Hi folks,

I am trying to get antispoofing running on xen3 (based on Debian Sarge). This is what I have done to enable it:

1. I have compiled a dom0 kernel with CONFIG_NETFILTER_XT_MATCH_PHYSDEV=m
2. I made sure this module is loaded: lsmod gives xt_physdev (among others).
3a. I have changed the line "(network-script network-bridge)" to "(network-script network-bridge antispoof=yes)" in /etc/xen/xend-config.sxp.
3b. I have also tried setting the default in network-bridge to yes by changing the antispoof line to "antispoof:${antispoof:-yes}".

Then I have set up a domU with vif=['mac=ae:00:00:78:be:04, ip=192.168.115.156'], but "inside" I have configured the IP address of eth0 to be 192.168.115.157.
After starting the domU "ifconfig eth0" shows the IP address 192.168.115.157, but the domU still has network access to the outside.

That means: antispoofing does not work.

I have googled a lot but found nothing I did not try. Does antispoofing in Xen3 not work with the new CONFIG_NETFILTER_XT_MATCH_PHYSDEV of kernel 2.6.16? Or is there anything else I have overlooked?

Any hint or help is appreciated.

Dirk

_______________________________________________
Xen-users mailing list
Xen-users@lists.xensource.com
http://lists.xensource.com/xen-users
Dirk H. Schulz wrote:
> Hi folks,
>
> I am trying to get antispoofing running on xen3 (based on Debian Sarge).
> This is what I have done to enable it:
>
> 1. I have compiled a dom0 kernel with CONFIG_NETFILTER_XT_MATCH_PHYSDEV=m
> 2. I made sure this module is loaded: lsmod gives xt_physdev (among others).
> 3a. I have changed the line "(network-script network-bridge)" to
> "(network-script network-bridge antispoof=yes)" in /etc/xen/xend-config.sxp.
> 3b. I have also tried setting the default in network-bridge to yes by
> changing the antispoof line to "antispoof:${antispoof:-yes}".
>
> Then I have set up a domU with vif=['mac=ae:00:00:78:be:04, ip=192.168.115.156'],
> but "inside" I have configured the IP address of eth0 to be 192.168.115.157.
> After starting the domU "ifconfig eth0" shows the IP address 192.168.115.157,
> but the domU still has network access to the outside.
>
> That means: antispoofing does not work.

Hi Dirk,

I'll bet your iptables FORWARD default policy is ACCEPT. All antispoofing does is specifically add a rule allowing that particular source IP. Having a default policy of ACCEPT means that after failing the source IP matching rule it gets accepted by the default policy. Try adding this rule to iptables and see if it changes what you see.

"iptables -P FORWARD DROP"

Now only specifically allowed source IPs will pass.

Hope that helps.

Mike Wright

> I have googled a lot but found nothing I did not try. Does antispoofing
> in Xen3 not work with the new CONFIG_NETFILTER_XT_MATCH_PHYSDEV of
> kernel 2.6.16? Or is there anything else I have overlooked?
>
> Any hint or help is appreciated.
>
> Dirk
Hi Mike,

Mike Wright wrote:
> Hi Dirk,
>
> I'll bet your iptables FORWARD default policy is ACCEPT. All
> antispoofing does is specifically add a rule allowing that particular
> source IP. Having a default policy of ACCEPT means that after failing
> the source IP matching rule it gets accepted by the default policy.
> Try adding this rule to iptables and see if it changes what you see.
>
> "iptables -P FORWARD DROP"
>
> Now only specifically allowed source IPs will pass.

Thanks for your help. You have had the right idea, but there is still a problem. This is what I did:

Changed FORWARD policy to DROP as you suggested. Checked with iptables -L FORWARD that the policy is DROP.
Tried pinging the outside from the misconfigured domU (misconfigured = other IP in /etc/network/interfaces than in domU config file) - no traffic to the outside possible. Good.
Changed IP in domU's /etc/network/interfaces to the one used in the domU config file. Restarted domU. Pinged an external machine - nothing.
Even with correct config no network connection!

Checking the FORWARD chain I have
- a policy of DROP
- an accept rule for all protocols from the domU's IP address to anywhere
- an accept rule for udp from anywhere to anywhere

Both rules appear only after the start of the domU. So the configuration should be okay, but there is no network connection from domU to dom0 or to external machines.

I am stuck somehow. Can you help me again, please? I am willing to dig into docs, of course, but I do not see what to look for at the moment.

Dirk
Dirk H. Schulz wrote:
> Hi Mike,
>
> Thanks for your help. You have had the right idea, but there is still a
> problem. This is what I did:
>
> Changed FORWARD policy to DROP as you suggested. Checked with iptables -L
> FORWARD that the policy is DROP.
> Tried pinging the outside from the misconfigured domU (misconfigured =
> other IP in /etc/network/interfaces than in domU config file) - no
> traffic to the outside possible. Good.
> Changed IP in domU's /etc/network/interfaces to the one used in the domU
> config file. Restarted domU. Pinged an external machine - nothing.
> Even with correct config no network connection!
> Checking the FORWARD chain I have
> - a policy of DROP
> - an accept rule for all protocols from the domU's IP address to anywhere
> - an accept rule for udp from anywhere to anywhere

Do you have a dom0 rule allowing ICMP traffic?

Also, it is a good idea to turn off iptables in your domUs until after basic networking is functioning well.

> Both rules appear only after the start of the domU. So the configuration
> should be okay, but there is no network connection from domU to dom0 or
> to external machines.

This is where tcpdump comes in handy. You will have to inspect your network traffic to see what is appearing where.

You might start on dom0 with "tcpdump -n icmp" then ping a domU. Look at the tcpdump output while pinging. You should see icmp traffic leaving your dom0. Now run the same tcpdump command on the domU. Do you see traffic coming in? Do you see a reply going out? That is a good place to start. Adding -v to the tcpdump command will produce more output.

:m)
Hi Mike,

Mike Wright wrote:
> Do you have a dom0 rule allowing ICMP traffic?
>
> Also, it is a good idea to turn off iptables in your domUs until after
> basic networking is functioning well.
>
> This is where tcpdump comes in handy. You will have to inspect your
> network traffic to see what is appearing where.
>
> You might start on dom0 with "tcpdump -n icmp" then ping a domU.
> Look at the tcpdump output while pinging. You should see icmp traffic
> leaving your dom0. Now run the same tcpdump command on the domU. Do
> you see traffic coming in? Do you see a reply going out? That is a
> good place to start. Adding -v to the tcpdump command will produce
> more output.

It was far easier in the end. I had to learn a few things about iptables and xen:

1. Traffic from/to dom0 passes the FORWARD chain in addition to the INPUT and OUTPUT chains: if you drop at FORWARD, opening up INPUT and OUTPUT does not help.
2. You have to have connection tracking running if you do not alter the xen network script, since it adds a FORWARD rule only for one direction (inside out).

What I wonder about now is: what is the antispoof option for with xen 3? If I do not use antispoof, the xen network script registers a domU with the FORWARD chain with physdev matching anyway, so there is no need for a toggleable antispoof button (and toggling it did not lead to any different behaviour - at least I found none).

Thanks for your help, Mike.

Dirk
Dirk H. Schulz wrote:
> Hi Mike,
>
> It was far easier in the end. I had to learn a few things about iptables
> and xen:
> 1. Traffic from/to dom0 passes the FORWARD chain in addition to the INPUT
> and OUTPUT chains: if you drop at FORWARD, opening up INPUT and OUTPUT
> does not help.
> 2. You have to have connection tracking running if you do not alter the
> xen network script, since it adds a FORWARD rule only for one direction
> (inside out).
>
> What I wonder about now is: what is the antispoof option for with xen 3?
> If I do not use antispoof, the xen network script registers a domU with
> the FORWARD chain with physdev matching anyway, so there is no need for
> a toggleable antispoof button (and toggling it did not lead to any
> different behaviour - at least I found none).

Many users isolate their dom0 and do not allow direct network connectivity. I'm guessing that's why the scripts do not automatically add INPUT rules.

As far as the antispoof rule, it adds a src IP to the physdev match. iptables ANDs those two conditions. With antispoof off any IP from that interface would be accepted; however, with antispoof on packets would only be accepted if they come from the interface AND have the spec'd IP.

Congratulations on your success.

:m)
Hi Mike,

Mike Wright wrote:
> As far as the antispoof rule, it adds a src IP to the physdev match.
> iptables ANDs those two conditions. With antispoof off any IP from
> that interface would be accepted; however, with antispoof on packets
> would only be accepted if they come from the interface AND have
> the spec'd IP.

That is what I would have expected, too. So I was astonished when I noticed that physdev matching is enabled anyway - whether you use antispoofing or not.

Now I have looked a bit deeper into it: the standard vif-common.sh script uses physdev matching when adding an iptables rule for a domU. What antispoofing does is change the default policy for FORWARD from ACCEPT to DROP (besides other things). But then I have not managed to activate antispoofing with Xen 3.0.2 - now I do not need it any more as I have a growing iptables script for these things.

It would have been great if all these things had been available in the Xen wiki. Maybe I will put it there when I am finished with what I aim at.

Thanks for your patience, Mike.

Dirk
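The three points the thread settles on (Mike's explanation that the antispoof rule is physdev-in AND source IP and is useless while FORWARD's policy is ACCEPT, and Dirk's finding that the Xen script only adds the inside-out rule so connection tracking is needed for replies) fit in one small dom0 rule set. The script below is an added example written for this page; it is not code from the thread and not Xen's own vif-common.sh or network-bridge script. It assumes xt_physdev and connection tracking are loaded in dom0, that `iptables` is on the path, and that the caller passes the vif name and the IP from the domU's vif= line; `vif1.0` is a constructed vif name (Xen's vifDOMID.N convention) and 192.168.115.156 is the address Dirk used. With `DRY_RUN=1` it prints the commands instead of applying them, so the rule set can be reviewed without root.

```shell
#!/bin/sh
# Added example (not from the thread, not Xen's vif-common.sh/network-bridge).
# Builds the dom0 FORWARD rules for one bridged domU vif:
#   1. FORWARD default policy DROP (a packet failing the per-vif match must
#      not be waved through by the policy);
#   2. a connection-tracking rule so replies to flows the domU opened get
#      back in (the Xen script only adds the inside-out rule);
#   3. the antispoof rule proper: physdev-in AND source IP.
# Assumptions: xt_physdev and conntrack loaded in dom0, $IPT is the iptables
# binary. DRY_RUN=1 prints the commands instead of executing them.

IPT="${IPT:-iptables}"

# Execute an iptables command, or print it under DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$IPT $*"
    else
        "$IPT" "$@"
    fi
}

# Step 1: without a DROP policy the antispoof rule is meaningless. A frame
# with the wrong source IP simply misses the ACCEPT rule and is then
# accepted by the chain policy, which is exactly what Dirk saw at first.
forward_policy_drop() {
    run -P FORWARD DROP
}

# Step 2: let reply traffic back in. The per-vif rule only accepts frames
# entering the bridge from the vif, so without this the domU can send but
# never receive (the "ping gives nothing" symptom after the policy change).
forward_allow_established() {
    run -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# Step 3: the antispoof rule for one vif. iptables ANDs the two matches: the
# frame must come in through $vif AND carry $ip as its source. A domU that
# configures a different address inside falls through to DROP.
vif_antispoof_rule() {
    vif="$1"; ip="$2"
    run -A FORWARD -m physdev --physdev-in "$vif" -s "$ip" -j ACCEPT
}

# Weak variant, kept only for comparison: physdev match without the source
# IP. Any address sent through $vif is accepted, i.e. no spoofing protection.
vif_physdev_only_rule() {
    vif="$1"
    run -A FORWARD -m physdev --physdev-in "$vif" -j ACCEPT
}

# Complete rule set for one domU: vif name and the IP from its vif= line.
apply_domu_rules() {
    forward_policy_drop
    forward_allow_established
    vif_antispoof_rule "$1" "$2"
}

# Only act when invoked as "sh antispoof-forward.sh apply VIF IP";
# sourcing the file merely defines the functions.
case "${1:-}" in
    apply) apply_domu_rules "$2" "$3" ;;
esac
```

Run `DRY_RUN=1 sh antispoof-forward.sh apply vif1.0 192.168.115.156` first to see the three commands, then without `DRY_RUN` on dom0 to apply them; `iptables -L FORWARD -v` should afterwards show the DROP policy, the state rule and the per-vif rule. The per-vif rule is what vif-common.sh installs with physdev matching; the state rule is the return-direction piece Dirk found missing, and the policy is what turns the per-vif rule into an actual anti-spoofing control.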