[Xen-users] Best way to secure dom0 with iptables?
Hi,
Reading up on many articles in the mailing list and wiki and on the web, I still can't figure out how to secure dom0 without affecting the domU instances.

How can I only allow (or even disallow altogether) dom0 traffic while not affecting domU instances?

I tried creating a new chain just for dom0:

    -A FORWARD -m physdev --physdev-in vif0.0 -j NODE

While it appears the traffic for dom0 goes on to this rule, if I set up the chain as listed below, performing an nmap still shows all ports are open.
    # allow icmp packets
    -A NODE -p icmp --icmp-type any -j ACCEPT

    # allow existing traffic through
    -A NODE -i vif0.0 -m state --state ESTABLISHED,RELATED -j ACCEPT

    # allow DNS traffic through
    -A NODE -p 50 -j ACCEPT
    -A NODE -p 51 -j ACCEPT

    -A NODE -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT

    # reject all other ports
    -A NODE -j REJECT --reject-with icmp-host-prohibited

Anyone have any ideas how to secure dom0?
Thanks.
-L
--
Larry Ludwig
Empowering Media
1-866-792-0489 x600
Have you visited our customer service blog?
_______________________________________________ Xen-users mailing list Xen-users@xxxxxxxxxxxxxxxxxxx http://lists.xensource.com/xen-users
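Added example (not part of the original post or of Xen's own network scripts): a dom0 ruleset in the shape the question asks for, with dom0's own services filtered and bridged domU traffic left alone. It assumes a bridged Xen network (dom0's address on the bridge or on its veth leg, as the classic network-bridge script sets up), sshd on port 22 (SSH_PORT), and no DNS server on dom0; those are assumptions of the example, not facts from the post. Run as root with APPLY=1 to actually load the rules; without APPLY=1 it only prints the iptables-restore file so it can be reviewed first.

```shell
#!/bin/sh
# Added example, not code from the original post or from Xen itself.
# Emits (and optionally loads) an iptables-restore ruleset that filters
# dom0's own services without touching bridged domU traffic.
#
# Why INPUT and not FORWARD: a packet addressed to dom0 is handed to
# dom0's own IP stack and so always traverses INPUT. Whether it also
# traverses FORWARD on its way across the bridge depends on
# net.bridge.bridge-nf-call-iptables and on a matching --physdev rule
# (in FORWARD, -i names the bridge, never a bridge port such as vif0.0),
# so INPUT is the reliable place for dom0 rules. DomU frames are only
# bridged; they traverse FORWARD and never reach INPUT, so an INPUT
# policy cannot affect the guests.
#
# Assumptions (hypothetical, adjust to your host): sshd on SSH_PORT,
# no public DNS server on dom0. Run as root with APPLY=1 to load.

SSH_PORT=${SSH_PORT:-22}

# Print the filter table in iptables-restore format.
dom0_ruleset() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:NODE - [0:0]
# everything delivered to dom0 itself, on any interface, goes through NODE
-A INPUT -i lo -j ACCEPT
-A INPUT -j NODE
# domU traffic is bridged and traverses FORWARD only; it is left alone.
# Per-domU rules, if ever wanted, go here keyed on the bridge port:
#   -A FORWARD -m physdev --physdev-in vifN.M ...   (not -i vifN.M)
-A NODE -m state --state ESTABLISHED,RELATED -j ACCEPT
-A NODE -p icmp -j ACCEPT
# DNS is udp/tcp port 53; "-p 50" and "-p 51" match IPsec ESP and AH instead.
# Replies to dom0's own resolver queries are already covered by ESTABLISHED.
-A NODE -p tcp --dport $SSH_PORT -m state --state NEW -j ACCEPT
-A NODE -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
}

# Number of rules that would be loaded, for a quick sanity check.
rule_count() {
    dom0_ruleset | grep -c '^-A '
}

# Dry run by default; APPLY=1 loads the whole table atomically.
apply_ruleset() {
    if [ "${APPLY:-0}" = 1 ]; then
        dom0_ruleset | iptables-restore
    else
        dom0_ruleset
    fi
}

apply_ruleset
```

Loading it as one iptables-restore file keeps the change atomic (no window with INPUT set to DROP and an empty NODE chain). Check the result with "iptables -L INPUT -n -v" and a fresh nmap from another host; the guests' ports should look exactly as they did before, since nothing in the FORWARD path changed.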