[Gllug] Logging in iptables and Debian install woes

Richard Jones rich at annexia.org
Fri Apr 28 11:18:33 UTC 2006


On Fri, Apr 28, 2006 at 11:55:38AM +0100, Tet wrote:
> OK, so iptables sucks. But until I get off my arse and finish my
> firewalling project, it's all I've got to work with for now. However,
> can anyone shed some light on how to get information out about what
> it's doing at any given point?
> 
> I've installed Xen. Which has screwed around with my networking in
> various unpleasant ways. I can understand what it does for virtual
> machines. But I can't really see the need to mess around with the way
> dom0 talks to the outside world. But it does. The most obvious symptom
> of this is that packets no longer go via the OUTPUT chain. At least,
> not directly. They go via the FORWARD chain too (or instead of?).

I don't know if this is useful for you.  It doesn't unfortunately
actually trace packets through the chains, but it does annotate rules
you've already added, by adding logging to each existing rule:

https://lists.netfilter.org/pipermail/netfilter/2003-March/043088.html

In general we found Xen 3's network configuration to be completely
opaque.  However now we've set it up, it does work, I'm just afraid to
do anything to it.

Biggest gotcha was a bug in Xen 3.0.1 which caused TCP checksums from
domUs to be miscomputed.  Bug & workaround:

http://bugzilla.xensource.com/bugzilla/show_bug.cgi?id=495

Attached is our Xen network and firewall configuration, in case it is
helpful to you.  The firewall isn't particularly secure.

> Problem 2:
> 
> Ye gods, Debian sucks when it comes to the installer! I haven't tried
> installing Debian in anger for some years, and was shocked at how
> primitive it feels compared to the slick installers found in other
> distributions. I was trying to install Etch on amd64. Can anyone shed
> any light on how I'm meant to get the thing installed onto LVM over
> RAID1?

We have a hardware RAID-1 card here.  It seems that grub can't boot
from LVM, and it looked like it was going to be a big pain to build a
Xen-enabled kernel with root partition on LVM, so our partition set up
is:

/dev/sda1   /boot   221 MB     # for dom0
/dev/sda2   /       3.7 GB     # for dom0
/dev/sda3   swap    2 GB       # for dom0
/dev/sda4   <LVM>   all the rest of the first pair of disks
/dev/sdb    <LVM>   second pair of physical disks

I set up /dev/sda4 and /dev/sdb with LVM after Debian had been
installed.  That's where all the domUs live.

Rich.

----------------------------------------------------------------------
Xen network configuration:

(network-script network-nat)
(vif-script 'vif-nat dhcp=yes')


----------------------------------------------------------------------
Firewall:

#!/bin/sh -
# Firewall configuration

# Where can people ssh from?
ssh_from="12.3.4.5/255.255.255.0"
postgres_from="12.3.4.5/255.255.255.0"

# List of vm IP addresses (they are all 10.0.1.xx).
vms="2 3 4 5 6 7 8 9 10 11 12"

# Delete any old rules.
# But DON'T delete any forwarding rules or any rules in nat/POSTROUTING
# (they are added by Xen).
iptables --flush INPUT
iptables --flush OUTPUT
iptables -t nat --flush PREROUTING
iptables --delete-chain

# Set policies to accept - we're going to drop only packets on eth0.
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT

# Allow incoming connections on eth0 if related to outgoing connections.
iptables -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT

# On eth0, deny any input except from known ports.
for ip in $ssh_from; do
  iptables -A INPUT -i eth0 -p tcp --dport ssh -s $ip -j ACCEPT
  for vm in $vms; do
    port=$((9020+$vm))
    iptables -A INPUT -i eth0 -p tcp --dport $port -s $ip -j ACCEPT
  done
done
for ip in $postgres_from; do
  iptables -A INPUT -i eth0 -p tcp --dport 5432 -s $ip -j ACCEPT
done
iptables -A INPUT -i eth0 -p tcp --dport smtp -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --dport www -j ACCEPT
iptables -A INPUT -i eth0 -p udp --sport domain --dport domain -j ACCEPT
iptables -A INPUT -i eth0 -p icmp -j ACCEPT
iptables -A INPUT -i eth0 -j LOG
iptables -A INPUT -i eth0 -j DROP

# Port forwarding to internal VMs.
# (DNAT'd packets are routed on to the VM and pass through FORWARD, not INPUT.)
iptables -t nat -A PREROUTING -p tcp -i eth0 --dport 5432 -j DNAT --to 10.0.1.2
iptables -t nat -A PREROUTING -p tcp -i eth0 --dport 25   -j DNAT --to 10.0.1.4

# Port forwarding to internal ssh ports.
for ip in $ssh_from; do
  for vm in $vms; do
    port=$((9020+$vm))
    iptables -t nat -A PREROUTING -p tcp -i eth0 -s $ip --dport $port -j DNAT --to 10.0.1.$vm:22
  done
done


----------------------------------------------------------------------

-- 
Richard Jones, CTO Merjis Ltd.
Merjis - web marketing and technology - http://merjis.com
Team Notepad - intranets and extranets for business - http://team-notepad.com
-- 
Gllug mailing list  -  Gllug at gllug.org.uk
http://lists.gllug.org.uk/mailman/listinfo/gllug
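Added example (not part of Rich's mail, and not the script linked from the
netfilter list): a small POSIX shell/awk filter that does the same kind of
annotation offline. It reads an iptables-save style ruleset and writes it back
out with a LOG rule in front of every rule, carrying the same match and a
--log-prefix of "<table>:<chain>:<n> ", so syslog shows which rule a packet was
about to hit. The function names annotate_ruleset and sample_ruleset are this
example's own, and the sample ruleset is constructed (modelled on the attached
firewall, not dumped from a real host).

```shell
#!/bin/sh
# Added example (not from the mail above, and not the script linked from
# the netfilter list): annotate an iptables-save style ruleset so that every
# rule is preceded by a LOG rule carrying the same match, with a prefix
# "<table>:<chain>:<n> " giving the rule's position in the ORIGINAL ruleset.
# Reading the prefixes out of syslog then shows which rule a packet reached.
#
# Usage on a real box (review the annotated set before loading it):
#   iptables-save | annotate_ruleset > /tmp/annotated.rules
#   iptables-restore < /tmp/annotated.rules
# Function and sample names are this example's own, not iptables terms.

annotate_ruleset() {
  awk '
    # "*filter", "*nat", ...: remember the table we are in.
    /^\*/ { table = substr($0, 2) }

    # One rule per "-A <chain> ..." line; count rules per chain.
    /^-A / {
      chain = $2
      n[chain]++
      # Do not double-log rules that already are LOG rules.
      if ($0 !~ / -j LOG( |$)/) {
        spec = $0
        # Keep only the match part: drop the target (-j/-g) and its options.
        sub(/ -[jg] .*$/, "", spec)
        # iptables limits --log-prefix to 29 characters, hence %.29s.
        prefix = sprintf("%s:%s:%d ", table, chain, n[chain])
        printf "%s -j LOG --log-prefix \"%.29s\"\n", spec, prefix
      }
    }

    # Every original line (rules, chain declarations, COMMIT) passes through.
    { print }
  '
}

# Constructed sample ruleset in iptables-save format, modelled on the
# firewall attached above (not a dump from any real host).
sample_ruleset() {
  cat <<'EOF'
*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -i eth0 -p tcp --dport 5432 -j DNAT --to-destination 10.0.1.2
COMMIT
*filter
:INPUT ACCEPT [0:0]
-A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT
-A INPUT -i eth0 -j LOG
-A INPUT -i eth0 -j DROP
COMMIT
EOF
}
```

The prefix numbers refer to the rule's position in the ruleset as it was
before annotation, which is what "iptables -L <chain> --line-numbers" showed
on the unannotated box; once the annotated set is loaded the live numbering
doubles up, so match on the prefix text, not on live line numbers. Like the
linked script this only reports on rules you already have. Kernels with the
raw table also offer "iptables -t raw -A PREROUTING -j TRACE", which does walk
a packet through every chain and rule and logs each step, which directly
answers the "which chain did it go through" question (FORWARD vs OUTPUT)
raised at the top of the thread.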



