Firewalling the Xen bridge
Occasionally you will want to block certain ports to your DomUs from Dom0. By default you want to allow any traffic to and from the DomUs, but for security reasons I found it wise to block some ports to and from my clients' DomUs. One such port range is IRC. Although IRC can be run over alternate ports, most automated malicious scripts use the default ones, so blocking those is a handy way to stop a compromised guest from contacting home.
As said, by default the Xen bridge is open to all traffic to and from the DomUs. It is up to each DomU admin to firewall their own virtual machine. Unfortunately some simply forget to secure their system properly, and the result is a compromised DomU contacting various botnets and executing all kinds of nasty stuff.
To prevent this we can add firewall rules on the bridge that block some traffic by default. Since I'm using a bridged network, the firewalling must be done on the bridge. I found a great article in the Shorewall manuals explaining how to set up a bridged network firewall. I installed and tested it on 32-bit CentOS 5.2, but it should work on any system.
First of all you will need to download and install the latest Shorewall.
As stated in the documentation linked above, you must enable bridge support in shorewall.conf:
nano /etc/shorewall/shorewall.conf
Set:
BRIDGING=Yes
Now we have to edit our firewall zones:
nano /etc/shorewall/zones
It should look something like this:
#ZONE   TYPE        OPTIONS     IN          OUT
#                               OPTIONS     OPTIONS
fw      firewall
dom0    ipv4
domU    ipv4
net     ipv4
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
Next we define the network interfaces. We will be dealing with two: the virtualized eth0 and the bridge:
nano /etc/shorewall/interfaces
And the file should look like this:
#ZONE   INTERFACE   BROADCAST   OPTIONS
-       xenbr0      -           dhcp
net     eth0        detect      dhcp
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
Next stop, the hosts file:
nano /etc/shorewall/hosts
And the file should look like this:
#ZONE   HOST(S)             OPTIONS
dom0    xenbr0:vif0.0
domU    xenbr0:vif+         routeback
net     xenbr0:peth0
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS LINE -- DO NOT REMOVE
Now let's make some policies in our firewall:
nano /etc/shorewall/policy
And the file should look like this:
#SOURCE DEST    POLICY  LOG     LIMIT:      CONNLIMIT:
#                       LEVEL   BURST       MASK
fw      all     ACCEPT
all     fw      ACCEPT  info
dom0    all     ACCEPT
all     dom0    ACCEPT  info
domU    all     ACCEPT
all     domU    ACCEPT
net     net     NONE
all     all     REJECT  info
#LAST LINE -- DO NOT REMOVE
This will by default allow any traffic through the bridge. You can also specify a DROP policy for your Dom0 and then open the necessary ports in the rules file. Note that fw and dom0 are the same host, but both need to be declared in the policy and rules files. So far this does not block the IRC traffic we set out to block; all that is left is to set up the rules file:
nano /etc/shorewall/rules
And the file should look like this:
#ACTION SOURCE              DEST                PROTO   DEST        SOURCE      ORIGINAL    RATE    USER/   MARK    CONNLIMIT   TIME
#                                                       PORT        PORT(S)     DEST        LIMIT   GROUP
#irc
REJECT  net                 domU                tcp     6660:6669
REJECT  domU                net                 tcp     6660:6669
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
After adding this, it will block all incoming and outgoing traffic on the port range 6660 to 6669 for all DomUs. If you wish to add an exception for one DomU, simply edit the rules file and insert the exception above the REJECT rules:
#ACTION SOURCE              DEST                PROTO   DEST        SOURCE      ORIGINAL    RATE    USER/   MARK    CONNLIMIT   TIME
#                                                       PORT        PORT(S)     DEST        LIMIT   GROUP
#DomU exceptions
ACCEPT  net                 domU:192.168.0.10   tcp     6660:6669
ACCEPT  domU:192.168.0.10   net                 tcp     6660:6669
#DomU restrictions
#irc
REJECT  net                 domU                tcp     6660:6669
REJECT  domU                net                 tcp     6660:6669
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
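As an added example (not part of the original article and not Shorewall's own code), here is a small Python simulator of Shorewall's first-match evaluation for the rules file above together with the policy file from earlier. It models only the columns this page uses (ACTION, SOURCE, DEST, PROTO, DEST PORT), with zone:address qualifiers and port ranges, and makes the ordering point visible: the first matching rule wins, and only when no rule matches does the policy file decide, so the per-DomU ACCEPT lines must sit above the blanket REJECT. The sample rule and policy texts are constructed from the article's listings; the second rules sample deliberately puts the exception below the REJECT lines to show the mistake.

```python
"""Simulate Shorewall first-match rule evaluation (added example, not Shorewall code)."""
import ipaddress
from dataclasses import dataclass

# Constructed sample: the article's rules file, exception ABOVE the REJECT lines.
RULES_EXCEPTION_ABOVE = """
#ACTION SOURCE              DEST                PROTO   DEST PORT
#DomU exceptions
ACCEPT  net                 domU:192.168.0.10   tcp     6660:6669
ACCEPT  domU:192.168.0.10   net                 tcp     6660:6669
#DomU restrictions
REJECT  net                 domU                tcp     6660:6669
REJECT  domU                net                 tcp     6660:6669
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
"""

# Constructed sample: same lines, but the exception placed BELOW the REJECT lines.
RULES_EXCEPTION_BELOW = """
REJECT  net                 domU                tcp     6660:6669
REJECT  domU                net                 tcp     6660:6669
ACCEPT  net                 domU:192.168.0.10   tcp     6660:6669
ACCEPT  domU:192.168.0.10   net                 tcp     6660:6669
"""

# Constructed sample: the article's policy file (LOG LEVEL column is ignored here).
POLICY = """
#SOURCE DEST    POLICY  LOG
fw      all     ACCEPT
all     fw      ACCEPT  info
dom0    all     ACCEPT
all     dom0    ACCEPT  info
domU    all     ACCEPT
all     domU    ACCEPT
net     net     NONE
all     all     REJECT  info
#LAST LINE -- DO NOT REMOVE
"""


@dataclass
class Rule:
    action: str
    src: str
    dst: str
    proto: str = "-"   # "-" means any protocol
    dport: str = "-"   # "-" means any destination port


def parse_table(text):
    """Split a Shorewall-style table into column lists, dropping comments and blanks."""
    rows = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            rows.append(line.split())
    return rows


def parse_rules(text):
    rules = []
    for cols in parse_table(text):
        cols = cols + ["-"] * (5 - len(cols))   # pad missing PROTO / DEST PORT
        rules.append(Rule(*cols[:5]))
    return rules


def parse_policy(text):
    return [(c[0], c[1], c[2]) for c in parse_table(text)]


def endpoint_matches(spec, zone, addr):
    """spec is 'all', 'zone', 'zone:address' or 'zone:network/prefix'."""
    if spec == "all":
        return True
    spec_zone, _, spec_addr = spec.partition(":")
    if spec_zone != zone:
        return False
    if not spec_addr:
        return True
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec_addr, strict=False)


def port_matches(spec, port):
    """Handle '-', single ports and lo:hi ranges, comma-separated."""
    if spec == "-":
        return True
    for item in spec.split(","):
        lo, _, hi = item.partition(":")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False


def evaluate(rules, policy, src_zone, src_addr, dst_zone, dst_addr, proto, dport):
    """First matching rule wins; if none matches, the first matching policy line decides."""
    for r in rules:
        if (endpoint_matches(r.src, src_zone, src_addr)
                and endpoint_matches(r.dst, dst_zone, dst_addr)
                and r.proto in ("-", proto)
                and port_matches(r.dport, dport)):
            return r.action
    for p_src, p_dst, action in policy:
        if p_src in ("all", src_zone) and p_dst in ("all", dst_zone):
            return action
    raise LookupError("no policy line matched")


def irc_from_domu(rules_text, guest_ip):
    """What happens to an outbound IRC connection (tcp/6667) from a given DomU address."""
    return evaluate(parse_rules(rules_text), parse_policy(POLICY),
                    "domU", guest_ip, "net", "203.0.113.5", "tcp", 6667)


if __name__ == "__main__":
    for label, text in (("above", RULES_EXCEPTION_ABOVE), ("below", RULES_EXCEPTION_BELOW)):
        for ip in ("192.168.0.10", "192.168.0.20"):
            print(f"exception {label}: {ip} -> IRC: {irc_from_domu(text, ip)}")
```

Running it directly prints the verdict for both orderings: with the exception above the REJECT lines only 192.168.0.10 is accepted, while with the exception below it is shadowed and every DomU is rejected. Note that `shorewall check` validates the syntax of these files, not whether one rule shadows another, which is exactly what this simulator makes visible.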
This way only the DomU with IP 192.168.0.10 will have its IRC ports unblocked. Although the above config should work, it didn't for me. CentOS 5.2 by default comes with:
net.bridge.bridge-nf-call-iptables = 0
so no bridge firewalling is actually done. To enable it, edit your sysctl.conf file:
nano /etc/sysctl.conf
and append:
net.bridge.bridge-nf-call-iptables = 1
now run:
sysctl -p
And the bridged firewall for your DomUs should now work.