
Re: [Xen-users] Filtering traffic to Xen guest machines


  • To: xen-users@xxxxxxxxxxxxxxxxxxx
  • From: Andy Smith <andy@xxxxxxxxxxxxxx>
  • Date: Mon, 18 Feb 2008 17:46:47 +0000
  • Delivery-date: Mon, 18 Feb 2008 10:02:49 -0800
  • List-id: Xen user discussion <xen-users.lists.xensource.com>
  • Openpgp: id=BF15490B; url=http://strugglers.net/~andy/pubkey.asc

Hi Javier,

On Fri, Feb 08, 2008 at 12:34:40AM +0100, javier.prieto.ext@xxxxxxxxxxxxxxxxxxx 
wrote:
> The point is that ebtables doesn't have an option to check for SYN headers, so
> I can't check if a package is trying to establish a new communication or not.

ebtables works at layer 2 and knows nothing of TCP header details
like SYN.

> I can do it with IPtables, but it doesn't work as I'm trying to filter traffic
> within a bridge.
> 
> Can anybody please give me some advice? Thanks in advance, and sorry for my
> bad English :)

iptables will see bridged traffic on the FORWARD table if
/proc/sys/net/bridge/bridge-nf-call-iptables is set to 1.  You can
match which interface on the bridge it comes from / goes via with
--physdev.

Or you can use routed networking and use iptables in the more
usual fashion.

If sticking with a bridged network you'll also want to take steps to
prevent ARP poisoning and MAC spoofing, by either using appropriate
ebtables rules or using VLANs, etc.

Cheers,
Andy
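One way to put the advice above into practice, as an added example that is not part of the thread: a small POSIX sh script that emits the sysctl, iptables (--physdev plus --syn) and ebtables (MAC/ARP anti-spoofing) commands for one guest. The vif name vif1.0, the guest MAC and the 192.0.2.10 address are constructed sample values, and the script only prints the commands unless APPLY_RULES=1 is set.

```shell
#!/bin/sh
# Added example, not code from the original thread. Generates per-guest
# filtering rules for a bridged Xen setup; vif/MAC/IP below are constructed.
set -eu

# Make iptables see bridged frames (the sysctl referred to in the reply).
bridge_nf_enable_cmd() {
    echo "sysctl -w net.bridge.bridge-nf-call-iptables=1"
}

# iptables FORWARD rules: frames leaving the bridge toward the guest's vif are
# matched with --physdev-out. Only SYN packets to the allowed ports may open a
# new flow; replies to established flows pass; everything else is dropped.
guest_iptables_rules() {
    vif=$1; ip=$2; shift 2   # remaining args: allowed TCP ports
    echo "iptables -A FORWARD -m physdev --physdev-out $vif -d $ip -m state --state ESTABLISHED,RELATED -j ACCEPT"
    for port in "$@"; do
        echo "iptables -A FORWARD -m physdev --physdev-out $vif -d $ip -p tcp --dport $port --syn -j ACCEPT"
    done
    echo "iptables -A FORWARD -m physdev --physdev-out $vif -d $ip -j DROP"
}

# ebtables rules on frames entering dom0 from the guest's vif: only the
# guest's own MAC may send, and its ARP/IP source must be its own address,
# which blocks MAC spoofing and ARP poisoning from that guest.
guest_ebtables_rules() {
    vif=$1; mac=$2; ip=$3
    echo "ebtables -A FORWARD -i $vif -s ! $mac -j DROP"
    echo "ebtables -A FORWARD -i $vif -p ARP --arp-ip-src ! $ip -j DROP"
    echo "ebtables -A FORWARD -i $vif -p IPv4 --ip-src ! $ip -j DROP"
}

# Full rule set for one guest: vif, MAC, IP, then allowed TCP ports.
guest_rules() {
    vif=$1; mac=$2; ip=$3; shift 3
    bridge_nf_enable_cmd
    guest_ebtables_rules "$vif" "$mac" "$ip"
    guest_iptables_rules "$vif" "$ip" "$@"
}

# Dry run prints the commands; APPLY_RULES=1 pipes them into sh (run as root).
if [ "${APPLY_RULES:-0}" = 1 ]; then
    guest_rules vif1.0 aa:bb:cc:dd:ee:01 192.0.2.10 22 80 | sh
else
    guest_rules vif1.0 aa:bb:cc:dd:ee:01 192.0.2.10 22 80
fi
```

The ebtables rules match on -i (frame arriving from the guest) while the iptables rules match on --physdev-out (packet heading to the guest), so each side filters the direction it is responsible for.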


_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users
