Hi.

How can I assign a given IP address to a given domU and force the user of that domU to use that IP address and no other? I don't want the user to change the IP address of his virtual machine in /etc/network/interfaces to one or more IP addresses which are not assigned to him. In addition I don't want the user to create more virtual interfaces (eth0:x) than he is allowed to use (I allow each domU to have only two IP addresses).

Could you explain this to me, please?

Thank you very much!

_______________________________________________
Xen-users mailing list
Xen-users@lists.xensource.com
http://lists.xensource.com/xen-users
Hi,

I suggest you stop bridging the DomUs directly to the network. Then you can use standard Linux mechanisms for routing and filtering. You can even use point-to-point networking as discussed earlier on this list.

iptables should also be able to do this on the bridge level, but I would not consider this a clean approach.

Cheers
dla

On 8/6/07, shacky <shacky83@gmail.com> wrote:
> [...]
On Mon, Aug 06, 2007 at 02:18:20PM +0200, shacky wrote:
> Hi.
>
> How can I assign a given IP address to a given domU and force the user
> of that domU to use that IP address and no other?
> I don't want the user to change the IP address of his virtual machine
> in /etc/network/interfaces to one or more IP addresses which are
> not assigned to him.

In the dom0 make sure the kernel has

  net.bridge.bridge-nf-call-iptables = 1

This ensures that all traffic to/from the guest passes through the iptables rules in Dom0. You can then filter traffic from individual vifN.M interfaces associated with the guest to make sure it's only sending data with the valid predefined IP address and MAC address you gave it.

> In addition I don't want the user to create more virtual interfaces
> (eth0:x) than he is allowed to use (I allow each domU to have only two
> IP addresses).

There's no need to worry about restrictions on creating eth0:x interfaces if you are already filtering based on the source IP address.

Dan.
--
|=- Red Hat, Engineering, Emerging Technologies, Boston.  +1 978 392 2496 -=|
|=-           Perl modules: http://search.cpan.org/~danberr/              -=|
|=-               Projects: http://freshmeat.net/~danielpb/               -=|
|=-  GnuPG: 7D3B9505  F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505  -=|
> This ensures that all traffic to/from the guest passes through the iptables
> rules in Dom0. You can then filter traffic from individual vifN.M interfaces
> associated with the guest to make sure it's only sending data with the valid
> predefined IP address and MAC address you gave it.

Ok, thank you!

To set up the iptables rules I have to know the name of the virtual interface connected to the domU I created. The name of the virtual interface is <ID:number>, where ID is the ID of the domU and number is the number of the network interface starting from 0.

I wish to create a script that installs my domU from A to Z:
- create the LVM partitions
- uncompress my pre-created images into the partitions
- configure the main configuration files of the new domU
- configure iptables to lock down the network usage

How can I make this script know the name of the new virtual interface, so it can set up the iptables rules for the new domU?
Hi,

On Mon, Aug 06, 2007 at 01:58:46PM +0100, Daniel P. Berrange wrote:
> On Mon, Aug 06, 2007 at 02:18:20PM +0200, shacky wrote:
> > How can I assign a given IP address to a given domU and force the user
> > of that domU to use that IP address and no other?
> > I don't want the user to change the IP address of his virtual machine
> > in /etc/network/interfaces to one or more IP addresses which are
> > not assigned to him.
>
> In the dom0 make sure the kernel has
>
>   net.bridge.bridge-nf-call-iptables = 1
>
> This ensures that all traffic to/from the guest passes through the iptables
> rules in Dom0. You can then filter traffic from individual vifN.M interfaces
> associated with the guest to make sure it's only sending data with the valid
> predefined IP address and MAC address you gave it.

You will most likely want to use ebtables to make sure that they do not ARP for others' IPs as well (iptables would stop the traffic flowing, but the ARP would still cause havoc on your network).

Cheers,
Andy
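Putting Dan's filtering advice and Andy's ebtables point together, here is an added example (not code from the thread or from Xen): a POSIX sh helper that prints the dom0 rules pinning one vifN.M to its assigned MAC and IP addresses, which also answers how a provisioning script can derive the vif name from the domain ID. The vif<domid>.<index> naming, the use of the iptables physdev match and the sample MAC/IPs are assumptions; the rules are printed rather than executed so they can be reviewed before use.

```shell
#!/bin/sh
# Added example, not from the thread: print the dom0 iptables + ebtables
# rules that pin one guest vif to its assigned MAC and IP address(es).
# Assumes Xen's default vif<domid>.<index> naming, the physdev match for
# iptables, and constructed sample values. Output is printed, not run.

# Dom0-side interface of a guest: vif<domid>.<index>
vif_name() {
    printf 'vif%s.%s\n' "$1" "$2"
}

# gen_vif_rules <domid> <vifidx> <mac> <ip1> [ip2 ...]
# Layer 2 (ebtables): only frames from the assigned MAC, and ARP only
# for the assigned IPs, so the guest cannot claim a neighbour's address.
# Layer 3 (iptables): bridged frames reach the FORWARD chain because of
# bridge-nf-call-iptables=1; accept only the assigned source IPs.
gen_vif_rules() {
    domid=$1; idx=$2; mac=$3; shift 3
    vif=$(vif_name "$domid" "$idx")
    echo "sysctl -w net.bridge.bridge-nf-call-iptables=1"
    echo "ebtables -A FORWARD -i $vif -s ! $mac -j DROP"
    for ip in "$@"; do
        echo "ebtables -A FORWARD -i $vif -p ARP --arp-ip-src $ip -j ACCEPT"
    done
    echo "ebtables -A FORWARD -i $vif -p ARP -j DROP"
    for ip in "$@"; do
        echo "iptables -A FORWARD -m physdev --physdev-in $vif -s $ip -j ACCEPT"
    done
    echo "iptables -A FORWARD -m physdev --physdev-in $vif -j DROP"
}

# Constructed sample: domain ID 7, first vif, two permitted addresses
gen_vif_rules 7 0 00:16:3e:00:00:07 192.0.2.10 192.0.2.11
```

The ARP rules are what keeps a guest that changes its address from poisoning the neighbours' ARP caches; the iptables rules alone would only drop its IP traffic.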
Daniel P. Berrange wrote:
> On Mon, Aug 06, 2007 at 02:18:20PM +0200, shacky wrote:
>
>> Hi.
>>
>> How can I assign a given IP address to a given domU and force the user
>> of that domU to use that IP address and no other?
>> I don't want the user to change the IP address of his virtual machine
>> in /etc/network/interfaces to one or more IP addresses which are
>> not assigned to him.
>
> In the dom0 make sure the kernel has
>
>   net.bridge.bridge-nf-call-iptables = 1

Hi Dan,

Would you tell us where that setting is made?

Thanks!
On Mon, Aug 06, 2007 at 09:58:13AM -0700, Mike Wright wrote:
> Daniel P. Berrange wrote:
> > In the dom0 make sure the kernel has
> >
> >   net.bridge.bridge-nf-call-iptables = 1
>
> Hi Dan,
>
> Would you tell us where that setting is made?

Run sysctl and/or change /etc/sysctl.conf

Regards,
Dan.
> I suggest you stop bridging the DomUs directly to the network.

Could you tell me how I can stop it?

> iptables should also be able to do this on the bridge level, but I would not
> consider this a clean approach.

Have you ever used Shorewall to control the routing of the domUs?
Could you help me understand how to write the iptables rules to do what I wrote at the beginning of this thread?

I thank you very much for your help! :-)
shacky wrote:
> Hi.
>
> How can I assign a given IP address to a given domU and force the user
> of that domU to use that IP address and no other?
> I don't want the user to change the IP address of his virtual machine
> in /etc/network/interfaces to one or more IP addresses which are
> not assigned to him.
> In addition I don't want the user to create more virtual interfaces
> (eth0:x) than he is allowed to use (I allow each domU to have only two
> IP addresses).
>

This isn't really a Xen issue: it's a "someone has root on a machine in my cluster" issue. You can try to outsmart them with upstream switch programming, firewall setups, local configurations, etc. Or you can save yourself implementing that in complex new configurations and instead monitor the "xm list -l" XML-based output for forbidden configurations, and slap down any domain you catch misbehaving this way.

At least, that's how *I'd* do it....
Well, first of all, you have to disconnect the vifX.Y from xenbrZ. Then you configure an IP address on both ethY (in the DomU) and vifX.Y (in the Dom0). You can dig up my mail on the topic "Re: Poin to point connection" on this list. If you enable routing, everything should be fine. Of course you also have to propagate the route back to the DomUs (via your Dom0's IP) on the network.

I can't tell you what to do, because I do not know *exactly* what you're aiming at. If you're dependent on some sort of provider, i.e. you have rented some server, you're probably best off following the already mentioned approach of using iptables and ebtables. It has the great benefit that you do not need cooperation (or at least less cooperation) from your provider. However, in the default setup every DomU has its own MAC address that becomes visible on the network. You should definitely check that this is OK within your network.

Cheers,
dla

On 8/6/07, shacky <shacky83@gmail.com> wrote:
> [...]
Hi,

please also reply to the list, as this also gives other people the chance to respond ;)

On 8/7/07, shacky <shacky83@gmail.com> wrote:
> How can I disconnect it?

If the DomU is already started, "brctl delif xenbrX vifY.Z" is your friend. Before starting, you can simply set "bridge=" in the DomU config file.

> Ok, thank you.
>
> I'm sorry, but I didn't understand how to make the routing... With
> some MASQ rules with Shorewall (iptables) on the dom0? And then the
> domUs need to configure the dom0 IP address as default gateway?

Yes. But you should use the IP of the vifY.Z interface. You could also consider doing the routing in a dedicated DomU, which is (in theory) a bit more secure, but also more complicated.

> > I can't tell you what to do, because I do not know *exactly* what you're
> > aiming at.
>
> I have a simple configuration. A dom0 with some domUs, which need to
> have Internet access through the dom0 eth0. Each domU has a vif
> named "vif-[domU's name]", which is now bridged with the dom0.
> I have to restrict the IP addresses the domU can use, to prevent the
> users from changing their IP addresses or adding some other virtual
> interface (eth0:x).

Yes, and that's the important point: Do you want to do NAT and share one IP, or should each DomU have its own IP that is visible to the outside?
In the latter case, the easiest solution is a dedicated subnet for the DomUs that is routed via an IP in the DomU. I.e., all traffic targeted to one of the DomUs is not sent directly there but to the Dom0. AFAIK, most providers of cheap servers with root access do not offer this.

Cheers
dla

> > If you're dependent on some sort of provider, i.e. you have rented some
> > server, you're probably best off following the already mentioned approach of
> > using iptables and ebtables.
>
> Yes, I wish to use iptables. I am using Shorewall as iptables
> configurator, and I wish to continue to use it for the dom0 too...
>
> Please, could you help me?
> I am very confused... :-(
>
> Bye!
> Mattia.
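As an added example (not dla's code or Xen's own network scripts), here is a sh helper that prints the dom0 commands for the routed setup described in the two replies above: detach the vif from the bridge, give the dom0 end a point-to-point address that the guest uses as its gateway, and enable forwarding. The bridge name xenbr0, the iproute2 syntax, proxy ARP on eth0 as one way to attract the guest's traffic to dom0 while the upstream route is not yet in place, and the sample addresses are all assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: print the dom0 commands that take one
# guest vif off the Xen bridge and route it instead (own IP, no NAT).
# Assumes vif<domid>.<index> naming, brctl + iproute2 on dom0, eth0 as the
# dom0 uplink, and constructed addresses. Commands are printed, not run.

# gen_routed_vif <domid> <vifidx> <bridge> <dom0_side_ip> <guest_ip>
# dom0_side_ip becomes the guest's default gateway; guest_ip is what the
# guest configures on its ethN and what the outside world sees.
gen_routed_vif() {
    vif="vif$1.$2"; bridge=$3; gw=$4; guest=$5
    # 1. detach a running guest's vif from the bridge (for a guest that is
    #    not yet started, an empty bridge= in its config does the same)
    echo "brctl delif $bridge $vif"
    # 2. point-to-point address on the dom0 end; 'peer' also installs the
    #    /32 host route to the guest through this vif
    echo "ip addr add $gw peer $guest/32 dev $vif"
    echo "ip link set $vif up"
    # 3. let dom0 forward between eth0 and the vif
    echo "sysctl -w net.ipv4.ip_forward=1"
    # 4. the LAN must deliver the guest's IP to dom0: either the upstream
    #    router gets a route via dom0's IP, or (assumed here) dom0 answers
    #    ARP for the guest on eth0
    echo "sysctl -w net.ipv4.conf.eth0.proxy_arp=1"
}

# Constructed sample: domain ID 7, first vif, gateway 192.0.2.1
gen_routed_vif 7 0 xenbr0 192.0.2.1 192.0.2.10
```

Once the vif is off the bridge, ordinary iptables FORWARD rules keyed on `-i vif7.0 -s 192.0.2.10` enforce the address without any bridge-level matching.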
> If the DomU is already started, "brctl delif xenbrX vifY.Z" is your friend.
> Before starting, you can simply set "bridge=" in the DomU config file.

Setting "bridge=" will make no bridge with no interface?

> Yes, and that's the important point: Do you want to do NAT and share one IP,
> or should each DomU have its own IP that is visible to the outside?
> In the latter case, the easiest solution is a dedicated subnet for the DomUs
> that is routed via an IP in the DomU. I.e., all traffic targeted to one of
> the DomUs is not sent directly there but to the Dom0.
> AFAIK, most providers of cheap servers with root access do not offer this.

I didn't think about this.
I absolutely need to do routing instead of NAT because all the domUs need to be visible to the outside with their own IP address and not with the IP address of the dom0.
But now the question is: how can I make routing on the dom0 for the domUs? With NAT 1:1 in Shorewall?

Thank you very much!
The best thing is one interface to manage dom0 and another interface for the domU, each interface on a different subnet.

Rick

shacky wrote:
> [...]