WARNING - OLD ARCHIVES

This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/
   
 
 
Xen 		  
Home Products Support Community News
 
   
 

xense-devel

[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

[Xense-devel] cannot filter on vif* interfaces using iptables?

from [Claudio Fleiner] [Permanent Link][Original]
To: xense-devel@xxxxxxxxxxxxxxxxxxx
Subject: [Xense-devel] cannot filter on vif* interfaces using iptables?
From: Claudio Fleiner <xensource@xxxxxxxxxxx>
Date: Sun, 6 Aug 2006 19:09:11 -0700
Delivery-date: Sun, 06 Aug 2006 19:09:32 -0700
Envelope-to: www-data@xxxxxxxxxxxxxxxxxx
List-help: <mailto:xense-devel-request@lists.xensource.com?subject=help>
List-id: "A discussion list for those developing security enhancements for Xen." <xense-devel.lists.xensource.com>
List-post: <mailto:xense-devel@lists.xensource.com>
List-subscribe: <http://lists.xensource.com/cgi-bin/mailman/listinfo/xense-devel>, <mailto:xense-devel-request@lists.xensource.com?subject=subscribe>
List-unsubscribe: <http://lists.xensource.com/cgi-bin/mailman/listinfo/xense-devel>, <mailto:xense-devel-request@lists.xensource.com?subject=unsubscribe>
Sender: xense-devel-bounces@xxxxxxxxxxxxxxxxxxx 
Hi,

I'd like to use an iptables filter that uses the virtual interface
vif for its filtering decision (for example block access to port 80
for a certain domain).

My Xen sessions run on a dual ported host that also works as the NAT
gateway.

        eth0: external IP address
        eth1: internal IP address (10.0.0.1)

        Xen is setup using bridging, and the xen sessions use
        ip addresses in the 10.0.1.* range.

Everything works fine except that it looks like the kernel does not
know the virtual interface a packet comes from anywhere iptables
gets a hold of them (if I log the packets I either see eth1 and eth0,
or one of the interfaces has no name, I never see vif*). I am using
kernel 2.6.16.13-xen0 compiled from the XEN source (latest development
branch as of two weeks ago).

As suggested by Gerd a few weeks ago I set CONFIG_BRIDGE_NETFILTER=y
and CONFIG_NETFILTER_XT_MATCH_PHYSDEV=y but even then the logs just look
like this no matter into which table I insert the LOG option: 

IN=eth1 OUT=eth0 SRC=10.0.1.0 DST=249.115.140.206 LEN=40 TOS=0x00 PREC=0x00 
TTL=63 ID=60085 DF PROTO=TCP SPT=39516 DPT=80 WINDOW=11680 RES=0x00 ACK URGP=0

I use the following iptables parameters (I use FC5):

*nat
:PREROUTING ACCEPT [227:9480]
:POSTROUTING ACCEPT [20:6695]
:OUTPUT ACCEPT [25:7215]
-A POSTROUTING -s 10.0.0.0/16 -d 10.0.0.0/16 -j ACCEPT
-A PREROUTING -s 10.0.0.0/16 -d 10.0.0.0/16 -j ACCEPT
-A POSTROUTING -o eth0 -s 10.0.0.0/8 -j MASQUERADE 
COMMIT
# Completed on Tue Aug  1 17:27:28 2006
# Generated by iptables-save v1.3.5 on Tue Aug  1 17:27:28 2006
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [3216:587050]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT 
-A FORWARD -j RH-Firewall-1-INPUT 
-A RH-Firewall-1-INPUT -i lo -j ACCEPT 
-A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type any -j ACCEPT 
-A RH-Firewall-1-INPUT -p ipv6-crypt -j ACCEPT 
-A RH-Firewall-1-INPUT -p ipv6-auth -j ACCEPT 
-A RH-Firewall-1-INPUT -d 224.0.0.251 -p udp -m udp --dport 5353 -j ACCEPT 
-A RH-Firewall-1-INPUT -p udp -m udp --dport 514 -j ACCEPT 
-A RH-Firewall-1-INPUT -p udp -m udp --dport 123 -j ACCEPT 
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 123 -j ACCEPT 
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 80 -j ACCEPT 
-A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT 
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 1027 -j 
ACCEPT 
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 5900:5920 -j 
ACCEPT 
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 5800:5820 -j 
ACCEPT 
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 20000:24999 
-j ACCEPT 
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 1001 -j 
ACCEPT 
-A RH-Firewall-1-INPUT -d 216.224.124.2 -i eth0 -p tcp -m tcp --dport 22000 -j 
ACCEPT
-A RH-Firewall-1-INPUT -s 10.0.0.0/255.255.0.0 -p tcp -m state --state NEW -m 
tcp --dport 111 -j ACCEPT 
-A RH-Firewall-1-INPUT -s 10.0.0.0/255.255.0.0 -p tcp -m state --state NEW -m 
tcp --dport 920 -j ACCEPT 
-A RH-Firewall-1-INPUT -s 10.0.0.0/255.255.0.0 -p udp -j ACCEPT 
-A RH-Firewall-1-INPUT -s 10.0.0.0/255.255.0.0 -p tcp -m state --state NEW -m 
tcp --dport 2049 -j ACCEPT 
-A RH-Firewall-1-INPUT -d 10.0.1.0/255.255.0.0 -p tcp -m state --state NEW -m 
tcp --dport 22 -j ACCEPT 
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited 
COMMIT
# Completed on Tue Aug  1 17:27:28 2006
# Generated by iptables-save v1.3.5 on Tue Aug  1 17:27:28 2006



Any hints on how to insert a rule that would drop all packets from a certain 
virtual 
interface greatly appreciated! I.e. something like

-A RH-Firewall-1-INPUT -i vif2.0 --dport 80 -j DROP

Thanks, Claudio

----------------------------------------------------------------------------
Claudio Fleiner                                          claudio@xxxxxxxxxxx

_______________________________________________
Xense-devel mailing list
Xense-devel@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xense-devel
[More with this subject...]
<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Your urgent response will be highly appreciated., Mrs.Sosnitskaya Ahatulebha.
Next by Date:  Re: [Xense-devel] cannot filter on vif* interfaces using iptables?, Reiner Sailer
Previous by Thread:  Your urgent response will be highly appreciated., Mrs.Sosnitskaya Ahatulebha.
Next by Thread:  Re: [Xense-devel] cannot filter on vif* interfaces using iptables?, Reiner Sailer
Indexes:  [Date] [Thread] [Top] [All Lists]
 
   

Copyright , Citrix Systems Inc. All rights reserved. Legal and Privacy