[Gllug] Xen and iptables problem

Bruce Richardson itsbruce at workshy.org
Fri Jan 5 15:50:13 UTC 2007


On Fri, Jan 05, 2007 at 03:11:07PM +0000, Daniel wrote:
> It depends how much you trust your DomU domains. You may well want to
> restrict what networks a particular DomU can route to - the most
> secure place to do this is in the host Dom0's iptables.

If Dom0 has no ip address on the bridges in question (and really, to be
secure, it should not) then routing isn't really the issue.  At that
point, you're using iptables or ebtables to sample and filter packets
quite arbitrarily.

I prefer to do that by inserting invisible firewalling bridges into the
network, and implement those within a domU.  It eats a bit more memory
on the physical host, since each extra domain has the ram and disk
overhead of a separate OS instance, but it makes the separation of
responsibilities much more clearly defined.

So I might have the real ethernet card that is connected to the
Internet-facing router on one bridge in dom0 and have another dom0
bridge to which the web-service domains are attached.  Then I'd create
another domU domain to be an invisible firewall, give it those two
bridges for interfaces and have it bridge between them (this works as
well as if there really were two physical interfaces for it to bridge).
dom0 would have no interfaces configured on either bridge and no direct
route to the internet or the web-services network (nor any ip address or
any other visibility).  A variation on this would be to delegate the
Net-facing physical network card to the bridging domain.  Either way, it
has the added advantage that if I kill the bridging domU, I cut off all
communication between the web servers and the Net.


-- 
Bruce

Remember you're a Womble.
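The following is an added worked example illustrating the layout Bruce describes above; it is not part of his post. The bridge names (xenbr-ext, xenbr-web), the firewall domU name (fwbridge), the physical NIC (eth0), the web-server subnet (10.0.0.0/24), the kernel/disk paths in the domU config and the bridge-nf sysctl path are all assumptions for illustration. The functions only emit the commands and config to be applied; the one that actually runs anywhere is the check that dom0 holds no address on the bridges, which reads `ip -o addr show` output so it can be exercised on constructed input.

```shell
#!/bin/sh
# Added example, not from the original post. Assumed names throughout:
# dom0 bridges xenbr-ext (Internet side) and xenbr-web (web servers),
# firewall domU "fwbridge" with eth0 on xenbr-ext and eth1 on xenbr-web,
# web-server subnet 10.0.0.0/24, physical NIC eth0.

# Dom0 side: two bridges, the Internet-facing NIC enslaved to one of them,
# and deliberately no IP address on the NIC or on either bridge.
dom0_bridges() {
  ext_if=${1:-eth0}
  cat <<EOF
brctl addbr xenbr-ext
brctl addbr xenbr-web
brctl addif xenbr-ext $ext_if
ip addr flush dev $ext_if
ip link set $ext_if up
ip link set xenbr-ext up
ip link set xenbr-web up
EOF
}

# Verify that dom0 has no address on the named bridges. Reads the output of
# "ip -o addr show" on stdin (fields: index, ifname, family, address), prints
# any offending address and returns 1; returns 0 when the bridges are clean.
# A link-local inet6 address counts as a hit: disable IPv6 on the bridge too.
check_no_dom0_addr() {
  awk -v list="$*" '
    BEGIN { n = split(list, want, " "); for (i = 1; i <= n; i++) bad[want[i]] = 1 }
    ($2 in bad) && ($3 == "inet" || $3 == "inet6") {
      print "dom0 has", $3, $4, "on", $2; fail = 1
    }
    END { exit fail }'
}

# Xen domU config (xm-era Python-style file) for the invisible firewall:
# two vifs, one on each bridge; they appear inside the domU as eth0 and eth1
# in this order. Kernel and disk paths are assumed.
fw_domu_config() {
  name=${1:-fwbridge}
  cat <<EOF
name = "$name"
memory = 64
kernel = "/boot/vmlinuz-2.6-xen"
root = "/dev/sda1 ro"
disk = ['phy:/dev/vg0/$name,sda1,w']
vif = ['bridge=xenbr-ext', 'bridge=xenbr-web']
EOF
}

# Commands to run inside the firewall domU: bridge eth0 and eth1 with no IP
# address of its own, pass bridged frames through iptables FORWARD (bridge-nf,
# path assumed), and allow only new HTTP/HTTPS from the Internet side to the
# web subnet plus replies. ebtables drops anything that is not IPv4 or ARP.
fw_domu_rules() {
  web_net=${1:-10.0.0.0/24}
  cat <<EOF
brctl addbr br0
brctl addif br0 eth0
brctl addif br0 eth1
ip link set eth0 up
ip link set eth1 up
ip link set br0 up
echo 1 > /proc/sys/net/bridge/bridge-nf-call-iptables
ebtables -P FORWARD DROP
ebtables -A FORWARD -p IPv4 -j ACCEPT
ebtables -A FORWARD -p ARP -j ACCEPT
iptables -P FORWARD DROP
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m physdev --physdev-in eth0 --physdev-out eth1 -d $web_net -p tcp -m multiport --dports 80,443 -m state --state NEW -j ACCEPT
EOF
}
```

Usage on the host would be `dom0_bridges eth0 | sh` followed by `ip -o addr show | check_no_dom0_addr xenbr-ext xenbr-web`, then `fw_domu_config fwbridge > /etc/xen/fwbridge` and `xm create fwbridge`; `fw_domu_rules 10.0.0.0/24` is what the firewall domU runs at boot. Because every path between the two bridges goes through fwbridge, `xm destroy fwbridge` is the cut-off switch the post mentions. Note that the web servers get no new outbound connections under these rules; add explicit `--physdev-in eth1 --physdev-out eth0` entries for anything they legitimately need (DNS, package updates).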
-- 
Gllug mailing list  -  Gllug at gllug.org.uk
http://lists.gllug.org.uk/mailman/listinfo/gllug