xen-users
Re: [Xen-users] Filtering traffic to Xen guest machines
Hi Javier,
On Fri, Feb 08, 2008 at 12:34:40AM +0100, javier.prieto.ext@xxxxxxxxxxxxxxxxxxx wrote:
> The point is that ebtables doesn't have an option to check for SYN headers, so
> I can't check if a package is trying to establish a new communication or not.
ebtables works at layer 2 and knows nothing of TCP header details
like SYN.
> I can do it with IPtables, but it doesn't work as I'm trying to filter traffic
> within a bridge.
>
> Can anybody please give me some advice? Thanks in advance, and sorry for my
> bad English :)
iptables will see bridged traffic on the FORWARD table if
/proc/sys/net/bridge/bridge-nf-call-iptables is set to 1. You can
match which interface on the bridge it comes from / goes via with
--physdev.
Or you can use routed networking and use iptables in the more
usual fashion.
If sticking with a bridged network you'll also want to take steps to
prevent ARP poisoning and MAC spoofing, by either using appropriate
ebtables rules or using VLANs, etc.
Cheers,
Andy
_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users
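The two halves of Andy's advice, as an added example that is not part of the original thread and not Xen project code: an iptables rule set that is reached by bridged frames once bridge-nf-call-iptables is on, uses --physdev to tell which vif a frame enters or leaves by, and uses --syn to match the connection-opening TCP segments that ebtables cannot see; and an ebtables rule set that pins the guest's vif to a single MAC and IP so that MAC spoofing and ARP poisoning never leave the guest. The bridge name xenbr0, the vif name vif1.0, the MAC 00:16:3e:00:00:01, the address 192.0.2.10, the allowed port 22 and the function names are all assumptions made for the example. The script only prints the commands unless run as root with APPLY=1.

```shell
#!/bin/sh
# Added example, not code from the original thread or from Xen.
# Generates iptables rules (via bridge-nf-call-iptables and --physdev, so
# --syn can match new TCP connections, which ebtables cannot) plus ebtables
# rules that pin one guest vif to one MAC and one IP.
# Hypothetical values: guest vif vif1.0, MAC 00:16:3e:00:00:01,
# IP 192.0.2.10, inbound TCP port 22 allowed. Without APPLY=1 the
# script only prints the commands it would run.

# Kernel side: without this sysctl bridged frames never traverse the
# iptables FORWARD chain. On Linux 3.18 and later the br_netfilter module
# must be loaded before the /proc entry exists.
bridge_nf_rules() {
    echo "modprobe br_netfilter 2>/dev/null || true"
    echo "echo 1 > /proc/sys/net/bridge/bridge-nf-call-iptables"
}

# iptables rules for one guest: $1=vif $3=guest IP $4=allowed TCP port
# ($2, the MAC, is only needed by the ebtables half below).
# --physdev-in / --physdev-out give the direction across the bridge;
# --syn is shorthand for --tcp-flags SYN,RST,ACK,FIN SYN, i.e. a
# segment that opens a new connection.
guest_iptables_rules() {
    vif=$1; ip=$3; port=$4
    phys="-m physdev --physdev-is-bridged"
    # Traffic leaving the guest must carry the guest's own source address.
    echo "iptables -A FORWARD $phys --physdev-in $vif -s $ip -j ACCEPT"
    echo "iptables -A FORWARD $phys --physdev-in $vif -j DROP"
    # Replies to connections the guest opened, or to allowed inbound ones.
    echo "iptables -A FORWARD $phys --physdev-out $vif -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    # New inbound TCP connections only on the allowed port; everything else dropped.
    echo "iptables -A FORWARD $phys --physdev-out $vif -d $ip -p tcp --syn --dport $port -j ACCEPT"
    echo "iptables -A FORWARD $phys --physdev-out $vif -j DROP"
}

# ebtables rules for the same guest: $1=vif $2=guest MAC $3=guest IP.
# Whitelist: correct source MAC, then IPv4 with the right source IP or ARP
# with the right sender MAC and IP, then drop the rest. ebtables ACCEPT only
# ends ebtables traversal; iptables still sees the IPv4 frames afterwards.
guest_ebtables_rules() {
    vif=$1; mac=$2; ip=$3
    echo "ebtables -A FORWARD -i $vif -s ! $mac -j DROP"
    echo "ebtables -A FORWARD -i $vif -p IPv4 --ip-source $ip -j ACCEPT"
    echo "ebtables -A FORWARD -i $vif -p ARP --arp-mac-src $mac --arp-ip-src $ip -j ACCEPT"
    echo "ebtables -A FORWARD -i $vif -j DROP"
}

# Full per-guest rule set (5 iptables + 4 ebtables commands).
guest_rules() {
    guest_iptables_rules "$@"
    guest_ebtables_rules "$@"
}

# Number of commands guest_rules emits for the given guest.
count_rules() {
    guest_rules "$@" | wc -l | tr -d ' '
}

if [ "${APPLY:-0}" = 1 ]; then
    { bridge_nf_rules; guest_rules vif1.0 00:16:3e:00:00:01 192.0.2.10 22; } | sh -e
else
    bridge_nf_rules
    guest_rules vif1.0 00:16:3e:00:00:01 192.0.2.10 22
fi
```

Run it once per guest with that guest's vif, MAC and IP; the order of the ebtables rules matters because the final per-vif DROP catches every frame the whitelist did not accept, and the iptables rules rely on the FORWARD policy or a later rule handling traffic for interfaces not named here. Note that the iptables --physdev-in rule only constrains IPv4 (ARP does not pass through bridge-nf-call-iptables), which is why the ARP checks live in ebtables.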