WARNING - OLD ARCHIVES

This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/
xen-users

Re: [Xen-users] IP blocking

To: shacky <shacky83@xxxxxxxxx>, xen-users@xxxxxxxxxxxxxxxxxxx
Subject: Re: [Xen-users] IP blocking
From: mail4dla@xxxxxxxxxxxxxx
Date: Wed, 8 Aug 2007 10:03:25 +0200
Delivery-date: Wed, 08 Aug 2007 01:01:03 -0700
Dkim-signature: a=rsa-sha1; c=relaxed/relaxed; d=googlemail.com; s=beta; h=domainkey-signature:received:received:message-id:date:from:to:subject:in-reply-to:mime-version:content-type:references; b=eO9XsWavPkm5o5IdAO6TFe5vpZxu0B2AAqFQmHYA9CxzBFcWTKZP+cj/UOAc8ObYLbaxvmsRz9HQ0qvYFUigeAcRr1iSAsCDkUjLyGC+OnUXszhZ7H/ZEKT2/+XmizPBdoTzD+TY+LVRmTdfG6Hw++ZuErMPJErkiylAZXFmKT4=
Domainkey-signature: a=rsa-sha1; c=nofws; d=googlemail.com; s=beta; h=received:message-id:date:from:to:subject:in-reply-to:mime-version:content-type:references; b=I5K3uf51LaKjZDxVrIm04rhMzNZZPowI5bPh3+/nueWI8Is8zb8N8pDwRqVBZaYkuBbWgHPvQHDJ1kDxbqEXHAXMTtzzeZdLT8wb6bNdvpBi7y535NiIvkf8b6OarrfyK0jmb/XOceB2f8eethBRJWD+keMbWJ0WDWYxlXEzLTc=
Envelope-to: www-data@xxxxxxxxxxxxxxxxxx
In-reply-to: <7fedbc910708071028ne830576pf1da9c33b2ab1370@xxxxxxxxxxxxxx>
List-help: <mailto:xen-users-request@lists.xensource.com?subject=help>
List-id: Xen user discussion <xen-users.lists.xensource.com>
List-post: <mailto:xen-users@lists.xensource.com>
List-subscribe: <http://lists.xensource.com/cgi-bin/mailman/listinfo/xen-users>, <mailto:xen-users-request@lists.xensource.com?subject=subscribe>
List-unsubscribe: <http://lists.xensource.com/cgi-bin/mailman/listinfo/xen-users>, <mailto:xen-users-request@lists.xensource.com?subject=unsubscribe>
References: <7fedbc910708060518s510357cdx7e3be43159616815@xxxxxxxxxxxxxx> <f9264670708060553x6ad7df3ao4a8748c1b01da7fc@xxxxxxxxxxxxxx> <7fedbc910708061234u32199d0ekdbe9f124710eb0d7@xxxxxxxxxxxxxx> <f9264670708070921h6efd682as6edccd835047e9c1@xxxxxxxxxxxxxx> <7fedbc910708071028ne830576pf1da9c33b2ab1370@xxxxxxxxxxxxxx>
Sender: xen-users-bounces@xxxxxxxxxxxxxxxxxxx
Hi,

please also reply to the list as this also gives other people the chance to respond ;)

On 8/7/07, shacky <shacky83@xxxxxxxxx> wrote:
> How can I disconnect it?

If the DomU is already started, "brctl delif xenbrX vifY.Z" is your friend.
Before starting, you can simply set "bridge=" in the DomU config file.
 

> Ok, thank you.
> I'm sorry, but I didn't understand how to make the routing... With
> some MASQ rules with Shorewall (iptables) on the dom0? And then the
> domUs need to configure the dom0 IP address as default gateway?

Yes. But you should use the IP of the vifY.Z interface.
You could also consider doing the routing in a dedicated DomU which is (in theory) a bit more secure, but also more complicated. 

> > I can't tell you what to do, because I do not know *exactly* what you're
> > aiming at.
>
> I have a simple configuration. A dom0 with some domUs, which need to
> have Internet access through the dom0 eth0. Each domU has a vif
> named "vif-[domU's name]", which now is bridged with the dom0.
> I have to restrict the IP addresses the domUs can use, to prevent the
> users from changing their IP addresses or adding other virtual interfaces
> (eth0:x).


Yes, and that's the important point: Do you want to do NAT and share one IP or should each DomU have its own IP that is visible to the outside?
In the latter case, the easiest solution is a dedicated subnet for the DomUs that is routed via an IP in the DomU. I.e., all traffic targeted to one of the DomUs is not sent directly there but to the Dom0.
AFAIK, most providers of cheap servers with root access do not offer this.
 

Cheers
dla

> > If you're dependent on some sort of provider, i.e. you have rented some
> > server, you're probably best at following the already mentioned approach of
> > using iptables and ebtables.
>
> Yes, I wish to use iptables. I am using Shorewall as iptables
> configurator, and I wish to continue to use it for the dom0 too...
>
> Please, could you help me?
> I am very confused... :-(
>
> Bye!
> Mattia.
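The iptables/ebtables approach referred to in this thread, worked out as a small Dom0 script. This is an added example, not code from the thread or from the Xen project: it pins each DomU's vif to the MAC and IP addresses Dom0 assigned it, and optionally masquerades a DomU subnet out of eth0 for the shared-IP case dla describes. Bridge name xenbr0, interface eth0, the vifY.Z names, the 00:16:3e MACs and the 192.168.10.0/24 addresses are assumed sample values constructed for the example.

```shell
#!/bin/sh
# Added example (not from the thread): build Dom0 firewall rules that restrict
# each DomU to the MAC and IP address(es) it was given, for bridged networking.
# Assumed: bridge xenbr0, outward interface eth0, vif names vifY.Z, and the
# constructed addresses in SAMPLE_INVENTORY below. Nothing is applied unless
# apply_rules runs as root with DRY_RUN unset.

# iptables rules for one vif: forward packets only from the allowed source IPs,
# drop anything else entering the bridge from that vif. The physdev match only
# sees bridged traffic when net.bridge.bridge-nf-call-iptables is 1.
antispoof_rules() {
    vif="$1"; shift
    for ip in "$@"; do
        printf 'iptables -A FORWARD -m physdev --physdev-in %s -s %s -j ACCEPT\n' "$vif" "$ip"
    done
    printf 'iptables -A FORWARD -m physdev --physdev-in %s -j DROP\n' "$vif"
}

# ebtables rule for one vif: drop frames whose source MAC is not the DomU's own,
# so a guest cannot impersonate another host at layer 2 (below iptables' view).
mac_pin_rules() {
    vif="$1"; mac="$2"
    printf 'ebtables -A FORWARD -i %s -s ! %s -j DROP\n' "$vif" "$mac"
}

# NAT variant from the thread: DomUs share Dom0's public address; Dom0 (or rather
# the IP on the DomU side of the bridge) is their default gateway.
nat_rules() {
    wan="$1"; subnet="$2"
    printf 'iptables -t nat -A POSTROUTING -s %s -o %s -j MASQUERADE\n' "$subnet" "$wan"
    printf 'iptables -A FORWARD -s %s -o %s -j ACCEPT\n' "$subnet" "$wan"
    printf 'iptables -A FORWARD -d %s -i %s -m state --state ESTABLISHED,RELATED -j ACCEPT\n' "$subnet" "$wan"
}

# Read an inventory of "vif mac ip[,ip...]" lines on stdin and emit the full
# rule set on stdout (MAC pin first, then the per-IP antispoof rules).
build_ruleset() {
    while read -r vif mac ips; do
        [ -z "$vif" ] && continue
        mac_pin_rules "$vif" "$mac"
        # word-splitting of the comma list into separate arguments is intended
        antispoof_rules "$vif" $(printf '%s' "$ips" | tr ',' ' ')
    done
}

# Number of non-empty rule lines, useful as a sanity check before applying.
count_rules() { grep -c . ; }

# Execute each rule line read from stdin; with DRY_RUN set, just echo it.
apply_rules() {
    while read -r rule; do
        if [ -n "$DRY_RUN" ]; then
            echo "$rule"
        else
            $rule || { echo "failed: $rule" >&2; return 1; }
        fi
    done
}

# Constructed inventory: two DomUs on xenbr0 using Xen's 00:16:3e OUI.
SAMPLE_INVENTORY="$(printf 'vif1.0 00:16:3e:00:00:01 192.168.10.11\nvif2.0 00:16:3e:00:00:02 192.168.10.12,192.168.10.13\n')"

# Stand-alone demo: print the rules for the sample inventory without applying.
DRY_RUN=1
printf '%s\n' "$SAMPLE_INVENTORY" | build_ruleset | apply_rules
nat_rules eth0 192.168.10.0/24 | apply_rules
```

The rules are generated as text first so they can be reviewed (or fed to a Shorewall rules file) before anything touches the running firewall. The physdev match is what ties a packet to the vif it came in on; the stock Xen vif scripts do something similar when their antispoofing option is enabled, and the ebtables MAC pin covers the layer-2 case that iptables alone does not.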
