WARNING - OLD ARCHIVES

This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/
   
 
 
Xen 		  
Home Products Support Community News
 
   
 

xen-users

[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: [Xen-users] Network security

from [sadique@xxxxxxxxxxxxxxxxxxx] [Permanent Link][Original]
To: "Andrew W." <andrewinet@xxxxxxxxx>, xen-users@xxxxxxxxxxxxxxxxxxx
Subject: Re: [Xen-users] Network security
From: "sadique@xxxxxxxxxxxxxxxxxxx" <sadique@xxxxxxxxxxxxxxxxxxx>
Date: Sun, 16 Apr 2006 03:38:54 +0530
Delivery-date: Sat, 15 Apr 2006 15:04:40 -0700
Envelope-to: www-data@xxxxxxxxxxxxxxxxxx
In-reply-to: <f5e6c2320604130731gae451d1xd51339dd39ea92d3@xxxxxxxxxxxxxx>
List-help: <mailto:xen-users-request@lists.xensource.com?subject=help>
List-id: Xen user discussion <xen-users.lists.xensource.com>
List-post: <mailto:xen-users@lists.xensource.com>
List-subscribe: <http://lists.xensource.com/cgi-bin/mailman/listinfo/xen-users>, <mailto:xen-users-request@lists.xensource.com?subject=subscribe>
List-unsubscribe: <http://lists.xensource.com/cgi-bin/mailman/listinfo/xen-users>, <mailto:xen-users-request@lists.xensource.com?subject=unsubscribe>
References: <f5e6c2320604130731gae451d1xd51339dd39ea92d3@xxxxxxxxxxxxxx>
Sender: xen-users-bounces@xxxxxxxxxxxxxxxxxxx
User-agent: Mozilla Thunderbird 1.0.7 (X11/20050923) 
Hello,

You should have iptables compiled to the kernel in Dom-0 with physdev
match support.
Set the default policy for FORWARD to DROP
Add a specific rule in Dom-0 for each ip address to forward packets for
that ip addrss only through the interface for that Dom-U. vifname
parameter in Dom-U config file would be good in this circumstance.
Suppose to create a Dom-U named domain1 with vifname domai1  - set the
below rules.

iptables -P FORWARD DROP
iptables -A FORWARD -s <ipaddress for that domain> -m physdev
--physdev-in domain1 -j ACCEPT
iptables -A FORWARD -d <ipaddress for that domain> -m physdev
--physdev-out domain1 -j ACCEPT

If you want to bind mulitiple ips for one dom-u you should add a rule
like this for each ip address,

Thanks
Sadique

Andrew W. wrote:

> Hello all,
>  
> New to the list, so please bear with me.  I'm trying to configure a
> bunch of domU's that will be controlled by various untrusted
> sysadmins.  I want to prevent them from attempting to steal each
> other's IP addresses.  This won't need RFC1918 address space; I have
> globally routable IPs.  My requirements are simply one IP per domU,
> with the ability to route additional blocks (maybe a /29 or /30) to
> individual domU's as necessary.
>  
> I'm not opposed to using iptables or any other such trickery to
> accomplish this.  Comments?
>  
>  
> Regards,
>  
> Andrew Wang
>  
>  
>
>------------------------------------------------------------------------
>
>_______________________________________________
>Xen-users mailing list
>Xen-users@xxxxxxxxxxxxxxxxxxx
>http://lists.xensource.com/xen-users
>


_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users
[More with this subject...]
<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: [Xen-users] Firewalls, Dick Davies
Next by Date:  Re: [Xen-users] xentrace failure..., Diwaker Gupta
Previous by Thread:  [Xen-users] Network security, Andrew W.
Next by Thread:  [Xen-users] No sound with xen 3.0.2 and 2.6.16, Cyril
Indexes:  [Date] [Thread] [Top] [All Lists]
 
   

Copyright , Citrix Systems Inc. All rights reserved. Legal and Privacy