Linux, FreeBSD, Juniper, Cisco / Network security articles and troubleshooting guides



Software and Hardware virtualization, Linux Kernel Virtualization Module, FreeBSD jails, Vmware, Virtualbox, Xen

debuser
Post subject: Iptables filtering Xen bridged domains & enforcing specific IP address for each of these domains | Posted: Sun Dec 04, 2011 12:21 am


Iptables filtering Xen bridged domains & enforcing specific IP address for each of these domains

This article covers filtering Xen bridged domains with iptables and enforcing a specific IP address for each virtual machine, which adds a layer of protection to the VPS servers sharing a host.

In the following setup, the Xen domain with id 9 (test-vm) is a virtual machine that should be restricted to the IP address X.X.X.18/28. It is attached to the bridge through the vmnet9 interface on the host (eth0 inside the VM).

Listing Xen domains (Domain-0 and the guest domains, i.e. the virtual machines):
Code:
host# xm list
Name                                        ID   Mem VCPUs      State   Time(s)
Domain-0                                     0 13566     8     r-----   2202.0
test-vm                                      9   507     2     -b----     14.9


Network configuration inside the virtual machine, replacing the assigned address with the IP of another virtual machine:
Code:
test-vm# ip a l eth0
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 00:16:3e:3a:0a:1a brd ff:ff:ff:ff:ff:ff
    inet X.X.X.18/28 brd X.X.X.31 scope global eth0
    inet6 fe80::216:3eff:fe3a:a1a/64 scope link
       valid_lft forever preferred_lft forever

test-vm# ip a del X.X.X.18/28 dev eth0
test-vm# ip a add X.X.X.21/28 dev eth0


Above, the IP address that Xen assigned to test-vm has been replaced with the IP of another VPS. To confirm that the spoofed address actually works:
Code:
test-vm# ping -c 1 yahoo.com
PING yahoo.com (209.191.122.70) 56(84) bytes of data.
64 bytes from ir1.fp.vip.mud.yahoo.com (209.191.122.70): icmp_req=1 ttl=51 time=143 ms

--- yahoo.com ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 143.540/143.540/143.540/0.000 ms

With the default configuration, nothing stops one VPS from spoofing or stealing the IP address of another VPS on the same bridge.

How to prevent IP spoofing or IP stealing between VPS servers on the same Xen host
Note: with Xen bridged networking, packets to and from the guest domains traverse the host's iptables "FORWARD" chain (once bridge netfilter is enabled, see below), so that is the chain to filter on.

The first step is to make sure the kernel passes bridged traffic through iptables at all. The following sysctl must be set to "1" for IPv4 (on newer kernels it only exists once the br_netfilter module is loaded, and the setting is not persistent unless added to /etc/sysctl.conf):
Code:
host# sysctl net.bridge.bridge-nf-call-iptables=1


Iptables configuration for preventing IP spoofing or IP stealing between VPS servers on the same Xen host
Code:
host# iptables -L FORWARD -n --line-numbers -v
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination         
1     6029  432K ACCEPT     all  --  eth0   *       0.0.0.0/0            X.X.X.16/28     
2      480  157K ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-in vmnet9 udp spt:68 dpt:67
3    12054  893K ACCEPT     all  --  *      *       X.X.X.18              0.0.0.0/0           PHYSDEV match --physdev-in vmnet9
4      769 89282 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0           LOG flags 0 level 4
5      731 86162 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           



Explanation:
The FORWARD chain's default policy is ACCEPT (not good practice, but the last rule DROPS everything not matched by the earlier rules).
iptables rule 1) Accepts all packets arriving on eth0 (from the Internet) with any source and a destination in X.X.X.16/28 (the subnet assigned to the hosted VPS servers).
iptables rule 2) Accepts UDP packets arriving from the bridged interface vmnet9 (test-vm's interface), any source, any destination, source port 68 and destination port 67 (you guessed it: DHCP requests from the virtual machine, which are sent from 0.0.0.0 and so cannot match rule 3).
iptables rule 3) Accepts all packets arriving from the bridged interface vmnet9 with source IP X.X.X.18 and any destination. This binds X.X.X.18 to this virtual machine: a packet leaving vmnet9 with any other source address falls through to the log and drop rules, and another virtual machine configuring X.X.X.18 on its own interface does not match because its --physdev-in is different.
iptables rule 4) Logs all packets that were not accepted above, right before they are dropped.
iptables rule 5) Drops all packets not matched by any of the above rules.

Done.

This article was provided by spidervps, providing secure & cheap VPS. Details:
- no overselling (bad for business and for clients)
- physical servers are located in Germany
- Supported OS: CentOS 5 and 6, Debian 5 and 6, Fedora and other Linux distributions
- Very easy-to-use user interface
- Prices starting from 6.99 Euro/mo
- Assistance & prompt support
- Security for your VPS
More info: https://www.spidervps.com/vpsoffer.html or MySQL replication starting from 1.99 Euro/mo https://www.spidervps.com/MySQLReplicationOffer.html
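The ruleset from the post above, as an added example that is not part of the original post: a POSIX shell script that generalizes the post's numbered FORWARD rules to any number of guests by keeping the per-guest rules in a dedicated chain (so guests can be added or removed without renumbering FORWARD), adds the br_netfilter step, rate-limits the LOG rule, and includes a check that a guest's lock rule is really present. The interface names, the 192.0.2.16/28 subnet, the chain name XEN_GUESTS and the "vif:ip" argument format are assumed values, not from the post. With DRY_RUN=1 it prints the iptables commands instead of executing them, so the ruleset can be reviewed without root.

```shell
#!/bin/sh
# Added example (not from the original post): lock each Xen bridged guest to
# its assigned IPv4 address with iptables, generalized to N guests.
# Assumed values: uplink eth0, VPS subnet 192.0.2.16/28 (documentation range),
# chain name XEN_GUESTS. Guests are passed as "vif:ip" pairs, e.g. vmnet9:192.0.2.18.
# DRY_RUN=1 prints the commands instead of running them (no root needed).

UPLINK="${UPLINK:-eth0}"
VPS_NET="${VPS_NET:-192.0.2.16/28}"
CHAIN="${CHAIN:-XEN_GUESTS}"

# run CMD...: execute, or just echo the command line when DRY_RUN=1
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi
}

# Make the kernel hand bridged IPv4 traffic to iptables (the post's sysctl step).
# On kernels >= 3.18 the sysctl only exists once br_netfilter is loaded;
# older kernels have it built in, so a failing modprobe is ignored.
enable_bridge_nf() {
    run modprobe br_netfilter 2>/dev/null || true
    run sysctl -w net.bridge.bridge-nf-call-iptables=1
}

# guest_rules VIF IP: the two per-guest rules from the post (rules 2 and 3).
# The DHCP rule must come first: a DHCP request is sent from 0.0.0.0 and would
# otherwise be dropped by the source-address lock.
guest_rules() {
    vif=$1; ip=$2
    run iptables -A "$CHAIN" -m physdev --physdev-in "$vif" \
        -p udp --sport 68 --dport 67 -j ACCEPT
    run iptables -A "$CHAIN" -m physdev --physdev-in "$vif" -s "$ip" -j ACCEPT
}

# apply_ruleset "vif:ip" ["vif:ip" ...]: build the full ruleset.
# FORWARD: accept Internet -> VPS subnet (post's rule 1), then jump to the
# guest chain, whose tail logs (rate-limited) and drops everything else.
apply_ruleset() {
    run iptables -N "$CHAIN" 2>/dev/null || true
    run iptables -F "$CHAIN"
    for pair in "$@"; do
        guest_rules "${pair%%:*}" "${pair#*:}"
    done
    run iptables -A "$CHAIN" -m limit --limit 5/min -j LOG --log-prefix "xen-spoof: "
    run iptables -A "$CHAIN" -j DROP
    run iptables -A FORWARD -i "$UPLINK" -d "$VPS_NET" -j ACCEPT
    run iptables -A FORWARD -j "$CHAIN"
}

# verify_guest VIF IP: exit status 0 only if the lock rule for this guest exists
# (iptables -C returns non-zero when the rule is absent).
verify_guest() {
    run iptables -C "$CHAIN" -m physdev --physdev-in "$1" -s "$2" -j ACCEPT
}

# Only act when guests are given on the command line, e.g.:
#   DRY_RUN=1 sh lock-guests.sh vmnet9:192.0.2.18 vmnet10:192.0.2.19
if [ "$#" -gt 0 ]; then
    enable_bridge_nf
    apply_ruleset "$@"
    for pair in "$@"; do verify_guest "${pair%%:*}" "${pair#*:}"; done
fi
```

Two things the post's ruleset does not cover, which matter when the neighbours are untrusted: iptables only sees IPv4 here, and the guest in the post also has an IPv6 link-local address, so an equivalent ip6tables ruleset (with net.bridge.bridge-nf-call-ip6tables=1) or a rule dropping IPv6 at the bridge is needed; and ARP never reaches iptables, so a guest can still answer ARP for a neighbour's address or forge its MAC, which requires ebtables or arptables rules on the same vif. The rate limit on the LOG rule keeps a flood of spoofed packets from filling the host's syslog.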




