5.0 -j ACCEPT
-s 0:16:3e:4a:17:0/ff:ff:ff:ff:ff:0 -i vif5.0 -j ACCEPT
-o vif5.0 -j DROP
-o vif6.0 -j ACCEPT
-i vif6.0 -j ACCEPT

Bridge chain: OUTPUT, entries: 0, policy: ACCEPT

I test the setup by running tcpdump on the DomUs and sending icmprequests (simple ping) to the DomUs from an machine outside the Dom0.


result:
DomU A works as expected and receives all Traffic.
DomU B receives the reply packets from Dom0

DomU C is unable to communicate with other hosts but also receivesreply packets from Dom0

So my Problem is how to stop DomU B & C from receiving reply Packetsnot dedicated for them.


any Ideas or new concepts would be appreciated.

thanks

Michael Stegk








_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users

Follow-Ups:
- RE: [Xen-users] virtual mirror port on xen
  - From: James Harper

Prev by Date: [Xen-users] trouble with Linux iscsi initiator with Xen compiled from source
Next by Date: RE: [Xen-users] virtual mirror port on xen
Previous by thread: [Xen-users] trouble with Linux iscsi initiator with Xen compiled from source
Next by thread: RE: [Xen-users] virtual mirror port on xen
Index(es):
- Date
- Thread

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.