Hi, just a brief question regarding iptables and Dom0. I am wondering how I can apply iptables rules purely to the traffic to the Dom0, without blocking that going to the domUs.

I have tried using -d <dom0 IP> with drop rules except SSH.

However, if this is done on the INPUT chain it blocks off the traffic going to the DomUs too... Just wondering whether I can have any pointers to get this sort of solution:

Iptables <block all except ssh to dom0>
but allow domU traffic through which I am handling in per-domU chains on FORWARD.

Have been slightly confused with this one, any help would be great,
cheers,

J

_______________________________________________
Xen-users mailing list
Xen-users@lists.xensource.com
http://lists.xensource.com/xen-users
Are you using bridging or PCI passthrough?

James Clemence wrote:
> Hi, just a brief question regarding iptables and Dom0. I am wondering
> how I can apply IPtables rules purely to the traffic to the Dom0,
> without blocking that going to the domUs.
>
> I have tried using -d <dom0 IP> with drop rules except SSH.
>
> However, if this is done on the INPUT chain it blocks off the traffic
> going to the DomUs too... Just wondering whether I can have any
> pointers to get this sort of solution:
>
> Iptables <block all except ssh to dom0>
> but allow domU traffic through which I am handling in per-domU chains
> on FORWARD.
>
> Have been slightly confused with this one, any help would be great,
> cheers,
>
> J
Sorry, a poor explanation, had a very tired day yesterday!

Basically, I'm using a bridging solution:

standard xen bridging scripts, 1 physical ethernet card, bridge eth0
1 virtual attached to the bridge peth0
2 domUs, also attached to the bridge, vif1.0 and vif2.0

There are three different IP addresses, one for each virtual interface.

I have been able to filter for the domUs via the forward chain taking out the packets to each domU to a specific chain for that domU, and then handle the packets with ACCEPT/DROP, as per usual.

-m physdev --physdev-in peth0 --physdev-out vif${DOMUID}.0 -j <DOMU chain>

However, I blanked on where to get hold of the traffic to the dom0? Does that go to FORWARD too? Or does it simply hit INPUT?

Cheers for your help,

J
On Thu, Apr 30, 2009 at 3:27 PM, James Clemence <jamesvclemence@googlemail.com> wrote:
> I have been able to filter for the domUs via the forward chain taking out
> the packets to each domU to a specific chain for that domU, and then handle
> the packets with ACCEPT/DROP, as per usual.
>
> -m physdev --physdev-in peth0 --physdev-out vif${DOMUID}.0 -j <DOMU chain>
>
> However, I blanked on where to get hold of the traffic to the dom0? Does
> that go to FORWARD too? Or does it simply hit INPUT?

Shouldn't that be basic iptables stuff?
If dom0 is not a router, INPUT should be enough. If it's a firewall or router, packages going through dom0 will be on FORWARD.

As a side note, if you want to prevent iptables managing bridge traffic altogether you might want to use

net.bridge.bridge-nf-call-arptables=0
net.bridge.bridge-nf-call-ip6tables=0
net.bridge.bridge-nf-call-iptables=0

on /etc/sysctl.conf, and run "sysctl -p" afterwards.

Regards,

Fajar
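The split that the reply above describes, as an added example (not code from the thread or from Xen's own bridge scripts): locally delivered packets for dom0 are filtered on INPUT, and bridged frames for each domU are diverted from FORWARD into a per-domU chain with the physdev match from the earlier message. It assumes the layout given earlier (bridge eth0, physical port peth0, vif1.0 and vif2.0), that net.bridge.bridge-nf-call-iptables is left at 1 so bridged frames are seen on FORWARD at all, and it uses a constructed dom0 address (192.0.2.10) and chain names of the form DOMU_<id>, none of which come from the thread. Setting IPT=echo prints the rules instead of loading them, which is how it can be reviewed without root.

```shell
#!/bin/sh
# Added example, not code from the thread: dom0 ruleset for the bridged
# layout described above (bridge eth0, physical port peth0, vif<N>.0 per domU).
# Locally delivered packets traverse INPUT; bridged frames traverse FORWARD
# (when net.bridge.bridge-nf-call-iptables=1), so dom0 rules on INPUT and
# per-domU rules on FORWARD never see each other's traffic.
# Assumptions made here: DOM0_IP (192.0.2.10 is a constructed placeholder),
# PHYS_IN=peth0, and the chain name DOMU_<id>.
# Set IPT=echo to print the rules instead of loading them.

IPT=${IPT:-iptables}
DOM0_IP=${DOM0_IP:-192.0.2.10}
PHYS_IN=${PHYS_IN:-peth0}

# Traffic terminating in dom0: allow loopback, replies, and SSH; drop the rest.
dom0_input_rules() {
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -d "$DOM0_IP" -p tcp --dport 22 -j ACCEPT
    $IPT -A INPUT -d "$DOM0_IP" -j DROP
}

# Bridged traffic heading for one domU: divert it from FORWARD into its own
# chain using the physdev match from the thread, then filter it there.
# Only the peth0 -> vif direction is diverted; replies leaving the domU are
# left to the FORWARD policy.
domu_forward_rules() {
    id=$1
    chain="DOMU_${id}"
    $IPT -N "$chain"
    $IPT -A FORWARD -m physdev --physdev-in "$PHYS_IN" --physdev-out "vif${id}.0" -j "$chain"
    $IPT -A "$chain" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -A "$chain" -p tcp --dport 22 -j ACCEPT
    $IPT -A "$chain" -j DROP
}

# Usage: sh dom0-fw.sh apply 1 2    (domU ids from the thread: vif1.0, vif2.0)
# Nothing is loaded unless "apply" is given, so the file can be sourced safely.
case "${1:-}" in
    apply)
        shift
        dom0_input_rules
        for id in "$@"; do
            domu_forward_rules "$id"
        done
        ;;
esac
```

Dry-run it first (IPT=echo sh dom0-fw.sh apply 1 2) and compare the printed rules against `iptables -L -v` after loading; the per-domU chain only ever sees frames that entered on peth0 and are leaving on that domU's vif, so the INPUT drop for the dom0 address cannot touch them.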
yes it worked for me !

iptables -t mangle -A PREROUTING -d <ip of dom0> -i <bridge> -p tcp --dport ! ssh -j DROP

Bhasker C V
Registered linux user #306349

On Thu, 30 Apr 2009, Fajar A. Nugraha wrote:
> On Thu, Apr 30, 2009 at 3:27 PM, James Clemence
> <jamesvclemence@googlemail.com> wrote:
>> I have been able to filter for the domUs via the forward chain taking out
>> the packets to each domU to a specific chain for that domU, and then handle
>> the packets with ACCEPT/DROP, as per usual.
>>
>> -m physdev --physdev-in peth0 --physdev-out vif${DOMUID}.0 -j <DOMU chain>
>>
>> However, I blanked on where to get hold of the traffic to the dom0? Does
>> that go to FORWARD too? Or does it simply hit INPUT?
>
> Shouldn't that be basic iptables stuff?
> If dom0 is not a router, INPUT should be enough. If it's a firewall or
> router, packages going through dom0 will be on FORWARD.
>
> As a side note, if you want to prevent iptables managing bridge
> traffic altogether you might want to use
>
> net.bridge.bridge-nf-call-arptables=0
> net.bridge.bridge-nf-call-ip6tables=0
> net.bridge.bridge-nf-call-iptables=0
>
> on /etc/sysctl.conf, and run "sysctl -p" afterwards.
>
> Regards,
>
> Fajar