javier.prieto.ext@juntadeandalucia.es
2008-Feb-07 23:34 UTC
[Xen-users] Filtering traffic to Xen guest machines
Hello. I've just started using Xen. My configuration is plain simple: I've got a Centos 5 host with Xen and a single virtual machine which also uses Centos 5. Both of them have real IPs on the same real network.

Now, I have to delegate the server administration to an external company which I don't trust, so I'd want to filter any connection started by the virtual machine. The idea is that everyone outside can connect to that virtual IP, but any connection attempt from the guest OS which isn't part of an already established communication is dropped.

As far as I've seen, I should do it with ebtables, as the guest IP address is part of a bridge in the host machine. In fact, I've tried using simple restrictions, using --ip-source or --ip-destination, and it works. The point is that ebtables doesn't have an option to check for SYN headers, so I can't check if a package is trying to establish a new communication or not. I can do it with iptables, but it doesn't work as I'm trying to filter traffic within a bridge.

Can anybody please give me some advice? Thanks in advance, and sorry for my bad English :)

_______________________________________________
Xen-users mailing list
Xen-users@lists.xensource.com
http://lists.xensource.com/xen-users
Hi Javier,

On Fri, Feb 08, 2008 at 12:34:40AM +0100, javier.prieto.ext@juntadeandalucia.es wrote:

> The point is that ebtables doesn't have an option to check for SYN headers, so
> I can't check if a package is trying to establish a new communication or not.

ebtables works at layer 2 and knows nothing of TCP header details like SYN.

> I can do it with IPtables, but it doesn't work as I'm trying to filter traffic
> within a bridge.
>
> Can anybody please give me some advice? Thanks in advance, and sorry for my
> bad English :)

iptables will see bridged traffic on the FORWARD table if /proc/sys/net/bridge/bridge-nf-call-iptables is set to 1. You can match which interface on the bridge it comes from / goes via with --physdev. Or you can use routed networking and use iptables in the more usual fashion.

If sticking with a bridged network you'll also want to take steps to prevent ARP poisoning and MAC spoofing, by either using appropriate ebtables rules or using VLANs, etc.

Cheers,
Andy
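A dom0 rule set that puts Andy's advice to work on Javier's requirement (outsiders may reach the guest, new connections opened by the guest are logged and dropped, and the vif is pinned to one MAC and IP at layer 2). This is an added example, not code from either post; the vif name vif1.0, guest address 192.0.2.10 and guest MAC are assumed placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): firewall rules in dom0 for a bridged
# Xen guest that must accept inbound connections but may not open new ones.
# Assumed placeholders: vif name vif1.0, guest IPv4 192.0.2.10,
# guest MAC 00:16:3e:00:00:01 (Xen OUI prefix, constructed value).
GUEST_VIF="${GUEST_VIF:-vif1.0}"
GUEST_IP="${GUEST_IP:-192.0.2.10}"
GUEST_MAC="${GUEST_MAC:-00:16:3e:00:00:01}"

# Emit the commands rather than running them, so they can be reviewed first
# and then applied as root in dom0 with:  sh this_script.sh | sh
gen_rules() {
    cat <<EOF
# let the bridge hand IPv4 frames to iptables (the FORWARD chain sees them)
echo 1 > /proc/sys/net/bridge/bridge-nf-call-iptables
# per-guest chain for frames that enter the bridge from the guest's vif
iptables -N XEN_GUEST_OUT
iptables -A FORWARD -m physdev --physdev-in $GUEST_VIF -j XEN_GUEST_OUT
# replies belonging to connections the outside world opened are fine
iptables -A XEN_GUEST_OUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# anything else leaving the guest is a new connection attempt: log, then drop
iptables -A XEN_GUEST_OUT -m limit --limit 5/min -j LOG --log-prefix "xen-guest-new: "
iptables -A XEN_GUEST_OUT -j DROP
# traffic heading towards the guest is allowed
iptables -A FORWARD -m physdev --physdev-out $GUEST_VIF -j ACCEPT
# layer 2: only the guest's own MAC and IP may appear in frames and ARP from its vif
ebtables -A FORWARD -i $GUEST_VIF -s ! $GUEST_MAC -j DROP
ebtables -A FORWARD -i $GUEST_VIF -p IPv4 --ip-source ! $GUEST_IP -j DROP
ebtables -A FORWARD -i $GUEST_VIF -p ARP --arp-ip-src ! $GUEST_IP -j DROP
ebtables -A FORWARD -i $GUEST_VIF -p ARP --arp-mac-src ! $GUEST_MAC -j DROP
EOF
}

gen_rules
```

The state match is what gives Javier the "part of an already established communication" test that ebtables cannot do: the guest's replies to an inbound connection are ESTABLISHED, while a SYN the guest sends on its own is NEW and reaches the DROP rule.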