This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/
[Xen-users] Best way to secure dom0 with iptables?

To: <xen-users@xxxxxxxxxxxxxxxxxxx>
Subject: [Xen-users] Best way to secure dom0 with iptables?
From: "Larry Ludwig" <larrylud@xxxxxxxxx>
Date: Mon, 12 Mar 2007 20:05:36 -0400
Delivery-date: Mon, 12 Mar 2007 17:05:05 -0700
Hi,
 
Reading up on many articles on the mailing list, the wiki and the web, I still can't figure out how to secure dom0 without affecting the domU instances.
 
How can I only allow (or even disallow altogether) dom0 traffic while not affecting domU instances?
 
I tried creating a new chain just for dom0
 
-A FORWARD -m physdev  --physdev-in vif0.0 -j NODE
 
While it appears the traffic for dom0 goes on to this rule, it appears that if I set up the chain as listed below, performing an nmap still shows all ports are open.
 
# allow icmp packets
-A NODE -p icmp --icmp-type any -j ACCEPT
# allow existing traffic through
-A NODE -i vif0.0 -m state --state ESTABLISHED,RELATED -j ACCEPT
# allow DNS traffic through
-A NODE -p 50 -j ACCEPT
-A NODE -p 51 -j ACCEPT
-A NODE -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
# reject all other ports
-A NODE -j REJECT --reject-with icmp-host-prohibited
 
Anyone have any ideas on how to secure dom0?
 
Thanks.
 
-L
 
--
Larry Ludwig
Empowering Media
1-866-792-0489 x600
Have you visited our customer service blog?
_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users
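An added example, not from the poster or the Xen project, of the split a dom0 firewall needs: packets addressed to dom0 itself traverse the INPUT chain, so the dom0 policy belongs there, while bridged domU frames (with bridge-nf-call-iptables enabled) traverse FORWARD and can be matched with physdev without touching INPUT. It assumes eth0 is dom0's own interface, MGMT_NET is a constructed management subnet, and the rules are loaded with iptables-restore.

```shell
#!/bin/sh
# Added example (not the original post's rules): dom0 ruleset in
# iptables-restore format. INPUT protects dom0 itself; FORWARD only
# admits bridged frames, so guests keep their own traffic and dom0
# does not act as a router. MGMT_NET is a constructed sample subnet.
MGMT_NET="${MGMT_NET:-192.0.2.0/24}"

dom0_ruleset() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# loopback and replies to connections dom0 opened itself
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
# new SSH sessions to dom0 only from the management network
-A INPUT -p tcp --dport 22 -s ${MGMT_NET} -m state --state NEW -j ACCEPT
# everything else aimed at dom0 is rejected
-A INPUT -j REJECT --reject-with icmp-host-prohibited
# bridged guest frames pass FORWARD untouched; routed traffic does not
-A FORWARD -m physdev --physdev-is-bridged -j ACCEPT
COMMIT
EOF
}

apply_dom0_ruleset() {
    # dry run by default; pass --apply (as root) to load the rules
    if [ "$1" = "--apply" ]; then
        dom0_ruleset | iptables-restore
    else
        dom0_ruleset
    fi
}

apply_dom0_ruleset "$@"
```

With physdev matching in FORWARD rather than INPUT, a port scan against dom0's own address now hits the INPUT REJECT rule while scans against guest addresses still reach the guests' own firewalls.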