[Pkg-xen-devel] Bug#894013: xen-utils-common: issue with iptables antispoofing rules in xen4.8 generated by vif-bridge and vif-common.sh

Sebastian Piecha sebastian at piecha.net
Tue Nov 6 13:36:41 GMT 2018


Hi Hans,

I actually solved this issue by:

1) I disabled all the original iptables creation rules in the xen scripts.
2) I configure all IP addresses and vif names in the domU config files
(I want control over the IP address I assign to a domU; if somebody
changed the IP address in the domU, the communication is broken then)
3) The iptables rules for my virtualized firewall are loaded directly by iptables.
4) All iptables rules for the domU are created by the xen scripts - I
created new iptables creation rules in the xen scripts.

The advantage of this approach is that with every new domU the right
iptables rules get created and I don't have to mess around with
iptables. The drawback is that in case I reload iptables the
antispoofing rules are gone - but without them all communication to the
domUs is blocked (just not to the firewall), so I know immediately I
need to insert these rules again.

I had to adjust the iptables rules as the ones I originally suggested
only secured the first domU. With the second domU the rules get
sidelined. To achieve antispoofing, drop and accept rules are
needed per domU based on its IP address from the domU config. All drop
rules for all domUs have to be evaluated first. The accept rules need to
be evaluated after evaluation of the drop rules. It is a bit difficult
to achieve that automatically in iptables without inspecting the
existing rule base first. I achieved that by a trick - I created a new
chain called domU and inserted that into the FORWARD chain (done by
iptables rules config). In the new domU chain, with the start of every
single domU the drop rules get inserted (iptables -I) at the beginning
of that chain, and the accept rules get appended (iptables -A). So I get
the right order and don't need to inspect the iptables rule set.

To get these rules evaluated by iptables a sysctl setting needs to be done:
sysctl net.bridge.bridge-nf-call-iptables=1

With these rules, should somebody change the IP address of a running domU,
the antispoofing rules would block any traffic. Only by changing the
iptables rules or the IP address in the domU config file would
communication be possible. To do this dom0 access is needed. That is exactly
what I want as I expose some domUs to the Internet.

Patch for the xen script vif-common.sh:
-----------8<------------
--- vif-common.sh	2018-11-02 17:13:30.813238234 +0100
+++ vif-common.sh.new	2018-11-06 12:22:46.179073064 +0100
@@ -124,15 +124,21 @@
 {
   if [ "$command" == "online" -o "$command" == "add" ]
   then
-    local c="-I"
+    local ci="-I"
+    local ca="-A"
   else
-    local c="-D"
+    local ci="-D"
+    local ca="-D"
   fi
 
-  iptables "$c" FORWARD -m physdev --physdev-is-bridged --physdev-in "$dev" \
-    "$@" -j ACCEPT 2>/dev/null &&
-  iptables "$c" FORWARD -m physdev --physdev-is-bridged --physdev-out "$dev" \
-    -j ACCEPT 2>/dev/null
+  iptables "$ca" domu -m physdev --physdev-is-bridged --physdev-out "$dev" \
+    -p all -d "$2" -j ACCEPT 2>/dev/null &&
+  iptables "$ca" domu -m physdev --physdev-is-bridged --physdev-in "$dev" \
+    -p all -s "$2" -j ACCEPT 2>/dev/null &&
+  iptables "$ci" domu -m physdev --physdev-is-bridged --physdev-out "$dev" \
+    -p all ! -d "$2" -j DROP 2>/dev/null &&
+  iptables "$ci" domu -m physdev --physdev-is-bridged --physdev-in "$dev" \
+    -p all ! -s "$2" -j DROP 2>/dev/null
 
   if [ \( "$command" == "online" -o "$command" == "add" \) -a $? -ne 0 ]
   then
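Review bot: the four new rules target a chain named `domu` that nothing in this hunk creates, and with `2>/dev/null` a missing chain makes every call fail silently; the mail says the chain and its jump from `FORWARD` come from the separately loaded iptables rules config, so either state that dependency in a comment next to the rules or probe and create the chain (`iptables -nL domu >/dev/null 2>&1 || iptables -N domu`) before the first call. Two further points on the new rules: `"$2"` replaces the original `"$@"`, so the function now assumes it is called exactly as `frob_iptable -s "$addr"` and produces wrong rules for any other argument list (the DHCP and no-argument callers in the next hunk); and because the caller loops over every address in the domU's `ip=` list, a domU with two addresses gets `! -s A -j DROP` and `! -s B -j DROP` inserted ahead of its ACCEPTs, so each address is dropped by the other's rule. One catch-all `--physdev-in "$dev" -j DROP` appended per vif and direction, with the per-address ACCEPTs inserted ahead of it, avoids that. Finally, the `&&` chain means a failed `-D` on the first rule leaves the other three in place on `offline`; running the four calls independently and collecting the status is more robust, and `-p all` is the default and can go.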
@@ -169,11 +175,11 @@
         frob_iptable -s "$addr"
       done
 
-      # Always allow the domain to talk to a DHCP server.
-      frob_iptable -p udp --sport 68 --dport 67
   else
       # No IP addresses have been specified, so allow anything.
-      frob_iptable
+      # needs revision, currently not covered by iptables rules in frob_iptable,
+      # therefore commented out
+      # frob_iptable
   fi
 
   release_lock "iptables"
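Review bot: removing the DHCP rule is consistent with the new `! -s "$2"` DROP in `frob_iptable` (a DHCPDISCOVER sourced from 0.0.0.0 would be dropped anyway), but it quietly turns a static `ip=` in the domU config into a hard requirement; say so in the comment or the package changelog rather than leaving it implicit. For the no-address branch, commenting out `frob_iptable` is the right short-term choice, since the reworked function would build rules around an empty `"$2"`, but the effect is that a domU without `ip=` gets no rule at all in `domu` and its traffic is decided by whatever follows in `FORWARD`. Prefer failing visibly here, through the same error path the previous hunk takes when an iptables call fails, over a silent fall-through, and reword the comment to state that `ip=` is now mandatory.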
-----------8<------------


And this is what the iptables rules look like after some domUs got
started (as it is rather long I copy the relevant FORWARD section with
the new chain domU; domf is one domU, jump another and fw is the
firewall, the interfaces are named vif-domU-bridge):

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
domu       all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere             PHYSDEV
match --physdev-in vif-fw-OAM --physdev-is-bridged
ACCEPT     all  --  anywhere             anywhere             PHYSDEV
match --physdev-out vif-fw-OAM --physdev-is-bridged
...
REJECT     all  --  anywhere             anywhere
reject-with icmp-port-unreachable

...

Chain domu (1 references)
target     prot opt source               destination
DROP       all  -- !192.168.249.3        0.0.0.0/0            PHYSDEV
match --physdev-in vif-jump-FE --physdev-is-bridged
DROP       all  --  0.0.0.0/0           !192.168.249.3        PHYSDEV
match --physdev-out vif-jump-FE --physdev-is-bridged
DROP       all  -- !192.168.240.6        0.0.0.0/0            PHYSDEV
match --physdev-in vif-domf-INT --physdev-is-bridged
DROP       all  --  0.0.0.0/0           !192.168.240.6        PHYSDEV
match --physdev-out vif-domf-INT --physdev-is-bridged
DROP       all  -- !192.168.250.6        0.0.0.0/0            PHYSDEV
match --physdev-in vif-domf-LAN --physdev-is-bridged
DROP       all  --  0.0.0.0/0           !192.168.250.6        PHYSDEV
match --physdev-out vif-domf-LAN --physdev-is-bridged
ACCEPT     all  --  0.0.0.0/0            192.168.250.6        PHYSDEV
match --physdev-out vif-domf-LAN --physdev-is-bridged
ACCEPT     all  --  192.168.250.6        0.0.0.0/0            PHYSDEV
match --physdev-in vif-domf-LAN --physdev-is-bridged
ACCEPT     all  --  0.0.0.0/0            192.168.240.6        PHYSDEV
match --physdev-out vif-domf-INT --physdev-is-bridged
ACCEPT     all  --  192.168.240.6        0.0.0.0/0            PHYSDEV
match --physdev-in vif-domf-INT --physdev-is-bridged
ACCEPT     all  --  0.0.0.0/0            192.168.249.3        PHYSDEV
match --physdev-out vif-jump-FE --physdev-is-bridged
ACCEPT     all  --  192.168.249.3        0.0.0.0/0            PHYSDEV
match --physdev-in vif-jump-FE --physdev-is-bridged


Cheers,
Sebastian
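The chain layout described in the mail, written out as an added example: this is not Sebastian's script and not the vif-common.sh shipped by the package. It keeps the insert/append ordering trick but turns it around, inserting the per-address ACCEPT rules and appending one catch-all DROP per vif and direction, so a domU with several addresses in its `ip=` list does not block its own traffic and each iptables call is run independently. The chain name `domu` and the vif names are taken from the mail; the `IPTABLES=echo` dry-run switch and the `--demo` argument are my own conventions.

```shell
#!/bin/sh
# Added example, not the poster's script and not the package's vif-common.sh:
# apply the "domu" chain layout from the mail for one vif.
#
# Ordering trick as described in the mail: rules that must come first are
# inserted (-I), rules that must come last are appended (-A).  Here the
# per-address ACCEPT rules are inserted and one catch-all DROP per vif and
# direction is appended, so with any number of domUs every ACCEPT precedes
# every DROP, and a domU with several addresses does not get one address
# dropped by the other's "! -s" rule.
#
# Assumptions (mine, not from the mail): chain name is overridable, and
# IPTABLES=echo turns the script into a dry run that prints the iptables
# invocations instead of executing them.  Bridge traffic only reaches
# FORWARD when net.bridge.bridge-nf-call-iptables=1 (the sysctl in the mail).
IPTABLES="${IPTABLES:-iptables}"
CHAIN="${CHAIN:-domu}"

# Create the chain and the jump from FORWARD once; safe to call repeatedly.
ensure_domu_chain() {
    "$IPTABLES" -nL "$CHAIN" >/dev/null 2>&1 || "$IPTABLES" -N "$CHAIN" || return 1
    "$IPTABLES" -C FORWARD -j "$CHAIN" >/dev/null 2>&1 || "$IPTABLES" -I FORWARD -j "$CHAIN"
}

# Install or remove the rules for one vif.
#   $1  online|add to install, offline|remove to delete
#   $2  vif name as seen on the bridge (e.g. vif-domf-LAN)
#   $3… the domU's addresses from its ip= setting
# Returns non-zero if any iptables call failed or no address was given;
# a domU without addresses deliberately gets no permissive rule.
domu_rules() {
    [ $# -ge 2 ] || { echo "usage: domu_rules <cmd> <vif> <addr>..." >&2; return 2; }
    cmd="$1"; dev="$2"; shift 2
    case "$cmd" in
        online|add)     accept_op="-I"; drop_op="-A" ;;
        offline|remove) accept_op="-D"; drop_op="-D" ;;
        *) echo "domu_rules: unknown command '$cmd'" >&2; return 2 ;;
    esac
    if [ $# -eq 0 ]; then
        echo "domu_rules: $dev has no ip= addresses, refusing to add rules" >&2
        return 1
    fi
    rc=0
    for addr in "$@"; do
        "$IPTABLES" "$accept_op" "$CHAIN" -m physdev --physdev-is-bridged \
            --physdev-in "$dev" -s "$addr" -j ACCEPT || rc=1
        "$IPTABLES" "$accept_op" "$CHAIN" -m physdev --physdev-is-bridged \
            --physdev-out "$dev" -d "$addr" -j ACCEPT || rc=1
    done
    # Each call runs on its own (no && chain), so a failed delete of one
    # rule does not leave the others behind when a domU goes offline.
    "$IPTABLES" "$drop_op" "$CHAIN" -m physdev --physdev-is-bridged \
        --physdev-in "$dev" -j DROP || rc=1
    "$IPTABLES" "$drop_op" "$CHAIN" -m physdev --physdev-is-bridged \
        --physdev-out "$dev" -j DROP || rc=1
    return $rc
}

# Dry-run demonstration with constructed values: sh domu-rules.sh --demo
if [ "${1:-}" = "--demo" ]; then
    IPTABLES=echo
    domu_rules online vif-domf-LAN 192.168.250.6 192.168.250.7
fi
```

Because the catch-all DROP matches everything the ACCEPTs did not, a DHCPDISCOVER sourced from 0.0.0.0 is dropped as well, which matches the mail's decision to remove the DHCP allowance and treat `ip=` as mandatory. Called from a hotplug script, `ensure_domu_chain` should run before the first `domu_rules online`, and a non-zero return should be reported rather than swallowed.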


