Firewalling xen bridge

Occasionally you will wish to block certain ports to your DomUs from Dom0. By default you want to allow any traffic to and from a DomU, but for security reasons I found it wise to block some ports to and from my clients' DomUs. One such port range is IRC: although IRC can be routed through alternate ports, most automated malicious scripts use the default ones, so blocking those is a handy way to stop a compromised DomU from phoning home.

As said, by default the Xen bridge is open to all traffic to and from the DomUs. It is up to each DomU admin to firewall their own virtual machine. Unfortunately some simply forget to secure the system properly, and as a result you get a compromised DomU contacting various botnets and running all kinds of nasty stuff.

To prevent this we can create firewall rules for the DomUs that block some traffic by default. Since I'm using bridged networking, the firewalling must be done on the bridge. I found a great article in the Shorewall manuals on how to set up a bridged network firewall. I installed and tested it on 32-bit CentOS 5.2; it should work on any system, but I haven't tested it on any other.


First of all you will need to download and install the latest Shorewall. As stated in the documentation linked above: because Xen uses normal Linux bridging, you must enable bridge support in shorewall.conf

nano /etc/shorewall/shorewall.conf

Set

BRIDGING=Yes

Now we have to edit our firewall zones:

nano /etc/shorewall/zones

It should look something like this:

#ZONE   TYPE            OPTIONS         IN                      OUT
#                                       OPTIONS                 OPTIONS
fw      firewall
dom0    ipv4
domU    ipv4
net     ipv4
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE

Next we define the network interfaces. We will be dealing with two: the virtualized eth0 and the bridge.

nano /etc/shorewall/interfaces

And the file should look like this:

#ZONE   INTERFACE       BROADCAST       OPTIONS
-       xenbr0          -               dhcp
net     eth0            detect          dhcp
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

Next we must edit the hosts file, which assigns the bridge ports to zones:

nano /etc/shorewall/hosts

And the file should look like this:

#ZONE   HOST(S)                                 OPTIONS
dom0    xenbr0:vif0.0
domU    xenbr0:vif+                            routeback
net     xenbr0:peth0
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS LINE -- DO NOT REMOVE

Now let’s make some policies in our firewall:

nano /etc/shorewall/policy

And the file should look like this:

#SOURCE DEST    POLICY          LOG     LIMIT:          CONNLIMIT:
#                               LEVEL   BURST           MASK
fw      all     ACCEPT
all     fw      ACCEPT          info
dom0    all     ACCEPT
all     dom0    ACCEPT          info
domU    all     ACCEPT
all     domU    ACCEPT
net     net     NONE
all     all     REJECT          info
#LAST LINE -- DO NOT REMOVE

This will by default allow any traffic through the bridge. You can also specify a DROP policy for your Dom0 and then open the necessary ports in the rules file. Note that fw and dom0 are the same, but both need to be declared in the policy and rules files. So far none of this blocks the IRC traffic we set out to block, so all that remains is to set up the rules file.

nano /etc/shorewall/rules

And the file should look like this:

#ACTION         SOURCE          DEST            PROTO   DEST    SOURCE   ORIGINAL        RATE            USER/   MARK    CONNLIMIT    TIME
#                                                       PORT    PORT(S)  DEST            LIMIT           GROUP
#irc
REJECT          net             domU            tcp     6660:6669
REJECT          domU            net             tcp     6660:6669
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

This will block all incoming and outgoing TCP traffic on ports 6660 to 6669 for all DomUs. If you wish to make an exception for one DomU, edit the rules file and insert the exception above the REJECT lines (Shorewall applies the first rule that matches), for example:

#ACTION         SOURCE          DEST            PROTO   DEST    SOURCE   ORIGINAL        RATE            USER/   MARK    CONNLIMIT    TIME
#                                                       PORT    PORT(S)  DEST            LIMIT           GROUP
#DomU exceptions
ACCEPT          net             domU:192.168.0.10       tcp     6660:6669
ACCEPT          domU:192.168.0.10       net             tcp     6660:6669

#DomU restrictions
#irc
REJECT          net             domU            tcp     6660:6669
REJECT          domU            net             tcp     6660:6669
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
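As an added example that is not part of the original post, here is a small Python evaluator that applies Shorewall's first-match semantics to the rules and policy files above, so you can check how an exception and a REJECT interact before reloading the firewall. The embedded file contents are constructed from the post, the zone-to-host handling is a simplification (the real hosts file maps bridge ports to zones), and any addresses used when calling it are made up.

```python
import ipaddress

# Constructed inputs: the post's rules file with the per-host exceptions above the
# IRC REJECT lines, plus the relevant lines of its policy file.
RULES = """\
#ACTION SOURCE               DEST                 PROTO  DEST PORT
ACCEPT  net                  domU:192.168.0.10    tcp    6660:6669
ACCEPT  domU:192.168.0.10    net                  tcp    6660:6669
REJECT  net                  domU                 tcp    6660:6669
REJECT  domU                 net                  tcp    6660:6669
"""
POLICY = """\
domU    all     ACCEPT
all     domU    ACCEPT
net     net     NONE
all     all     REJECT
"""

def parse(text, ncols):
    """Rows of a Shorewall table, comments dropped, short rows padded with '-'."""
    rows = []
    for line in text.splitlines():
        cols = line.split("#", 1)[0].split()
        if cols:
            rows.append(cols + ["-"] * (ncols - len(cols)))
    return rows

def zone_match(spec, zone, addr):
    """'domU' matches the whole zone; 'domU:192.168.0.10' also pins the host."""
    name, _, host = spec.partition(":")
    if name not in (zone, "all"):
        return False
    return not host or ipaddress.ip_address(addr) in ipaddress.ip_network(host, strict=False)

def port_match(spec, port):
    """'-' is any port; otherwise a single port or a Shorewall range 'lo:hi'."""
    if spec == "-":
        return True
    lo, _, hi = spec.partition(":")
    return int(lo) <= port <= int(hi or lo)

def decide(rules_text, src_zone, src_addr, dst_zone, dst_addr, proto, port):
    """Action Shorewall takes: the first matching rule wins, else the zone policy."""
    for action, src, dst, rproto, dport in parse(rules_text, 5):
        if (zone_match(src, src_zone, src_addr) and zone_match(dst, dst_zone, dst_addr)
                and rproto in (proto, "all") and port_match(dport, port)):
            return action
    for src, dst, action in parse(POLICY, 3):
        if src in (src_zone, "all") and dst in (dst_zone, "all"):
            return action
    return "REJECT"
```

Feeding it the same rules with the ACCEPT lines moved below the REJECT lines shows the exception being shadowed, which is exactly the ordering mistake the post warns about.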

This way only the DomU with IP 192.168.0.10 will have the IRC ports unblocked. Although the above config should work, it didn't for me. CentOS 5.2 by default comes with

net.bridge.bridge-nf-call-iptables = 0

so no bridge firewalling is actually done: with that sysctl at 0, frames crossing the bridge never reach iptables at all. To enable it, edit your sysctl.conf file

nano /etc/sysctl.conf

and append:

net.bridge.bridge-nf-call-iptables = 1

now run:

sysctl -p

And the bridged firewall for your DomUs should work now.

    • Charlie Smurthwaite
    • September 30th, 2009

    Another fantastic way of firewalling Xen machines in CentOS, which covers antispoofing of IPs and MAC addresses, as well as ARP traffic, is covered in detail here:

    http://www.standingonthebrink.com/index.php/ipv6-ipv4-and-arp-on-xen-for-vps/

    • entplex
    • March 28th, 2010

    I don't believe this configuration works with kernel 2.6.20+. Has anyone found any viable workarounds?