Re: [Xen-users] Re: number of ips
Disclaimer: I have never actually tried this, but I don't see any reason why it wouldn't work. You might also be interested in reading http://ebtables.sourceforge.net/br_fw_ia/br_fw_ia.html

As far as I'm aware, Xen (at least in Debian; check xend-config.sxp & the network scripts it uses, most likely network-bridge & vif-bridge) adds the appropriate iptables entries to allow traffic to pass from the domains if you are operating purely on Xen config (if your iptables' FORWARD policy is otherwise secure. Though, generally it isn't).

The vif-bridge script adds two rules to iptables when a new vif interface is brought up:

-A FORWARD -s $IPOFDOMU/32 -m physdev --physdev-in $DOMUVIF -j ACCEPT
#like IPOFDOMU=52.35.123.250 and DOMUVIF=vif6.0

-A FORWARD -p udp -m physdev --physdev-in $DOMUVIF -m udp --sport 68 --dport 67 -j ACCEPT
#For DHCP traffic. Of course in your case this should be removed (or simply add a rule at the top of the FORWARD chain that blocks port 67 and 68 traffic).

Basically what you first need to do is create a ruleset in the FORWARD chain that permits anything from the external interface and lets Linux decide what to do with it. You could, of course, also check that they are destined to legitimate IP addresses. After that is working, when a domain is created, it should add the appropriate rules automatically. The last rule (or policy) should be DROP.

Xen doesn't handle adding IPs to the guest OS, so that is manual work on the guest OS (of course, there are many ways to automate that (like installing a puppet agent on the guest domains and making Dom0 the puppetmaster)).

-Eljas Alakulppi

On Sat, 11 Apr 2009 13:52:57 +0300, Anand Gupta <xen.mails@xxxxxxxxx> wrote:

> Hi Vu,
>
> Of course these users are all root users, each domU root user is maintaining them themselves. Can you recommend how to use iptables to achieve this ? The earlier solutions i seem to have seen are all based on ebtables.
> On Sat, Apr 11, 2009 at 5:33 AM, Vu Pham <vu@xxxxxxxxxx> wrote:
>
>> Vu Pham wrote:
>>
>>> Anand Gupta wrote:
>>>
>>>> Hi Vu,
>>>>
>>>> Actually both. I am basically offering vps services. So its critical for my setup that users use only the ips i have assigned to their domU. They shouldn't arbitrarily add ip series and start to use them. Further i have some domU's where i have to add multiple ips for use inside them.
>>>
>>> Are the users just non-root users ? Or are you going to let them access their domU as root accounts so they have systems with all permissions ? Non-root users cannot assign ip address, I believe.
>>
>> I click Send too fast. If they are root users, you can set up iptables on dom0 to block them according to the IPs you assign to them. If they assign more, those IPs cannot get out.
>>
>> Vu
>>
>>> Vu
>>>
>>>> On 4/11/09, Vu Pham <vu@xxxxxxxxxx> wrote:
>>>>
>>>>> Anand Gupta wrote:
>>>>>
>>>>>> Hi Nick,
>>>>>>
>>>>>> Thanks for the reply. What if they are on a different subnet ? And then what stops a user inside domU to add any ip in that series (as long as the ips are assigned and routable to the server) and start to use it ?
>>>>>>
>>>>>> On 4/11/09, Nick Anderson <nick@xxxxxxxxxxxx> wrote:
>>>>>>
>>>>>>> On Sat, Apr 11, 2009 at 01:35:48AM +0530, Anand Gupta wrote:
>>>>>>>
>>>>>>>> Hmm... So if i have to assign lets say 6 ips to a domU, what is the best method to do so ?
>>>>>>>
>>>>>>> Well if they are all on the same subnet and you're using standard bridging and using a linux domU you should be able to just bring up virtual interfaces.
>>>>>>>
>>>>>>> ifconfig eth0:0 192.168.1.2
>>>>>>> ifconfig eth0:1 192.168.1.3
>>>>>>> ifconfig eth0:2 192.168.1.4
>>>>>
>>>>> Hi Anand,
>>>>>
>>>>> I just want to understand more about your problem. Do you want to be able to have many IPs on domU or do you worry about users trying to add too many IPs that can affect the system ?
>>>>>
>>>>> Thanks,
>>>>> Vu

--
Using Opera's revolutionary e-mail client: http://www.opera.com/mail/

_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users
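The dom0 FORWARD ruleset Eljas describes (an ACCEPT per assigned IP keyed on the domU's vif with the physdev match, DHCP blocked at the top of the chain, DROP as the last rule), written out as an added example. This is not code from the thread or from Xen's own vif-bridge script. It prints the iptables commands instead of running them, so the ruleset can be reviewed before it is applied on dom0; the uplink name peth0 and the vif/IP table are constructed assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread or from Xen's scripts: build a dom0
# FORWARD ruleset in which each domU may only send from the IPs assigned to it,
# using the same physdev match that Xen's vif-bridge script uses.  Assumptions:
# the physical uplink on the bridge is peth0 (override with UPLINK=...), and the
# vif names and IP addresses in DOMU_TABLE are constructed placeholders.
#
# Usage:  sh domu-forward.sh          # print the iptables commands (dry run)
#         sh domu-forward.sh | sh     # apply them as root on dom0

# Constructed table: one line per domU, "vif-name ip[,ip...]".
# Xen names the backend interface vifDOMID.N; the addresses are placeholders.
DOMU_TABLE='vif6.0 52.35.123.250
vif7.0 192.0.2.10,192.0.2.11,192.0.2.12'

# One ACCEPT for a (vif, ip) pair.  A packet that enters the bridge on $vif with
# any other source address matches no ACCEPT and is dropped further down.
domu_accept_rule() {
    printf 'iptables -A FORWARD -s %s/32 -m physdev --physdev-in %s -j ACCEPT\n' "$2" "$1"
}

# All rules for one domU: an ACCEPT per assigned IP, then an explicit DROP for
# everything else arriving from that vif.  The explicit DROP keeps the domU
# locked down even if a permissive rule is later appended to the chain.
domu_rules() {
    vif=$1
    ips=$2
    for ip in $(printf '%s' "$ips" | tr ',' ' '); do
        domu_accept_rule "$vif" "$ip"
    done
    printf 'iptables -A FORWARD -m physdev --physdev-in %s -j DROP\n' "$vif"
}

# Complete ruleset, in the order the thread suggests: default policy DROP, block
# DHCP (ports 67/68) at the top of the chain, let everything coming in from the
# uplink through so the domUs' IPs stay reachable, then the per-domU rules.
# No blanket "ESTABLISHED,RELATED -j ACCEPT" is placed ahead of the per-domU
# rules: such a rule would let one domU answer on another domU's connection
# with a spoofed source address.
forward_ruleset() {
    uplink=${1:-peth0}
    table=${2:-$DOMU_TABLE}
    echo 'iptables -F FORWARD'
    echo 'iptables -P FORWARD DROP'
    echo 'iptables -A FORWARD -p udp --dport 67:68 -j DROP'
    printf 'iptables -A FORWARD -m physdev --physdev-in %s -j ACCEPT\n' "$uplink"
    printf '%s\n' "$table" | while read -r vif ips; do
        if [ -n "$vif" ]; then
            domu_rules "$vif" "$ips"
        fi
    done
}

forward_ruleset "${UPLINK:-peth0}"
```

The physdev match only sees bridged frames when the bridge netfilter hook is active (bridge-nf-call-iptables, the interaction the ebtables document linked above describes), so check that on dom0 before relying on the FORWARD chain. Because the uplink ACCEPT is keyed on the incoming physical device rather than on addresses, inbound traffic to an IP a domU was never assigned is still forwarded; Eljas's suggestion of also checking the destination address would be an additional per-IP rule on the uplink side.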