Re: [Xen-users] ebtables tying mac to ip problem
On Tue, Mar 31, 2009 at 07:39:31PM +0100, David Markey wrote:
> Hi,
> I'm trying to tie mac addresses to IP addresses to stop ip and mac
> spoofing on my xen host running debian5.0 amd64. I've been trying to
> follow http://archive.netbsd.se/?ml=xen-users&a=2007-11&m=5776600

That's based on a quite non-standard Xen network setup:
- dom0 as a router, with two interfaces: eth0 (outside) and xen-br0 (private network) for the Xen domUs
- each domU joins xen-br0 during startup
- dom0 does NAT and firewalling and finally forwards the domUs' traffic over the eth0 connection to the Internet

My old email at the URL above lacks that information, sorry.

> The DomU's network gets blocked both inward and outward.

I think that there is yet another problem with dom0 connectivity. Bridge eth0 in your setup is shared by the Dom0 interface and the DomUs' vifs?

> I've patched my vif-bridge with the instructions on that page and they
> seem to be applied correctly.
>
> The network is a simple 10.0.0.0 network with eth0(10.0.0.5) bridge with
> peth0 as the physical interface.

That's the difference that matters -- the ebtables rules block dom0 ARP, and any traffic from peth0.

> There are the commands I issued at the start

Please try to extend those initial rules by permitting traffic from peth0. Untested, but should help.

> Paris:~# /sbin/ebtables -N eth0
> Paris:~# /sbin/ebtables -A eth0 --log-level notice --log-prefix "eth0"
> --log-ip --log-arp -j DROP
/sbin/ebtables -A INPUT --logical-in peth0 -j ACCEPT
> Paris:~# /sbin/ebtables -A INPUT --logical-in eth0 -j eth0
/sbin/ebtables -A FORWARD --logical-in peth0 -j ACCEPT
> Paris:~# /sbin/ebtables -A FORWARD --logical-in eth0 -j eth0
> Paris:~# /sbin/ebtables -P INPUT DROP
> Paris:~# /sbin/ebtables -P FORWARD DROP
> Log:
>
> [19267.149206] eth0 IN=peth0 OUT=vif8.0 MAC source = 00:e0:81:71:9b:01
> MAC dest = 00:16:3e:0c:8f:80 proto = 0x0806 ARP HTYPE=1, PTYPE=0x0800,
> OPCODE=2 ARP MAC SRC=00:e0:81:71:9b:01 ARP IP SRC=10.0.0.6 ARP MAC
> DST=00:16:3e:0c:8f:80 ARP IP DST=10.0.0.254

Packet from interface peth0 (IN=peth0); there were no rules for that interface before.

Kupson
--
Great software without the knowledge to run it is pretty useless. (Linux Gazette #1)

_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users
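The rule set the thread is converging on (a per-vif chain that admits only the registered MAC/IP pair, plus pass-through for the bridge's physical port so dom0 and outside ARP are not dropped), written out as an added example that is not code from this thread or from the Xen vif-bridge script. It assumes the physical port is matched as a bridge port with -i peth0, and the vif name, MAC and IP are taken from the log above on the assumption that 10.0.0.254 belongs to the domU behind vif8.0; the script prints the ebtables commands rather than running them.

```shell
#!/bin/sh
# Added example: print the ebtables commands that bind one domU vif to one
# MAC/IP pair and let the bridge's physical port through. Nothing is applied;
# pipe the output into sh on the dom0 to load the rules. Names are assumptions.
EBT=/sbin/ebtables

# The physical port carries dom0's own frames and everything from outside,
# so it needs explicit ACCEPT rules before the builtin chains default to DROP.
allow_physical_port() {
    phys="$1"
    echo "$EBT -A INPUT -i $phys -j ACCEPT"
    echo "$EBT -A FORWARD -i $phys -j ACCEPT"
}

# Per-vif chain: only ARP and IPv4 carrying the registered MAC and IP
# may leave the vif; any other frame (spoofed MAC, spoofed IP, other
# protocols) is logged with the vif name as prefix and dropped.
bind_vif() {
    vif="$1"; mac="$2"; ip="$3"
    echo "$EBT -N $vif"
    # ARP sender hardware/protocol address must match the registered pair
    echo "$EBT -A $vif -p ARP -s $mac --arp-mac-src $mac --arp-ip-src $ip -j ACCEPT"
    # IPv4 source MAC and source IP must both match
    echo "$EBT -A $vif -p IPv4 -s $mac --ip-src $ip -j ACCEPT"
    echo "$EBT -A $vif --log-level notice --log-prefix $vif --log-ip --log-arp -j DROP"
    # hand frames arriving on this vif to its chain in both builtin chains
    echo "$EBT -A INPUT -i $vif -j $vif"
    echo "$EBT -A FORWARD -i $vif -j $vif"
}

# Whole rule set: the ACCEPT rules go in first, the DROP policies last, so a
# half-loaded set never cuts off the physical port the way the log shows.
ruleset() {
    allow_physical_port peth0
    bind_vif vif8.0 00:16:3e:0c:8f:80 10.0.0.254
    echo "$EBT -P INPUT DROP"
    echo "$EBT -P FORWARD DROP"
}

ruleset
```

Run it as `sh rules.sh | sh` on the dom0 after checking the printed commands; a second domU is just another `bind_vif vifN.0 <mac> <ip>` line in `ruleset`.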