[CentOS-virt] firewall best practice on dom-0
Kai Schaetzl
maillists at conactive.com
Sun Jul 20 13:31:18 UTC 2008

Tim Verhoeven wrote on Thu, 17 Jul 2008 10:15:49 +0200:
> For restricting traffic at the dom0 level I use ebtables (it's like
> iptables but on a bridge level). It allows you to do basic filtering
> between the real interfaces (from the dom0) and virtual interfaces
> (from the domU's). This of course works because Xen is using bridges
> to link the real interfaces with the virtual ones.
Thanks for the answer :-) I know of ebtables, but not too much. As I 
understand it, I don't really need it if I run iptables on both host and 
guests. What I'm wondering about is that xend adds a forwarding rule each 
time a dom-U is started. Like this:
Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            PHYSDEV match --physdev-in vif1.0
ACCEPT     all  --  anywhere             anywhere            PHYSDEV match --physdev-in vif2.0
ACCEPT     all  --  anywhere             anywhere            PHYSDEV match --physdev-in vif3.0
However, if I flush that chain I do not see any difference: networking for 
the dom-U works like before.
And, on the other hand, if I attempt to flush all chains with the 
exception of this single chain (to keep it like Xen wanted it to be, just 
to be sure) I get an error "too many links" or so, which means that if I 
want to establish my own rules and make sure that all old rules get reset 
- with the exception of the forward chain - I can't. At least I haven't 
found another way to achieve that. Is there?
Kai
-- 
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com
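Added example (not from the original thread, from xend or from the CentOS init scripts): one way to reset the filter table while keeping the FORWARD rules that xend added is to filter the output of iptables-save and feed the result to iptables-restore, which replaces only the tables named in its input. The iptables-save dump below is constructed for the demo; the chain name RH-Firewall-1-INPUT, the vif names and the helper function names are assumptions, not anything from the dom-0 in the thread. The second approach at the end flushes INPUT and OUTPUT by name and only then deletes user-defined chains: iptables -X refuses with "iptables: Too many links." while any rule still jumps to the chain, so every user chain is flushed before any is deleted.

```shell
#!/bin/sh
# Added example, not code from the original post or from xend. It assumes
# iptables-save, iptables-restore and awk are present; the dump below is a
# constructed iptables-save sample, not a capture from a real dom-0.

# Constructed sample: a nat table plus a filter table with a CentOS-style
# user chain (RH-Firewall-1-INPUT, assumed) and the three physdev rules
# xend adds, one per vif.
SAMPLE_SAVE='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -s 192.168.1.0/24 -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -m physdev --physdev-in vif1.0 -j ACCEPT
-A FORWARD -m physdev --physdev-in vif2.0 -j ACCEPT
-A FORWARD -m physdev --physdev-in vif3.0 -j ACCEPT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp --dport 22 -j ACCEPT
COMMIT'

# keep_forward_rules: iptables-save text on stdin -> iptables-restore text on
# stdout. Only the filter table is emitted (so iptables-restore leaves nat and
# mangle alone). Every chain declaration is kept, so any chain a FORWARD rule
# jumps to still exists; only the "-A FORWARD" rules survive; the INPUT and
# OUTPUT policies are reset to ACCEPT so that wiping their rules cannot lock
# you out of the dom-0 (re-apply your own policy after your rules are back).
keep_forward_rules() {
    awk '
        /^\*/               { f = ($0 == "*filter"); if (f) print; next }
        !f                  { next }
        /^:(INPUT|OUTPUT) / { print $1 " ACCEPT [0:0]"; next }
        /^:/                { print; next }
        /^-A FORWARD /      { print; next }
        /^COMMIT$/          { print; f = 0; next }
    '
}

# user_chains: names of the user-defined chains in the filter table, read
# from iptables-save text on stdin (works with iptables versions without -S).
user_chains() {
    awk '
        /^\*/ { f = ($0 == "*filter"); next }
        f && /^:/ {
            name = substr($1, 2)
            if (name != "INPUT" && name != "FORWARD" && name != "OUTPUT") print name
        }
    '
}

# Approach 1 (needs root): rebuild the filter table from the filtered dump.
# The dump goes through a temp file so it can be inspected before applying.
reset_except_forward() {
    tmp=$(mktemp) || return 1
    iptables-save | keep_forward_rules > "$tmp" || { rm -f "$tmp"; return 1; }
    iptables-restore < "$tmp"
    rc=$?
    rm -f "$tmp"
    return $rc
}

# Approach 2 (needs root): no save/restore round trip. Flush the other
# built-in chains by name, flush every user chain, and only then delete the
# user chains. A chain that a kept FORWARD rule still jumps to is refused by
# -X with "Too many links", which is the safe outcome here.
flush_all_but_forward() {
    iptables -F INPUT || return 1
    iptables -F OUTPUT || return 1
    chains=$(iptables-save | user_chains)
    for c in $chains; do iptables -F "$c" || return 1; done
    for c in $chains; do iptables -X "$c"; done
}

# Dry run on the constructed sample: prints what iptables-restore would be fed.
printf '%s\n' "$SAMPLE_SAVE" | keep_forward_rules
```

Run as root and call reset_except_forward (or flush_all_but_forward); the dry run at the bottom only prints the restore text for the sample. FORWARD is a built-in chain, so it can never be deleted, only flushed; the physdev rules xend added are kept verbatim by the first approach and simply never touched by the second.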