[Top] [All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Xen-users] Force traffic out one interface

Hi Jonathan,

I read your mail and those you posted in different previous threads and
I think that you should probably consider *not* using a bridge and using
pure routing instead:
- Do you really need bridge-only features (especially broadcasts from
domU to domU or broadcasts trespassing the dom0)? If I understand your
plans correctly, you want all your domUs to be isolated with their own
IP address and only communicating via a dedicated firewall. This way,
you would not need broadcasts between clients (this is only interesting
if you want to use LAN services between your domUs, because broadcasts
are not sent across the internet anyway).
- AFAIK, routing is more secure and faster than bridging, but somewhat
harder to setup.
- You could do what you posted below with routing. It might work with
bridging, too, but I don't know a good way to do that with a bridge.

With routing, you would need policy routing because of this elementary
problem:

You have (to make things easier to explain, in this example only 2) two
DomUs (let's say, 1.0.0.1 on vif-1.0 and 1.0.0.2 on vif-2.0), the
Domain-0 and a dedicated firewall between the Dom0 and the internet.
If 1.0.0.1 wants to reach any server on the internet (or vice versa), it
will trespass the firewall by default.
But if 1.0.0.1 wants to send (e.g. an e-mail) to 1.0.0.2 or (more
dangerous) wants to attack 1.0.0.2, they would only communicate via the
Domain-0 (without the firewall).

The problem is:

If you route 1.0.0.2 to vif-2.0 under all circumstances, it will bypass
the firewall if 1.0.0.1 sent the package.
If you route everything except 1.0.0.1 via eth0, you wont be able to
reach 1.0.0.2 any way.

The solution is:

You need to do policy routing.
If a package originates from the internet an should be sent to 1.0.0.2,
it must be routed to vif-2.0. But if it originates from 1.0.0.1, it must
be routed to eth0, so that it is sent to the firewall.
The firewall will then process the package and return it to the server,
which now must route the package to vif-2.0.

So it will take two policy routes:
route 1.0.0.2 via vif-2.0, if it is from eth0
route 1.0.0.2 via eth0, if it is not from eth0

I don't think that those routes would work with a bridge, so consider
using routing.

Felix

Am 13.06.2010 17:45, schrieb Jonathan Tripathy:
> Hi Everyone,
>
> Does anyone know any rules that I could use (using iptable, ebtables,
> or otherwise) that could force all traffic coming from a guest to go
> out via a particular interface? I wish to stop "inter-guest"
> communication, without going via my firewall first.
>
> Thanks
>
> _______________________________________________
> Xen-users mailing list
> Xen-users@xxxxxxxxxxxxxxxxxxx
> http://lists.xensource.com/xen-users
>

_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users

 

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.

Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.