[Xen-users] Implementing firewall functionality in dom0 host on behalf of domU guests
My actual question (of how to do the same under CentOS 5.8 + GITCO_Xen_4.1.2) will be a followup to this posting.

Using CentOS 5.7 and the "Virtualization" groupinstall (or CentOS 5.8 and the "Xen" groupinstall), I have successfully implemented firewalls at the host dom0 for each guest domU, using iptables and the default vif-bridge scripts, and a named vif= configuration in the xm .cfg file.

The named virtual interface VIF=XYZZY is for clarity, and avoids the need to decode which vif number is associated with the guest domU.

XYZZY.cfg:
name = "XYZZY"
uuid = "99682a19-2f26-8290-f589-a7897127aaf1"
maxmem = 31744
memory = 31744
vcpus = 16
bootloader = "/usr/bin/pygrub"
vfb = [ "type=vnc,vncunused=1,keymap=en-us" ]
disk = [ "phy:/dev/mapper/plugh_VG01-XYZZY_ROOT,xvda,w",
         "phy:/dev/mapper/plugh_VG01-XYZZY_DATA,xvdf,w",
         "phy:/dev/mapper/plugh_VG01-XYZZY_FLASH,xvdg,w",
         "phy:/dev/mapper/plugh_VG01-XYZZY_EXPORTS,xvdh,w" ]
vif = [ "vifname=XYZZY,mac=00:16:3e:3f:40:8c,bridge=xenbr0,script=vif-bridge" ]

Firewall script:

#!/bin/sh
# firewall rules for interface 'XYZZY' on machine 'plugh'
#
# enable packet filtering of bridged frames in the FORWARD chain
echo 1 >/proc/sys/net/bridge/bridge-nf-call-iptables
#
# first, remove the current link to the current ruleset for the interface
# (fails harmlessly on the very first run, when no link exists yet)
iptables -D FORWARD -m physdev --physdev-in peth0 --physdev-out XYZZY -j XYZZY
#
# create the rule set if it does not exist yet ("chain already exists" is ignored)
iptables -N XYZZY 2>/dev/null
#
# flush the current set of rules
iptables -F XYZZY
#
# first, allow any traffic that is already established.
iptables -A XYZZY -m state --state RELATED,ESTABLISHED -j RETURN
#
#
# RULES incoming (only from the management host 127.128.129.130)
#
# iptables -A XYZZY -m tcp -p tcp -s 127.128.129.130/32 --dport 5900 -j RETURN
iptables -A XYZZY -m tcp -p tcp -s 127.128.129.130/32 --dport 22 -j RETURN
iptables -A XYZZY -m tcp -p tcp -s 127.128.129.130/32 --dport 873 -j RETURN
iptables -A XYZZY -m udp -p udp -s 127.128.129.130/32 --dport 873 -j RETURN
iptables -A XYZZY -m udp -p udp -s 127.128.129.130/32 --dport 161 -j RETURN
iptables -A XYZZY -m tcp -p tcp -s 127.128.129.130/32 --dport 5666 -j RETURN
# ... elided for brevity ...
#
#
# all other packets, drop
iptables -A XYZZY -j DROP
#
# activate the rules: link the chain into FORWARD for frames leaving the bridge on XYZZY
iptables -I FORWARD -m physdev --physdev-in peth0 --physdev-out XYZZY -j XYZZY
#
plugh# xm info
host                   : plugh
release                : 2.6.18-274.17.1.el5xen
version                : #1 SMP Tue Jan 10 18:06:37 EST 2012
machine                : x86_64
nr_cpus                : 16
nr_nodes               : 1
sockets_per_node       : 2
cores_per_socket       : 4
threads_per_core       : 2
cpu_mhz                : 2400
hw_caps                : bfebfbff:2c100800:00000000:00000940:029ee3ff:00000000:00000001
total_memory           : 32755
free_memory            : 0
node_to_cpu            : node0:0-15
xen_major              : 3
xen_minor              : 1
xen_extra              : .2-274.17.1.el5
xen_caps               : xen-3.0-x86_64 xen-3.0-x86_32p hvm-3.0-x86_32 hvm-3.0-x86_32p hvm-3.0-x86_64
xen_pagesize           : 4096
platform_params        : virt_start=0xffff800000000000
xen_changeset          : unavailable
cc_compiler            : gcc version 4.1.2 20080704 (Red Hat 4.1.2-51)
cc_compile_by          : mockbuild
cc_compile_domain      : centos.org
cc_compile_date        : Tue Jan 10 17:17:20 EST 2012
xend_config_format     : 2

plugh# rpm -q -a | egrep "xen|libvirt|iptables|kernel"
kernel-2.6.18-274.el5
libvirt-0.8.2-22.el5
xen-libs-3.0.3-132.el5_7.2
iptables-ipv6-1.3.5-5.3.el5_4.1
libvirt-python-0.8.2-22.el5
kernel-xen-2.6.18-274.17.1.el5
libvirt-0.8.2-22.el5
kernel-headers-2.6.18-274.18.1.el5
iptables-1.3.5-5.3.el5_4.1
kernel-2.6.18-274.17.1.el5
xen-libs-3.0.3-132.el5_7.2
xen-3.0.3-132.el5_7.2

plugh# brctl show
bridge name     bridge id               STP enabled     interfaces
xenbr0          8000.feffffffffff       no              XYZZY
                                                        vif0.0
                                                        peth0

plugh# xm list
Name                                        ID   Mem(MiB) VCPUs State   Time(s)
XYZZY                                        1      31744    16 r-----  1211120.0
Domain-0                                     0        369    16 r-----   241894.7

plugh# ifconfig
XYZZY     Link encap:Ethernet  HWaddr FE:FF:FF:FF:FF:FF
          UP BROADCAST RUNNING NOARP  MTU:1500  Metric:1
          RX packets:2305072735 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1951016493 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:500
          RX bytes:12515299595253 (11.3 TiB)  TX bytes:317211039272 (295.4 GiB)

eth0      Link encap:Ethernet  HWaddr 78:2B:CB:6D:59:9A
          inet addr:127.128.129.130  Bcast:127.128.129.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:2781233 errors:0 dropped:0 overruns:0 frame:0
          TX packets:2965482 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:277225631 (264.3 MiB)  TX bytes:664291498 (633.5 MiB)

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:91216 errors:0 dropped:0 overruns:0 frame:0
          TX packets:91216 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:21207426 (20.2 MiB)  TX bytes:21207426 (20.2 MiB)

peth0     Link encap:Ethernet  HWaddr FE:FF:FF:FF:FF:FF
          UP BROADCAST RUNNING NOARP  MTU:1500  Metric:1
          RX packets:1953731878 errors:0 dropped:0 overruns:0 frame:0
          TX packets:9393179558 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:327141737804 (304.6 GiB)  TX bytes:13053452783524 (11.8 TiB)
          Interrupt:23 Memory:da000000-da012800

tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:172.16.128.254  P-t-P:172.16.128.253  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)

vif0.0    Link encap:Ethernet  HWaddr FE:FF:FF:FF:FF:FF
          UP BROADCAST RUNNING NOARP  MTU:1500  Metric:1
          RX packets:2965480 errors:0 dropped:0 overruns:0 frame:0
          TX packets:2781233 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:664291294 (633.5 MiB)  TX bytes:277225631 (264.3 MiB)

xenbr0    Link encap:Ethernet  HWaddr FE:FF:FF:FF:FF:FF
          UP BROADCAST RUNNING NOARP  MTU:1500  Metric:1
          RX packets:78311 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:3597130 (3.4 MiB)  TX bytes:0 (0.0 b)

_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxx
http://lists.xen.org/xen-users
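The per-guest chain from the post above, generalised into a reusable sh function (an added example, not code from the original post): it takes the named vif, the management host and a list of proto:port services, and is safe to re-run (it unlinks the old FORWARD jump first, creates the chain only if missing, then flushes and refills it). The uplink name peth0, the RUN variable and the dry-run default are assumptions; with RUN=echo it prints the iptables commands instead of executing them.

```shell
#!/bin/sh
# Build (or rebuild) the dom0 filter chain for one named Xen vif.
# Usage: guest_chain VIF MGMT_HOST proto:port [proto:port ...]
# RUN=echo (default, an assumption for this example) prints the commands;
# run with RUN="" as root on the dom0 to apply them.
RUN=${RUN-echo}
PHYS_IN=${PHYS_IN:-peth0}   # physical uplink attached to xenbr0 (assumed name)

guest_chain() {
    vif=$1; mgmt=$2; shift 2
    fwd="FORWARD -m physdev --physdev-in $PHYS_IN --physdev-out $vif -j $vif"

    # 1. unlink the old jump first so no frame traverses a half-built chain
    #    (the -D fails harmlessly on the very first run)
    $RUN iptables -D $fwd 2>/dev/null
    # 2. create-if-missing, then flush: correct on first run and on reloads
    $RUN iptables -N "$vif" 2>/dev/null
    $RUN iptables -F "$vif"
    # 3. replies to traffic the guest itself initiated pass unconditionally
    $RUN iptables -A "$vif" -m state --state RELATED,ESTABLISHED -j RETURN
    # 4. one RETURN per allowed service, from the management host only
    for svc; do
        proto=${svc%%:*}; port=${svc#*:}
        case $proto in
            tcp|udp) ;;
            *) echo "guest_chain: bad service spec '$svc'" >&2; return 1 ;;
        esac
        $RUN iptables -A "$vif" -p "$proto" -m "$proto" -s "$mgmt/32" \
            --dport "$port" -j RETURN
    done
    # 5. default deny for everything else, then re-link the chain into FORWARD
    $RUN iptables -A "$vif" -j DROP
    $RUN iptables -I $fwd
}

# Dry run with the values from the post: vif XYZZY, management host 127.128.129.130
guest_chain XYZZY 127.128.129.130 tcp:22 tcp:873 udp:873 udp:161 tcp:5666
```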