[Gllug] Xen and iptables problem

Daniel P. Berrange dan at berrange.com
Fri Jan 5 15:11:07 UTC 2007


On Fri, Jan 05, 2007 at 01:38:47PM +0000, Bruce Richardson wrote:
> On Fri, Jan 05, 2007 at 12:10:19PM +0000, - wrote:
> > For those unfamiliar with Xen, it makes networking insanely (and
> > unnecessarily) complicated, which is why it's hitting both the FORWARD
> > and INPUT/OUTPUT chains. See
> > http://wiki.xensource.com/xenwiki/XenNetworking for more details.
> 
> It isn't insanely complicated if you treat dom0 purely as an
> administrative domain and do any firewalling from within user domains.
> That not only simplifies things, it makes it more secure.  Yes, Xen uses
> bridges to organise its networking but these are presented
> to domU as simple ethernet interfaces, so if you do your iptables work
> in there then you never need to worry about packets taking strange paths
> through the netfilter tables.  Unless, of course, you explicitly decide
> to make life complicated for yourself (e.g. putting in firewalling
> bridges).

It depends how much you trust your DomU domains. You may well want to
restrict what networks a particular DomU can route to - the most
secure place to do this is in the host Dom0's iptables. Actually you
may also want to consider ebtables to filter at the ethernet level
based on the MAC address of the DomU.

BTW, for iptables be aware that

 net.bridge.bridge-nf-call-arptables
 net.bridge.bridge-nf-call-ip6tables
 net.bridge.bridge-nf-call-iptables

sysctl settings will dramatically affect the route packets from your
DomUs take through the iptables stack - depending on your needs you
may want to investigate toggling some of these settings. There's a
big set of diagrams explaining the routing on the ebtables website.

Regards,
Dan.
-- 
|=-            GPG key: http://www.berrange.com/~dan/gpgkey.txt       -=|
|=-       Perl modules: http://search.cpan.org/~danberr/              -=|
|=-           Projects: http://freshmeat.net/~danielpb/               -=|
|=-   berrange at redhat.com  -  Daniel Berrange  -  dan at berrange.com    -=|
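The Dom0-side setup Dan describes, as an added example that is not part of the original thread or of Xen's own tooling: enable the bridge-nf sysctls so bridged DomU traffic traverses the iptables FORWARD chain, restrict one DomU to a single network by matching its backend vif with the physdev match, and use ebtables to pin that vif to the DomU's MAC so it cannot spoof another guest. The vif name vif1.0, bridge xenbr0, MAC 00:16:3e:00:00:01 and the 10.0.1.0/24 network are assumed values, not taken from the post. The script prints the commands by default (DRY_RUN=1); run it as root with DRY_RUN=0 to apply them. On current kernels the bridge-nf sysctls only exist once the br_netfilter module is loaded, and with bridge-nf-call-iptables=0 only ebtables ever sees the bridged packets.

```shell
#!/bin/sh
# Added example, not from the original post. Assumed (hypothetical) values:
# DomU backend interface vif1.0 on bridge xenbr0, guest MAC 00:16:3e:00:00:01,
# guest allowed to reach 10.0.1.0/24 only.

# Print a command (DRY_RUN=1, the default) or execute it (DRY_RUN=0).
run() {
    if [ "${DRY_RUN:-1}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Make bridged frames pass through iptables/ip6tables/arptables in Dom0.
# Without bridge-nf-call-iptables=1 DomU traffic on the bridge never reaches
# the FORWARD chain and the iptables rules below match nothing.
bridge_nf_enable() {
    run modprobe br_netfilter
    run sysctl -w net.bridge.bridge-nf-call-iptables=1
    run sysctl -w net.bridge.bridge-nf-call-ip6tables=1
    run sysctl -w net.bridge.bridge-nf-call-arptables=1
}

# Restrict what a DomU can route to, keyed on the bridge port it enters from.
# Replies to connections made to the DomU are allowed by the conntrack rule;
# everything else it originates outside the allowed network is dropped.
domu_iptables_rules() {
    vif=$1
    net=$2
    run iptables -A FORWARD -m physdev --physdev-in "$vif" \
        -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    run iptables -A FORWARD -m physdev --physdev-in "$vif" -d "$net" -j ACCEPT
    run iptables -A FORWARD -m physdev --physdev-in "$vif" -j DROP
}

# Ethernet-level filter: drop frames entering from the DomU's vif whose source
# MAC is not the one assigned to that DomU (anti-spoofing between guests).
domu_ebtables_rules() {
    vif=$1
    mac=$2
    run ebtables -A FORWARD -i "$vif" -s ! "$mac" -j DROP
}

# Usage: prints the rule set for the assumed DomU.
bridge_nf_enable
domu_iptables_rules vif1.0 10.0.1.0/24
domu_ebtables_rules vif1.0 00:16:3e:00:00:01
```

The physdev match is what ties a FORWARD rule to a particular bridge port, which is the only reliable way to tell DomUs apart once their traffic is bridged in Dom0; matching on the guest's IP address alone is defeated by the guest changing it, which is why the ebtables MAC rule sits underneath.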