toic.org - Entries for the category Virtualization
https://toic.org/blog/categories/linux/virtualization/
Ramblings about virtualization and all things virtual (en-us, Zinnia, Wed, 07 Oct 2015 17:17:53 +0000)

Firewalling xen bridge
https://toic.org/blog/2009/firewalling-xen-bridge/
<p>Occasionally you will want to block certain ports to your DomUs from Dom0. By default you want to allow all traffic to and from a DomU, but for some security considerations I found it wise to block some ports to and from my clients' DomUs. One such port range is IRC: although it can be routed through alternate ports, most automated malicious scripts use the default ones, so blocking them is a handy way of keeping a compromised DomU from phoning home.</p>
<p>As said, by default the Xen bridge is open for all traffic to and from DomUs. It's up to the DomU admin to firewall their own virtual machine. Unfortunately some just forget to secure the system properly, and as a result you get a compromised DomU contacting various botnets and executing all kinds of nasty stuff.</p>
<p>To prevent this we can add firewall rules for the DomUs that block some traffic by default. Since I'm using a bridged network, firewalling must be done on the bridge. I found <a class="reference external" href="http://www.shorewall.net/Xen.html">this</a> great article in the Shorewall manuals explaining how to set up a bridged network firewall.
I installed and tested it on 32-bit CentOS 5.2, but it should work on any system.</p>
<p>First of all you will need to <a class="reference external" href="http://shorewall.net/download.htm">download</a> and install the latest Shorewall.</p>
<p>As stated in the documentation linked above, you must enable bridge support in shorewall.conf:</p>
<pre class="literal-block">nano /etc/shorewall/shorewall.conf</pre>
<p>Set:</p>
<pre class="literal-block">BRIDGING=Yes</pre>
<p>Now we have to edit our firewall zones:</p>
<pre class="literal-block">nano /etc/shorewall/zones</pre>
<p>It should look something like this:</p>
<pre class="literal-block">#ZONE   TYPE        OPTIONS     IN          OUT
#                               OPTIONS     OPTIONS
fw      firewall
dom0    ipv4
domU    ipv4
net     ipv4
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE</pre>
<p>Next we define the network interfaces. We will be dealing with two of them: the virtualized eth0 and the bridge:</p>
<pre class="literal-block">nano /etc/shorewall/interfaces</pre>
<p>The file should look like this:</p>
<pre class="literal-block">#ZONE   INTERFACE   BROADCAST   OPTIONS
-       xenbr0      -           dhcp
net     eth0        detect      dhcp
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</pre>
<p>Next stop, the hosts file:</p>
<pre class="literal-block">nano /etc/shorewall/hosts</pre>
<p>The file should look like this:</p>
<pre class="literal-block">#ZONE   HOST(S)         OPTIONS
dom0    xenbr0:vif0.0
domU    xenbr0:vif+     routeback
net     xenbr0:peth0
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS LINE -- DO NOT REMOVE</pre>
<p>Now let's define the policies of our firewall:</p>
<pre class="literal-block">nano /etc/shorewall/policy</pre>
<p>The file should look like this:</p>
<pre class="literal-block">#SOURCE DEST    POLICY  LOG     LIMIT:          CONNLIMIT:
#                       LEVEL   BURST           MASK
fw      all     ACCEPT
all     fw      ACCEPT  info
dom0    all     ACCEPT
all     dom0    ACCEPT  info
domU    all     ACCEPT
all     domU    ACCEPT
net     net     NONE
all     all     REJECT  info
#LAST LINE -- DO NOT REMOVE</pre>
<p>This allows any traffic through the bridge by default. You can also set a DROP policy for your Dom0 and then open the necessary ports in the rules file. Note that fw and dom0 refer to the same machine, but both need to be declared in the policy and rules files. So far this does not yet block the IRC traffic we set out to block; all that is left is to set up the rules file:</p>
<pre class="literal-block">nano /etc/shorewall/rules</pre>
<p>The file should look like this:</p>
<pre class="literal-block">#ACTION SOURCE  DEST    PROTO   DEST    SOURCE  ORIGINAL  RATE    USER/   MARK    CONNLIMIT   TIME
#                               PORT    PORT(S) DEST      LIMIT   GROUP
#irc
REJECT  net     domU    tcp     6660:6669
REJECT  domU    net     tcp     6660:6669
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</pre>
<p>After adding this, all incoming and outgoing traffic on the port range 6660 to 6669 is blocked for all DomUs. If you wish to add an exception for one DomU, simply edit the rules file and insert the exception above the REJECT lines:</p>
<pre class="literal-block">#ACTION SOURCE  DEST    PROTO   DEST    SOURCE  ORIGINAL  RATE    USER/   MARK    CONNLIMIT   TIME
#                               PORT    PORT(S) DEST      LIMIT   GROUP
#DomU exceptions
ACCEPT  net                 domU:192.168.0.10   tcp     6660:6669
ACCEPT  domU:192.168.0.10   net                 tcp     6660:6669
#DomU restrictions
#irc
REJECT  net     domU    tcp     6660:6669
REJECT  domU    net     tcp     6660:6669
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</pre>
<p>This way only the DomU with IP 192.168.0.10 will have the IRC ports unblocked. Although the above config should work, it didn't for me. CentOS 5.2 by default comes with:</p>
<pre class="literal-block">net.bridge.bridge-nf-call-iptables = 0</pre>
<p>so no bridge firewalling is actually done.
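</p>
<p>As an added illustration (example code, not from the original post and not Shorewall's own code) of why the ACCEPT exceptions must sit above the REJECT lines: Shorewall evaluates the rules file top to bottom and the first matching rule wins. The small Python model below reproduces that for the IRC rules above and also flags rules that an earlier rule makes unreachable. The two rule sets and the net-side address are constructed.</p>

```python
# Added example (not from the original post): a first-match model of a Shorewall rules file.
def parse_rules(text):
    """Parse 'ACTION SOURCE DEST PROTO DPORT' lines; comments and blank lines are ignored."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            action, src, dst, proto, dport = line.split()[:5]
            lo, _, hi = dport.partition(":")          # '6660:6669' or a single port
            rules.append((action, src, dst, proto, int(lo), int(hi or lo)))
    return rules

def _spec_match(spec, zone, host):
    """'domU' matches every host in zone domU; 'domU:192.168.0.10' only that host."""
    name, _, addr = spec.partition(":")
    return name == zone and (not addr or addr == host)

def decide(rules, src, dst, proto, dport, policy="ACCEPT"):
    """src and dst are (zone, host); the first matching rule wins, else the zone policy."""
    for action, s, d, p, lo, hi in rules:
        if _spec_match(s, *src) and _spec_match(d, *dst) and p == proto and lo <= dport <= hi:
            return action
    return policy  # the domU<->net policy in the post is ACCEPT

def _covers(broad, narrow):
    # a zone-only spec covers itself and every host-qualified spec of the same zone
    return broad == narrow or (":" not in broad and narrow.split(":")[0] == broad)

def shadowed(rules):
    """Indexes of rules completely covered by an earlier rule, i.e. rules that never fire."""
    dead = []
    for i, (_, s, d, p, lo, hi) in enumerate(rules):
        if any(_covers(s2, s) and _covers(d2, d) and p2 == p and lo2 <= lo and hi <= hi2
               for _, s2, d2, p2, lo2, hi2 in rules[:i]):
            dead.append(i)
    return dead

# Constructed rule sets: the post's exception placed above, and wrongly below, the REJECTs.
EXCEPTION_ABOVE = """
ACCEPT  net                domU:192.168.0.10  tcp  6660:6669
ACCEPT  domU:192.168.0.10  net                tcp  6660:6669
REJECT  net   domU  tcp  6660:6669
REJECT  domU  net   tcp  6660:6669
"""
EXCEPTION_BELOW = """
REJECT  net   domU  tcp  6660:6669
REJECT  domU  net   tcp  6660:6669
ACCEPT  domU:192.168.0.10  net  tcp  6660:6669
"""
```

With the exception below the REJECTs, <code>shadowed()</code> reports it as dead and <code>decide()</code> still rejects IRC for 192.168.0.10.
<p>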
To enable it, edit your sysctl.conf file:</p>
<pre class="literal-block">nano /etc/sysctl.conf</pre>
<p>and append:</p>
<pre class="literal-block">net.bridge.bridge-nf-call-iptables = 1</pre>
<p>Now run:</p>
<pre class="literal-block">sysctl -p</pre>
<p>The bridged firewall for your DomUs should work now.</p>
branko@toic.org (branko), Sun, 19 Apr 2009 19:52:29 +0000, https://toic.org/blog/2009/firewalling-xen-bridge/, category: Virtualization

Multiple network interfaces in Xen
https://toic.org/blog/2008/multiple-network-interfaces-in-xen/
<p>By default the Xen tools come with only one network interface enabled for your dom0 and domU machines. So what if you want to add some more? It's actually very simple.</p>
<p>All you need to do is run:</p>
<pre class="literal-block">/etc/xen/scripts/network-bridge start vifnum=1 netdev=eth1 bridge=xenbr1</pre>
<p>This creates one extra xenbr attached to the eth1 interface. You can repeat the above command for all your interfaces, and you can stop them in the same manner, just replace start with stop.</p>
<p>To set this up automatically you can create a file named multi-network-bridge:</p>
<pre class="literal-block">vim /etc/xen/scripts/multi-network-bridge</pre>
<p>and paste this:</p>
<pre class="literal-block">#!/bin/sh
# pass the start/stop argument through to each bridge
/etc/xen/scripts/network-bridge "$@" vifnum=0 netdev=eth0 bridge=xenbr0
/etc/xen/scripts/network-bridge "$@" vifnum=1 netdev=eth1 bridge=xenbr1</pre>
<p>Of course you can add as many interfaces as you like in this script. After you have added your interfaces, you need to edit the xend-config.sxp file:</p>
<pre class="literal-block">vim /etc/xen/xend-config.sxp</pre>
<p>Find the line defining the network script; by default it should look like this:</p>
<pre class="literal-block">(network-script network-bridge)</pre>
<p>Edit it so it points at your newly created multi-network-bridge script.
In my case it looks like this:</p>
<pre class="literal-block">(network-script multi-network-bridge)</pre>
<p>All you need to do now is restart the xend service:</p>
<pre class="literal-block">/etc/init.d/xend restart</pre>
<p>A new network bridge named xenbr1 should be available now.</p>
<p><strong>How can I add another network bridge to my domU machine?</strong></p>
<p>It's pretty simple actually. You already have a <strong>vif</strong> statement defined for the current network interface; all you need to do is edit the domU config file, precisely the <strong>vif</strong> line, and add another xenbr interface.</p>
<p>For example, if my domU vif line looks like this:</p>
<pre class="literal-block">vif = ['ip=xx.xxx.167.4, vifname=vifbran0, rate = 10000KB/s, bridge=xenbr0']</pre>
<p>with another xenbr interface it should look like this:</p>
<pre class="literal-block">vif = ['ip=89.201.167.4, vifname=vifbran0, rate = 10000KB/s, bridge=xenbr0', 'ip=192.168.1.10, vifname=vifbran1, rate = 10000KB/s, bridge=xenbr1']</pre>
<p>Also, if you wish to use <a class="reference external" href="/blog/2008/09/22/preventing-ip-conflicts-in-xen/">IP conflict prevention</a> you must add an additional mac entry in the vif configuration. Restart your domU and voila, another network interface is present.</p>
branko@toic.org (branko), Mon, 06 Oct 2008 19:44:41 +0000, https://toic.org/blog/2008/multiple-network-interfaces-in-xen/, categories: Linux, Virtualization

Preventing ip conflicts in xen
https://toic.org/blog/2008/preventing-ip-conflicts-xen/
<p>Lately I have been playing with the stock Xen kernel and virtualization, and I came across one relatively big problem. Let's say I want to hand my guest machines over to clients. You must give them root, because that's what VPSes are all about: having root access to an OS without having to purchase expensive hardware.
Having that in mind, they are by default untrusted and unpredictable; they can do god knows what in there!</p>
<p>So what caught my eye?</p>
<p>By default Xen and the available management tools don't really have a way of sorting out IP conflicts in bridged mode. Basically you have a bunch of scripts that will provision a VPS along with an IP address. Looking at the conf files you have vif and IP declarations in the vm_xen.conf file.</p>
<p>But what is really preventing clients from entering:</p>
<pre class="literal-block">ifconfig eth0 xxx.xxx.xxx.xxx</pre>
<p>where xxx is the IP of some super important server in the same netmask?</p>
<p>Luckily I came across this problem while still in testing. Here's what I found and came up with after 3 days of intensive googling.</p>
<p>Xen supports IP declaration in the <strong>vif</strong> statement of the domU config file like this:</p>
<pre class="literal-block">vif = ['ip=xxx.xxx.xxx.xxx, more parameters here....']</pre>
<p>You can also declare multiple IPs by simply putting a space between them, like this:</p>
<pre class="literal-block">vif = ['ip=xxx.xxx.xxx.xx1 xxx.xxx.xxx.xx2, more parameters here....']</pre>
<p>For the purpose of IP conflict prevention make sure you declare a unique mac address in the vif section too.</p>
<p>So what does this IP thingy in <strong>vif</strong> do? Absolutely nothing (at least not yet)!</p>
<p>The next step is to install ebtables (<a class="reference external" href="http://ebtables.sourceforge.net/">http://ebtables.sourceforge.net/</a>) on your distro.
Then all we need to do is patch the vif-bridge script located in /etc/xen/scripts/.</p>
<p>So here's the diff:</p>
<pre class="literal-block"> --- vif-bridge-org 2008-07-30 21:26:16.000000000 +0200 +++ vif-bridge 2008-07-30 21:30:59.000000000 +0200 &#64;&#64; -57,15 +57,35 &#64;&#64; online) setup_bridge_port &quot;$vif&quot; add_to_bridge &quot;$bridge&quot; &quot;$vif&quot; - ;; - + ebtables -N $vif + ebtables -P $vif DROP + ebtables -A INPUT -i $vif -j $vif + ebtables -A FORWARD -i $vif -j $vif + ebtables -A $vif -p ARP --arp-opcode 1 -j ACCEPT + + if [ ! -z &quot;$ip&quot; ] + then + for oneip in $ip + do + ebtables -A $vif -p IPv4 --ip-src $oneip -j ACCEPT + ebtables -A $vif -p IPv4 --ip-dst $oneip -j ACCEPT + ebtables -A $vif -p ARP --arp-opcode 2 --arp-ip-src $oneip -j ACCEPT + done + ebtables -A $vif --log-prefix=&quot;arp-drop&quot; --log-arp -j DROP + fi + ;; + offline) do_without_error brctl delif &quot;$bridge&quot; &quot;$vif&quot; do_without_error ifconfig &quot;$vif&quot; down - ;; + do_without_error ebtables -D INPUT -i $vif -j $vif + do_without_error ebtables -D FORWARD -i $vif -j $vif + do_without_error ebtables -F $vif + do_without_error ebtables -X $vif + ;; esac-handle_iptable +#handle_iptable log debug &quot;Successful vif-bridge $command for $vif, bridge $bridge.&quot; if [ &quot;$command&quot; == &quot;online&quot; ] </pre>
<p>Assuming you use the bridging scripts, this effectively restricts the IP address(es) from the "vif = ['ip=xxx.xxx.xxx.xxx']" list to the <strong>mac</strong> addresses in the <strong>vif</strong> list. Restrictions are applied while booting up the VPS and removed when powering it off. This way an untrusted user is limited to the IP addresses defined in the Xen guest conf file. Trying to change the existing IP address to another IP on the network will only render that machine unresponsive.</p>
branko@toic.org (branko), Mon, 22 Sep 2008 19:07:40 +0000, https://toic.org/blog/2008/preventing-ip-conflicts-xen/, categories: Linux, Virtualization
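<p>Review bot: in the online) branch the rule `ebtables -A $vif -p ARP --arp-opcode 1 -j ACCEPT` accepts every ARP request from the vif before the per-IP loop runs, so only ARP replies (opcode 2) are tied to the configured addresses through `--arp-ip-src`; replacing that unconditional rule with `ebtables -A $vif -p ARP --arp-opcode 1 --arp-ip-src $oneip -j ACCEPT` inside the loop would make the restriction cover both opcodes. Two further points: when `$ip` is empty the chain keeps its DROP policy with only that ARP rule and without the logging DROP, so a domU whose vif line has no `ip=` silently loses all IPv4 traffic, which the post should state; and turning `handle_iptable` into `#handle_iptable` disables the script's existing iptables handling for the vif, a behaviour change that deserves a sentence in the post.</p>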
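<p>As an added example (not from the original posts and not part of Xen's own tooling) that serves both the two-bridge vif line in "Multiple network interfaces in Xen" and the unique-mac requirement above: a pre-flight check that parses the vif = [...] lines of domU config files and reports missing or duplicate MACs and duplicate IPs before the ebtables restriction is relied on. The two config texts, their MACs and the second domU are constructed.</p>

```python
# Added example (not from the original posts or from Xen): pre-flight check of the
# 'vif = [...]' lines in domU config files for missing/duplicate MACs and duplicate IPs.
import ast, re
VIF_RE = re.compile(r"^\s*vif\s*=\s*(\[.*\])\s*$", re.M)

def parse_vifs(config_text):
    """One dict per vif entry, e.g. {'ip': [...], 'bridge': 'xenbr0', 'mac': ...}."""
    match = VIF_RE.search(config_text)
    if not match:
        return []
    vifs = []
    for entry in ast.literal_eval(match.group(1)):   # the vif value is a Python list
        fields = {}
        for part in entry.split(","):
            key, _, value = part.partition("=")        # tolerates 'rate = 10000KB/s'
            fields[key.strip()] = value.strip()
        if "ip" in fields:
            fields["ip"] = fields["ip"].split()        # several IPs are space separated
        vifs.append(fields)
    return vifs

def check_configs(configs):
    """configs maps domU name -> config text; returns a list of findings (empty = clean)."""
    findings, seen_mac, seen_ip = [], {}, {}
    for name, text in configs.items():
        for idx, vif in enumerate(parse_vifs(text)):
            where = f"{name} vif{idx}"
            mac = vif.get("mac", "").lower()
            if not mac:
                findings.append(f"{where}: no mac= set (the post asks for a unique mac per vif)")
            elif mac in seen_mac:
                findings.append(f"{where}: mac {mac} already used by {seen_mac[mac]}")
            else:
                seen_mac[mac] = where
            for ip in vif.get("ip", []):
                if ip in seen_ip:
                    findings.append(f"{where}: ip {ip} already used by {seen_ip[ip]}")
                else:
                    seen_ip[ip] = where
    return findings

# Constructed sample configs: 'bran' mirrors the two-bridge vif line from the post,
# 'other' reuses one of its MACs and IPs and leaves the mac off its second vif.
SAMPLE_CONFIGS = {
    "bran": "name = 'bran'\nvif = ['ip=89.201.167.4, vifname=vifbran0, rate = 10000KB/s, "
            "bridge=xenbr0, mac=00:16:3e:00:00:01', 'ip=192.168.1.10, vifname=vifbran1, "
            "rate = 10000KB/s, bridge=xenbr1, mac=00:16:3e:00:00:02']\n",
    "other": "name = 'other'\nvif = ['ip=192.168.1.10 192.168.1.11, bridge=xenbr1, "
             "mac=00:16:3E:00:00:02', 'ip=10.0.0.5, bridge=xenbr0']\n",
}
```

Running <code>check_configs(SAMPLE_CONFIGS)</code> over the constructed pair yields three findings: the reused MAC, the reused 192.168.1.10, and the vif with no mac= at all.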