WARNING - OLD ARCHIVES

This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/
xen-users

[Xen-users] xen (3.0.3_0) + iptables in dom0

To: xen-users@xxxxxxxxxxxxxxxxxxx
Subject: [Xen-users] xen (3.0.3_0) + iptables in dom0
From: Arnaud JAYET <ajayet@xxxxxxx>
Date: Wed, 08 Nov 2006 11:17:31 +0100
Delivery-date: Wed, 08 Nov 2006 02:18:04 -0800
Envelope-to: www-data@xxxxxxxxxxxxxxxxxx
List-help: <mailto:xen-users-request@lists.xensource.com?subject=help>
List-id: Xen user discussion <xen-users.lists.xensource.com>
List-post: <mailto:xen-users@lists.xensource.com>
List-subscribe: <http://lists.xensource.com/cgi-bin/mailman/listinfo/xen-users>, <mailto:xen-users-request@lists.xensource.com?subject=subscribe>
List-unsubscribe: <http://lists.xensource.com/cgi-bin/mailman/listinfo/xen-users>, <mailto:xen-users-request@lists.xensource.com?subject=unsubscribe>
Sender: xen-users-bounces@xxxxxxxxxxxxxxxxxxx
User-agent: Thunderbird 1.5.0.7 (Windows/20060909)

Hello,

I have a little trouble using iptables in dom0 with Xen 3.0.

I allow all OUTPUT and FORWARD in the default iptables policy; the default policy for the INPUT chain is DROP, except for SSH into dom0 from fixed IPs in the network 10.131.12.0/24.


I have the following iptables script and network configuration (I'm using Debian Sarge):


#!/bin/sh
# /etc/network/if-pre-up.d/iptables-start
iptables=$(which iptables)

# Flush the existing rules in the filter table
$iptables -F

# Default policies: drop inbound, accept forwarded and outbound traffic
$iptables -P INPUT DROP
$iptables -P FORWARD ACCEPT
$iptables -P OUTPUT ACCEPT

# Loopback, ICMP and IGMP
$iptables -A INPUT -i lo -j ACCEPT
$iptables -A INPUT -p icmp -j ACCEPT
$iptables -A INPUT -p igmp -j ACCEPT

# Replies to connections initiated from dom0
$iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

# SSH from the admin network only
$iptables -A INPUT -p tcp -s 10.131.12.0/24 --dport 22 -j ACCEPT

---------

With this iptables configuration, I can't get out from dom0 (no ping, no SSH, no HTTP for apt-get update/upgrade).

If I set the INPUT chain default policy to ACCEPT, it works of course (i.e. like having no iptables protection at all)...

I wonder why the output stream from dom0 is blocked (default policy = ACCEPT)? Does the output stream initiated by dom0 re-enter the INPUT chain because of the Xen bridge or the renaming of eth0 to peth0? It's a little bit cloudy for me...


Does anybody have a sample iptables script for protecting a dom0 machine ?


My network configuration for the dom0:


eth0      Lien encap:Ethernet  HWaddr 00:30:48:68:20:18
          inet adr:10.131.12.5  Bcast:10.131.255.255  Masque:255.255.0.0
          adr inet6: fe80::230:48ff:fe68:2018/64 Scope:Lien
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:657163 errors:0 dropped:0 overruns:0 frame:0
          TX packets:10908 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 lg file transmission:0
          RX bytes:58172954 (55.4 MiB)  TX bytes:1811066 (1.7 MiB)

lo        Lien encap:Boucle locale
          inet adr:127.0.0.1  Masque:255.0.0.0
          adr inet6: ::1/128 Scope:Hôte
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:8 errors:0 dropped:0 overruns:0 frame:0
          TX packets:8 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 lg file transmission:0
          RX bytes:560 (560.0 b)  TX bytes:560 (560.0 b)

peth0     Lien encap:Ethernet  HWaddr FE:FF:FF:FF:FF:FF
          adr inet6: fe80::fcff:ffff:feff:ffff/64 Scope:Lien
          UP BROADCAST RUNNING NOARP  MTU:1500  Metric:1
          RX packets:664303 errors:0 dropped:0 overruns:0 frame:0
          TX packets:11059 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 lg file transmission:1000
          RX bytes:61532959 (58.6 MiB)  TX bytes:1873537 (1.7 MiB)
          Adresse de base:0x2000 Mémoire:da200000-da220000

vif0.0    Lien encap:Ethernet  HWaddr FE:FF:FF:FF:FF:FF
          adr inet6: fe80::fcff:ffff:feff:ffff/64 Scope:Lien
          UP BROADCAST RUNNING NOARP  MTU:1500  Metric:1
          RX packets:11009 errors:0 dropped:0 overruns:0 frame:0
          TX packets:662689 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 lg file transmission:0
          RX bytes:1825551 (1.7 MiB)  TX bytes:58733912 (56.0 MiB)

xenbr0    Lien encap:Ethernet  HWaddr FE:FF:FF:FF:FF:FF
          adr inet6: fe80::200:ff:fe00:0/64 Scope:Lien
          UP BROADCAST RUNNING NOARP  MTU:1500  Metric:1
          RX packets:646462 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 lg file transmission:0
          RX bytes:46504320 (44.3 MiB)  TX bytes:0 (0.0 b)


# route
Table de routage IP du noyau
Destination     Passerelle      Genmask         Indic Metric Ref    Use Iface
localnet        *               255.255.0.0     U     0      0        0 eth0
default         10.131.255.254  0.0.0.0         UG    0      0        0 eth0


Thank you for your help.


--
Arnaud
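A sample stateful INPUT policy for a bridged Xen dom0, with a LOG rule before the DROP policy and a small helper that counts the logged drops per incoming interface, so the administrator can see on which interface (eth0, vif0.0, peth0, xenbr0) dropped packets actually arrive. This is an added example, not Arnaud's script or Xen's own network scripts; it assumes the interface layout shown in the post, takes the admin network 10.131.12.0/24 from it, and uses constructed log lines.

```shell
#!/bin/sh
# Added example, not the poster's script: a stateful INPUT policy for a
# bridged Xen dom0 (IP on eth0; peth0, xenbr0 and vif0.0 present, as in
# the post) plus a LOG rule and a helper that summarises the logged drops
# per incoming interface. Set IPT=echo to print rules instead of loading them.
IPT="${IPT:-iptables}"
ADMIN_NET="${ADMIN_NET:-10.131.12.0/24}"   # admin network taken from the post

fw_rules() {
    "$IPT" -F INPUT
    "$IPT" -P INPUT DROP
    "$IPT" -P FORWARD ACCEPT
    "$IPT" -P OUTPUT ACCEPT
    "$IPT" -A INPUT -i lo -j ACCEPT
    # Replies to connections dom0 opened itself (apt-get, ssh, ping).
    "$IPT" -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    "$IPT" -A INPUT -p icmp -j ACCEPT
    # New SSH sessions only from the admin network.
    "$IPT" -A INPUT -p tcp -s "$ADMIN_NET" --dport 22 -m state --state NEW -j ACCEPT
    # Anything left falls through to the DROP policy; log it first (rate
    # limited) so syslog shows the arriving interface (IN=) and the ports.
    "$IPT" -A INPUT -m limit --limit 5/min -j LOG --log-prefix "dom0-INPUT-DROP: "
}

# Count logged drops per incoming interface. Reads kernel log lines on
# stdin and prints "<iface> <count>", busiest interface first.
drops_by_iface() {
    sed -n 's/.*dom0-INPUT-DROP: .*IN=\([^ ]*\).*/\1/p' | sort | uniq -c |
        awk '{ print $2, $1 }' | sort -k2,2nr
}

# Constructed sample log lines (not real output from the poster's machine).
SAMPLE_LOG='Nov  8 11:20:01 dom0 kernel: dom0-INPUT-DROP: IN=eth0 OUT= SRC=10.131.12.9 DST=10.131.12.5 PROTO=TCP SPT=45678 DPT=80
Nov  8 11:20:02 dom0 kernel: dom0-INPUT-DROP: IN=eth0 OUT= SRC=10.131.12.9 DST=10.131.12.5 PROTO=UDP SPT=53 DPT=33000
Nov  8 11:20:03 dom0 kernel: dom0-INPUT-DROP: IN=peth0 OUT= SRC=10.131.1.1 DST=10.131.12.5 PROTO=TCP SPT=22 DPT=40000'

if [ "${1:-}" = "apply" ]; then
    fw_rules                       # load the rules for real (needs root)
else
    IPT=echo fw_rules              # dry run: print the rules
    printf '%s\n' "$SAMPLE_LOG" | drops_by_iface
fi
```

Run it as root with the argument `apply` to load the rules; without arguments it prints the rules and the per-interface summary of the constructed sample log.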

_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users
