Andrew Finkenstadt
2012-May-15 15:43 UTC
Implementing firewall functionality in dom0 host on behalf of domU guests
My actual question (of how to do the same under CentOS 5.8 + GITCO_Xen_4.1.2) will be a followup to this posting.

Using CentOS 5.7 and the "Virtualization" groupinstall (or CentOS 5.8 and the "Xen" groupinstall), I have successfully achieved implementing firewalls at the host dom0 for each guest domU, using iptables and the default vif-bridge scripts, and a named vif= configuration in the xm .cfg file. The named virtual interface VIF=XYZZY is for clarity, and avoiding the need to decode which vif number is associated with the guest domU.

XYZZY.cfg:

name = "XYZZY"
uuid = "99682a19-2f26-8290-f589-a7897127aaf1"
maxmem = 31744
memory = 31744
vcpus = 16
bootloader = "/usr/bin/pygrub"
on_poweroff = "destroy"
on_reboot = "restart"
on_crash = "restart"
vfb = [ "type=vnc,vncunused=1,keymap=en-us" ]
disk = [ "phy:/dev/mapper/plugh_VG01-XYZZY_ROOT,xvda,w",
         "phy:/dev/mapper/plugh_VG01-XYZZY_DATA,xvdf,w",
         "phy:/dev/mapper/plugh_VG01-XYZZY_FLASH,xvdg,w",
         "phy:/dev/mapper/plugh_VG01-XYZZY_EXPORTS,xvdh,w" ]
vif = [ "vifname=XYZZY,mac=00:16:3e:3f:40:8c,bridge=xenbr0,script=vif-bridge" ]

Firewall script:

#!/bin/sh
# firewall rules for interface ''XYZZY'' on machine ''plugh''
#
# enable packet filtering of the FORWARD chain
echo 1 >/proc/sys/net/bridge/bridge-nf-call-iptables
#
# first, remove the current link to the current ruleset for the interface
iptables -D FORWARD -m physdev --physdev-in peth0 --physdev-out XYZZY -j XYZZY
#
# flush the current set of rules
iptables -F XYZZY
#
# create new rule set
iptables -N XYZZY
#
# first, allow any traffic that is already established.
iptables -A XYZZY -m state --state RELATED,ESTABLISHED -j RETURN
#
#
# RULES incoming
#
#
iptables -A XYZZY -m tcp -p tcp -s 127.128.129.130/32 --dport 5900 -j RETURN
iptables -A XYZZY -m tcp -p tcp -s 127.128.129.130/32 --dport 22 -j RETURN
iptables -A XYZZY -m tcp -p tcp -s 127.128.129.130/32 --dport 873 -j RETURN
iptables -A XYZZY -m udp -p udp -s 127.128.129.130/32 --dport 873 -j RETURN
iptables -A XYZZY -m udp -p udp -s 127.128.129.130/32 --dport 161 -j RETURN
iptables -A XYZZY -m tcp -p tcp -s 127.128.129.130/32 --dport 5666 -j RETURN
... elided for brevity ...
#
#
# all other packets, drop
iptables -A XYZZY -j DROP
#
# activate the rules
iptables -I FORWARD -m physdev --physdev-in peth0 --physdev-out XYZZY -j XYZZY
#

plugh# xm info
host                   : plugh
release                : 2.6.18-274.17.1.el5xen
version                : #1 SMP Tue Jan 10 18:06:37 EST 2012
machine                : x86_64
nr_cpus                : 16
nr_nodes               : 1
sockets_per_node       : 2
cores_per_socket       : 4
threads_per_core       : 2
cpu_mhz                : 2400
hw_caps                : bfebfbff:2c100800:00000000:00000940:029ee3ff:00000000:00000001
total_memory           : 32755
free_memory            : 0
node_to_cpu            : node0:0-15
xen_major              : 3
xen_minor              : 1
xen_extra              : .2-274.17.1.el5
xen_caps               : xen-3.0-x86_64 xen-3.0-x86_32p hvm-3.0-x86_32 hvm-3.0-x86_32p hvm-3.0-x86_64
xen_pagesize           : 4096
platform_params        : virt_start=0xffff800000000000
xen_changeset          : unavailable
cc_compiler            : gcc version 4.1.2 20080704 (Red Hat 4.1.2-51)
cc_compile_by          : mockbuild
cc_compile_domain      : centos.org
cc_compile_date        : Tue Jan 10 17:17:20 EST 2012
xend_config_format     : 2

plugh# rpm -q -a | egrep "xen|libvirt|iptables|kernel"
kernel-2.6.18-274.el5
libvirt-0.8.2-22.el5
xen-libs-3.0.3-132.el5_7.2
iptables-ipv6-1.3.5-5.3.el5_4.1
libvirt-python-0.8.2-22.el5
kernel-xen-2.6.18-274.17.1.el5
libvirt-0.8.2-22.el5
kernel-headers-2.6.18-274.18.1.el5
iptables-1.3.5-5.3.el5_4.1
kernel-2.6.18-274.17.1.el5
xen-libs-3.0.3-132.el5_7.2
xen-3.0.3-132.el5_7.2

plugh# brctl show
bridge name     bridge id               STP enabled     interfaces
xenbr0          8000.feffffffffff       no              XYZZY
                                                        vif0.0
                                                        peth0

plugh# xm list
Name                                      ID Mem(MiB) VCPUs State   Time(s)
XYZZY                                      1    31744    16 r----- 1211120.0
Domain-0                                   0      369    16 r-----  241894.7

plugh# ifconfig
XYZZY     Link encap:Ethernet  HWaddr FE:FF:FF:FF:FF:FF
          UP BROADCAST RUNNING NOARP  MTU:1500  Metric:1
          RX packets:2305072735 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1951016493 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:500
          RX bytes:12515299595253 (11.3 TiB)  TX bytes:317211039272 (295.4 GiB)

eth0      Link encap:Ethernet  HWaddr 78:2B:CB:6D:59:9A
          inet addr:127.128.129.130  Bcast:127.128.129.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:2781233 errors:0 dropped:0 overruns:0 frame:0
          TX packets:2965482 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:277225631 (264.3 MiB)  TX bytes:664291498 (633.5 MiB)

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:91216 errors:0 dropped:0 overruns:0 frame:0
          TX packets:91216 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:21207426 (20.2 MiB)  TX bytes:21207426 (20.2 MiB)

peth0     Link encap:Ethernet  HWaddr FE:FF:FF:FF:FF:FF
          UP BROADCAST RUNNING NOARP  MTU:1500  Metric:1
          RX packets:1953731878 errors:0 dropped:0 overruns:0 frame:0
          TX packets:9393179558 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:327141737804 (304.6 GiB)  TX bytes:13053452783524 (11.8 TiB)
          Interrupt:23 Memory:da000000-da012800

tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:172.16.128.254  P-t-P:172.16.128.253  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)

vif0.0    Link encap:Ethernet  HWaddr FE:FF:FF:FF:FF:FF
          UP BROADCAST RUNNING NOARP  MTU:1500  Metric:1
          RX packets:2965480 errors:0 dropped:0 overruns:0 frame:0
          TX packets:2781233 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:664291294 (633.5 MiB)  TX bytes:277225631 (264.3 MiB)

xenbr0    Link encap:Ethernet  HWaddr FE:FF:FF:FF:FF:FF
          UP BROADCAST RUNNING NOARP  MTU:1500  Metric:1
          RX packets:78311 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:3597130 (3.4 MiB)  TX bytes:0 (0.0 b)

_______________________________________________
Xen-users mailing list
Xen-users@lists.xen.org
http://lists.xen.org/xen-users
Andrew Finkenstadt
2012-May-15 16:31 UTC
Re: Implementing firewall functionality in dom0 host on behalf of domU guests
On Tue, May 15, 2012 at 10:43 AM, Andrew Finkenstadt <andy@finkenstadt.com> wrote:

> My actual question (of how to do the same under CentOS 5.8 +
> GITCO_Xen_4.1.2) will be a followup to this posting.
>

A few issues have arisen, attempting to duplicate this technique under more recent versions of Xen & their corresponding tools.

Installation process is:

Base CentOS 5.7 install.
# cd /etc/yum.repos.d
# wget http://www.gitco.de/repo/GITCO-XEN4.1.2_x86_64.repo
# yum update
# yum groupinstall Xen
# vi /etc/grub.conf
--> default = 0
# rm /etc/libvirt/qemu/network/autostart/default.xml
# chkconfig --list NetworkManager
# chkconfig --list network
# cd /etc/sysconfig/network-scripts
# cp ifcfg-eth0 ifcfg-xenbr0
# vi ifcfg-eth0
--> DEVICE=eth0
--> HWADDR= (preserve setting)
--> ONBOOT=yes
--> BRIDGE=xenbr0
--> NM_CONTROLLED=no
--> remove all other lines
# vi ifcfg-xenbr0
--> remove HWADDR line
--> preserve all other lines
--> DEVICE=xenbr0
--> TYPE=Bridge
--> DELAY=0
--> NM_CONTROLLED=no

The preceding installation notes install a base operating system, remove the virtual bridge & private (NAT) network default for libvirt, and duplicate the xenbr0 needed for a "physically bridged ethernet" setting used in virt-manager for installation. Using these steps, NetworkManager is not activated, as confirmed by the chkconfig --list commands. Both "xm" and "xl" tool sets appear to be available.

> Using CentOS 5.7 and the "Virtualization" groupinstall (or CentOS 5.8 and
> the "Xen" groupinstall), I have successfully achieved implementing
> firewalls at the host dom0 for each guest domU, using iptables and the
> default vif-bridge scripts, and a named vif= configuration in the xm .cfg
> file.
>

Using virt-manager to create virtual machines, it does not appear to create the /etc/xen/XYZZY.cfg file which allows changing of the vif parameter setting, nor the addition of drives after the fact while using a configuration file. What is the right way to accomplish this?
I realize I can work around the named-vif technique using the (new) "xm domid XYZZY" command. I also have used the .CFG file to "clone" a virtual machine, with suitable changes in uuid, mac address, drive block-storage specifications and name. What is the right way to accomplish this?

The output from "iptables -L -n -v" is subtly different, related to physdev matching.

Under CentOS xen 3.1,

Chain FORWARD (policy ACCEPT 1957M packets, 291G bytes)
 pkts bytes target     prot opt in     out     source               destination
1952M  290G XYZZY      all  --  *      *       0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-in peth0 --physdev-out XYZZY
2306M   13T ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-in XYZZY

Under CentOS xen 4.1.2,

[root@xm00 ~]# iptables -L -n -v
Chain FORWARD (policy ACCEPT 16 packets, 3564 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-out vif1.0 --physdev-is-bridged
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-in vif1.0 --physdev-is-bridged

What changes are necessary for the FORWARD chain to run the XYZZY firewall matching rules BEFORE passing on the packets in the ACCEPT rules?

Additional information:

[root@xm00 ~]# xm list
Name                                        ID   Mem VCPUs      State   Time(s)
Domain-0                                     0   768     1     r-----    259.8
W2008BASE                                    1  2048     1     r-----      1.1

[root@xm00 ~]# brctl show
bridge name     bridge id               STP enabled     interfaces
xenbr0          8000.00a0cc62a23f       no              vif1.0
                                                        tap1.0
                                                        eth0

[root@xm00 ~]# ifconfig
eth0      Link encap:Ethernet  HWaddr 00:A0:CC:62:A2:3F
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:51748 errors:1 dropped:0 overruns:0 frame:0
          TX packets:1480 errors:3 dropped:0 overruns:0 carrier:3
          collisions:0 txqueuelen:1000
          RX bytes:10843019 (10.3 MiB)  TX bytes:214447 (209.4 KiB)
          Interrupt:20 Base address:0xe000

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:8 errors:0 dropped:0 overruns:0 frame:0
          TX packets:8 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:560 (560.0 b)  TX bytes:560 (560.0 b)

tap1.0    Link encap:Ethernet  HWaddr FE:FF:FF:FF:FF:FF
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:11 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:500
          RX bytes:0 (0.0 b)  TX bytes:1278 (1.2 KiB)

vif1.0    Link encap:Ethernet  HWaddr FE:FF:FF:FF:FF:FF
          UP BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:500
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)

xenbr0    Link encap:Ethernet  HWaddr 00:A0:CC:62:A2:3F
          inet addr:10.110.210.50  Bcast:10.110.210.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:51745 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1515 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:10085885 (9.6 MiB)  TX bytes:219145 (214.0 KiB)

[root@xm00 ~]# xm info
host                   : xm00.h.heroengine.net
release                : 2.6.18-308.4.1.el5xen
version                : #1 SMP Tue Apr 17 17:49:15 EDT 2012
machine                : x86_64
nr_cpus                : 4
nr_nodes               : 1
cores_per_socket       : 4
threads_per_core       : 1
cpu_mhz                : 2400
hw_caps                : bfebfbff:20100800:00000000:00000940:0000e3bd:00000000:00000001:00000000
virt_caps              : hvm
total_memory           : 3327
free_memory            : 2518
free_cpus              : 0
xen_major              : 4
xen_minor              : 1
xen_extra              : .2
xen_caps               : xen-3.0-x86_64 xen-3.0-x86_32p hvm-3.0-x86_32 hvm-3.0-x86_32p hvm-3.0-x86_64
xen_scheduler          : credit
xen_pagesize           : 4096
platform_params        : virt_start=0xffff800000000000
xen_changeset          : unavailable
xen_commandline        : dom0_mem=786432 dom0_max_vcpus=1
cc_compiler            : gcc version 4.1.2 20080704 (Red Hat 4.1.2-50)
cc_compile_by          : root
cc_compile_domain      : gitco.tld
cc_compile_date        : Wed Nov 9 22:31:30 CET 2011
xend_config_format     : 4

[root@xm00 ~]# rpm -q -a | egrep "xen|libvirt|iptables|kernel"
xen-libs-3.0.3-135.el5_8.2
xen-libs-4.1.2-1.el5
libvirt-client-0.9.4-1
libvirt-0.9.4-1
xen-4.1.2-1.el5
libvirt-0.8.2-25.el5
kernel-2.6.18-274.el5
iptables-1.3.5-9.1.el5
iptables-ipv6-1.3.5-9.1.el5
kernel-2.6.18-308.4.1.el5
libvirt-python-0.9.4-1
kernel-xen-2.6.18-308.4.1.el5

>
> plugh# xm info
> host                   : plugh
> release                : 2.6.18-274.17.1.el5xen
> version                : #1 SMP Tue Jan 10 18:06:37 EST 2012
> machine                : x86_64
> nr_cpus                : 16
> nr_nodes               : 1
> sockets_per_node       : 2
> cores_per_socket       : 4
> threads_per_core       : 2
> cpu_mhz                : 2400
> hw_caps                : bfebfbff:2c100800:00000000:00000940:029ee3ff:00000000:00000001
> total_memory           : 32755
> free_memory            : 0
> node_to_cpu            : node0:0-15
> xen_major              : 3
> xen_minor              : 1
> xen_extra              : .2-274.17.1.el5
> xen_caps               : xen-3.0-x86_64 xen-3.0-x86_32p hvm-3.0-x86_32 hvm-3.0-x86_32p hvm-3.0-x86_64
> xen_pagesize           : 4096
> platform_params        : virt_start=0xffff800000000000
> xen_changeset          : unavailable
> cc_compiler            : gcc version 4.1.2 20080704 (Red Hat 4.1.2-51)
> cc_compile_by          : mockbuild
> cc_compile_domain      : centos.org
> cc_compile_date        : Tue Jan 10 17:17:20 EST 2012
> xend_config_format     : 2
>
> plugh# rpm -q -a | egrep "xen|libvirt|iptables|kernel"
> kernel-2.6.18-274.el5
> libvirt-0.8.2-22.el5
> xen-libs-3.0.3-132.el5_7.2
> iptables-ipv6-1.3.5-5.3.el5_4.1
> libvirt-python-0.8.2-22.el5
> kernel-xen-2.6.18-274.17.1.el5
> libvirt-0.8.2-22.el5
> kernel-headers-2.6.18-274.18.1.el5
> iptables-1.3.5-5.3.el5_4.1
> kernel-2.6.18-274.17.1.el5
> xen-libs-3.0.3-132.el5_7.2
> xen-3.0.3-132.el5_7.2
>
> plugh# brctl show
> bridge name     bridge id               STP enabled     interfaces
> xenbr0          8000.feffffffffff       no              XYZZY
>                                                         vif0.0
>                                                         peth0
>
> plugh# xm list
> Name                                      ID Mem(MiB) VCPUs State   Time(s)
> XYZZY                                      1    31744    16 r----- 1211120.0
> Domain-0                                   0      369    16 r-----  241894.7
>
> plugh# ifconfig
> XYZZY     Link encap:Ethernet  HWaddr FE:FF:FF:FF:FF:FF
>           UP BROADCAST RUNNING NOARP  MTU:1500  Metric:1
>           RX packets:2305072735 errors:0 dropped:0 overruns:0 frame:0
>           TX packets:1951016493 errors:0 dropped:0 overruns:0 carrier:0
>           collisions:0 txqueuelen:500
>           RX bytes:12515299595253 (11.3 TiB)  TX bytes:317211039272 (295.4 GiB)
>
> eth0      Link encap:Ethernet  HWaddr 78:2B:CB:6D:59:9A
>           inet addr:127.128.129.130  Bcast:127.128.129.255  Mask:255.255.255.0
>           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
>           RX packets:2781233 errors:0 dropped:0 overruns:0 frame:0
>           TX packets:2965482 errors:0 dropped:0 overruns:0 carrier:0
>           collisions:0 txqueuelen:0
>           RX bytes:277225631 (264.3 MiB)  TX bytes:664291498 (633.5 MiB)
>
> lo        Link encap:Local Loopback
>           inet addr:127.0.0.1  Mask:255.0.0.0
>           UP LOOPBACK RUNNING  MTU:16436  Metric:1
>           RX packets:91216 errors:0 dropped:0 overruns:0 frame:0
>           TX packets:91216 errors:0 dropped:0 overruns:0 carrier:0
>           collisions:0 txqueuelen:0
>           RX bytes:21207426 (20.2 MiB)  TX bytes:21207426 (20.2 MiB)
>
> peth0     Link encap:Ethernet  HWaddr FE:FF:FF:FF:FF:FF
>           UP BROADCAST RUNNING NOARP  MTU:1500  Metric:1
>           RX packets:1953731878 errors:0 dropped:0 overruns:0 frame:0
>           TX packets:9393179558 errors:0 dropped:0 overruns:0 carrier:0
>           collisions:0 txqueuelen:1000
>           RX bytes:327141737804 (304.6 GiB)  TX bytes:13053452783524 (11.8 TiB)
>           Interrupt:23 Memory:da000000-da012800
>
> tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
>           inet addr:172.16.128.254  P-t-P:172.16.128.253  Mask:255.255.255.255
>           UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
>           RX packets:0 errors:0 dropped:0 overruns:0 frame:0
>           TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
>           collisions:0 txqueuelen:100
>           RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)
>
> vif0.0    Link encap:Ethernet  HWaddr FE:FF:FF:FF:FF:FF
>           UP BROADCAST RUNNING NOARP  MTU:1500  Metric:1
>           RX packets:2965480 errors:0 dropped:0 overruns:0 frame:0
>           TX packets:2781233 errors:0 dropped:0 overruns:0 carrier:0
>           collisions:0 txqueuelen:0
>           RX bytes:664291294 (633.5 MiB)  TX bytes:277225631 (264.3 MiB)
>
> xenbr0    Link encap:Ethernet  HWaddr FE:FF:FF:FF:FF:FF
>           UP BROADCAST RUNNING NOARP  MTU:1500  Metric:1
>           RX packets:78311 errors:0 dropped:0 overruns:0 frame:0
>           TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
>           collisions:0 txqueuelen:0
>           RX bytes:3597130 (3.4 MiB)  TX bytes:0 (0.0 b)
>
>
Andrew Finkenstadt
2012-May-15 21:29 UTC
Re: Implementing firewall functionality in dom0 host on behalf of domU guests
On Tue, May 15, 2012 at 11:31 AM, Andrew Finkenstadt <andy@finkenstadt.com> wrote:

> On Tue, May 15, 2012 at 10:43 AM, Andrew Finkenstadt <andy@finkenstadt.com> wrote:
>
>> My actual question (of how to do the same under CentOS 5.8 +
>> GITCO_Xen_4.1.2) will be a followup to this posting.
>>
>
> The output from "iptables -L -n -v" is subtly different, related to
> physdev matching.
>
> Under CentOS xen 3.1,
>
> Chain FORWARD (policy ACCEPT 1957M packets, 291G bytes)
>  pkts bytes target     prot opt in     out     source               destination
> 1952M  290G XYZZY      all  --  *      *       0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-in peth0 --physdev-out XYZZY
> 2306M   13T ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-in XYZZY
>
> Under CentOS xen 4.1.2,
>
> [root@xm00 ~]# iptables -L -n -v
> Chain FORWARD (policy ACCEPT 16 packets, 3564 bytes)
>  pkts bytes target     prot opt in     out     source               destination
>     0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-out vif1.0 --physdev-is-bridged
>     0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-in vif1.0 --physdev-is-bridged
>
> What changes are necessary for the FORWARD chain to run the XYZZY firewall
> matching rules BEFORE passing on the packets in the ACCEPT rules?
>

The correct command is:

iptables -I FORWARD -m physdev --physdev-in $IF_IN -j $RULENAME

--Andy
Andrew Finkenstadt
2012-May-24 23:23 UTC
Re: Implementing firewall functionality in dom0 host on behalf of domU guests
On Tue, May 15, 2012 at 4:29 PM, Andrew Finkenstadt <andy@finkenstadt.com> wrote:

> On Tue, May 15, 2012 at 11:31 AM, Andrew Finkenstadt <andy@finkenstadt.com> wrote:
>
>> On Tue, May 15, 2012 at 10:43 AM, Andrew Finkenstadt <andy@finkenstadt.com> wrote:
>>
>>> My actual question (of how to do the same under CentOS 5.8 +
>>> GITCO_Xen_4.1.2) will be a followup to this posting.
>>>
>>
>> The output from "iptables -L -n -v" is subtly different, related to
>> physdev matching.
>>
>> Under CentOS xen 3.1,
>>
>> Chain FORWARD (policy ACCEPT 1957M packets, 291G bytes)
>>  pkts bytes target     prot opt in     out     source               destination
>> 1952M  290G XYZZY      all  --  *      *       0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-in peth0 --physdev-out XYZZY
>> 2306M   13T ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-in XYZZY
>>
>> Under CentOS xen 4.1.2,
>>
>> [root@xm00 ~]# iptables -L -n -v
>> Chain FORWARD (policy ACCEPT 16 packets, 3564 bytes)
>>  pkts bytes target     prot opt in     out     source               destination
>>     0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-out vif1.0 --physdev-is-bridged
>>     0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-in vif1.0 --physdev-is-bridged
>>
>> What changes are necessary for the FORWARD chain to run the XYZZY
>> firewall matching rules BEFORE passing on the packets in the ACCEPT rules?
>>
>
> The correct command is:
>
> iptables -I FORWARD -m physdev --physdev-in $IF_IN -j $RULENAME
>

And if you run more than one set of firewall rules on a per-VM basis,

iptables -I FORWARD -m physdev --physdev-in $IF_IN --dst $VM_IP -j $RULENAME

--Andy
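The following script is an added example for this thread and is not Andy's firewall script or anything shipped with Xen; it generalises the per-interface script from the first post into a reusable function and uses the FORWARD hook from the last two replies (physdev-in on the bridged NIC, optionally keyed on the guest's address with --dst so several per-VM chains can share one FORWARD chain). It assumes the physdev match and bridge-nf-call-iptables are available on the dom0, that IF_IN is the physical NIC attached to xenbr0 (peth0 on the xen 3.x host, eth0 on the 4.1.2 host), and the 10.110.210.x guest and management addresses are constructed sample values. Setting IPT=echo prints the iptables invocations instead of applying them, which is how it can be exercised on a machine without a bridge.

```shell
#!/bin/sh
# Per-domU firewall chain for a Xen dom0 bridge, built with iptables' physdev match.
# Added example for the xen-users thread above, not Andy's script. Assumptions:
# physdev match and bridge-nf-call-iptables exist on the dom0; IF_IN is the
# physical NIC attached to xenbr0; the addresses in the usage comment are
# constructed samples. Set IPT=echo to print the commands instead of applying them.

IPT="${IPT:-iptables}"

# Make bridged frames traverse the iptables FORWARD chain at all.
enable_bridge_filtering() {
    echo 1 > /proc/sys/net/bridge/bridge-nf-call-iptables
}

# Print the FORWARD-chain match that hooks one per-VM chain.
# With VM_IP set, the hook is keyed on the guest's address, which is what lets
# several per-VM chains coexist in one FORWARD chain.
hook_match() {
    if_in=$1; vm_ip=$2
    if [ -n "$vm_ip" ]; then
        printf '%s' "-m physdev --physdev-in $if_in --dst $vm_ip"
    else
        printf '%s' "-m physdev --physdev-in $if_in"
    fi
}

# build_vm_chain NAME IF_IN VM_IP MGMT_IP "proto:port ..."
#   NAME     chain name (use the vifname from the domU .cfg for clarity)
#   IF_IN    physical NIC on the bridge
#   VM_IP    guest address ("" to match any destination, as in the original script)
#   MGMT_IP  single host allowed to reach the listed ports on the guest
build_vm_chain() {
    name=$1; if_in=$2; vm_ip=$3; mgmt_ip=$4; ports=$5
    hook=$(hook_match "$if_in" "$vm_ip")

    # Unhook the old chain first so no packet is evaluated against a half-built one.
    $IPT -D FORWARD $hook -j "$name" 2>/dev/null || true
    # Create the chain (ignoring "already exists") and empty it.
    $IPT -N "$name" 2>/dev/null || true
    $IPT -F "$name"

    # Replies to guest-initiated connections pass without per-port checks.
    $IPT -A "$name" -m state --state RELATED,ESTABLISHED -j RETURN

    # One RETURN rule per allowed management port. RETURN hands the packet back
    # to FORWARD, where vif-bridge's own ACCEPT rule then lets it through.
    for spec in $ports; do
        proto=${spec%%:*}
        port=${spec#*:}
        $IPT -A "$name" -m "$proto" -p "$proto" -s "$mgmt_ip/32" --dport "$port" -j RETURN
    done

    # Default deny for everything else addressed to the guest.
    $IPT -A "$name" -j DROP

    # -I places the hook at position 1 of FORWARD, ahead of the ACCEPT rules that
    # vif-bridge inserts, so the per-VM chain is consulted before the packet is accepted.
    $IPT -I FORWARD $hook -j "$name"
}

# Example invocation (addresses are constructed samples):
#   enable_bridge_filtering
#   build_vm_chain XYZZY eth0 10.110.210.51 10.110.210.50 "tcp:22 tcp:5900 udp:161"
```

Two design points worth noting: the chain ends in DROP rather than relying on the FORWARD policy, so a guest is closed by default the moment its hook is installed, and the hook is removed before the chain is flushed so that a re-run never leaves a window in which an empty chain (which would fall through to the vif-bridge ACCEPT) is in force.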