Michael Best
2005-Nov-30 04:21 UTC
[Xen-users] Centos/RHEL/Fedora IPTables Firewalling in dom0/domU + dhclient
All dom0/domUs are Centos 4.2 but the RHEL and Fedora firewalls are almost identical in base configuration. dom0 was rebuilt to contain all the firewall modules required for Centos 4.2. domU has no firewalling capability. dom0 is on vif0.0 and domU here is on vif3.0.

I suspect that if I move to static IP addresses this won't end up being much of a problem, but it would be nice to add a couple more rules to make dhcp work. I want to eventually have at the very least the "basic" Centos firewall available on my dom0 and domU.

I modified vif-common.sh to allow network traffic in the FORWARD chain with the default RH Firewall:

--- /etc/xen/scripts/vif-common.sh.orig 2005-11-28 21:11:03.000000000 -0700
+++ /etc/xen/scripts/vif-common.sh 2005-11-28 21:09:58.000000000 -0700
@@ -61,11 +61,13 @@ else local c="-D" fi + -D FORWARD -j RH-Firewall-1-INPUT iptables "$c" FORWARD -m physdev --physdev-in "$vif" "$@" -j ACCEPT || [ "$c" == "-D" ] || log err \ "iptables $c FORWARD -m physdev --physdev-in $vif $@ -j ACCEPT failed. If you are using iptables, this may affect networking for guest domains." + -A FORWARD -j RH-Firewall-1-INPUT }

The firewall rules end up being:

Chain INPUT (policy ACCEPT)
target               prot opt source               destination
RH-Firewall-1-INPUT  all  --  anywhere             anywhere

Chain FORWARD (policy ACCEPT)
target               prot opt source               destination
ACCEPT               all  --  anywhere             anywhere            PHYSDEV match --physdev-in vif3.0
RH-Firewall-1-INPUT  all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target               prot opt source               destination

Chain RH-Firewall-1-INPUT (2 references)
target               prot opt source               destination
ACCEPT               all  --  anywhere             anywhere
ACCEPT               icmp --  anywhere             anywhere            icmp any
ACCEPT               ipv6-crypt--  anywhere        anywhere
ACCEPT               ipv6-auth--  anywhere         anywhere
ACCEPT               udp  --  anywhere             224.0.0.251         udp dpt:5353
ACCEPT               udp  --  anywhere             anywhere            udp dpt:ipp
ACCEPT               all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT               tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh
LOG                  all  --  anywhere             anywhere            LOG level warning
REJECT               all  --  anywhere             anywhere            reject-with icmp-host-prohibited

Starting the dom0 dhclient results in this firewall log on dom0:
----
# dhclient eth0
Nov 29 21:08:37 xen-dom0 kernel: IN=xenbr0 OUT=xenbr0 PHYSIN=vif0.0 PHYSOUT=vif3.0 SRC=0.0.0.0 DST=255.255.255.255 LEN=328 TOS=0x10 PREC=0x00 TTL=16 ID=0 PROTO=UDP SPT=68 DPT=67 LEN=308
Nov 29 21:08:37 xen-dom0 kernel: IN=xenbr0 OUT=xenbr0 PHYSIN=vif0.0 PHYSOUT=peth0 SRC=0.0.0.0 DST=255.255.255.255 LEN=328 TOS=0x10 PREC=0x00 TTL=16 ID=0 PROTO=UDP SPT=68 DPT=67 LEN=308
Nov 29 21:08:37 xen-dom0 kernel: IN=xenbr0 OUT= PHYSIN=vif0.0 PHYSOUT=peth0 MAC=ff:ff:ff:ff:ff:ff:00:01:02:be:88:3f:08:00 SRC=0.0.0.0 DST=255.255.255.255 LEN=328 TOS=0x10 PREC=0x00 TTL=16 ID=0 PROTO=UDP SPT=68 DPT=67 LEN=308

Starting the domU dhclient results in this firewall log on dom0:
----
# dhclient eth0
Nov 29 21:11:45 xen-dom0 kernel: IN=xenbr0 OUT= PHYSIN=vif3.0 PHYSOUT=vif0.0 MAC=ff:ff:ff:ff:ff:ff:00:16:3e:0f:9d:70:08:00 SRC=0.0.0.0 DST=255.255.255.255 LEN=328 TOS=0x10 PREC=0x00 TTL=16 ID=0 PROTO=UDP SPT=68 DPT=67 LEN=308
Nov 29 21:11:45 xen-dom0 kernel: IN=eth0 OUT= PHYSIN=vif3.0 PHYSOUT=vif0.0 MAC=ff:ff:ff:ff:ff:ff:00:16:3e:0f:9d:70:08:00 SRC=0.0.0.0 DST=255.255.255.255 LEN=328 TOS=0x10 PREC=0x00 TTL=16 ID=0 PROTO=UDP SPT=68 DPT=67 LEN=308
Nov 29 21:11:47 xen-dom0 kernel: IN=xenbr0 OUT=xenbr0 PHYSIN=peth0 PHYSOUT=vif3.0 SRC=192.168.2.2 DST=255.255.255.255 LEN=576 TOS=0x00 PREC=0x00 TTL=64 ID=0 PROTO=UDP SPT=67 DPT=68 LEN=556
Nov 29 21:11:47 xen-dom0 kernel: IN=xenbr0 OUT=xenbr0 PHYSIN=peth0 PHYSOUT=vif0.0 SRC=192.168.2.2 DST=255.255.255.255 LEN=576 TOS=0x00 PREC=0x00 TTL=64 ID=0 PROTO=UDP SPT=67 DPT=68 LEN=556
Nov 29 21:11:47 xen-dom0 kernel: IN=xenbr0 OUT= PHYSIN=peth0 PHYSOUT=vif0.0 MAC=ff:ff:ff:ff:ff:ff:00:13:10:2d:93:b2:08:00 SRC=192.168.2.2 DST=255.255.255.255 LEN=576 TOS=0x00 PREC=0x00 TTL=64 ID=0 PROTO=UDP SPT=67 DPT=68 LEN=556

-Mike

_______________________________________________
Xen-users mailing list
Xen-users@lists.xensource.com
http://lists.xensource.com/xen-users
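Review bot: the two lines the vif-common.sh hunk adds, `+ -D FORWARD -j RH-Firewall-1-INPUT` and `+ -A FORWARD -j RH-Firewall-1-INPUT`, have no `iptables` in front of the options as shown, so if that is literally what is in the file the shell will try to run `-D` and `-A` as commands and the jump will never move; if the mailer dropped the word, restate the lines with it. With the command in place the sequence is delete the jump, add or delete the per-vif ACCEPT, re-append the jump, which is what puts `ACCEPT ... PHYSDEV match --physdev-in vif3.0` ahead of `RH-Firewall-1-INPUT` in the listing; the `-D` will print an error every time the jump is absent (firewall not loaded yet, second vif torn down), and the existing `log err` guard does not cover it, so it wants a `2>/dev/null`. Separately, the reordering cannot clear the logs that follow: the ACCEPT matches only `--physdev-in vif3.0`, while the logged DHCP packets either come in on vif0.0 or peth0 in FORWARD (`OUT=xenbr0`) or are local deliveries in INPUT (`OUT=` empty) where a FORWARD rule does not apply, and RH-Firewall-1-INPUT has no rule for UDP 67/68 (the `state RELATED,ESTABLISHED` rule did not match the 192.168.2.2:67 broadcast reply either, as the third domU log line shows), so they fall through to LOG and REJECT. Explicit `-p udp --sport 68 --dport 67` and `--sport 67 --dport 68` ACCEPTs in FORWARD, plus the latter in INPUT for dom0's own lease, inserted ahead of the jump, are the couple of extra rules the post is asking for.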
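As an added example that is not part of Mike's post or of Xen's vif scripts: a small Python parser for the kernel LOG lines above that works out which chain rejected each packet, classifies the DHCP direction, and derives the minimal set of ACCEPT rules that would have let the traffic through. It assumes that an empty OUT= means the packet was on its way to a local socket (INPUT) and a non-empty OUT= means it was being bridged (FORWARD), which holds for the setup in the post because the LOG rule lives in RH-Firewall-1-INPUT and is jumped to from both chains. The log lines are copied from the post; the rule strings are this example's suggestion, not something the post ran.

```python
"""Turn netfilter LOG lines from a Xen dom0 bridge into DHCP accept rules.

Added example; not code from the post or from Xen's vif scripts. It parses the
key=value fields the iptables LOG target writes and works out, per packet, which
chain rejected it and which DHCP direction it was. Assumption: an empty OUT=
means the packet was headed for a local socket (INPUT) and a non-empty OUT=
means it was being bridged (FORWARD). That holds for the post's setup, where
the LOG rule sits in RH-Firewall-1-INPUT and is reached from both chains.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Kernel log lines copied from the post: dom0's dhclient run, then domU's.
SAMPLE_LOG = """\
Nov 29 21:08:37 xen-dom0 kernel: IN=xenbr0 OUT=xenbr0 PHYSIN=vif0.0 PHYSOUT=vif3.0 SRC=0.0.0.0 DST=255.255.255.255 LEN=328 TOS=0x10 PREC=0x00 TTL=16 ID=0 PROTO=UDP SPT=68 DPT=67 LEN=308
Nov 29 21:08:37 xen-dom0 kernel: IN=xenbr0 OUT=xenbr0 PHYSIN=vif0.0 PHYSOUT=peth0 SRC=0.0.0.0 DST=255.255.255.255 LEN=328 TOS=0x10 PREC=0x00 TTL=16 ID=0 PROTO=UDP SPT=68 DPT=67 LEN=308
Nov 29 21:08:37 xen-dom0 kernel: IN=xenbr0 OUT= PHYSIN=vif0.0 PHYSOUT=peth0 MAC=ff:ff:ff:ff:ff:ff:00:01:02:be:88:3f:08:00 SRC=0.0.0.0 DST=255.255.255.255 LEN=328 TOS=0x10 PREC=0x00 TTL=16 ID=0 PROTO=UDP SPT=68 DPT=67 LEN=308
Nov 29 21:11:45 xen-dom0 kernel: IN=xenbr0 OUT= PHYSIN=vif3.0 PHYSOUT=vif0.0 MAC=ff:ff:ff:ff:ff:ff:00:16:3e:0f:9d:70:08:00 SRC=0.0.0.0 DST=255.255.255.255 LEN=328 TOS=0x10 PREC=0x00 TTL=16 ID=0 PROTO=UDP SPT=68 DPT=67 LEN=308
Nov 29 21:11:45 xen-dom0 kernel: IN=eth0 OUT= PHYSIN=vif3.0 PHYSOUT=vif0.0 MAC=ff:ff:ff:ff:ff:ff:00:16:3e:0f:9d:70:08:00 SRC=0.0.0.0 DST=255.255.255.255 LEN=328 TOS=0x10 PREC=0x00 TTL=16 ID=0 PROTO=UDP SPT=68 DPT=67 LEN=308
Nov 29 21:11:47 xen-dom0 kernel: IN=xenbr0 OUT=xenbr0 PHYSIN=peth0 PHYSOUT=vif3.0 SRC=192.168.2.2 DST=255.255.255.255 LEN=576 TOS=0x00 PREC=0x00 TTL=64 ID=0 PROTO=UDP SPT=67 DPT=68 LEN=556
Nov 29 21:11:47 xen-dom0 kernel: IN=xenbr0 OUT=xenbr0 PHYSIN=peth0 PHYSOUT=vif0.0 SRC=192.168.2.2 DST=255.255.255.255 LEN=576 TOS=0x00 PREC=0x00 TTL=64 ID=0 PROTO=UDP SPT=67 DPT=68 LEN=556
Nov 29 21:11:47 xen-dom0 kernel: IN=xenbr0 OUT= PHYSIN=peth0 PHYSOUT=vif0.0 MAC=ff:ff:ff:ff:ff:ff:00:13:10:2d:93:b2:08:00 SRC=192.168.2.2 DST=255.255.255.255 LEN=576 TOS=0x00 PREC=0x00 TTL=64 ID=0 PROTO=UDP SPT=67 DPT=68 LEN=556
"""

# One KEY=value token; an empty value (as in "OUT= ") is allowed.
_FIELD = re.compile(r"(\w+)=(\S*)")


@dataclass(frozen=True)
class Packet:
    chain: str            # "FORWARD" or "INPUT", inferred from OUT=
    indev: str            # IN=
    physin: str           # PHYSIN=  bridge port the frame arrived on
    physout: str          # PHYSOUT= bridge port it was headed for
    proto: str
    src: str
    dst: str
    spt: Optional[int]
    dpt: Optional[int]


def parse_log_line(line: str) -> Packet:
    """Parse one LOG line (syslog prefix allowed) into a Packet."""
    start = line.find("IN=")
    if start < 0:
        raise ValueError("not a netfilter LOG line: %r" % line)
    fields = {}
    for key, value in _FIELD.findall(line[start:]):
        fields.setdefault(key, value)  # first LEN= is the IP length; keep it

    def port(key):
        return int(fields[key]) if key in fields else None

    return Packet(
        chain="FORWARD" if fields.get("OUT") else "INPUT",
        indev=fields.get("IN", ""),
        physin=fields.get("PHYSIN", ""),
        physout=fields.get("PHYSOUT", ""),
        proto=fields.get("PROTO", ""),
        src=fields.get("SRC", ""),
        dst=fields.get("DST", ""),
        spt=port("SPT"),
        dpt=port("DPT"),
    )


def parse_log(text: str) -> List[Packet]:
    return [parse_log_line(l) for l in text.splitlines() if l.strip()]


def dhcp_direction(p: Packet) -> Optional[str]:
    """'client->server' for UDP 68->67, 'server->client' for 67->68, else None."""
    if p.proto != "UDP":
        return None
    if (p.spt, p.dpt) == (68, 67):
        return "client->server"
    if (p.spt, p.dpt) == (67, 68):
        return "server->client"
    return None


def accept_rule(p: Packet) -> Optional[str]:
    """iptables command that would accept this DHCP packet in the chain that
    logged it. -I puts it at the head of the chain, ahead of the
    RH-Firewall-1-INPUT jump, which is where it has to sit."""
    if dhcp_direction(p) is None:
        return None
    return "iptables -I %s -p udp --sport %d --dport %d -j ACCEPT" % (p.chain, p.spt, p.dpt)


def minimal_ruleset(text: str, dom0_runs_dhcp_server: bool = False) -> List[str]:
    """Deduplicated rules, in first-seen order, for the DHCP packets in text.

    A client->server broadcast that reached INPUT is only worth accepting if
    dom0 itself answers DHCP; otherwise dropping that local copy is harmless
    (the bridged copy leaving via peth0 is what the real server sees), so it
    is skipped unless dom0_runs_dhcp_server is set. Replies (67->68) reaching
    INPUT are dom0's own lease and are always kept.
    """
    rules: List[str] = []
    for p in parse_log(text):
        d = dhcp_direction(p)
        if d is None:
            continue
        if p.chain == "INPUT" and d == "client->server" and not dom0_runs_dhcp_server:
            continue
        rule = accept_rule(p)
        if rule not in rules:
            rules.append(rule)
    return rules


if __name__ == "__main__":
    for p in parse_log(SAMPLE_LOG):
        print("%-7s physin=%-6s physout=%-6s %s" % (p.chain, p.physin, p.physout, dhcp_direction(p)))
    print()
    for r in minimal_ruleset(SAMPLE_LOG):
        print(r)
```

The rules use `-I` rather than `-A` because an appended rule would land after the `RH-Firewall-1-INPUT` jump and never be reached; in a vif hook they would go in the same place as the per-vif ACCEPT. The two INPUT requests from domU are deliberately left unaccepted with the default flag: the server that answers is on the far side of peth0, so only the bridged copies matter.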