
[SPAM] Re: [Xen-users] Re: number of ips


  • To: Xen Users <Xen-users@xxxxxxxxxxxxxxxxxxx>
  • From: Anand Gupta <xen.mails@xxxxxxxxx>
  • Date: Sat, 11 Apr 2009 17:17:45 +0530
  • Cc:
  • Delivery-date: Sat, 11 Apr 2009 04:48:38 -0700
  • Domainkey-signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :content-type; b=EnGDav8ZCr4oM9Z6FKdeTBCL22fCWUANO2HlDwA6g4uS08GsPtsT2sDOrk4THoN90G o5UofZLbBG7cG/QUVOdWDEZEcsktHzJMU32d6xk8T4gkw1rwzAW2bqWnWjsJEim74Lbz L9DBJEsImAYr0T1XOuMXP3HjHVL7vJsGtdEnQ=
  • Importance: Low
  • List-id: Xen user discussion <xen-users.lists.xensource.com>

I tried to use the antispoof feature thinking it should do the trick.

Modified /etc/xen/xend-config.sxp as follows:

(network-script 'network-bridge antispoof=yes')

Restarted xen, and then checked iptables --list. I don't see the DROP rules added.

Here is iptables before start of domU

****************************************************************************************************************
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     udp  --  anywhere             anywhere            udp dpt:domain 
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:domain 
ACCEPT     udp  --  anywhere             anywhere            udp dpt:bootps 
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:bootps 

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             192.168.122.0/24    state RELATED,ESTABLISHED 
ACCEPT     all  --  192.168.122.0/24     anywhere            
ACCEPT     all  --  anywhere             anywhere            
REJECT     all  --  anywhere             anywhere            reject-with icmp-port-unreachable 
REJECT     all  --  anywhere             anywhere            reject-with icmp-port-unreachable 

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination      
****************************************************************************************************************

Here it is after domU was started

****************************************************************************************************************
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     udp  --  anywhere             anywhere            udp dpt:domain 
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:domain 
ACCEPT     udp  --  anywhere             anywhere            udp dpt:bootps 
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:bootps 

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             192.168.122.0/24    state RELATED,ESTABLISHED 
ACCEPT     all  --  192.168.122.0/24     anywhere            
ACCEPT     all  --  anywhere             anywhere            
REJECT     all  --  anywhere             anywhere            reject-with icmp-port-unreachable 
REJECT     all  --  anywhere             anywhere            reject-with icmp-port-unreachable 
ACCEPT     all  --  anywhere             anywhere            PHYSDEV match --physdev-in vif6.0 

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination      
****************************************************************************************************************

The only difference between both the outputs is

>ACCEPT     all  --  anywhere             anywhere            PHYSDEV match --physdev-in vif6.0

Any ideas why this is happening?

P.S.: If I am wrong in thinking that the above will resolve the problem of users binding IPs of their domU and using them, please correct me.

--
regards,

Anand Gupta
_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users
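Added example, not part of the post above and not Xen's own hotplug scripts. The first function reconstructs, as an assumption about what the network-bridge antispoof hook installs per vif, the FORWARD rules for a domU interface with and without a list of allowed addresses; the assumption is that a vif with no ip= setting gets an unrestricted ACCEPT, which is the shape of the vif6.0 rule in the listing above. The other two functions read an "iptables -L FORWARD" listing, report the chain policy, and tell whether a given vif is actually source-restricted, so the listing from the post can be checked mechanically rather than by eye. The sample listing embedded in the script is constructed from the post's output.

```sh
#!/bin/sh
# Added example (not from the original post or from Xen's own scripts).
# antispoof_rules reconstructs, as an ASSUMPTION about the antispoof hook,
# the per-vif FORWARD rules; forward_policy and check_vif_antispoof parse
# an `iptables -L FORWARD` listing and give a verdict for one vif.

# antispoof_rules VIF [IP ...]
# Print the iptables commands for one vif. With no IPs the vif gets an
# unrestricted ACCEPT, the same shape as the vif6.0 rule in the post.
antispoof_rules() {
    vif=$1
    shift
    if [ $# -eq 0 ]; then
        # No ip= for this vif: anything the guest sends is accepted.
        printf 'iptables -A FORWARD -m physdev --physdev-in %s -j ACCEPT\n' "$vif"
    else
        for addr in "$@"; do
            # Only frames whose IP source matches a configured address pass.
            printf 'iptables -A FORWARD -m physdev --physdev-in %s -s %s -j ACCEPT\n' "$vif" "$addr"
        done
        # DHCP discovery is sent from 0.0.0.0, so it needs its own exception.
        printf 'iptables -A FORWARD -m physdev --physdev-in %s -p udp --sport 68 --dport 67 -j ACCEPT\n' "$vif"
    fi
    # Replies flowing back towards the guest.
    printf 'iptables -A FORWARD -m physdev --physdev-out %s -m state --state RELATED,ESTABLISHED -j ACCEPT\n' "$vif"
}

# forward_policy < listing   -> prints the FORWARD chain policy (ACCEPT/DROP)
# Source-restricting ACCEPT rules only bite if the chain otherwise drops.
forward_policy() {
    awk '$1 == "Chain" && $2 == "FORWARD" { sub(/\)/, "", $4); print $4; exit }'
}

# check_vif_antispoof VIF < listing
#   restricted   : every ACCEPT rule for VIF carries a source address
#   unrestricted : at least one ACCEPT rule for VIF matches any source
#   none         : no ACCEPT rule mentions VIF at all
check_vif_antispoof() {
    awk -v vif="$1" '
        $1 == "ACCEPT" {
            for (i = 1; i < NF; i++)
                if ($i == "--physdev-in" && $(i + 1) == vif) {
                    # column 4 of `iptables -L` output is the source match
                    if ($4 == "anywhere" || $4 == "0.0.0.0/0") unrestricted++
                    else restricted++
                }
        }
        END {
            if (unrestricted) print "unrestricted"
            else if (restricted) print "restricted"
            else print "none"
        }'
}

# Constructed sample: the FORWARD chain from the post after the domU started.
SAMPLE_LISTING='Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             192.168.122.0/24    state RELATED,ESTABLISHED
ACCEPT     all  --  192.168.122.0/24     anywhere
ACCEPT     all  --  anywhere             anywhere
REJECT     all  --  anywhere             anywhere            reject-with icmp-port-unreachable
REJECT     all  --  anywhere             anywhere            reject-with icmp-port-unreachable
ACCEPT     all  --  anywhere             anywhere            PHYSDEV match --physdev-in vif6.0'

# Verdict for the sample: "ACCEPT unrestricted", i.e. nothing is filtered.
sample_verdict() {
    printf '%s %s\n' \
        "$(printf '%s\n' "$SAMPLE_LISTING" | forward_policy)" \
        "$(printf '%s\n' "$SAMPLE_LISTING" | check_vif_antispoof vif6.0)"
}

sample_verdict
```

On a live dom0 the check would be run as "iptables -L FORWARD -n | check_vif_antispoof vif6.0"; a verdict of "unrestricted" together with a policy of ACCEPT means the vif rule carries no -s match and the chain would accept the traffic anyway, so no spoofed source is being dropped regardless of the antispoof setting.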
