Centos/RHEL/Fedora IPTables Firewalling in dom0/domU + dhclient

Bugzilla from mbest@pendragon.org
All dom0/domUs are Centos 4.2 but the RHEL and Fedora firewalls are
almost identical in base configuration.

dom0 was rebuilt to contain all the firewall modules required for Centos
4.2.  domU has no firewalling capability.

dom0 is on vif0.0 and domU here is on vif3.0

I suspect that if I move to static IP addresses this won't end up being
much of a problem, but it would be nice to add a couple more rules to
make dhcp work.  I want to eventually have at the very least "basic"
Centos firewall available on my dom0 and domU.

I modified vif-common.sh to allow network traffic in the FORWARD chain
with the default RH Firewall:

--- /etc/xen/scripts/vif-common.sh.orig  2005-11-28 21:11:03.000000000 -0700
+++ /etc/xen/scripts/vif-common.sh       2005-11-28 21:09:58.000000000 -0700
@@ -61,11 +61,13 @@
    else
      local c="-D"
    fi
+  -D FORWARD -j RH-Firewall-1-INPUT
    iptables "$c" FORWARD -m physdev --physdev-in "$vif" "$@" -j ACCEPT ||
      [ "$c" == "-D" ] ||
      log err \
       "iptables $c FORWARD -m physdev --physdev-in $vif $@ -j ACCEPT
failed.
  If you are using iptables, this may affect networking for guest domains."
+  -A FORWARD -j RH-Firewall-1-INPUT
  }
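Review bot: the two added lines `+  -D FORWARD -j RH-Firewall-1-INPUT` and `+  -A FORWARD -j RH-Firewall-1-INPUT` have no `iptables` in front of them, so as written the shell tries to execute programs named `-D` and `-A` and the jump rule is never moved; prefix both with `iptables` (and, to keep the `$c == "-D"` teardown path symmetric, only re-append the jump on the `-A` path). Note also that the surviving physdev rule only matches `--physdev-in "$vif"`, so traffic arriving on peth0 and bridged out to the vif (for example a DHCP server reply) still falls through to `RH-Firewall-1-INPUT`, which has no rule for UDP 67/68 and ends in REJECT; if DHCP across the bridge is the goal, a rule for that direction is needed as well.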

The firewall rules end up being:
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
RH-Firewall-1-INPUT  all  --  anywhere             anywhere

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            PHYSDEV match --physdev-in vif3.0
RH-Firewall-1-INPUT  all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain RH-Firewall-1-INPUT (2 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     icmp --  anywhere             anywhere            icmp any
ACCEPT     ipv6-crypt--  anywhere             anywhere
ACCEPT     ipv6-auth--  anywhere             anywhere
ACCEPT     udp  --  anywhere             224.0.0.251         udp dpt:5353
ACCEPT     udp  --  anywhere             anywhere            udp dpt:ipp
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh
LOG        all  --  anywhere             anywhere            LOG level warning
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited


Starting the dom0 dhclient results in this firewall log on dom0:
----
# dhclient eth0
Nov 29 21:08:37 xen-dom0 kernel: IN=xenbr0 OUT=xenbr0 PHYSIN=vif0.0 PHYSOUT=vif3.0 SRC=0.0.0.0 DST=255.255.255.255 LEN=328 TOS=0x10 PREC=0x00 TTL=16 ID=0 PROTO=UDP SPT=68 DPT=67 LEN=308
Nov 29 21:08:37 xen-dom0 kernel: IN=xenbr0 OUT=xenbr0 PHYSIN=vif0.0 PHYSOUT=peth0 SRC=0.0.0.0 DST=255.255.255.255 LEN=328 TOS=0x10 PREC=0x00 TTL=16 ID=0 PROTO=UDP SPT=68 DPT=67 LEN=308
Nov 29 21:08:37 xen-dom0 kernel: IN=xenbr0 OUT= PHYSIN=vif0.0 PHYSOUT=peth0 MAC=ff:ff:ff:ff:ff:ff:00:01:02:be:88:3f:08:00 SRC=0.0.0.0 DST=255.255.255.255 LEN=328 TOS=0x10 PREC=0x00 TTL=16 ID=0 PROTO=UDP SPT=68 DPT=67 LEN=308

Starting the domU dhclient results in this firewall log on dom0:
----
# dhclient eth0
Nov 29 21:11:45 xen-dom0 kernel: IN=xenbr0 OUT= PHYSIN=vif3.0 PHYSOUT=vif0.0 MAC=ff:ff:ff:ff:ff:ff:00:16:3e:0f:9d:70:08:00 SRC=0.0.0.0 DST=255.255.255.255 LEN=328 TOS=0x10 PREC=0x00 TTL=16 ID=0 PROTO=UDP SPT=68 DPT=67 LEN=308
Nov 29 21:11:45 xen-dom0 kernel: IN=eth0 OUT= PHYSIN=vif3.0 PHYSOUT=vif0.0 MAC=ff:ff:ff:ff:ff:ff:00:16:3e:0f:9d:70:08:00 SRC=0.0.0.0 DST=255.255.255.255 LEN=328 TOS=0x10 PREC=0x00 TTL=16 ID=0 PROTO=UDP SPT=68 DPT=67 LEN=308
Nov 29 21:11:47 xen-dom0 kernel: IN=xenbr0 OUT=xenbr0 PHYSIN=peth0 PHYSOUT=vif3.0 SRC=192.168.2.2 DST=255.255.255.255 LEN=576 TOS=0x00 PREC=0x00 TTL=64 ID=0 PROTO=UDP SPT=67 DPT=68 LEN=556
Nov 29 21:11:47 xen-dom0 kernel: IN=xenbr0 OUT=xenbr0 PHYSIN=peth0 PHYSOUT=vif0.0 SRC=192.168.2.2 DST=255.255.255.255 LEN=576 TOS=0x00 PREC=0x00 TTL=64 ID=0 PROTO=UDP SPT=67 DPT=68 LEN=556
Nov 29 21:11:47 xen-dom0 kernel: IN=xenbr0 OUT= PHYSIN=peth0 PHYSOUT=vif0.0 MAC=ff:ff:ff:ff:ff:ff:00:13:10:2d:93:b2:08:00 SRC=192.168.2.2 DST=255.255.255.255 LEN=576 TOS=0x00 PREC=0x00 TTL=64 ID=0 PROTO=UDP SPT=67 DPT=68 LEN=556

-Mike

_______________________________________________
Xen-users mailing list
[hidden email]
http://lists.xensource.com/xen-users
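The log lines above are what the LOG rule of RH-Firewall-1-INPUT records just before the following REJECT rule drops the packet: a DHCP discover from 0.0.0.0 to 255.255.255.255 on UDP 68 to 67 matches none of the chain's ACCEPT rules (it is neither RELATED/ESTABLISHED nor one of the listed services), and the server's reply on UDP 67 to 68 is in the same position. Entries with OUT=xenbr0 are bridged copies that went through FORWARD, where the physdev rule only accepts --physdev-in vif3.0, so the reply arriving on peth0 for vif3.0 is rejected; entries with an empty OUT= are dom0's own copy going through INPUT. The script below, added here as an example and not taken from the post or from the Xen scripts, parses such LOG lines, classifies the DHCP packets by chain, direction and physical ports, and prints (without applying) the narrowest physdev-scoped iptables rules that would admit exactly those flows ahead of the RH-Firewall-1-INPUT jump. Interface names come from the post; SAMPLE_LOG is constructed from the post's lines plus one made-up non-DHCP entry to show it is ignored.

```shell
#!/bin/sh
# Added example (not from the original post or the Xen scripts): read the
# dom0 kernel LOG lines produced by the RH-Firewall-1-INPUT chain, pick out
# the DHCP packets, and print the physdev-scoped iptables rules that would
# admit only those flows. Rules are printed, not applied, so they can be
# reviewed first. Interface names (xenbr0, peth0, vif0.0, vif3.0) are taken
# from the post; SAMPLE_LOG is constructed from the post's log lines.

SAMPLE_LOG='Nov 29 21:08:37 xen-dom0 kernel: IN=xenbr0 OUT=xenbr0 PHYSIN=vif0.0 PHYSOUT=vif3.0 SRC=0.0.0.0 DST=255.255.255.255 LEN=328 TOS=0x10 PREC=0x00 TTL=16 ID=0 PROTO=UDP SPT=68 DPT=67 LEN=308
Nov 29 21:08:37 xen-dom0 kernel: IN=xenbr0 OUT= PHYSIN=vif0.0 PHYSOUT=peth0 MAC=ff:ff:ff:ff:ff:ff:00:01:02:be:88:3f:08:00 SRC=0.0.0.0 DST=255.255.255.255 LEN=328 TOS=0x10 PREC=0x00 TTL=16 ID=0 PROTO=UDP SPT=68 DPT=67 LEN=308
Nov 29 21:11:47 xen-dom0 kernel: IN=xenbr0 OUT=xenbr0 PHYSIN=peth0 PHYSOUT=vif3.0 SRC=192.168.2.2 DST=255.255.255.255 LEN=576 TOS=0x00 PREC=0x00 TTL=64 ID=0 PROTO=UDP SPT=67 DPT=68 LEN=556
Nov 29 21:11:47 xen-dom0 kernel: IN=xenbr0 OUT= PHYSIN=peth0 PHYSOUT=vif0.0 MAC=ff:ff:ff:ff:ff:ff:00:13:10:2d:93:b2:08:00 SRC=192.168.2.2 DST=255.255.255.255 LEN=576 TOS=0x00 PREC=0x00 TTL=64 ID=0 PROTO=UDP SPT=67 DPT=68 LEN=556
Nov 29 21:12:03 xen-dom0 kernel: IN=xenbr0 OUT= PHYSIN=peth0 PHYSOUT=vif0.0 SRC=192.168.2.77 DST=192.168.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=40112 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0'
# The last SAMPLE_LOG line is a constructed non-DHCP entry; it must be ignored.

# classify_dhcp_log: stdin -> one line per DHCP packet:
#   <chain> <role> <physin> <physout>
# chain is FORWARD when OUT= names the bridge (a bridged copy, the case that
# breaks the domU) and INPUT when OUT= is empty (dom0's own copy);
# role is client (SPT=68 DPT=67) or server (SPT=67 DPT=68).
classify_dhcp_log() {
  awk '
  {
    split("", kv)                       # reset the KEY=VALUE map per line
    for (i = 1; i <= NF; i++) {
      n = index($i, "=")
      if (n > 0) kv[substr($i, 1, n - 1)] = substr($i, n + 1)
    }
    if (kv["PROTO"] != "UDP") next
    if (kv["SPT"] == "68" && kv["DPT"] == "67") role = "client"
    else if (kv["SPT"] == "67" && kv["DPT"] == "68") role = "server"
    else next
    chain = (kv["OUT"] == "") ? "INPUT" : "FORWARD"
    print chain, role, kv["PHYSIN"], kv["PHYSOUT"]
  }'
}

# dhcp_rules_from_log: stdin -> iptables commands, one per distinct flow,
# each limited to UDP 67/68 and to the physical ports the packet was seen
# on. "-I" places them ahead of the RH-Firewall-1-INPUT jump, which is the
# first rule of INPUT and the last rule of FORWARD in the post's listing.
dhcp_rules_from_log() {
  classify_dhcp_log | sort -u | while read -r chain role pin pout; do
    if [ "$role" = client ]; then sport=68; dport=67; else sport=67; dport=68; fi
    if [ "$chain" = FORWARD ]; then
      printf 'iptables -I FORWARD -m physdev --physdev-in %s --physdev-out %s -p udp --sport %s --dport %s -j ACCEPT\n' \
        "$pin" "$pout" "$sport" "$dport"
    else
      printf 'iptables -I INPUT -m physdev --physdev-in %s -p udp --sport %s --dport %s -j ACCEPT\n' \
        "$pin" "$sport" "$dport"
    fi
  done
}

# Stand-alone use: feed the sample; on a real dom0, feed the kernel log
# instead (for example "grep PROTO=UDP /var/log/messages").
printf '%s\n' "$SAMPLE_LOG" | dhcp_rules_from_log
```

Binding each rule to the physical ports and to UDP 67/68 is deliberately tighter than a blanket `-p udp --dport 67:68 -j ACCEPT`: a domU vif is then allowed to send client requests but not to answer as a DHCP server, and only the port facing the real server (peth0 here) is allowed to deliver replies toward the vifs.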