Re: [Xen-users] Xen 3.4.2 networking help
Jonathan Tripathy wrote:
The biggest issue with iptables and bridging is that you cannot
restrict traffic which is outbound from the machine with the bridge
(i.e. your Dom0) - you can restrict/control all inbound and forwarded

I'm not sure what you mean by this? On my Xen nodes, I have 2 NICs.
NIC1 is connected to a public bridge (which has no IP assigned)
which all the DomUs are connected to. I use ebtables and iptables to
make sure that no traffic from NIC1 can get onto the INPUT chain of
the Dom0. NIC2 is connected to a private bridge which my Dom0 has an
IP assigned to it. I also have some private DomUs connected to this

When a bridge is involved, there is a problem with physdev match (if
I recall correctly) which means that outbound traffic on the firewall
machine cannot be filtered because of the sequence in which the net
stack does operations. The practical result is that you cannot apply
rules filtering traffic which originates on the firewall and leaves
via a bridge interface. I vaguely recall it's to do with the
matching/filtering happening before the outbound interface is
determined - and that in turn is related to requirements for handling
VPN traffic. You can still filter inbound traffic, and you can still
forward transiting traffic - it's only outbound traffic that
originates on the firewall that is a problem.
That is my understanding from following the Shorewall list for some time.

Unfortunately, to do this will mean running iptables/ebtables
scripts each time you start a guest and its new VIFs are
configured. I'm not aware of any pre-existing scripts to do this.

I have made scripts to do this on my setup. It's very easy. You have
to create a new vif-bridge file for each DomU in /etc/xen/scripts
(vif-bridge-x) and set the DomU config to use the respective file.
Then in each vif-bridge-x file, comment out "handle_iptable" and
call another script (iptables-up-x and iptables-down-x) which runs
the correct iptables commands. You could also put the iptables calls
directly in the vif-bridge-x file, however I keep them separate just
to keep things neat. It also means I can call my iptables-up-x and
iptables-down-x scripts without rebooting the DomU. I have also given
each DomU an incoming chain and outgoing chain, meaning I can add
rules easily which only apply to each DomU. I make heavy use of

I don't have a need for this myself at the moment. It might well be
useful to others if you could upload examples to the Wiki - IIRC this
question has come up several times in various forms.
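One concrete shape for the per-DomU incoming/outgoing chains Jonathan describes, hooked into FORWARD with physdev match so they only see frames crossing the bridge. This is an added example, not his scripts; the DOMU_<name>_IN/OUT chain names, the vif name and the IPT override for dry runs are assumptions.

```shell
#!/bin/sh
# Per-DomU firewall chains hooked into FORWARD via physdev match.
# Constructed example, not the poster's scripts. Assumptions: chain names
# DOMU_<name>_IN/OUT, one vif per DomU, and IPT may be overridden
# (IPT=echo) to print the rules instead of applying them.
IPT="${IPT:-iptables}"

# domu_fw_up <name> <vif> [tcp-port ...]
# DOMU_<name>_IN  sees frames entering the bridge from the vif (DomU -> world)
# DOMU_<name>_OUT sees frames leaving the bridge towards the vif (world -> DomU)
domu_fw_up() {
    name=$1; vif=$2; shift 2
    in_chain="DOMU_${name}_IN"; out_chain="DOMU_${name}_OUT"
    $IPT -N "$in_chain" || return 1
    $IPT -N "$out_chain" || return 1
    # physdev match only covers bridged/forwarded frames; traffic that
    # originates on Dom0 itself is not seen here (the limitation discussed above).
    $IPT -I FORWARD -m physdev --physdev-is-bridged --physdev-in "$vif" -j "$in_chain"
    $IPT -I FORWARD -m physdev --physdev-is-bridged --physdev-out "$vif" -j "$out_chain"
    # Towards the DomU: replies to its own connections plus the listed TCP ports.
    $IPT -A "$out_chain" -m state --state ESTABLISHED,RELATED -j ACCEPT
    for port in "$@"; do
        $IPT -A "$out_chain" -p tcp --dport "$port" -j ACCEPT
    done
    $IPT -A "$out_chain" -j DROP
    # From the DomU: allow all by default; per-DomU restrictions go in this chain.
    $IPT -A "$in_chain" -j ACCEPT
}

# domu_fw_down <name> <vif>: unhook from FORWARD, then flush and delete the chains.
domu_fw_down() {
    name=$1; vif=$2
    in_chain="DOMU_${name}_IN"; out_chain="DOMU_${name}_OUT"
    $IPT -D FORWARD -m physdev --physdev-is-bridged --physdev-in "$vif" -j "$in_chain"
    $IPT -D FORWARD -m physdev --physdev-is-bridged --physdev-out "$vif" -j "$out_chain"
    $IPT -F "$in_chain" && $IPT -F "$out_chain"
    $IPT -X "$in_chain" && $IPT -X "$out_chain"
}

# Usage from a vif-bridge-<x> script in place of handle_iptable:
#   iptables-up-web:   domu_fw_up   web vif1.0 22 80
#   iptables-down-web: domu_fw_down web vif1.0
```

Run with IPT=echo first to review the generated rules before applying them as root.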