[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [SPAM] Re: [Xen-users] Re: number of ips

To: "Anand Gupta" <xen.mails@xxxxxxxxx>, "Xen Users" <Xen-users@xxxxxxxxxxxxxxxxxxx>
From: "Eljas Alakulppi" <Buzer@xxxxxxxxx>
Date: Sat, 11 Apr 2009 16:04:08 +0300
Cc:
Delivery-date: Sat, 11 Apr 2009 06:05:11 -0700
List-id: Xen user discussion <xen-users.lists.xensource.com>

Like I said before, Xen doesn't add DROP rules by default, only ACCEPT (soyou need to set policy to DROP. Tho, it does seem like seting antispoof=onshould take care of setting policy to DROP on at least Debian. Maybe yourfirewall script starts after Xen takes care of networking? I have neverused Xen on CentOS, so I'm not too sure about it's specific details).

Regarding the fact that there is no IP specifed on the ACCEPT rule, whatdoes your iptables commands in the vif script look like?

Oh, and I assume you want to remove state match from the first rule(otherwise the virtual servers will not allow any new connections) &remove the second rule (allows all traffic orginating from192.168.122.0/24. If there is no other match requirements, it will allowDomUs to spoof addresses from 192.168.122.0/24). The third FORWARD ruleseems like everything gets ACCEPT'ed there. Also, please useiptables-save, iptables -L doesn't include all of the details (like -i and-o).


So, to wrap it up, the iptables-save should look something like:
*filter
...
:FORWARD DROP [0:0]
...

-A FORWARD -d 192.168.122.0/24 -j ACCEPT #Tho, this allows spoofingbetween two DomUs. You could try adding -m physdev --physdev-in eth0 orwhatever your external interface is

...
And once you start, there should be one more rule on FORWARD chain

-A FORWARD -s 192.168.122.5/32 -m physdev --physdev-in vif6.0 -j ACCEPT#or whatever the IP and vif happend to be



-Eljas Alakulppi

On Sat, 11 Apr 2009 14:47:45 +0300, Anand Gupta <xen.mails@xxxxxxxxx>wrote:

I tried to use the antispoof feature thinking it should do the trick.
Modified /etc/xen/xend-config.sxp and modified it as follows:

(network-script 'network-bridge antispoof=yes')

Restarted, xen, and then checked the iptables --list. I don't see theDROP

rules added.

Here is iptables before start of domU

****************************************************************************************************************
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

ACCEPT udp -- anywhere anywhere udpdpt:domainACCEPT tcp -- anywhere anywhere tcpdpt:domainACCEPT udp -- anywhere anywhere udpdpt:bootpsACCEPT tcp -- anywhere anywhere tcpdpt:bootps


Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             192.168.122.0/24    state
RELATED,ESTABLISHED
ACCEPT     all  --  192.168.122.0/24     anywhere
ACCEPT     all  --  anywhere             anywhere
REJECT     all  --  anywhere             anywhere            reject-with
icmp-port-unreachable
REJECT     all  --  anywhere             anywhere            reject-with
icmp-port-unreachable

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
****************************************************************************************************************

Here it is after domU was started

****************************************************************************************************************
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

ACCEPT udp -- anywhere anywhere udpdpt:domainACCEPT tcp -- anywhere anywhere tcpdpt:domainACCEPT udp -- anywhere anywhere udpdpt:bootpsACCEPT tcp -- anywhere anywhere tcpdpt:bootps


Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             192.168.122.0/24    state
RELATED,ESTABLISHED
ACCEPT     all  --  192.168.122.0/24     anywhere
ACCEPT     all  --  anywhere             anywhere
REJECT     all  --  anywhere             anywhere            reject-with
icmp-port-unreachable
REJECT     all  --  anywhere             anywhere            reject-with
icmp-port-unreachable

ACCEPT all -- anywhere anywhere PHYSDEVmatch

--physdev-in vif6.0

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
****************************************************************************************************************

The only difference between both the outputs is

ACCEPT all -- anywhere anywhere PHYSDEVmatch

--physdev-in vif6.0

Any ideas why this is happening ?

P.S. : If i am wrong in thinking that the above will resolve the problemof

users binding ips of their domU and using them, please correct me.




--
Using Opera's revolutionary e-mail client: http://www.opera.com/mail/

_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users

Follow-Ups:
- Re: [SPAM] Re: [Xen-users] Re: number of ips
  - From: Anand Gupta

References:
- [Xen-users] number of ips
  - From: Anand Gupta
- Re: [Xen-users] Re: number of ips
  - From: Vu Pham
- Re: [Xen-users] Re: number of ips
  - From: Anand Gupta
- Re: [Xen-users] Re: number of ips
  - From: Vu Pham
- Re: [Xen-users] Re: number of ips
  - From: Vu Pham
- Re: [Xen-users] Re: number of ips
  - From: Anand Gupta
- Re: [Xen-users] Re: number of ips
  - From: Eljas Alakulppi
- [SPAM] Re: [Xen-users] Re: number of ips
  - From: Anand Gupta

Prev by Date: Re: [Xen-users] Re: number of ips
Next by Date: [Xen-users] Windows XP HVM on qcow diskfile and snapshots
Previous by thread: [SPAM] Re: [Xen-users] Re: number of ips
Next by thread: Re: [SPAM] Re: [Xen-users] Re: number of ips
Index(es):
- Date
- Thread

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.