Hello,
I am trying to get a Snort-based IDS running on a DomU. The IDS needs to be
able to intercept all packets regarding communication between DomUs
and between the Dom0 and the physical network. It is obviously
important that other DomUs receive only their dedicated packets. This
is pretty much known as a mirror port on "normal" switches.
I know that Snort-related threads have been discussed on this list
already, and I would like to contribute my progress so far.
I got a basic idea from here: http://support.citrix.com/article/CTX116204
The document describes how to turn the "virtual switch" into a hub by
setting the ageing of the bridge to 0:
#brctl setageing eth0 0
That does the job; after this the DomU receives all packets as I
desired.
Unfortunately all DomUs get those packets, so I tried to solve this
with ebtables.
Scenario:
I run Xen 3.2.1 on Debian lenny (Linux 2.6.26-2-xen-amd64).
These are the VMs:
Dom0
DomU A with IDS
DomU B normal VM
DomU C normal VM without network connection
DomU A should be able to intercept communication between B and C.
I worked out the following ebtables rules:
ebtables -P FORWARD DROP
ebtables -A FORWARD -d 00:16:3e:4a:17:95/ff:ff:ff:ff:ff:00 -o vif5.0 -j ACCEPT # DOM B MAC & vif
ebtables -A FORWARD -s 00:16:3e:4a:17:95/ff:ff:ff:ff:ff:00 -i vif5.0 -j ACCEPT # DOM B MAC & vif
ebtables -A FORWARD -o vif5.0 -j DROP
ebtables -A FORWARD -o vif6.0 -j ACCEPT # Dom A vif
ebtables -A FORWARD -i vif6.0 -j ACCEPT # Dom A vif
Here is what the bridge looks like:
# brctl show
bridge name     bridge id               STP enabled     interfaces
eth0            8000.90e6ba36355f       no              peth0
                                                        vif5.0
                                                        vif6.0
                                                        vif7.0
# ebtables -L
Bridge table: filter
Bridge chain: INPUT, entries: 0, policy: ACCEPT
Bridge chain: FORWARD, entries: 5, policy: DROP
-d 0:16:3e:4a:17:0/ff:ff:ff:ff:ff:0 -o vif5.0 -j ACCEPT
-s 0:16:3e:4a:17:0/ff:ff:ff:ff:ff:0 -i vif5.0 -j ACCEPT
-o vif5.0 -j DROP
-o vif6.0 -j ACCEPT
-i vif6.0 -j ACCEPT
Bridge chain: OUTPUT, entries: 0, policy: ACCEPT
I test the setup by running tcpdump on the DomUs and sending ICMP
requests (simple ping) to the DomUs from a machine outside the Dom0.
Result:
DomU A works as expected and receives all traffic.
DomU B receives the reply packets from Dom0.
DomU C is unable to communicate with other hosts, but also receives
reply packets from Dom0.
So my problem is how to stop DomU B & C from receiving reply packets
not dedicated for them.
Any ideas or new concepts would be appreciated.
Thanks,
Michael Stegk
_______________________________________________
Xen-users mailing list
Xen-users@lists.xensource.com
http://lists.xensource.com/xen-users
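The procedure from the post above (bridge in hub mode plus per-vif ebtables filtering), written out as an added example script. This is not Michael's code or the Citrix article's; it assumes the layout shown in the post: bridge eth0 with uplink peth0, the IDS guest on vif6.0, guest B on vif5.0 with MAC 00:16:3e:4a:17:95, and guest C on vif7.0 deliberately left out of the guest list so it gets no traffic. It differs from the posted ruleset in two ways that matter for the symptom described. First, frames that Dom0 generates itself (its ping replies, since Dom0's IP sits on the bridge device eth0) go through the ebtables OUTPUT chain, not FORWARD, so a FORWARD-only policy never sees them and the flooded copies reach every vif; the script filters both chains. Second, the MAC matches use the full 48-bit mask, so a single address does not silently become a /ff:ff:ff:ff:ff:00 range of 256 addresses, which is what `ebtables -L` in the post shows happening.

```shell
#!/bin/sh
# Added example (not from the post above): generate, and optionally apply,
# a "mirror port" ruleset for a Xen Linux bridge with ebtables.
#
# Assumptions, taken from the post's layout: bridge eth0, uplink peth0,
# IDS guest on vif6.0, guest B on vif5.0 with MAC 00:16:3e:4a:17:95.
# A guest whose vif is not listed in GUESTS (vif7.0 / DomU C here) gets
# no traffic at all; only the IDS port sees its attempts.

BRIDGE="${BRIDGE:-eth0}"
PHYS="${PHYS:-peth0}"
IDS_VIF="${IDS_VIF:-vif6.0}"
# One "vif mac" pair per line for guests that may only see their own frames.
GUESTS="${GUESTS:-vif5.0 00:16:3e:4a:17:95}"

# gen_rules BRIDGE IDS_VIF PHYS GUESTS  -> prints one command per line
gen_rules() {
    bridge=$1 ids=$2 phys=$3 guests=$4
    # Ageing 0 makes the bridge forget learned MACs immediately, so every
    # frame is flooded to every port (the "hub" trick from CTX116204).
    echo "brctl setageing $bridge 0"
    echo "ebtables -F"
    # Default deny on both chains that carry frames towards a vif:
    # FORWARD for bridged frames, OUTPUT for frames Dom0 generates itself.
    echo "ebtables -P FORWARD DROP"
    echo "ebtables -P OUTPUT DROP"
    # The IDS port sees everything and may talk back (alerts, updates).
    echo "ebtables -A FORWARD -o $ids -j ACCEPT"
    echo "ebtables -A FORWARD -i $ids -j ACCEPT"
    echo "ebtables -A OUTPUT -o $ids -j ACCEPT"
    # Dom0's own frames must still reach the physical network.
    echo "ebtables -A OUTPUT -o $phys -j ACCEPT"
    printf '%s\n' "$guests" | while read -r vif mac; do
        [ -n "$vif" ] || continue
        # Exact unicast match (no mask, so all 48 bits), whether the frame
        # was forwarded from another port or generated by Dom0.
        echo "ebtables -A FORWARD -d $mac -o $vif -j ACCEPT"
        echo "ebtables -A OUTPUT -d $mac -o $vif -j ACCEPT"
        # Group addresses (ebtables' Multicast alias also covers broadcast)
        # stay deliverable so ARP and neighbour discovery keep working.
        echo "ebtables -A FORWARD -d Multicast -o $vif -j ACCEPT"
        echo "ebtables -A OUTPUT -d Multicast -o $vif -j ACCEPT"
        # The guest may only send with its own MAC (also blocks spoofing).
        echo "ebtables -A FORWARD -s $mac -i $vif -j ACCEPT"
    done
}

# APPLY=1 ./mirror.sh runs the commands as root; without it they are only
# printed so the ruleset can be reviewed before it touches the bridge.
if [ "${APPLY:-0}" = 1 ]; then
    gen_rules "$BRIDGE" "$IDS_VIF" "$PHYS" "$GUESTS" | sh -e
else
    gen_rules "$BRIDGE" "$IDS_VIF" "$PHYS" "$GUESTS"
fi
```

Run it once without APPLY and read the output before applying; with ageing 0 every frame is flooded to every port and then matched against these rules, so on a busy bridge the CPU cost in Dom0 is noticeably higher than with normal MAC learning. Frames addressed to Dom0 itself arrive through the INPUT chain, which is left at its ACCEPT policy here.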