[CentOS-virt] firewall best practice on dom-0

Kai Schaetzl maillists at conactive.com
Sun Jul 20 13:31:18 UTC 2008

Tim Verhoeven wrote on Thu, 17 Jul 2008 10:15:49 +0200:

> For restricting traffic at the dom0 level I use ebtables (it's like
> iptables but on a bridge level). It allows you to to basic filtering
> between the real interfaces (from the dom0) and virtual interfaces
> (from the domU's). This off course works because Xen is using bridges
> to link the real interfaces with the virtual ones.

Thanks for the answer :-) I know of ebtables, but not too much. As I 
understand it I don't really need it if I run iptables on both host and 
guests. What I'm wondering about is that xend  adds a forwarding rule each 
time a dom-U is started. Like this:

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            PHYSDEV match 
--physdev-in vif1.0
ACCEPT     all  --  anywhere             anywhere            PHYSDEV match 
--physdev-in vif2.0
ACCEPT     all  --  anywhere             anywhere            PHYSDEV match 
--physdev-in vif3.0

However, if I flush that chain I do not see any difference, networking for 
the dom-U works like before.
And, on the other hand, if I attempt to flush all chains with the 
exception of this single chain (to keep it like Xen wanted it to be, just 
to be sure) I get an error "too many links" or so. Which means if I want 
to establish my own rules and make sure that all old rules get reset - 
with the exception of the forward chain - I can't. At least I haven't 
found another way to achieve that. Is there?


Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com

More information about the CentOS-virt mailing list