
Re: [Xen-users] xen (3.0.3_0) + iptables in dom0



On Wednesday 08 November 2006 10:17, Arnaud JAYET wrote:
> Hello,
>
> I have little trouble with using iptables in dom0 with Xen 3.0.
>
> I allow all OUTPUT and FORWARD in default iptables policy, the default
> policy for INPUT chain is DROP except for ssh in dom0 from fixed IPs in
> network 10.131.12.0/24
>
>
> I've the following iptables script and network configuration (I'm using
> Debian Sarge) :
>
>
> #!/bin/sh
> # /etc/network/if-pre-up.d/iptables-start
> iptables=$(which iptables)
>
> $iptables -F
>
> $iptables -P INPUT DROP
> $iptables -P FORWARD ACCEPT
> $iptables -P OUTPUT ACCEPT
>
>
> $iptables -A INPUT -i lo -j ACCEPT
> $iptables -A INPUT -p icmp -j ACCEPT
> $iptables -A INPUT -p igmp -j ACCEPT
>
> $iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
>
> # SSH
> $iptables -A INPUT -p tcp -s 10.131.12.0/24 --dport 22 -j ACCEPT
>
> ---------
>
> With this iptables configuration, I can't go out from dom0 (no ping, no
> ssh, no http for apt-get update/upgrade)
>
> If I set the INPUT chain default policy to ACCEPT, it works of course
> (e.g. like no iptables protection at all)...
>
> I wonder why the output stream from dom0 is blocked (default policy =
> ACCEPT)? Does the output stream initiated by dom0 re-enter into any
> INPUT chain due to the xen bridge or the renaming of eth0 in peth0?
> It's a little bit cloudy for me...
>
>
> Does anybody have a sample iptables script for protecting a dom0 machine ?
>
>
> My network configuration for the dom0 :
>
>
> eth0      Lien encap:Ethernet  HWaddr 00:30:48:68:20:18
>            inet adr:10.131.12.5  Bcast:10.131.255.255  Masque:255.255.0.0
>            adr inet6: fe80::230:48ff:fe68:2018/64 Scope:Lien
>            UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
>            RX packets:657163 errors:0 dropped:0 overruns:0 frame:0
>            TX packets:10908 errors:0 dropped:0 overruns:0 carrier:0
>            collisions:0 lg file transmission:0
>            RX bytes:58172954 (55.4 MiB)  TX bytes:1811066 (1.7 MiB)
>
> lo        Lien encap:Boucle locale
>            inet adr:127.0.0.1  Masque:255.0.0.0
>            adr inet6: ::1/128 Scope:Hôte
>            UP LOOPBACK RUNNING  MTU:16436  Metric:1
>            RX packets:8 errors:0 dropped:0 overruns:0 frame:0
>            TX packets:8 errors:0 dropped:0 overruns:0 carrier:0
>            collisions:0 lg file transmission:0
>            RX bytes:560 (560.0 b)  TX bytes:560 (560.0 b)
>
> peth0     Lien encap:Ethernet  HWaddr FE:FF:FF:FF:FF:FF
>            adr inet6: fe80::fcff:ffff:feff:ffff/64 Scope:Lien
>            UP BROADCAST RUNNING NOARP  MTU:1500  Metric:1
>            RX packets:664303 errors:0 dropped:0 overruns:0 frame:0
>            TX packets:11059 errors:0 dropped:0 overruns:0 carrier:0
>            collisions:0 lg file transmission:1000
>            RX bytes:61532959 (58.6 MiB)  TX bytes:1873537 (1.7 MiB)
>            Adresse de base:0x2000 Mémoire:da200000-da220000
>
> vif0.0    Lien encap:Ethernet  HWaddr FE:FF:FF:FF:FF:FF
>            adr inet6: fe80::fcff:ffff:feff:ffff/64 Scope:Lien
>            UP BROADCAST RUNNING NOARP  MTU:1500  Metric:1
>            RX packets:11009 errors:0 dropped:0 overruns:0 frame:0
>            TX packets:662689 errors:0 dropped:0 overruns:0 carrier:0
>            collisions:0 lg file transmission:0
>            RX bytes:1825551 (1.7 MiB)  TX bytes:58733912 (56.0 MiB)
>
> xenbr0    Lien encap:Ethernet  HWaddr FE:FF:FF:FF:FF:FF
>            adr inet6: fe80::200:ff:fe00:0/64 Scope:Lien
>            UP BROADCAST RUNNING NOARP  MTU:1500  Metric:1
>            RX packets:646462 errors:0 dropped:0 overruns:0 frame:0
>            TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
>            collisions:0 lg file transmission:0
>            RX bytes:46504320 (44.3 MiB)  TX bytes:0 (0.0 b)
>
>
> # route
> Table de routage IP du noyau
> Destination     Passerelle      Genmask         Indic Metric Ref    Use Iface
> localnet        *               255.255.0.0     U     0      0        0 eth0
> default         10.131.255.254  0.0.0.0         UG    0      0        0 eth0
>
>
> Thank you for your help.
>
>
> --
> Arnaud
>
> _______________________________________________
> Xen-users mailing list
> Xen-users@xxxxxxxxxxxxxxxxxxx
> http://lists.xensource.com/xen-users
Hi,

 I've had the same issue, but I've found that while I couldn't get out of the
box, I still could log in via ssh. It took long, but I could log in. I
could even ping the machine from the outside.

 I've then applied the rules to vif0.0.
 I don't know if this is the right thing to do, but it did for me what I wanted.


Regards
Hugo
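Arnaud's question about whether dom0's own traffic comes back through INPUT via the bridge, and Hugo's finding that naming vif0.0 made a difference, can both be settled by logging what INPUT actually drops instead of guessing at the interface. The script below is an added example, not code from either poster: a dom0 INPUT rule set in the spirit of Arnaud's script, with a rate-limited LOG rule placed just before the default DROP so every dropped packet lands in the kernel log with the interface iptables saw it on (the IN= field), plus a small POSIX sh parser that tallies those IN= values. The IPTABLES, DRY_RUN and ADMIN_NET variables and the three sample log lines are constructed for the example.

```sh
#!/bin/sh
# Added example, not code from either poster. Builds a dom0 INPUT rule set in
# the style of Arnaud's script and adds a rate-limited LOG rule right before
# the default DROP, so dropped packets show up in the kernel log with the
# interface iptables saw them on (IN=...). A second function tallies those
# IN= values from log lines. IPTABLES, DRY_RUN and ADMIN_NET are knobs
# invented for this example.

IPTABLES=${IPTABLES:-iptables}
DRY_RUN=${DRY_RUN:-1}                    # 1 = print the rules, 0 = apply them (needs root)
ADMIN_NET=${ADMIN_NET:-10.131.12.0/24}   # hosts allowed to reach ssh on dom0 (from the thread)

# Emit the rule set, one iptables invocation per line.
# Note: "-F INPUT" flushes only INPUT; Arnaud's bare "-F" flushed every filter chain.
dom0_rules() {
    cat <<EOF
$IPTABLES -F INPUT
$IPTABLES -P INPUT DROP
$IPTABLES -P FORWARD ACCEPT
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -A INPUT -i lo -j ACCEPT
$IPTABLES -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
$IPTABLES -A INPUT -p icmp -j ACCEPT
$IPTABLES -A INPUT -p tcp -s $ADMIN_NET --dport 22 -j ACCEPT
$IPTABLES -A INPUT -m limit --limit 5/min -j LOG --log-prefix "dom0-input-drop: "
EOF
}

# Print the rules (DRY_RUN=1) or hand them to a shell that stops on the first error.
apply_rules() {
    if [ "$DRY_RUN" = 1 ]; then
        dom0_rules
    else
        dom0_rules | sh -e
    fi
}

# Extract the ingress interface (the " IN=" field) from one LOG line.
# Matching on " IN=" with a leading space avoids picking up PHYSIN=, which
# bridge-aware kernels also print on the same line.
drop_iface() {
    case "$1" in
        *" IN="*) rest=${1#* IN=}; printf '%s\n' "${rest%% *}" ;;
        *)        echo unknown ;;
    esac
}

# Read LOG lines on stdin, print "<iface> <count>" per ingress interface.
drops_by_iface() {
    while IFS= read -r line; do
        drop_iface "$line"
    done | sort | uniq -c | awk '{ print $2, $1 }'
}

# Constructed sample log lines (not from the thread) in the shape the LOG
# target produces; feed real ones with:  dmesg | grep 'dom0-input-drop:'
SAMPLE_LOG='Nov  8 10:17:01 dom0 kernel: dom0-input-drop: IN=eth0 OUT= SRC=10.131.40.2 DST=10.131.12.5 LEN=60 PROTO=TCP SPT=41234 DPT=22
Nov  8 10:17:02 dom0 kernel: dom0-input-drop: IN=eth0 OUT= SRC=10.131.0.7 DST=10.131.12.5 LEN=60 PROTO=TCP SPT=51001 DPT=80
Nov  8 10:17:03 dom0 kernel: dom0-input-drop: IN=vif0.0 OUT= SRC=10.131.0.9 DST=10.131.12.5 LEN=78 PROTO=UDP SPT=137 DPT=137'

apply_rules
printf '%s\n' "$SAMPLE_LOG" | drops_by_iface
```

Run it with the default DRY_RUN=1 to review the rules, then as root with DRY_RUN=0 to apply them. After reproducing the failing ping or apt-get, pipe `dmesg | grep 'dom0-input-drop:'` into drops_by_iface: the tally shows whether the blocked traffic is really being dropped in INPUT at all and, if so, which interface name (eth0, vif0.0 or something else) any `-i` rule would have to use. The LOG rule only covers what INPUT drops; traffic bridged through xenbr0 for guests goes through FORWARD, which this script leaves at ACCEPT as Arnaud's did.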




