Re: [Xen-users] Xen 3.4.2 networking help
I'm not sure what, if anything, is done by setting an IP in the DomU
config ! I vaguely recall that there is a mechanism for a PV guest to
get this and use it when configuring the network.
Correct. For the most part, it does nothing of much importance
I'm not sure what you mean by this? On my Xen nodes, I have 2 NICs. NIC1
is connected to a public bridge (which has no IP assigned) which all the
DomUs are connected to. I use ebtables and iptables to make sure that no
traffic from NIC1 can get onto the INPUT chain of the Dom0. NIC2 is
connected to a private bridge which my Dom0 has an ip assigned to it. I
also have some private DomUs connected to this bridge.
What you will need to do is configure iptables and/or ebtables (which
I haven't personally used) to limit what traffic is permitted from
each DomU. Ideally you want to restrict traffic both by source IP
address and by source MAC address - have you seen what happens when a
device uses a MAC address that's already in use ?
The biggest issue with iptables and bridging is that you cannot
restrict traffic which is outbound from the machine with the bridge
(ie your Dom0) - you can restrict/control all inbound and forwarded
Unfortunately, to do this will mean running iptables/ebtables scripts
each time you start a guest and it's new VIFs are configured. I'm not
aware of any pre-existing scripts to do this.
I have made scripts to do this on my setup. It's very each. You have to
create a new vif-bridge file for each DomU in /etc/xen/scripts
(vif-bridge-x) and set the DomU config to use the respective file. Then
in each vif-bridge-x file, comment out "handle_iptable" and call another
script (iptables-up-x and iptables-down-x) which runs the correct
iptables commands. You could also put the iptables calls directly in the
vif-bridge-x file, however i keep them separate just to keep things
neat. It also means I can call my iptables-up-x and iptables-down-x
scripts without rebooting the DomU. I have also give each DomU an
incoming chain and outgoing chain, meaning I can add rules easily which
only apply to each DomU. I make heavy use of physdev.
If you use my iptables scripts idea above, you can put rules in there to
restrict inter-DomU communication.
There is a third way, and that is to have a monitoring script that
detects a machine using an address it's not assigned - and to shut it
down. Having your host shut down from under you is likely to get your
attention and teach you not to do it again !
I'm not sure why you need to restrict IP traffic between guests. While
it's unlikely, one guest may have need of contact with another, just
as it will almost certainly have need of contact with other hosts on
the internet. Unless you are running an external firewall to protect
them all (in which case the guest-guest traffic would be unprotected),
there's really no difference from them being separate hosts on the big
bad internet and each should be configured with it's own firewall.
Xen-users mailing list