This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/
Re: [Xen-users] Force traffic out one interface

To: Felix Kuperjans <felix@xxxxxxxxxxxxxxxxxx>, Xen-users@xxxxxxxxxxxxxxxxxxx
Subject: Re: [Xen-users] Force traffic out one interface
From: Jonathan Tripathy <jonnyt@xxxxxxxxxxx>
Date: 13 Jun 2010 17:20:39 +0100
In-reply-to: <4C150311.4060301@xxxxxxxxxxxxxxxxxx>
References: <4C14FD27.2080100@xxxxxxxxxxx> <4C150311.4060301@xxxxxxxxxxxxxxxxxx>
Hi Felix,
Excellent plan! We are getting closer! I should really put all these wonderful tips from everyone here on a blog or something.
Back to the plan..
The only difficulty I see here is that the DomUs will be using public IP addresses, and the firewall (between the Internet and Dom0) will be a "filtering bridge" in its own right. However, maybe that doesn't matter. Would you maybe be able to give me some examples of the actual rules that I could use? This would be very much appreciated, and if I saw the rules I could work out if my firewall setup is a problem. It would be nice if my ISP just gave my firewall's WAN interface a single address and allowed multiple public subnets to be routed via my firewall (so my firewall would act like a router, not a bridge); however, I don't think this is the case. I think all that I will get is just an ethernet cable connected to a switch.
Thanks
On 13/06/10 17:10, Felix Kuperjans wrote:
Hi Jonathan,
I read your mail and those you posted in different previous threads and
I think that you should probably consider *not* using a bridge and using
pure routing instead:
- Do you really need bridge-only features (especially broadcasts from
domU to domU or broadcasts traversing the dom0)? If I understand your
plans correctly, you want all your domUs to be isolated with their own
IP addresses and only communicating via a dedicated firewall. This way,
you would not need broadcasts between clients (this is only interesting
if you want to use LAN services between your domUs, because broadcasts
are not sent across the internet anyway).
- AFAIK, routing is more secure and faster than bridging, but somewhat
harder to set up.
- You could do what you posted below with routing. It might work with
bridging, too, but I don't know a good way to do that with a bridge.
With routing, you would need policy routing because of this elementary
problem:
You have (to make things easier to explain, in this example only 2) two
DomUs (let's say, 1.0.0.1 on vif-1.0 and 1.0.0.2 on vif-2.0), the
Domain-0 and a dedicated firewall between the Dom0 and the internet.
If 1.0.0.1 wants to reach any server on the internet (or vice versa), it
will pass through the firewall by default.
But if 1.0.0.1 wants to send (e.g. an e-mail) to 1.0.0.2 or (more
dangerous) wants to attack 1.0.0.2, they would only communicate via the
Domain-0 (without the firewall).
The problem is:
If you route 1.0.0.2 to vif-2.0 under all circumstances, it will bypass
the firewall if 1.0.0.1 sent the packet.
If you route everything except 1.0.0.1 via eth0, you won't be able to
reach 1.0.0.2 at all.
The solution is:
You need to do policy routing.
If a packet originates from the internet and should be sent to 1.0.0.2,
it must be routed to vif-2.0. But if it originates from 1.0.0.1, it must
be routed to eth0, so that it is sent to the firewall.
The firewall will then process the packet and return it to the server,
which now must route the packet to vif-2.0.
So it will take two policy routes:
route 1.0.0.2 via vif-2.0, if it is from eth0
route 1.0.0.2 via eth0, if it is not from eth0
I don't think that those routes would work with a bridge, so consider
using routing.
Felix
On 13.06.2010 17:45, Jonathan Tripathy wrote:
Hi Everyone,
Does anyone know any rules that I could use (using iptable, ebtables,
or otherwise) that could force all traffic coming from a guest to go
out via a particular interface? I wish to stop "inter-guest"
communication, without going via my firewall first.
Thanks
_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users
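The two policy routes Felix describes ("route 1.0.0.2 via vif-2.0 if it is from eth0, via eth0 if it is not from eth0"), written out as Linux iproute2 commands for dom0. This is an added example, not part of the thread or of Xen's own network scripts. Everything in it is assumed for illustration: the domU addresses 1.0.0.1 and 1.0.0.2, the interface names vif-1.0, vif-2.0 and eth0, the next hop FW_GW on the firewall side, the table numbers 100 and 200, and the rule priorities.

```shell
#!/bin/sh
# Added example, not from the thread: dom0 policy routing for the
# two-domU scenario, using iproute2 on Linux. All names and addresses
# below are assumptions for illustration: domUs 1.0.0.1 and 1.0.0.2,
# interfaces vif-1.0, vif-2.0 and eth0, next hop FW_GW beyond the
# firewall, and routing tables 100 and 200.
set -eu

FW_GW=${FW_GW:-1.0.0.254}   # assumed next hop reached through the firewall
DRY_RUN=${DRY_RUN:-1}       # 1 = print the commands, 0 = execute (as root)

run() {
    if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi
}

# Table 100 is consulted only for packets that came in on eth0, i.e. that
# have already passed the firewall. Only here are the domUs reachable
# directly via their vifs.
from_firewall_table() {
    run ip route add 1.0.0.1/32 dev vif-1.0 table 100
    run ip route add 1.0.0.2/32 dev vif-2.0 table 100
    run ip rule add iif eth0 table 100 priority 100
}

# Table 200 is consulted for packets that came in from a domU. It holds
# nothing but a default route towards the firewall, so 1.0.0.1 -> 1.0.0.2
# is pushed out of eth0 instead of being short-cut inside dom0.
from_domu_table() {
    run ip route add default via "$FW_GW" dev eth0 table 200
    run ip rule add iif vif-1.0 table 200 priority 200
    run ip rule add iif vif-2.0 table 200 priority 200
}

# The main table (where a routed Xen setup keeps "1.0.0.x dev vif-x.0") is
# left alone. It still serves traffic dom0 itself generates, because
# locally generated packets have no incoming interface and match no rule.

# Kernel knobs the two tables depend on.
sysctls() {
    run sysctl -w net.ipv4.ip_forward=1
    # Answer ARP for the domU addresses on eth0 so the firewall side can
    # hand packets for 1.0.0.2 to dom0.
    run sysctl -w net.ipv4.conf.eth0.proxy_arp=1
    # A packet from 1.0.0.1 coming back in on eth0 fails strict reverse-path
    # filtering (the main table says 1.0.0.1 lives behind vif-1.0), so eth0
    # needs loose mode (2) or none (0).
    run sysctl -w net.ipv4.conf.eth0.rp_filter=2
}

# Ask the kernel which way it would forward a packet, given the interface
# it arrived on. The first answer should name eth0, the second vif-2.0.
check() {
    run ip route get 1.0.0.2 from 1.0.0.1 iif vif-1.0
    run ip route get 1.0.0.2 from 1.0.0.1 iif eth0
}

main() {
    sysctls
    from_firewall_table
    from_domu_table
    check
}

main
```

Run it as root with DRY_RUN=0 to apply; `ip rule show` and `ip route show table 100` display the result, and rules are tried in ascending priority, so the two tables never compete for the same incoming interface. The second hop in Felix's description relies on the firewall returning the packet towards dom0 on the same link. A plain filtering bridge does not forward a frame out of the port it arrived on, so with the bridge firewall described earlier in the thread the packet would have to reach a router beyond the bridge, which then sends it back to dom0 for 1.0.0.2 (crossing the bridge, and its filter rules, twice). Whether that is acceptable is exactly the question Jonathan raises above.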