WARNING - OLD ARCHIVES

This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/
   
 
 
Xen 		  
Home Products Support Community News
 
   
 

xen-users

[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

[Xen-users] ebtables tying mac address to ip address problem

from [David] [Permanent Link][Original]
To: xen-users@xxxxxxxxxxxxxxxxxxx
Subject: [Xen-users] ebtables tying mac address to ip address problem
From: David <admin@xxxxxxxxxxx>
Date: Tue, 31 Mar 2009 19:20:40 +0100
Delivery-date: Tue, 31 Mar 2009 11:21:30 -0700
Envelope-to: www-data@xxxxxxxxxxxxxxxxxxx
List-help: <mailto:xen-users-request@lists.xensource.com?subject=help>
List-id: Xen user discussion <xen-users.lists.xensource.com>
List-post: <mailto:xen-users@lists.xensource.com>
List-subscribe: <http://lists.xensource.com/mailman/listinfo/xen-users>, <mailto:xen-users-request@lists.xensource.com?subject=subscribe>
List-unsubscribe: <http://lists.xensource.com/mailman/listinfo/xen-users>, <mailto:xen-users-request@lists.xensource.com?subject=unsubscribe>
Reply-to: admin@xxxxxxxxxxx
Sender: xen-users-bounces@xxxxxxxxxxxxxxxxxxx
Hi all.

I'm trying to tie mac addresses to IP addresses to stop ip and mac spoofing on my xen host running debian5.0 amd64. I've been trying to follow http://archive.netbsd.se/?ml=xen-users&a=2007-11&m=5776600

The DomU's network gets blocked both inward and outward.

I've patched my vif-bridge with the intructions on that page any they seem to be applied correctly.

The network is a simple 10.0.0.0 network with eth0(10.0.0.5) bridge with peth0 as the physical interface.

There are the commands I issued at the start

Paris:~# /sbin/ebtables -N eth0
Paris:~# /sbin/ebtables -A eth0 --log-level notice --log-prefix "eth0" --log-ip --log-arp -j DROP
Paris:~# /sbin/ebtables -A INPUT --logical-in eth0 -j eth0
Paris:~# /sbin/ebtables -A FORWARD --logical-in eth0 -j eth0
Paris:~# /sbin/ebtables -P INPUT DROP
Paris:~# /sbin/ebtables -P FORWARD DROP
Paris:~# brctl show
bridge name bridge id    STP enabled  interfaces
eth0    8000.001b24efefac no      peth0
Paris:~# ebtables --list
Bridge table: filter

Bridge chain: INPUT, entries: 2, policy: DROP
--logical-in eth0 -j eth0

Bridge chain: FORWARD, entries: 2, policy: DROP
--logical-in eth0 -j eth0

Bridge chain: OUTPUT, entries: 0, policy: ACCEPT

Bridge chain: eth0, entries: 1, policy: ACCEPT
--log-level notice --log-prefix "eth0" --log-ip --log-arp -j DROP

#####################################################################

Now i'll start my DomU

Using config file "/xen/dmarkey/intrepid/intrepid".
Started domain intrepid


Now the rules after i start the domain:


Paris:~# ebtables --list
Bridge table: filter

Bridge chain: INPUT, entries: 2, policy: DROP
--logical-in eth0 -j eth0

Bridge chain: FORWARD, entries: 2, policy: DROP
--logical-in eth0 -j eth0

Bridge chain: OUTPUT, entries: 0, policy: ACCEPT

Bridge chain: eth0, entries: 2, policy: ACCEPT
-i vif8.0 -j vif8.0
--log-level notice --log-prefix "eth0" --log-ip --log-arp -j DROP

Bridge chain: vif8.0, entries: 3, policy: ACCEPT
-p IPv4 -s 0:16:3e:c:8f:80 --ip-src 10.0.0.254 -j ACCEPT
-p ARP -s 0:16:3e:c:8f:80 --arp-ip-src 10.0.0.254 --arp-mac-src 0:16:3e:c:8f:80 -j ACCEPT
--log-level notice --log-prefix "vif8.0" --log-ip --log-arp -j DROP


#################################################################################

Log:

[19267.149206] eth0 IN=peth0 OUT=vif8.0 MAC source = 00:e0:81:71:9b:01 MAC dest = 00:16:3e:0c:8f:80 proto = 0x0806 ARP HTYPE=1, PTYPE=0x0800, OPCODE=2 ARP MAC SRC="" ARP IP SRC="" ARP MAC DST=00:16:3e:0c:8f:80  ARP IP DST=10.0.0.254


Anyone any idea what i'm going wrong here? Are those instructions out of date? Sorry im new to ebtables.


Thanks.

David








_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users
[More with this subject...]
<Prev in Thread] Current Thread [Next in Thread>
  • [Xen-users] ebtables tying mac address to ip address problem, David <=
Previous by Date:  Re: AW: [Xen-users] DomU freezes during boot, Thomas Goirand
Next by Date:  Re: [Xen-users] live migration with Xen, Luke S Crawford
Previous by Thread:  [Xen-users] Access control for the xm command, Martti Kuparinen
Next by Thread:  [Xen-users] ebtables tying mac to ip problem, David
Indexes:  [Date] [Thread] [Top] [All Lists]
 
   

Copyright , Citrix Systems Inc. All rights reserved. Legal and Privacy