Matthias Babisch
2013-Jul-19 07:29 UTC
[libvirt-users] How to handle IP-based Networkfilters
Sven Schwedas
2013-Jul-19 07:42 UTC
Re: [libvirt-users] How to handle IP-based Networkfilters
Hello,

You might want to read up on this:
https://www.redhat.com/archives/libvirt-users/2013-July/msg00087.html

On 19.07.2013 09:29, Matthias Babisch wrote:
> Hello People.
>
> We are currently exploring the possibility to use libvirt and kvm/qemu
> for production purposes. The general stability seems good enough and the
> performance is great. There are some issues we do not understand here
> yet. For security reasons we are considering the extensive use of
> network filters for virtual machines. But we found some simple scheme for
> a test server not to be working as we expected. It might well be that we
> misunderstand something here, so I am hoping someone could point out to
> us where either we or perhaps libvirt failed in this example.
>
> We are using an Ubuntu 13.04 Server running the provided
> "1.0.2-0ubuntu11.13.04.2" libvirt-bin on the amd64 architecture.
>
> The type of VM should not be relevant for this problem. It's a
> Linux-based XMPP server which uses ucarp.
> I reduced the used filter file just so I could prove my point. It contains:
>
> <filter name='linux-based-xmpp-server' chain='root'>
>   <uuid>fb539996-eed5-11e2-8bd3-00e081e0f040</uuid>
>   <rule action='accept' direction='in' priority='999'>
>     <tcp state='NEW' dstportstart='5222'/>
>   </rule>
>   <rule action='accept' direction='in' priority='999'>
>     <tcp state='NEW' dstportstart='5269'/>
>   </rule>
>   <rule action='accept' direction='inout' priority='999'>
>     <ip dstipaddr='224.0.0.18' proto='112'/>
>   </rule>
>   <rule action='reject' direction='inout' priority='999'>
>     <all/>
>   </rule>
> </filter>
>
> Practically it should allow incoming TCP traffic on ports 5222 and 5269,
> and incoming and outgoing traffic for IP protocol 112 to destination IP
> 224.0.0.18 (VRRP used by ucarp). All other traffic should be rejected.
> There is only one VM on the system and the VM has this ruleset attached.
>
> Note: It is clear to me that this example won't work as a real-world
> example, because packets of the state ESTABLISHED,RELATED are not
> allowed through the firewall. I removed these rules because they were
> in a filter file I referenced.
>
> After reloading libvirt-bin I do get part of the rules I would
> expect in iptables:
>
> Chain FI-vnet0 (1 references)
> target     prot opt source     destination
> REJECT     all  --  0.0.0.0/0  0.0.0.0/0   reject-with icmp-port-unreachable
>
> Chain FO-vnet0 (1 references)
> target     prot opt source     destination
> ACCEPT     tcp  --  0.0.0.0/0  0.0.0.0/0   tcp dpt:5222 state NEW
> ACCEPT     tcp  --  0.0.0.0/0  0.0.0.0/0   tcp dpt:5269 state NEW
> REJECT     all  --  0.0.0.0/0  0.0.0.0/0   reject-with icmp-port-unreachable
>
> Chain HI-vnet0 (1 references)
> target     prot opt source     destination
> REJECT     all  --  0.0.0.0/0  0.0.0.0/0   reject-with icmp-port-unreachable
>
> What is missing is any reference to the rule for ucarp (protocol 112).
>
> Please note though that removing the protocol and just allowing any IP
> traffic to 224.0.0.18 as a rule does not appear in the iptables either.
>
> Am I misunderstanding anything here? Is there a bug in libvirt? How do
> you interpret this?
> Do you know of any other way to achieve the simple ruleset intended?
>
> I am hoping to get more information from this list. If you are replying,
> please cc me (matthias.babisch@bmiag.de), because I receive this list as
> a digest.
>
> Sincerely
>
> Matthias Babisch
> IT/Organisation
>
> *b+m Informatik AG*
> Rotenhofer Weg 20
> 24109 Melsdorf
>
> T +49 4340/404-1444
> F +49 4340/404-111
> M +49 160/8866426
> matthias.babisch@bmiag.de
>
> Current information at www.bmiag.de
> b+m Informatik AG is a company of the Allgeier Group
> http://www.allgeier-holding.de
>
> Chairman of the Supervisory Board: Dr. Marcus Goedsche
> Executive Board: Dipl.-Ing. Frank Mielke
> Amtsgericht Kiel, HRB 5526
>
> libvirt-users mailing list
> libvirt-users@redhat.com
> https://www.redhat.com/mailman/listinfo/libvirt-users

--
Mit freundlichen Grüßen, / Best Regards,

Sven SCHWEDAS
System Administrator
TAO Beratungs- und Management GmbH | Lendplatz 45 | A - 8020 Graz
Mail/XMPP: sven.schwedas@tao.at | +43 (0)680 301 7167
http://software.tao.at
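As an added check for the situation the thread describes (example code written for this page, not from the thread, the poster or libvirt): parse the filter XML and the `iptables -L -n` style listing quoted above, and report for each filter rule whether a matching iptables entry is visible. The protocol set in `EBTABLES_LAYER` follows libvirt's nwfilter documentation, which places `ip`-level matches (along with `mac`, `arp` and similar) at the ebtables layer rather than iptables; such rules are reported as "ebtables" so they are not mistaken for missing ones. The XML and iptables text below are constructed copies of the poster's quoted material, and the chain names are taken from that output.

```python
import re
import xml.etree.ElementTree as ET

# Constructed copy of the filter XML quoted in the thread.
FILTER_XML = """<filter name='linux-based-xmpp-server' chain='root'>
  <uuid>fb539996-eed5-11e2-8bd3-00e081e0f040</uuid>
  <rule action='accept' direction='in' priority='999'>
    <tcp state='NEW' dstportstart='5222'/>
  </rule>
  <rule action='accept' direction='in' priority='999'>
    <tcp state='NEW' dstportstart='5269'/>
  </rule>
  <rule action='accept' direction='inout' priority='999'>
    <ip dstipaddr='224.0.0.18' proto='112'/>
  </rule>
  <rule action='reject' direction='inout' priority='999'>
    <all/>
  </rule>
</filter>"""

# Constructed copy of the iptables listing quoted in the thread.
IPTABLES_OUTPUT = """Chain FI-vnet0 (1 references)
target prot opt source destination
REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable

Chain FO-vnet0 (1 references)
target prot opt source destination
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:5222 state NEW
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:5269 state NEW
REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable

Chain HI-vnet0 (1 references)
target prot opt source destination
REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
"""

# nwfilter protocol elements that libvirt renders with ebtables, not iptables
# (per the libvirt nwfilter documentation; assumption used by this check).
EBTABLES_LAYER = {"mac", "vlan", "stp", "arp", "rarp", "ip", "ipv6"}


def parse_filter(xml_text):
    """Flatten <rule> elements into dicts: action, direction, priority, proto, attrs."""
    root = ET.fromstring(xml_text)
    rules = []
    for rule in root.findall("rule"):
        for proto in rule:  # each <rule> wraps one protocol element
            rules.append({
                "action": rule.get("action"),
                "direction": rule.get("direction"),
                "priority": int(rule.get("priority", "500")),
                "proto": proto.tag,
                "attrs": dict(proto.attrib),
            })
    return rules


def parse_iptables(text):
    """Return {chain: [(target, prot, extras)]} from `iptables -L -n` style output."""
    chains = {}
    current = None
    for line in text.splitlines():
        m = re.match(r"Chain (\S+)", line)
        if m:
            current = m.group(1)
            chains[current] = []
            continue
        if not line.strip() or line.startswith("target") or current is None:
            continue
        parts = line.split()
        # columns: target prot opt source destination [match options...]
        chains[current].append((parts[0], parts[1], " ".join(parts[5:])))
    return chains


def iptables_has_rule(chains, rule):
    """True if some chain holds an entry with the rule's target, protocol and dst port."""
    target = rule["action"].upper()
    port = rule["attrs"].get("dstportstart")
    for entries in chains.values():
        for t, p, extras in entries:
            if t != target or p != rule["proto"]:
                continue
            if port and f"dpt:{port}" not in extras:
                continue
            return True
    return False


def audit(xml_text, iptables_text):
    """Per rule: (proto, direction, action, status) with status in
    'iptables' (counterpart found), 'ebtables' (lives in ebtables, not expected
    in iptables) or 'MISSING' (iptables-layer rule with no visible counterpart)."""
    chains = parse_iptables(iptables_text)
    report = []
    for rule in parse_filter(xml_text):
        if rule["proto"] in EBTABLES_LAYER:
            status = "ebtables"
        elif iptables_has_rule(chains, rule):
            status = "iptables"
        else:
            status = "MISSING"
        report.append((rule["proto"], rule["direction"], rule["action"], status))
    return report


if __name__ == "__main__":
    for proto, direction, action, status in audit(FILTER_XML, IPTABLES_OUTPUT):
        print(f"{proto:5} {direction:5} {action:7} -> {status}")
```

Run against the poster's data, the check reports the two `tcp` rules and the `all` reject as present in iptables and flags the `ip` proto-112 rule as belonging to the ebtables layer; a rule reported as MISSING would be one that should have been rendered into iptables and was not. To complete the audit for the ebtables layer, the same approach can be applied to the output of `ebtables -t nat -L`, where libvirt keeps its per-interface chains.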