[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [SPAM] Re: [Xen-users] Re: number of ips

To: Anand Gupta <xen.mails@xxxxxxxxx>
From: Vu Pham <vu@xxxxxxxxxx>
Date: Sat, 11 Apr 2009 14:21:54 -0500
Cc: Eljas Alakulppi <Buzer@xxxxxxxxx>, Xen Users <Xen-users@xxxxxxxxxxxxxxxxxxx>
Delivery-date: Sat, 11 Apr 2009 12:22:48 -0700
Importance: Low
List-id: Xen user discussion <xen-users.lists.xensource.com>

Anand Gupta wrote:

Hi Eljas,
My dom0 basically has 2 networks, eth0 - 172.20.x.x and eth1 -192.168.122.x. Now presently the domU is bound on the bridge with eth0,and which where i am concerned right now. The same would be implementedin a scene with all real ips.
I checked the firewall and there is no firewall enabled on dom0. Sorrybut i am still confused on how and what you are proposing here.

The firewall file should be /etc/sysconfig/iptables. To se sure thefirewall is on when you start your system, use "chkconfig iptables on".If your firewall has not been started, you can start it manually by"service iptables start", assuming you have CentOS or RHEL for dom0.

Vu

On Sat, Apr 11, 2009 at 6:34 PM, Eljas Alakulppi <Buzer@xxxxxxxxx<mailto:Buzer@xxxxxxxxx>> wrote:


    Like I said before, Xen doesn't add DROP rules by default, only
    ACCEPT (so you need to set policy to DROP. Tho, it does seem like
    seting antispoof=on should take care of setting policy to DROP on at
    least Debian. Maybe your firewall script starts after Xen takes care
    of networking? I have never used Xen on CentOS, so I'm not too sure
    about it's specific details).

    Regarding the fact that there is no IP specifed on the ACCEPT rule,
    what does your iptables commands in the vif script look like?

    Oh, and I assume you want to remove state match from the first rule
    (otherwise the virtual servers will not allow any new connections) &
    remove the second rule (allows all traffic orginating from
    192.168.122.0/24 <http://192.168.122.0/24>. If there is no other
    match requirements, it will allow DomUs to spoof addresses from
    192.168.122.0/24 <http://192.168.122.0/24>). The third FORWARD rule
    seems like everything gets ACCEPT'ed there. Also, please use
    iptables-save, iptables -L doesn't include all of the details (like
    -i and -o).

    So, to wrap it up, the iptables-save should look something like:
    *filter
    ...
    :FORWARD DROP [0:0]
    ...
    -A FORWARD -d 192.168.122.0/24 <http://192.168.122.0/24> -j ACCEPT
    #Tho, this allows spoofing between two DomUs. You could try adding
    -m physdev --physdev-in eth0 or whatever your external interface is
    ...
    And once you start, there should be one more rule on FORWARD chain
    -A FORWARD -s 192.168.122.5/32 <http://192.168.122.5/32> -m physdev
    --physdev-in vif6.0 -j ACCEPT #or whatever the IP and vif happend to be


    -Eljas Alakulppi


    On Sat, 11 Apr 2009 14:47:45 +0300, Anand Gupta <xen.mails@xxxxxxxxx
    <mailto:xen.mails@xxxxxxxxx>> wrote:

        I tried to use the antispoof feature thinking it should do the
        trick.
        Modified /etc/xen/xend-config.sxp and modified it as follows:

        (network-script 'network-bridge antispoof=yes')

        Restarted, xen, and then checked the iptables --list. I don't
        see the DROP
        rules added.

        Here is iptables before start of domU

        
****************************************************************************************************************
        Chain INPUT (policy ACCEPT)
        target     prot opt source               destination
        ACCEPT     udp  --  anywhere             anywhere            udp
        dpt:domain
        ACCEPT     tcp  --  anywhere             anywhere            tcp
        dpt:domain
        ACCEPT     udp  --  anywhere             anywhere            udp
        dpt:bootps
        ACCEPT     tcp  --  anywhere             anywhere            tcp
        dpt:bootps

        Chain FORWARD (policy ACCEPT)
        target     prot opt source               destination
        ACCEPT     all  --  anywhere             192.168.122.0/24
        <http://192.168.122.0/24>    state
        RELATED,ESTABLISHED

ACCEPT all -- 192.168.122.0/24 <http://192.168.122.0/24>anywhere

        ACCEPT     all  --  anywhere             anywhere

REJECT all -- anywhere anywherereject-with

        icmp-port-unreachable

REJECT all -- anywhere anywherereject-with

        icmp-port-unreachable

        Chain OUTPUT (policy ACCEPT)
        target     prot opt source               destination
        
****************************************************************************************************************

        Here it is after domU was started

        
****************************************************************************************************************
        Chain INPUT (policy ACCEPT)
        target     prot opt source               destination
        ACCEPT     udp  --  anywhere             anywhere            udp
        dpt:domain
        ACCEPT     tcp  --  anywhere             anywhere            tcp
        dpt:domain
        ACCEPT     udp  --  anywhere             anywhere            udp
        dpt:bootps
        ACCEPT     tcp  --  anywhere             anywhere            tcp
        dpt:bootps

        Chain FORWARD (policy ACCEPT)
        target     prot opt source               destination
        ACCEPT     all  --  anywhere             192.168.122.0/24
        <http://192.168.122.0/24>    state
        RELATED,ESTABLISHED

ACCEPT all -- 192.168.122.0/24 <http://192.168.122.0/24>anywhere

        ACCEPT     all  --  anywhere             anywhere

REJECT all -- anywhere anywherereject-with

        icmp-port-unreachable

REJECT all -- anywhere anywherereject-with

        icmp-port-unreachable

ACCEPT all -- anywhere anywherePHYSDEV match

        --physdev-in vif6.0

        Chain OUTPUT (policy ACCEPT)
        target     prot opt source               destination
        
****************************************************************************************************************

        The only difference between both the outputs is

ACCEPT all -- anywhere anywherePHYSDEV match


        --physdev-in vif6.0

        Any ideas why this is happening ?

        P.S. : If i am wrong in thinking that the above will resolve the
        problem of
        users binding ips of their domU and using them, please correct me.

--Using Opera's revolutionary e-mail client: http://www.opera.com/mail/





--
regards,

Anand Gupta


------------------------------------------------------------------------

_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users


_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users

Follow-Ups:
- Re: [SPAM] Re: [Xen-users] Re: number of ips
  - From: Anand Gupta
- Re: [SPAM] Re: [Xen-users] Re: number of ips
  - From: Peter Booth

References:
- [Xen-users] number of ips
  - From: Anand Gupta
- Re: [Xen-users] Re: number of ips
  - From: Vu Pham
- Re: [Xen-users] Re: number of ips
  - From: Vu Pham
- Re: [Xen-users] Re: number of ips
  - From: Eljas Alakulppi
- [SPAM] Re: [Xen-users] Re: number of ips
  - From: Anand Gupta
- Re: [SPAM] Re: [Xen-users] Re: number of ips
  - From: Eljas Alakulppi
- Re: [SPAM] Re: [Xen-users] Re: number of ips
  - From: Anand Gupta

Prev by Date: Re: [Xen-users] Re: number of ips
Next by Date: Re: [SPAM] Re: [Xen-users] Re: number of ips
Previous by thread: Re: [SPAM] Re: [Xen-users] Re: number of ips
Next by thread: Re: [SPAM] Re: [Xen-users] Re: number of ips
Index(es):
- Date
- Thread

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.