WARNING - OLD ARCHIVES

This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/
[Xen-users] virtual mirror port on xen

To: xen-users@xxxxxxxxxxxxxxxxxxx
Subject: [Xen-users] virtual mirror port on xen
From: Michael Stegk <lists.michael@xxxxxxxxx>
Date: 29 Jun 2010 08:21:55 +0200
Delivery-date: 28 Jun 2010 23:25:28 -0700
Envelope-to: www-data@xxxxxxxxxxxxxxxxxxx
List-help: <mailto:xen-users-request@lists.xensource.com?subject=help>
List-id: Xen user discussion <xen-users.lists.xensource.com>
List-post: <mailto:xen-users@lists.xensource.com>
List-subscribe: <http://lists.xensource.com/mailman/listinfo/xen-users>, <mailto:xen-users-request@lists.xensource.com?subject=subscribe>
List-unsubscribe: <http://lists.xensource.com/mailman/listinfo/xen-users>, <mailto:xen-users-request@lists.xensource.com?subject=unsubscribe>
Sender: xen-users-bounces@xxxxxxxxxxxxxxxxxxx
Hello,
I am trying to get a Snort-based IDS running on a DomU; the IDS needs to be able to intercept all packets regarding communication between DomUs and between the Dom0 and the physical network. It is obviously important that other DomUs receive only their dedicated packets. This is pretty much known as a mirror port on "normal" switches. I know that Snort-related threads have been discussed on this list already, and I would like to contribute my progress so far. I got a basic idea from here: http://support.citrix.com/article/CTX116204. The document describes how to turn the "virtual switch" into a hub by setting the ageing of the bridge to 0.
# brctl setageing eth0 0
That does the job; after this the DomU receives all packets as I desired. Unfortunately all DomUs get those packets, so I tried to solve this with ebtables.
Scenario:
I run Xen 3.2.1 on Debian Lenny (Linux 2.6.26-2-xen-amd64).
These are the VMs:
Dom0
DomU A with IDS
DomU B normal VM
DomU C normal VM without network connection
DomU A should be able to intercept communication between B and C
I worked out the following ebtables rules:
ebtables -P FORWARD DROP
ebtables -A FORWARD -d 00:16:3e:4a:17:95/ff:ff:ff:ff:ff:00 -o vif5.0 -j ACCEPT # DOM B MAC & vif
ebtables -A FORWARD -s 00:16:3e:4a:17:95/ff:ff:ff:ff:ff:00 -i vif5.0 -j ACCEPT # DOM B MAC & vif
ebtables -A FORWARD -o vif5.0 -j DROP
ebtables -A FORWARD -o vif6.0 -j ACCEPT # Dom A vif
ebtables -A FORWARD -i vif6.0 -j ACCEPT # Dom A vif
Here is what the bridge looks like:
# brctl show
bridge name     bridge id               STP enabled     interfaces
eth0            8000.90e6ba36355f       no              peth0
                                                        vif5.0
                                                        vif6.0
                                                        vif7.0
# ebtables -L
Bridge table: filter
Bridge chain: INPUT, entries: 0, policy: ACCEPT
Bridge chain: FORWARD, entries: 5, policy: DROP
-d 0:16:3e:4a:17:0/ff:ff:ff:ff:ff:0 -o vif5.0 -j ACCEPT
-s 0:16:3e:4a:17:0/ff:ff:ff:ff:ff:0 -i vif5.0 -j ACCEPT
-o vif5.0 -j DROP
-o vif6.0 -j ACCEPT
-i vif6.0 -j ACCEPT
Bridge chain: OUTPUT, entries: 0, policy: ACCEPT
I test the setup by running tcpdump on the DomUs and sending ICMP requests (a simple ping) to the DomUs from a machine outside the Dom0.
Result:
DomU A works as expected and receives all traffic.
DomU B receives the reply packets from Dom0.
DomU C is unable to communicate with other hosts but also receives reply packets from Dom0. So my problem is how to stop DomU B & C from receiving reply packets not dedicated for them.
Any ideas or new concepts would be appreciated.
Thanks,
Michael Stegk
_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users
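Editor's added example (not code from the post, from Xen or from Citrix): a small Python model of a Linux bridge with ageing 0 and ebtables-style INPUT/FORWARD/OUTPUT chains, loaded with the exact FORWARD rules quoted above. It shows the mechanism behind the reported result: a frame that Dom0 itself originates (its ICMP echo reply) is flooded to every port because the FDB is never populated, and it traverses only the ebtables OUTPUT chain, so the FORWARD policy of DROP never sees it. The model also applies an assumed hardened rule set in which every rule names its egress port and the OUTPUT chain is filtered as well. Only DomU B's MAC comes from the post; the Dom0 and outside-host MACs, the frames, and the hardened rules are constructed for the example.

```python
"""Model of a Linux bridge with ageing 0 plus ebtables filter chains.

Added example, not code from the post or from Xen.  Ports are peth0,
vif5.0 (DomU B), vif6.0 (DomU A, the IDS) and vif7.0 (DomU C).  Only
DomU B's MAC is from the post; the other MACs are constructed.
"""
from dataclasses import dataclass
from typing import Optional

BCAST = "ff:ff:ff:ff:ff:ff"
B = "00:16:3e:4a:17:95"        # DomU B (from the post)
DOM0 = "00:16:3e:00:00:01"     # constructed
OUTSIDE = "52:54:00:12:34:56"  # constructed: the host beyond peth0
PORTS = ["peth0", "vif5.0", "vif6.0", "vif7.0"]

def _mac(s):
    return bytes(int(x, 16) for x in s.split(":"))

def mac_match(spec, mac):
    """ebtables-style 'addr[/mask]' comparison; an absent spec matches anything."""
    if spec is None:
        return True
    addr, _, mask = spec.partition("/")
    m = _mac(mask) if mask else b"\xff" * 6
    return all((a & k) == (b & k) for a, b, k in zip(_mac(addr), _mac(mac), m))

@dataclass
class Rule:
    chain: str                 # INPUT, FORWARD or OUTPUT
    target: str                # ACCEPT or DROP
    src: Optional[str] = None  # -s addr[/mask]
    dst: Optional[str] = None  # -d addr[/mask]
    i: Optional[str] = None    # -i ingress port (unset for Dom0-originated frames)
    o: Optional[str] = None    # -o egress port

    def matches(self, frame, in_if, out_if):
        return (mac_match(self.src, frame["src"]) and mac_match(self.dst, frame["dst"])
                and self.i in (None, in_if) and self.o in (None, out_if))

class Bridge:
    def __init__(self, rules, ageing=0, forward_policy="DROP"):
        self.rules, self.ageing, self.fdb = rules, ageing, {}
        self.policy = {"INPUT": "ACCEPT", "FORWARD": forward_policy, "OUTPUT": "ACCEPT"}

    def verdict(self, chain, frame, in_if, out_if):
        for r in self.rules:                       # first matching rule wins
            if r.chain == chain and r.matches(frame, in_if, out_if):
                return r.target
        return self.policy[chain]

    def egress(self, frame, exclude):
        port = self.fdb.get(frame["dst"])
        return [port] if port else [p for p in PORTS if p != exclude]  # unknown dst: flood

    def receive(self, frame, in_if):
        """Frame arriving on a port: INPUT if addressed to Dom0, FORWARD per egress port."""
        if self.ageing > 0:                        # ageing 0: the FDB is never populated
            self.fdb[frame["src"]] = in_if
        out = []
        if frame["dst"] in (DOM0, BCAST) and self.verdict("INPUT", frame, in_if, None) == "ACCEPT":
            out.append("dom0")
        if frame["dst"] != DOM0:
            out += [p for p in self.egress(frame, in_if)
                    if self.verdict("FORWARD", frame, in_if, p) == "ACCEPT"]
        return out

    def send(self, frame):
        """Frame originated by Dom0 itself: traverses OUTPUT only, never FORWARD."""
        return [p for p in self.egress(frame, None)
                if self.verdict("OUTPUT", frame, None, p) == "ACCEPT"]

POSTED = [  # the FORWARD rules from the post; FORWARD policy DROP
    Rule("FORWARD", "ACCEPT", dst=B + "/ff:ff:ff:ff:ff:00", o="vif5.0"),
    Rule("FORWARD", "ACCEPT", src=B + "/ff:ff:ff:ff:ff:00", i="vif5.0"),
    Rule("FORWARD", "DROP", o="vif5.0"),
    Rule("FORWARD", "ACCEPT", o="vif6.0"),
    Rule("FORWARD", "ACCEPT", i="vif6.0"),
]

HARDENED = [  # assumed fix: every rule names its egress port, and OUTPUT is filtered too
    Rule("FORWARD", "ACCEPT", o="vif6.0"),             # mirror port sees every forwarded frame
    Rule("FORWARD", "ACCEPT", dst=B, o="vif5.0"),      # B gets only its own unicast ...
    Rule("FORWARD", "ACCEPT", dst=BCAST, o="vif5.0"),  # ... plus broadcast (ARP)
    Rule("FORWARD", "ACCEPT", src=B, i="vif5.0", o="peth0"),
    Rule("OUTPUT", "ACCEPT", o="vif6.0"),
    Rule("OUTPUT", "ACCEPT", dst=B, o="vif5.0"),
    Rule("OUTPUT", "ACCEPT", dst=BCAST, o="vif5.0"),
    Rule("OUTPUT", "DROP", o="vif5.0"),
    Rule("OUTPUT", "DROP", o="vif7.0"),                # C has no network at all
]

DOM0_REPLY = {"src": DOM0, "dst": OUTSIDE}   # Dom0 answering the outside host's ping
REQUEST_B = {"src": OUTSIDE, "dst": B}       # outside host pinging DomU B
REPLY_B = {"src": B, "dst": OUTSIDE}         # DomU B's reply
ARP_BCAST = {"src": OUTSIDE, "dst": BCAST}   # outside host's ARP who-has

def deliver(rules, frame, in_if=None):
    """Ports (and 'dom0') that receive a copy of frame under the given rule set."""
    br = Bridge(rules)
    return br.send(frame) if in_if is None else br.receive(frame, in_if)
```

Run `deliver(POSTED, DOM0_REPLY)` and every port, including vif5.0 and vif7.0, gets the Dom0 reply: the FORWARD chain is never consulted for a locally originated frame, which matches the tcpdump observation in the post. The model also shows two further properties of the posted rule set that the post does not mention: the rule `-s <B MAC> -i vif5.0 -j ACCEPT` carries no `-o`, so the copy of B's reply that the hub-mode bridge floods toward vif7.0 is accepted as well (`deliver(POSTED, REPLY_B, "vif5.0")`), and because the first vif5.0 rule only admits B's own unicast MAC, a broadcast ARP request for B is dropped before it reaches vif5.0 (`deliver(POSTED, ARP_BCAST, "peth0")`). The assumed hardened set keeps the mirror-port behaviour for vif6.0 while restricting vif5.0 to B's unicast and broadcast in both FORWARD and OUTPUT; whether Dom0 and the IDS should be reachable from each other, and how multicast is to be handled, are left for the real deployment.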