
Network antispoof with Xen 4.x

I’ve recently set up a new Xen Dom0 for use by a lot of people, many of whom I may not know very well. This being the case, I want to make sure that people behave and don’t take more than they are allocated. The big thing I needed to solve was people simply taking IP addresses out of the /24 assigned to the server.

Xen 3.4.1 had a working solution (its vif scripts did the antispoof filtering); however, it seems to be completely broken in 4.x.

So, to solve this, I found that a few iptables rules on the bridge give the same result.

1) Enable iptables on bridging interfaces in /etc/sysctl.conf

net.bridge.bridge-nf-call-iptables = 1

Then reload the file using sysctl -p. Note that the net.bridge.* keys only exist once the bridge module is loaded, so create the bridge (or load the module) first, otherwise sysctl -p reports the key as unknown and the rules below never see bridged traffic.

2) Write the rules in /etc/sysconfig/iptables:

*filter
:INPUT ACCEPT [26:2197]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [444:63703]
-A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p icmp -j ACCEPT
-A INPUT -i eth0 -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -d 192.168.1.0/24 -j ACCEPT
-A FORWARD -s 192.168.1.10/32 -m mac --mac-source 11:22:33:44:55:66 -j ACCEPT
-A FORWARD -s 192.168.1.11/32 -m mac --mac-source 11:22:33:44:55:67 -j ACCEPT
-A FORWARD -j DROP
COMMIT

3) When you set up the DomU config file in /etc/xen, alter your vif line to specify the MAC address:

1
vif             = [ 'mac=11:22:33:44:55:66,bridge=br0' ]

Now for the explanation. When a packet is sent TO the DomU, the destination rule (-d 192.168.1.0/24) matches and the packet flows TO the DomU. When the DomU replies, the packet only passes if its source IP and source MAC together match one of the --mac-source rules; otherwise it falls through to the final DROP.

The added benefit here is that, as we DROP everything else, if the DomU changes its IP or grabs an IP not paired with its MAC, its packets to anything outside the /24 are simply dropped. Two caveats: bridge-nf-call-iptables only hands IPv4 to iptables, so ARP and IPv6 frames from the guests are not filtered by these rules (those need the arptables/ip6tables equivalents), and the -d rule accepts anything addressed to the /24, including guest-to-guest traffic on the same bridge.

Sadly, there’s nothing in this ruleset to stop people from using other entries you put on the list, because the mac match only checks the source address the guest writes into the frame - however, it does stop random resource grabs for IPs.
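As an added example that is not part of the original post, the following POSIX shell script generates both the /etc/sysconfig/iptables ruleset and the matching /etc/xen vif lines from one allocation list, so the MAC in the rule and the MAC in the DomU config cannot drift apart, and it refuses to emit anything for a malformed IP or MAC. It goes one step beyond the post by also pinning each IP/MAC pair to the guest’s own bridge port with the physdev match and a vifname= key on the vif line, which stops a guest from borrowing another listed MAC from its own vif. The subnet, br0 and eth0 are the post’s sample values; the vif names vm10/vm11 and the IP/MAC table are constructed, and the vifname= key is assumed to be supported by your Xen toolstack.

```shell
#!/bin/sh
# Added example, not from the original post: build the antispoof ruleset
# and the matching Xen vif lines from one allocation list, so the MAC in
# iptables and the MAC in /etc/xen/<domu> never drift apart.
# SUBNET, BRIDGE and UPLINK follow the post's sample values; the DOMUS
# table below is constructed sample data (hypothetical vif names).

SUBNET="192.168.1.0/24"
BRIDGE="br0"
UPLINK="eth0"

# One DomU per line: "<ip> <mac> <vifname>" (constructed sample data).
# vifname is set on the vif line so the rule can be pinned to that port.
DOMUS='192.168.1.10 11:22:33:44:55:66 vm10
192.168.1.11 11:22:33:44:55:67 vm11'

# valid_ip A.B.C.D -> success when exactly four decimal octets in 0..255
valid_ip() {
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case "$o" in ''|*[!0-9]*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
}

# valid_mac xx:xx:xx:xx:xx:xx -> success when six colon-separated hex octets
valid_mac() {
    [ "${#1}" -eq 17 ] || return 1
    rest=$1; n=0
    while [ -n "$rest" ]; do
        octet=${rest%%:*}
        case "$octet" in [0-9a-fA-F][0-9a-fA-F]) ;; *) return 1 ;; esac
        n=$((n + 1))
        case "$rest" in *:*) rest=${rest#*:} ;; *) rest= ;; esac
    done
    [ "$n" -eq 6 ]
}

# gen_rules -> the complete /etc/sysconfig/iptables text on stdout;
# returns non-zero (stopping before COMMIT) on a malformed allocation.
gen_rules() {
    printf '%s\n' '*filter' ':INPUT ACCEPT [0:0]' ':FORWARD ACCEPT [0:0]' ':OUTPUT ACCEPT [0:0]'
    printf '%s\n' "-A INPUT -i $UPLINK -m state --state RELATED,ESTABLISHED -j ACCEPT"
    printf '%s\n' "-A INPUT -i $UPLINK -p icmp -j ACCEPT"
    printf '%s\n' "-A INPUT -i $UPLINK -j REJECT --reject-with icmp-host-prohibited"
    # Anything addressed to a DomU in the subnet is allowed through.
    printf '%s\n' "-A FORWARD -d $SUBNET -j ACCEPT"
    while read -r ip mac vif; do
        [ -n "$ip" ] || continue
        valid_ip "$ip"   || { echo "gen_rules: bad ip '$ip'" >&2; return 1; }
        valid_mac "$mac" || { echo "gen_rules: bad mac '$mac'" >&2; return 1; }
        [ -n "$vif" ]    || { echo "gen_rules: missing vifname for $ip" >&2; return 1; }
        # Source IP, source MAC and the bridge port the frame arrived on must
        # all agree, so a guest cannot borrow another listed MAC from its vif.
        printf '%s\n' "-A FORWARD -s $ip/32 -m mac --mac-source $mac -m physdev --physdev-in $vif -j ACCEPT"
    done <<EOF
$DOMUS
EOF
    # Everything else coming from the guests (other IPs, other MACs) is dropped.
    printf '%s\n' '-A FORWARD -j DROP' 'COMMIT'
}

# gen_vif NAME -> the /etc/xen vif line for the DomU whose vifname is NAME
gen_vif() {
    while read -r ip mac vif; do
        if [ "$vif" = "$1" ]; then
            printf "vif             = [ 'mac=%s,bridge=%s,vifname=%s' ]\n" "$mac" "$BRIDGE" "$vif"
            return 0
        fi
    done <<EOF
$DOMUS
EOF
    echo "gen_vif: no DomU named '$1'" >&2
    return 1
}

# bridge_nf_enabled -> success when bridged IPv4 is actually handed to iptables
bridge_nf_enabled() {
    [ "$(cat /proc/sys/net/bridge/bridge-nf-call-iptables 2>/dev/null)" = 1 ]
}

# Usage:  sh antispoof.sh rules > /etc/sysconfig/iptables
#         sh antispoof.sh vif vm10      (paste into /etc/xen/vm10.cfg)
case "${1:-}" in
    rules) bridge_nf_enabled || echo "warning: bridge-nf-call-iptables is not 1" >&2
           gen_rules ;;
    vif)   gen_vif "${2:-}" ;;
esac
```

Running it with `rules` warns when step 1 has not taken effect yet, since a ruleset loaded before bridge-nf-call-iptables is 1 never sees the guests’ frames at all.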

This post is licensed under CC BY 4.0 by the author.