Re: [Xen-users] Firewalling Xen?
On Mon, Dec 15, 2008 at 12:21 AM, <lists@xxxxxxxxxxxxx> wrote:
I have the following Xen config and I was wondering what you'd recommend as a firewall setup.
Dom0 - 18.104.22.168
Dom1 - 22.214.171.124 (Bridged)
Dom2 - 126.96.36.199 (Bridged)
Dom3 - 188.8.131.52 (Bridged)
Dom4 - 184.108.40.206 (Bridged)
I'm wondering how to set up a firewall for Dom0 when all traffic for the DomUs goes 'through' it. How should the firewall take this into account?
On a side note, I read a more secure way was to have the 'primary' Dom to be a DomU firewall to avoid exploits to the Dom0 but I can't find proper documentation for such a setup. Can someone point me in the right direction please?
There are multiple ways of accomplishing your goal but I'll tell you what I do.
Put virtually no software on Dom0 outside of the xen stuff and a firewall/IDS
Dom0 has two interfaces:
- eth0 (physical network connection)
- dummy0 (internal interface)
Create an internal bridge called br0 for all DomUs - with libvirt (CentOS 5.2) edit /etc/libvirt/qemu/networks/autostart/default.xml
To set up dummy0: add dummy0 to bridge br0 - xend-config.sxp scripts
This way DomUs can communicate with Dummy0 on Dom0. The only way for traffic to flow from the bridge to the outside world is through Dom0's firewall.
# Masquerade everything leaving eth0 (the next line is an unfinished, source-restricted variant, commented out)
#iptables -t nat -A POSTROUTING -s 10.10.10.0/24
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
# Only replies to connections the DomUs opened are let back in from eth0
# (these FORWARD rules only restrict anything if the chain policy is DROP and ip_forward is enabled)
iptables -A FORWARD -i eth0 -o dummy0 -m state --state RELATED,ESTABLISHED -j ACCEPT
# DomUs may initiate any outbound connection
iptables -A FORWARD -i dummy0 -o eth0 -j ACCEPT
### Port Forwarding ###
# Outside port 1001x on eth0 -> SSH (22) on the matching DomU; commented out until needed
#iptables -A PREROUTING -t nat -p tcp -i eth0 --dport 10010 -j DNAT --to 192.168.1.10:22
#iptables -A PREROUTING -t nat -p tcp -i eth0 --dport 10011 -j DNAT --to 192.168.1.11:22
#iptables -A PREROUTING -t nat -p tcp -i eth0 --dport 10012 -j DNAT --to 192.168.1.12:22
This will get you started. It allows any returning traffic from an internal connection (DomU) to be reconnected to the DomU. It also forwards port 10010 from the outside to the domU with the ip address of 192.168.1.10 port 22 etc.. I might have forgotten a few things but I think this will get you going. You can add to this firewall to allow more traffic through or limit traffic out etc... Standard firewall rules apply here.
I'll be writing a real in-depth tutorial for my site grantmcwilliams.com some day in the future. If anyone has ideas to make this more streamlined I'm all ears.
Some people, when confronted with a problem, think "I know, I'll use Windows."
Now they have two problems.
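Added example, not code from either poster: a small model of the iptables FORWARD chain, so the posted rule set can be checked offline. It shows that with a DROP policy the DNAT'd SSH flow (already rewritten to 192.168.1.10:22 by PREROUTING) still needs its own FORWARD accept rule; that extra rule, the packets and the addresses are constructed for the example.

```python
# Added example (not from the mailing-list post): first-match evaluation of
# the FORWARD chain, falling through to the chain policy, like netfilter does.
from dataclasses import dataclass

@dataclass
class Packet:
    in_iface: str
    out_iface: str
    proto: str
    dst: str
    dport: int
    state: str   # conntrack state: NEW, ESTABLISHED or RELATED

def matches(rule, pkt):
    """True when every criterion present in the rule matches the packet."""
    for key, want in rule.items():
        if key == "target":
            continue
        have = getattr(pkt, key)
        if key == "state":
            if have not in want:      # --state takes a list of states
                return False
        elif have != want:
            return False
    return True

def forward_verdict(rules, pkt, policy="DROP"):
    """First matching rule decides; otherwise the chain policy applies."""
    for rule in rules:
        if matches(rule, pkt):
            return rule["target"]
    return policy

# The two FORWARD rules exactly as posted.
POSTED_RULES = [
    {"in_iface": "eth0", "out_iface": "dummy0",
     "state": {"RELATED", "ESTABLISHED"}, "target": "ACCEPT"},
    {"in_iface": "dummy0", "out_iface": "eth0", "target": "ACCEPT"},
]

# Hypothetical companion rule the 10010 -> 192.168.1.10:22 DNAT needs
# when the FORWARD policy is DROP.
DNAT_FORWARD_RULE = {"in_iface": "eth0", "out_iface": "dummy0", "proto": "tcp",
                     "dst": "192.168.1.10", "dport": 22, "state": {"NEW"},
                     "target": "ACCEPT"}

# Constructed sample flows (destinations already rewritten by PREROUTING).
SSH_IN = Packet("eth0", "dummy0", "tcp", "192.168.1.10", 22, "NEW")
REPLY = Packet("eth0", "dummy0", "tcp", "192.168.1.10", 80, "ESTABLISHED")
DOMU_OUT = Packet("dummy0", "eth0", "tcp", "203.0.113.5", 443, "NEW")
UNSOLICITED = Packet("eth0", "dummy0", "tcp", "192.168.1.11", 22, "NEW")
```

With the default ACCEPT policy the posted RELATED,ESTABLISHED rule changes nothing; only a DROP policy plus explicit accepts for forwarded ports gives the "everything goes through Dom0's firewall" property the post describes.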
Xen-users mailing list