Hi,

I'm writing a bash script to add simple firewalling for Xen.

Here's the actual firewall configuration:

Chain INPUT (policy ACCEPT)
target     prot opt source               destination
RH-Firewall-1-INPUT  all  --  anywhere             anywhere

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
RH-Firewall-1-INPUT  all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain RH-Firewall-1-INPUT (2 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     icmp --  anywhere             anywhere            icmp any
ACCEPT     esp  --  anywhere             anywhere
ACCEPT     ah   --  anywhere             anywhere
ACCEPT     udp  --  anywhere             224.0.0.251         udp dpt:mdns
ACCEPT     udp  --  anywhere             anywhere            udp dpt:ipp
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ipp
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     udp  --  anywhere             anywhere            state NEW udp dpt:ha-cluster
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:http
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:https
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited

I'd like to add a new chain for each of my virtual machines (each of them has a virtual interface called vif1.0, vif2.0, etc). Output interface (bridge) is xenbr0.

Here's what I do (for example to block ping 'in'to domU1, vif1.0):

iptables -N domUFirewall
iptables -I FORWARD -j domUFirewall
iptables -I INPUT -j domUFirewall
iptables -A domUFirewall -i vif1.0 -p icmp -j DROP

But .. it doesn't work, I'm still able to ping in/out the domU.

Must be something really 'dumb' but I can't find out what's wrong.

Any clues?

Thx

+2  A: 

Since you're using XEN with bridged networking, packets are being intercepted at a level before ordinary iptables commands can influence them. Thus, you'll probably need to use the ebtables command to influence packet routing in the way that you want to.

Original answer left below that will work for other configurations, but not for XEN with bridged networking.

I am going to pretend for the sake of example that the IP address of vif1.0 is 192.168.1.100.

I would redo the logic to not check the input device, but to instead check by IP Address. At the input chain, the packet is coming from (say) device eth0, not from vif1.0. Thus, this rule:

iptables -I INPUT -i vif1.0 -j domUFirewall

that I previously proposed will never match any packets. However, if you do the following, it should do what you want:

iptables -I INPUT -d 192.168.1.100 -j domUFirewall

where in this case the chain domUFirewall is set up by:

iptables -N domUFirewall
iptables -F domUFirewall
iptables -A domUFirewall -p icmp -j DROP

If a given chain is for a single device, then you want to make this check before jumping into the chain, on a rule with the "-j chainName" action. Then, in the chain itself, you never have to check for the device or IP Address.

Second, I would always flush (empty) the chain in your script, just in case you're re-running the script. Note that when you rerun the script, you may get complaints on the -N line. That's OK.

There are other ways you could do this, but to give a different example, I would need to know specifically how your VM is set up -- bridged networking? NAT? Etc. But the example I gave here should work in any of these modes.

Here are some useful links for the future:

Eddie
Hi, thanks for the answer. Unfortunately it's not working.
Disco
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target               prot opt in     out     source               destination
    0     0 DMU                  all  --  vif1.0 any     anywhere             anywhere
 2542 1208K RH-Firewall-1-INPUT  all  --  any    any     anywhere             anywhere
Disco
Chain DMU (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       icmp --  any    any     anywhere             anywhere
Disco
interface vif1.0 is correct, but still able to ping. DMU jump rule in INPUT chain is the first entry, but still not filtering.
Disco
Ah, I think I know what the problem is ... thinking about it ...
Eddie
I think the INPUT chain is maybe not the right place to check for this, but I'm not sure what is. I'll have to fiddle with it myself. If I can find a working answer I'll update this post.
Eddie
Is there any 'simple' example? INPUT is actually parsed but not chains I put there with 'jump'. Running Red Hat, maybe iptables is different?
Disco
OK, after thinking about it overnight, I put in place a different answer that I hope will help. I added a couple links that I think you'll find useful.
Eddie
OK, checked out the links. Nothing useful there. Oh, I forgot to mention it's a bridged configuration:
Disco
bridge name     bridge id               STP enabled     interfaces
xenbr0          8000.00e0813169fc       no              vif1.0
                                                        eth0
If that helps ...
Disco
One more piece of news:
iptables -A FORWARD -m physdev --physdev-in vif7.0 --physdev-out vif7.0 -j ACCEPT
iptables: Unknown error 4294967295
Disco
Does this mean my answer above does not work?
Eddie
Nope, it doesn't :(
Disco
How does my answer above fail? The rules apply fine but you can still ping from another machine into the virtual machine?
Eddie
Yes, so it's not working, the goal is to block 'ping' (or any other service) from the bridge to any other vif.
Disco
But from where are you trying to ping? From the same machine or from another machine?
Eddie
Is the chain domUFirewall actually getting called? We need to figure out where the failure is.
Eddie
Actually, not. Since iptables -L -v gives '0' packets being matched. Trying to add a '-m physdev' parameter gives the '4294967295' error (see above).
Disco
Are you adding on the FORWARD or the INPUT chain? (or both)
Eddie
Tried both; I see that FORWARD chain is not being called at all (0 packets).
Disco
OK, the xen bridge must be doing something I'm not aware of ... it must be intercepting these packets before they get to the normal packet filter, or otherwise handling them in some special way ... research is called for....
Eddie
You may have to use ebtables....
Eddie
Problem is that with xenserver you can't add any other repositories ...
Disco
Are you saying that the ebtables command is not present on your xen host server?
Eddie
Yep, part of the 'Citrix' politics ... but I think it's a simple CentOS base; I'll try to fetch them manually and keep you up.
Disco
OK, bad news; ebtables doesn't seem to exist on CentOS :(
Disco
Compiling from source ... in the meantime, what could be the config for ebtables to handle vifs etc.?
Disco
OK, while it's compiling, let's try a few last iptables commands ... try iptables -t nat -I POSTROUTING -d xx.xx.xx.xx -p icmp -j DROP
Eddie
I'm looking at http://ebtables.sourceforge.net/br_fw_ia/br_fw_ia.html to try to figure out how the packets jump between iptables chains and ebtables chains, and how the ip address, ethernet address, etc, change at each step.
Eddie
Yowza!!! Check out this diagram of packet flow: http://ebtables.sourceforge.net/br_fw_ia/PacketFlow.png
Eddie
Yess!! Finally got it working! After installing ebtables, I've been able to put the rules inside. Works like a charm now! Thank you very very very much for your help!
Disco
Excellent! Glad we got it working.
Eddie
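The following script is an added example and is not code from the question, the answer or the commenters. It turns the answer's design (one chain per domU, the address or interface check on the jump rule rather than inside the chain, and a flush before re-adding so the script can be re-run) into a small generator, and adds the ebtables variant that the thread ends up needing: with Xen bridged networking, frames switched across xenbr0 between eth0 and the vifs never traverse the iptables INPUT or FORWARD chains, so the interface check has to happen in ebtables, on the bridge port. Guest names, vif names and the 192.168.1.100 address are constructed; the function names, the dom_ chain prefix and the DRY_RUN switch are this example's own conventions. With DRY_RUN=1 (the default) the commands are printed instead of executed, so the generated rule set can be reviewed before it is applied with DRY_RUN=0 as root.

```bash
#!/bin/sh
# Added example, not from the original post.  Generates per-domU firewall
# chains for two setups:
#   iptables_domu  - routed/NAT guests, matched by the guest's IP address
#   ebtables_domu  - Xen bridged guests, matched by the bridge port (vifN.0)
# DRY_RUN=1 prints the commands; DRY_RUN=0 runs them (needs root).

DRY_RUN="${DRY_RUN:-1}"

# Print a command and, when DRY_RUN=0, execute it.  Always returns 0 so a
# harmless failure (for example -N on a chain that already exists, which the
# answer notes you will see on a re-run) does not abort a "set -e" script.
run() {
    printf '%s\n' "$*"
    if [ "$DRY_RUN" = "0" ]; then
        "$@" || return 0
    fi
}

# iptables_domu NAME IP PROTO...
# Non-bridged setups: the -i vifN.0 check never matches in INPUT, so the jump
# rule selects traffic by destination address instead; the chain itself only
# decides what to drop.  The stale jump is deleted before it is re-inserted so
# re-running the script does not pile up duplicate rules.
iptables_domu() {
    ip="$2"; chain="dom_$1"; shift 2
    run iptables -N "$chain" 2>/dev/null   # fails harmlessly if it exists
    run iptables -F "$chain"               # empty it before re-populating
    for parent in INPUT FORWARD; do
        run iptables -D "$parent" -d "$ip" -j "$chain" 2>/dev/null
        run iptables -I "$parent" -d "$ip" -j "$chain"
    done
    for proto in "$@"; do
        run iptables -A "$chain" -p "$proto" -j DROP
    done
}

# ebtables_domu VIF PROTO...
# Xen bridged networking: hook frames in the ebtables FORWARD chain as they
# leave the bridge towards the guest's vif (-o vifN.0), i.e. traffic going
# *into* the domU.  The chain name replaces "." with "_" to stay on the safe
# side of ebtables chain-name rules.  PROTO is an IPv4 protocol name or number
# understood by the ebtables ip match (icmp here).
ebtables_domu() {
    vif="$1"; chain="dom_$(printf '%s' "$1" | tr . _)"; shift
    run ebtables -N "$chain" 2>/dev/null
    run ebtables -F "$chain"
    run ebtables -D FORWARD -o "$vif" -j "$chain" 2>/dev/null
    run ebtables -A FORWARD -o "$vif" -j "$chain"
    for proto in "$@"; do
        run ebtables -A "$chain" -p IPv4 --ip-protocol "$proto" -j DROP
    done
}

# Constructed guests: domU1 (vif1.0, 192.168.1.100) and domU2 (vif2.0).
# Blocks ping into each guest, as in the question.
iptables_domu domU1 192.168.1.100 icmp
ebtables_domu vif1.0 icmp
ebtables_domu vif2.0 icmp
```

On current kernels with the br_netfilter module loaded and net.bridge.bridge-nf-call-iptables set to 1, bridged IPv4 traffic is also passed through the iptables FORWARD chain, where the physdev match can select the vif; on a host where that is not available, as in this thread, ebtables is the layer that sees the bridge ports.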