Re: [Xen-users] Network security
Hello,

You should have iptables compiled into the kernel in Dom-0 with physdev match support. Set the default policy for FORWARD to DROP. Add a specific rule in Dom-0 for each IP address to forward packets for that IP address only through the interface for that Dom-U. The vifname parameter in the Dom-U config file would be good in this circumstance. Suppose you create a Dom-U named domain1 with vifname domain1; set the rules below.

    iptables -P FORWARD DROP
    iptables -A FORWARD -s <ipaddress for that domain> -m physdev --physdev-in domain1 -j ACCEPT
    iptables -A FORWARD -d <ipaddress for that domain> -m physdev --physdev-out domain1 -j ACCEPT

If you want to bind multiple IPs to one Dom-U, you should add a rule like this for each IP address.

Thanks
Sadique

Andrew W. wrote:
> Hello all,
>
> New to the list, so please bear with me. I'm trying to configure a
> bunch of domU's that will be controlled by various untrusted
> sysadmins. I want to prevent them from attempting to steal each
> other's IP addresses. This won't need RFC1918 address space; I have
> globally routable IPs. My requirements are simply one IP per domU,
> with the ability to route additional blocks (maybe a /29 or /30) to
> individual domU's as necessary.
>
> I'm not opposed to using iptables or any other such trickery to
> accomplish this. Comments?
>
>
> Regards,
>
> Andrew Wang

_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users
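The per-address FORWARD rules described in the reply above, turned into a small generator for several Dom-Us at once, including a routed /29 block for one of them. This is an added example and not code from the original post or from the Xen project. The vif names domain1 and domain2 and the 203.0.113.x addresses are made-up placeholders (TEST-NET-3), and the script only prints the rules unless APPLY=1 is set, because applying them needs root and a Dom-0 kernel with bridge netfilter and the physdev match.

```shell
#!/bin/sh
# Added example: generate Dom-0 FORWARD rules that pin each address (or
# block) to the bridge port of the Dom-U that owns it, per the reply above.
# Assumed table: "<vifname> <addr-or-cidr> [<addr-or-cidr> ...]" per line.
# Vif names and addresses below are constructed placeholders.
DOMU_TABLE='
domain1 203.0.113.10
domain2 203.0.113.11 203.0.113.16/29
'

# Print one ACCEPT pair per address: packets from the address may only
# enter the bridge via this vif, and packets to it may only leave via it.
rules_for_vif() {
    vif="$1"
    shift
    for addr in "$@"; do
        printf 'iptables -A FORWARD -s %s -m physdev --physdev-in %s -j ACCEPT\n' "$addr" "$vif"
        printf 'iptables -A FORWARD -d %s -m physdev --physdev-out %s -j ACCEPT\n' "$addr" "$vif"
    done
}

# Print the whole rule set: default-deny policy first, then the per-vif pairs.
# Anything not matching a pair (a Dom-U sourcing a neighbour's address,
# traffic for an address arriving on the wrong vif) falls through to DROP.
generate_rules() {
    printf 'iptables -P FORWARD DROP\n'
    printf '%s\n' "$DOMU_TABLE" | while read -r vif addrs; do
        [ -n "$vif" ] || continue
        # shellcheck disable=SC2086  # intentional word splitting of the address list
        rules_for_vif "$vif" $addrs
    done
}

# Sanity check: 1 policy line + 2 rules per address.
count_rules() {
    generate_rules | wc -l | tr -d ' '
}

if [ "${APPLY:-0}" = 1 ]; then
    generate_rules | sh -e   # needs root; fails fast on the first rejected rule
else
    generate_rules
fi
```

Run it as is to review the rule list, or with APPLY=1 to load it. One caveat that applies to the rules on the page as well: iptables only sees the IP packets the bridge forwards, not ARP, so a Dom-U can still answer ARP requests for a neighbour's address; stopping that needs ebtables (or arptables) rules on the same bridge ports.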