WARNING - OLD ARCHIVES

This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/
xen-users

Re: [Xen-users] antispoof with Xen 3

To: Mike Wright <xktnniuymlla@xxxxxxxxxxxxxx>, xen-users@xxxxxxxxxxxxxxxxxxx
Subject: Re: [Xen-users] antispoof with Xen 3
From: "Dirk H. Schulz" <dirk.schulz@xxxxxxxxxxxxx>
Date: Fri, 29 Sep 2006 21:14:18 +0200
Delivery-date: Fri, 29 Sep 2006 12:15:03 -0700
Envelope-to: www-data@xxxxxxxxxxxxxxxxxx
In-reply-to: <45102128.2050306@xxxxxxxxxxxxxx>
List-help: <mailto:xen-users-request@lists.xensource.com?subject=help>
List-id: Xen user discussion <xen-users.lists.xensource.com>
List-post: <mailto:xen-users@lists.xensource.com>
List-subscribe: <http://lists.xensource.com/cgi-bin/mailman/listinfo/xen-users>, <mailto:xen-users-request@lists.xensource.com?subject=subscribe>
List-unsubscribe: <http://lists.xensource.com/cgi-bin/mailman/listinfo/xen-users>, <mailto:xen-users-request@lists.xensource.com?subject=unsubscribe>
References: <450FAB1C.7020305@xxxxxxxxxxxxx> <45102128.2050306@xxxxxxxxxxxxxx>
Sender: xen-users-bounces@xxxxxxxxxxxxxxxxxxx
User-agent: Mozilla Thunderbird 1.0.7 (Macintosh/20050923)
Hi Mike,

Mike Wright wrote:

> Dirk H. Schulz wrote:
>
>> Hi folks,
>>
>> I am trying to get antispoofing running on xen3 (based on Debian Sarge). This is what I have done to enable it:
>>
>> 1. I have compiled a dom0 kernel with CONFIG_NETFILTER_XT_MATCH_PHYSDEV=m
>> 2. I made sure this module is loaded: lsmod gives xt_physdev (among others).
>> 3a. I have changed the line "(network-script network-bridge)" to "(network-script network-bridge antispoof=yes)" in /etc/xen/xend-config.sxp.
>> 3b. I have also tried setting the default in network-bridge to yes by changing the antispoof line to "antispoof:${antispoof:-yes}".
>>
>> Then I have set up a domU with vif=['mac=ae:00:00:78:be:04, ip=192.168.115.156'], but "inside" I have configured the ip address of eth0 to be 192.168.115.157. After starting the domU "ifconfig eth0" shows the ip address 192.168.115.157, but the domU still has network access to the outside.
>>
>> That means: antispoofing does not work.
>
> Hi Dirk,
>
> I'll bet your iptables FORWARD default policy is ACCEPT. All antispoofing does is specifically add a rule allowing that particular source IP. Having a default policy of ACCEPT means that after failing the source IP matching rule it gets accepted by the default policy. Try adding this rule to iptables and see if it changes what you see.
>
>   "iptables -P FORWARD DROP"
>
> Now only specifically allowed source IPs will pass.

Thanks for your help. You have had the right idea, but there is still a problem. This is what I did:

Changed FORWARD policy to drop as you supposed. Checked with iptables -L FORWARD that policy is DROP. Tried pinging the outside from the misconfigured domU (misconfigured = other IP in /etc/network/interfaces than in domU config file) - no traffic to the outside possible. Good. Changed IP in domU's /etc/network/interfaces to the one used in the domU config file. Restarted domU. Pinged to an external machine - nothing. Even with correct config no network connection!
Checking the FORWARD chain, I have
- a policy of DROP
- an accept rule for all protocols from the domU's IP address to anywhere
- an accept rule for udp from anywhere to anywhere

Both rules appear only after the start of the domU. So the configuration should be okay, but there is no network connection from domU to dom0 or to external machines.

I am stuck somehow. Can you help me again, please? I am willing to dig into docs, of course, but I do not see what to look for at the moment.

Dirk

_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users
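Added example, not from the thread and not Xen's own vif-bridge script: a small sh function that builds the FORWARD ruleset the thread is circling around for one bridged domU. It sets the DROP policy Mike suggested, adds the per-vif source-IP ACCEPT that antispoof=yes installs (this is the rule that needs xt_physdev), adds the DHCP rule that shows up as "udp anywhere anywhere" in Dirk's chain listing, and adds one more rule the thread does not mention: an ACCEPT for reply traffic heading back out of the bridge toward the domU. That last rule is my assumption about Dirk's second symptom (no traffic even from the correct IP with policy DROP); the thread itself never confirms it. The vif name vif1.0 is a constructed placeholder; the IP is the one from Dirk's domU config. IPT defaults to iptables and can be set to echo for a dry run.

```shell
#!/bin/sh
# Added example (not from the thread or from Xen's scripts).
# Build an antispoof FORWARD ruleset for one bridged domU.
# IPT: command used to apply rules; set IPT=echo to print them instead.
IPT="${IPT:-iptables}"

# antispoof_rules VIF IP [IP...]
#   VIF: the dom0 side of the domU's network interface (e.g. vif1.0, assumed name)
#   IP:  the source address(es) the domU is allowed to use
antispoof_rules() {
    vif="$1"; shift
    if [ $# -lt 1 ]; then
        echo "usage: antispoof_rules VIF IP [IP...]" >&2
        return 1
    fi

    # 1. Nothing crosses the bridge unless a rule allows it. With the
    #    default ACCEPT policy, a packet that fails the source-IP rule
    #    below is still forwarded, which is why spoofing "worked".
    "$IPT" -P FORWARD DROP

    # 2. Frames entering the bridge from this vif may only carry the
    #    configured source IP(s). Needs xt_physdev in dom0.
    for ip in "$@"; do
        "$IPT" -A FORWARD -m physdev --physdev-in "$vif" -s "$ip" -j ACCEPT
    done

    # 3. DHCP offers/acks toward the domU (server port 67 -> client port 68).
    "$IPT" -A FORWARD -m physdev --physdev-out "$vif" -p udp --sport 67 --dport 68 -j ACCEPT

    # 4. Replies to flows the domU opened travel back through the bridge
    #    toward the vif. With policy DROP and only rules 2 and 3, they have
    #    no match and are dropped, so even a correctly configured domU
    #    cannot ping out (assumed explanation for the second symptom).
    "$IPT" -A FORWARD -m physdev --physdev-out "$vif" -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# Run as a script: antispoof.sh VIF IP [IP...]
if [ $# -ge 2 ]; then
    antispoof_rules "$@"
fi
```

Dry run with `IPT=echo sh antispoof.sh vif1.0 192.168.115.156` to see the four iptables commands before applying them as root; afterwards `iptables -L FORWARD -v` should list the two physdev rules, the DHCP rule and the state rule under a DROP policy, which is the listing Dirk describes plus the reply rule.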
