Hi, we are trying to secure our Xen boxes with IPtables on Dom0 but we always seem to get cut off and can only cure it by rebooting the box. Has anyone got a successful config they can share that secures the server with one nic? We are using Xen 3.0.4. Thanks, Ian
_______________________________________________
Xen-users mailing list
Xen-users@lists.xensource.com
http://lists.xensource.com/xen-users
Gary W. Smith
2007-Feb-16 15:50 UTC
RE: [Xen-users] Successful IPtables config on Dom0 anyone?
Ian,
Here is what we did. We tweaked the vif-common.sh script and set the automated vif entries to be in a separate table. Then we created our own iptables ruleset that contained this new table. That way when a xen instance is created or destroyed it modifies its own table and all of your rules are still in place. As you can see in the grep, I have added the VIF table. The iptables-save is below that showing how it's added, allowing you to add your own rules. In my case I also have a custom bridge script in place as this machine also has the firewall instance on it (my home office), but this script doesn't modify iptables. I had to drop all incoming traffic on eth1 (but forward is okay), otherwise Comcast cable flips out.
[root@xen09 scripts]# grep iptables vif-common.sh
  iptables -t filter "$c" VIF -m physdev --physdev-in "$vif" "$@" -j ACCEPT \
     "iptables -t filter $c VIF -m physdev --physdev-in $vif $@ -j ACCEPT failed.
If you are using iptables, this may affect networking for guest domains."
# Add or remove the appropriate entries in the iptables. With antispoofing
# Check for a working iptables installation. Checking for the iptables
# modules installed. If iptables is not working, then there's no need to do
  if ! iptables -L -n >&/dev/null
[root@xen09 ~]# iptables-save
# Generated by iptables-save v1.3.1 on Fri Feb 16 07:45:10 2007
*filter
:INPUT ACCEPT [6461319:1044613875]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [2857055:11286763964]
:VIF - [0:0]
-A INPUT -m physdev --physdev-in eth1 -j LOG --log-prefix "FW_INPUT: " --log-level 6
-A INPUT -m physdev --physdev-in eth1 -j DROP
-A FORWARD -i xenbr0 -o xenbr0 -j ACCEPT
-A FORWARD -i xenbr1 -o xenbr1 -j ACCEPT
-A FORWARD -i lo -j ACCEPT
-A FORWARD -j VIF
-A FORWARD -j LOG --log-prefix "FW_FOWARD: " --log-level 6
-A VIF -m physdev --physdev-in vif2.0 -j ACCEPT
-A VIF -m physdev --physdev-in vif3.0 -j ACCEPT
-A VIF -m physdev --physdev-in vif4.0 -j ACCEPT
-A VIF -m physdev --physdev-in vif5.0 -j ACCEPT
-A VIF -m physdev --physdev-in vif7.0 -j ACCEPT
-A VIF -m physdev --physdev-in vif10.0 -j ACCEPT
-A VIF -m physdev --physdev-in vif28.0 -j ACCEPT
-A VIF -m physdev --physdev-in vif29.0 -j ACCEPT
-A VIF -m physdev --physdev-in vif29.1 -j ACCEPT
-A VIF -m physdev --physdev-in vif31.0 -j ACCEPT
-A VIF -m physdev --physdev-in vif32.0 -j ACCEPT
COMMIT
From: xen-users-bounces@lists.xensource.com
[mailto:xen-users-bounces@lists.xensource.com] On Behalf Of Ian Tobin
Sent: Friday, February 16, 2007 7:04 AM
To: xen-users@lists.xensource.com
Subject: [Xen-users] Successful IPtables config on Dom0 anyone?
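Putting Gary's approach together for Ian's one-NIC case, as an added example that is not code from the thread, from Xen or from Gary's box: the Xen hook only ever adds or deletes rules in a dedicated VIF chain, the admin ruleset jumps to that chain from FORWARD, and a reload carries the live VIF entries over because iptables-restore flushes the whole filter table. The bridge name xenbr0, the management net 192.0.2.0/24, the rule-file paths and the rollback timer are assumptions, not values from the thread.

```shell
#!/bin/bash
# Added example (not from the thread or from Xen): single-NIC Dom0 ruleset that
# keeps Xen's automatic per-vif ACCEPT rules in their own VIF chain, as the
# patched vif-common.sh does. Assumed: bridge xenbr0, SSH from 192.0.2.0/24.
set -e
IPTABLES=${IPTABLES:-iptables}   # overridable so the logic can be exercised without root
# Same shape as the patched vif-common.sh hook: xend passes online/offline and
# the vif name (plus any antispoof match such as "-s 10.0.0.5"); it only ever
# touches the VIF chain, so INPUT/FORWARD policy survives guest start/stop.
vif_hook() {               # $1 = online|offline, $2 = vifN.M, rest = extra matches
  local c="-A"; [ "$1" = "offline" ] && c="-D"
  local vif=$2; shift 2
  "$IPTABLES" -t filter "$c" VIF -m physdev --physdev-in "$vif" "$@" -j ACCEPT
}
# Emit an iptables-restore ruleset. iptables-restore flushes every chain in
# *filter, so the live VIF entries (iptables-save output on stdin) are carried
# over; without this a firewall reload silently cuts running guests off.
build_ruleset() {          # $1 = management net, $2 = bridge; stdin = iptables-save
  local mgmt=$1 br=$2
  cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:VIF - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -s $mgmt -p tcp --dport 22 -j ACCEPT
-A INPUT -j LOG --log-prefix "FW_INPUT: " --log-level 6
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $br -o $br -j VIF
-A FORWARD -j LOG --log-prefix "FW_FORWARD: " --log-level 6
EOF
  grep '^-A VIF ' || true  # guest rules; inbound-to-guest rules (--physdev-out) go before the LOG
  echo COMMIT
}
# Load the new set with a timed rollback: if it locks the admin out, the saved
# set comes back after $3 seconds; once SSH is confirmed working, kill the timer.
apply_with_rollback() {    # $1 = new rules file, $2 = backup file, $3 = seconds
  iptables-save > "$2"
  (sleep "$3" && iptables-restore < "$2") &
  echo "$!" > /var/run/fw-rollback.pid   # confirm with: kill $(cat /var/run/fw-rollback.pid)
  iptables-restore < "$1"
}
case "${1:-}" in
  build) iptables-save | build_ruleset "${2:-192.0.2.0/24}" "${3:-xenbr0}" ;;
  apply) apply_with_rollback /etc/xen-fw.rules /etc/xen-fw.backup 120 ;;
esac
```

Run `build` to write the ruleset to a file, review it, then `apply`; the rollback only protects the Dom0 admin session, guests still need the VIF chain name in vif-common.sh to match the one declared here.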