[Xen-users] xen (3.0.3_0) + iptables in dom0 
Hello,
I have a little trouble with using iptables in dom0 with Xen 3.0.
I allow all OUTPUT and FORWARD in the default iptables policy; the default
policy for the INPUT chain is DROP, except for ssh into dom0 from fixed IPs in
the network 10.131.12.0/24.
I have the following iptables script and network configuration (I'm using
Debian Sarge):
#!/bin/sh
# /etc/network/if-pre-up.d/iptables-start
iptables=$(which iptables)
# Flush all rules in the filter table, then set the chain policies:
# anything not explicitly accepted on INPUT is dropped.
$iptables -F
$iptables -P INPUT DROP
$iptables -P FORWARD ACCEPT
$iptables -P OUTPUT ACCEPT
# Loopback, ICMP and IGMP are always accepted.
$iptables -A INPUT -i lo -j ACCEPT
$iptables -A INPUT -p icmp -j ACCEPT
$iptables -A INPUT -p igmp -j ACCEPT
# Replies to connections dom0 itself initiated.
$iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# SSH, only from the admin network.
$iptables -A INPUT -p tcp -s 10.131.12.0/24 --dport 22 -j ACCEPT
---------
With this iptables configuration, I can't go out from dom0 (no ping, no
ssh, no http for apt-get update/upgrade).
If I set the INPUT chain default policy to ACCEPT, it works of course
(i.e. like no iptables protection at all)...
I wonder why the output stream from dom0 is blocked (default policy =
ACCEPT)? Does the output stream initiated by dom0 re-enter into any
INPUT chain due to the xen bridge or the renaming of eth0 to peth0?
It's a little bit cloudy for me...
Does anybody have a sample iptables script for protecting a dom0 machine?
My network configuration for the dom0:
eth0      Link encap:Ethernet  HWaddr 00:30:48:68:20:18
          inet addr:10.131.12.5  Bcast:10.131.255.255  Mask:255.255.0.0
          inet6 addr: fe80::230:48ff:fe68:2018/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:657163 errors:0 dropped:0 overruns:0 frame:0
          TX packets:10908 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:58172954 (55.4 MiB)  TX bytes:1811066 (1.7 MiB)
lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:8 errors:0 dropped:0 overruns:0 frame:0
          TX packets:8 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:560 (560.0 b)  TX bytes:560 (560.0 b)
peth0     Link encap:Ethernet  HWaddr FE:FF:FF:FF:FF:FF
          inet6 addr: fe80::fcff:ffff:feff:ffff/64 Scope:Link
          UP BROADCAST RUNNING NOARP  MTU:1500  Metric:1
          RX packets:664303 errors:0 dropped:0 overruns:0 frame:0
          TX packets:11059 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:61532959 (58.6 MiB)  TX bytes:1873537 (1.7 MiB)
          Base address:0x2000 Memory:da200000-da220000
vif0.0    Link encap:Ethernet  HWaddr FE:FF:FF:FF:FF:FF
          inet6 addr: fe80::fcff:ffff:feff:ffff/64 Scope:Link
          UP BROADCAST RUNNING NOARP  MTU:1500  Metric:1
          RX packets:11009 errors:0 dropped:0 overruns:0 frame:0
          TX packets:662689 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:1825551 (1.7 MiB)  TX bytes:58733912 (56.0 MiB)
xenbr0    Link encap:Ethernet  HWaddr FE:FF:FF:FF:FF:FF
          inet6 addr: fe80::200:ff:fe00:0/64 Scope:Link
          UP BROADCAST RUNNING NOARP  MTU:1500  Metric:1
          RX packets:646462 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:46504320 (44.3 MiB)  TX bytes:0 (0.0 b)
# route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
localnet        *               255.255.0.0     U     0      0        0 eth0
default         10.131.255.254  0.0.0.0         UG    0      0        0 eth0
Thank you for your help.
--
Arnaud
_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users
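Added example, not part of the original post: a dom0 ruleset in iptables-restore format that keeps the same policy as the script above (INPUT DROP, everything else ACCEPT, SSH only from the admin network) and adds the check the question calls for, a rate-limited LOG rule at the end of INPUT. Any packet that reaches it is about to be dropped by the policy, and the logged line names the interface it arrived on (eth0, vif0.0, peth0 or xenbr0), which shows directly whether dom0's own traffic is coming back through INPUT via the bridge. The admin network 10.131.12.0/24 and the log prefix are assumptions taken from the post; the function names are mine.

```shell
#!/bin/sh
# Added example (not the poster's script): generate a dom0 filter ruleset
# as iptables-restore text, so it can be inspected before loading and
# loaded atomically. Assumed values below come from the post.

ADMIN_NET="${ADMIN_NET:-10.131.12.0/24}"          # assumed admin network
LOG_PREFIX="${LOG_PREFIX:-dom0-INPUT-DROP: }"     # assumed log tag

# Emit the ruleset. iptables-restore ignores lines starting with '#'.
dom0_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Loopback and replies to connections dom0 opened itself.
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -p igmp -j ACCEPT
# Only NEW SSH connections need an explicit rule; replies match ESTABLISHED.
-A INPUT -s ${ADMIN_NET} -p tcp --dport 22 -m state --state NEW -j ACCEPT
# Everything reaching this point is dropped by the chain policy. Log it,
# rate-limited so a port scan cannot flood the kernel log. The IN= field
# of each logged line tells you which interface the packet came in on.
-A INPUT -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "${LOG_PREFIX}" --log-level 4
COMMIT
EOF
}

# Load the ruleset atomically; meaningful only as root on the dom0.
apply_rules() {
    dom0_rules | iptables-restore
}

# Sanity check helper: number of rules appended to a given chain.
count_rules() {
    dom0_rules | grep -c "^-A $1 "
}

# Show the dropped-packet log lines written by the LOG rule (path assumed
# for a Debian syslog setup; adjust if kernel messages go elsewhere).
show_drops() {
    grep -- "${LOG_PREFIX}" /var/log/kern.log
}

case "${1:-}" in
    apply) apply_rules ;;
    drops) show_drops ;;
    *)     dom0_rules ;;
esac
```

Run it with no argument to print the ruleset, `apply` to load it, and `drops` afterwards while reproducing the failure (a ping, an apt-get) to see what was dropped. Because the bridge in this setup puts dom0's eth0 behind vif0.0/xenbr0/peth0, the `IN=` field of the logged lines is the fact to look at: a logged packet with `IN=eth0` and a source address that is the reply to something dom0 sent means the ESTABLISHED rule did not match it.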
[Xen-users] xen (3.0.3_0) + iptables in dom0, Arnaud JAYET