Hello,
You should have iptables compiled into the kernel in Dom-0 with physdev
match support.
Set the default policy for FORWARD to DROP.
Add a specific rule in Dom-0 for each IP address to forward packets for
that IP address only through the interface for that Dom-U. The vifname
parameter in the Dom-U config file would be useful in this circumstance.
Suppose you create a Dom-U named domain1 with vifname domain1 - set the
rules below.
iptables -P FORWARD DROP
iptables -A FORWARD -s <ipaddress for that domain> -m physdev --physdev-in domain1 -j ACCEPT
iptables -A FORWARD -d <ipaddress for that domain> -m physdev --physdev-out domain1 -j ACCEPT
If you want to bind multiple IPs to one Dom-U you should add a pair of rules
like this for each IP address.
Thanks
Sadique
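As an added example (not part of Sadique's mail), the following POSIX shell script generates the FORWARD rules described above for any number of Dom-Us and any number of addresses or routed blocks per Dom-U. It only prints the iptables commands, so it can be inspected before being piped to `sh` on Dom-0; the vif names and the 192.0.2.x / 198.51.100.0/29 addresses are constructed sample values. It assumes Xen bridged networking, because the physdev match only sees traffic that crosses the bridge.

```bash
#!/bin/sh
# Added example, not from the original mailing-list post.
# Emits the per-Dom-U FORWARD rules for one vif name and one or more
# addresses (plain IPs or CIDR blocks routed to that Dom-U).
# Usage: pin_domu_rules <vifname> <ip-or-cidr> [<ip-or-cidr> ...]
pin_domu_rules() {
    vif="$1"; shift
    [ $# -ge 1 ] || { echo "usage: pin_domu_rules <vifname> <ip>..." >&2; return 1; }
    for ip in "$@"; do
        # Traffic entering the bridge from this vif is only accepted when it
        # carries one of the vif's own source addresses (no address stealing).
        printf 'iptables -A FORWARD -s %s -m physdev --physdev-in %s -j ACCEPT\n' "$ip" "$vif"
        # Traffic leaving the bridge towards this vif is only accepted when it
        # is destined to one of the vif's own addresses.
        printf 'iptables -A FORWARD -d %s -m physdev --physdev-out %s -j ACCEPT\n' "$ip" "$vif"
    done
}

# Complete ruleset: default DROP first, so any vif/address pair that is not
# explicitly pinned below is discarded.
build_ruleset() {
    echo 'iptables -P FORWARD DROP'
    # constructed sample: one Dom-U with a single address
    pin_domu_rules domain1 192.0.2.10
    # constructed sample: a Dom-U with its own address plus a /29 routed to it
    pin_domu_rules domain2 192.0.2.11 198.51.100.0/29
}

# Print the commands; on Dom-0 run:  sh this_script.sh | sh
build_ruleset
```

Because the vifname set in the Dom-U config becomes the backend interface name in Dom-0, the same string is used for both `--physdev-in` and `--physdev-out`; if a Dom-U is given an address that is not listed here, its packets simply hit the default DROP.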
Andrew W. wrote:
> Hello all,
>
> New to the list, so please bear with me. I'm trying to configure a
> bunch of domU's that will be controlled by various untrusted
> sysadmins. I want to prevent them from attempting to steal each
> other's IP addresses. This won't need RFC1918 address space; I have
> globally routable IPs. My requirements are simply one IP per domU,
> with the ability to route additional blocks (maybe a /29 or /30) to
> individual domU's as necessary.
>
> I'm not opposed to using iptables or any other such trickery to
> accomplish this. Comments?
>
>
> Regards,
>
> Andrew Wang
_______________________________________________
Xen-users mailing list
Xen-users@lists.xensource.com
http://lists.xensource.com/xen-users