This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/
Home Products Support Community News


[Xen-users] are these iptables modification secure

To: xen-users@xxxxxxxxxxxxxxxxxxx
Subject: [Xen-users] are these iptables modification secure
From: Olivier Seubert <oli4_seubert@xxxxxxxx>
Date: Sun, 11 Feb 2007 18:52:27 +0100 (CET)
Delivery-date: Mon, 12 Feb 2007 02:42:31 -0800
Domainkey-signature: a=rsa-sha1; q=dns; c=nofws; s=s1024; d=yahoo.de; h=Message-ID:X-YMail-OSG:Received:Date:From:Subject:To:MIME-Version:Content-Type:Content-Transfer-Encoding; b=ZZ6qNheQMLHzU4lkMiDZkeIpUYcWixac9WIxUuPvVpLZ+u0jZjJbW76JKywhhdDdeE5TUnsSQ61+muSMgrLCD/6GCHC2JlK49H1OU92dej6p+Sik/IXZwIl6b/+zPzqEu9D7VLFXNLIkUJzMcV9entIw2z7UnaTSCjtRhlWJ8Ew= ;
Envelope-to: www-data@xxxxxxxxxxxxxxxxxx
List-help: <mailto:xen-users-request@lists.xensource.com?subject=help>
List-id: Xen user discussion <xen-users.lists.xensource.com>
List-post: <mailto:xen-users@lists.xensource.com>
List-subscribe: <http://lists.xensource.com/cgi-bin/mailman/listinfo/xen-users>, <mailto:xen-users-request@lists.xensource.com?subject=subscribe>
List-unsubscribe: <http://lists.xensource.com/cgi-bin/mailman/listinfo/xen-users>, <mailto:xen-users-request@lists.xensource.com?subject=unsubscribe>
Sender: xen-users-bounces@xxxxxxxxxxxxxxxxxxx

I have slightely modified the iptable boot script for XEN
However I'm totally unsure if it's secure.

The "#NEW" Lines are the modifications of LFS' recommended
boot script.

Do they mean, that every single packet which is forwarded through peth0
to eth0 is accepted.
I liked the configuration that only answers to established connections
are let through.

Thanks for your help



# Begin $rc_base/rc.iptables

# Insert connection-tracking modules
# (not needed if built into the kernel)
modprobe ip_tables
modprobe iptable_filter
modprobe ip_conntrack
modprobe ip_conntrack_ftp
modprobe ipt_state
modprobe ipt_LOG
modprobe ipt_physdev

# Enable broadcast echo Protection
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

# Disable Source Routed Packets
echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route

# Enable TCP SYN Cookie Protection
echo 1 > /proc/sys/net/ipv4/tcp_syncookies

# Disable ICMP Redirect Acceptance
echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects

# Don¹t send Redirect Messages
echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects

# Drop Spoofed Packets coming in on an interface, where responses
# would result in the reply going out a different interface.
echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter

# Log packets with impossible addresses.
echo 1 > /proc/sys/net/ipv4/conf/all/log_martians

# be verbose on dynamic ip-addresses  (not needed in case of static IP)
echo 2 > /proc/sys/net/ipv4/ip_dynaddr

# disable Explicit Congestion Notification
# too many routers are still ignorant
echo 0 > /proc/sys/net/ipv4/tcp_ecn

# Set a known state
iptables -P INPUT   DROP
iptables -P FORWARD DROP
iptables -P OUTPUT  DROP

# These lines are here in case rules are already in place and the
# script is ever rerun on the fly. We want to remove all rules and
# pre-existing user defined chains before we implement new rules.
iptables -F
iptables -X
iptables -Z

iptables -t nat -F

#NEW (following 2 lines)
iptables -A FORWARD -m physdev --physdev-in peth0 --physdev-out '!' peth0  -j ACCEPT
iptables -A FORWARD -m physdev --physdev-out peth0 --physdev-in '!' peth0  -j ACCEPT

# Allow local-only connections
iptables -A INPUT  -i lo -j ACCEPT
iptables -A INPUT  -i eth0 -j ACCEPT

# Free output on any interface to any ip for any service
# (equal to -P ACCEPT)
iptables -A OUTPUT -j ACCEPT

# Permit answers on already established connections
# and permit new connections related to established ones
# (e.g. port mode ftp)
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Log everything else. What's Windows' latest exploitable vulnerability?
iptables -A INPUT -j LOG --log-prefix "FIREWALL:INPUT "

# End $rc_base/rc.iptables

Was Sie schon immer wissen wollten aber nie zu Fragen trauten? Yahoo! Clever hilft Ihnen.
Xen-users mailing list
<Prev in Thread] Current Thread [Next in Thread>
  • [Xen-users] are these iptables modification secure, Olivier Seubert <=