Scope of filters


Florian Heigl

Jun 6, 2011, 4:50:42 PM6/6/11
to capirca-dev
Hi,

Can one of you help me with a few lines of extra "introduction" to
something I couldn't yet figure out?

Say, I have a Xen host that is doing routing for the VMs running on
it.

I would like to protect it from all traffic except ssh, check_mk
(nagios) and one SOAP API port. On the other hand I would have to let
all traffic pass that is aimed for one of the VMs. And on the third
hand (I had that left over from somewhere) it would be all sensible to
do egress filtering in the host so that no VM can i.e. do some
spoofing.

Worse example: I had other xen hosts that have normal ethernet
interfaces (normal rules) and some IPoIB interconnects. On the latter
I wouldn't want any kind of filtering, because of performance concerns
and also because all tcp traffic would not be seen by the firewall
there anyway.

Can you show me how you'd usually specify single interfaces in
capirca, or how you'd "let foreign traffic pass"?

I can add some more docs to the wiki once I've understood it :>

Peter Moody

Jun 7, 2011, 3:34:07 PM6/7/11
to capir...@googlegroups.com, Tony Watson
This is probably best answered by Tony who actually wrote the iptables module.
--
Peter Moody      Google    1.650.253.7306    
Network Security Engineer  pgp:0xC3410038


Tony Watson

Jun 8, 2011, 12:09:14 PM6/8/11
to capirca-dev
Hello Florian,
As you may have noticed, none of the generators (cisco, juniper, etc) have interface specific arguments.  Generally, a filter is built then applied by an admin to the appropriate router interface.
With iptables there is no way to apply a given filter to a single interface (at least not without using -i/-o argument on each iptables rule).  As such, a generated iptables filter will apply to "all interfaces" on the host.  

However, there are ways to achieve what you want to do.

If, for example, the host is 10.1.1.1/32 and the VMs are all in 192.168.1.0/24 you could simply craft a policy rule at the top of your INPUT and OUTPUT filters such as:
term allow-to-vms {
  destination-address:: VM_NETWORK  (192.168.1.0/24)
  destination-exclude:: VM_HOST (10.1.1.1/32)
  action:: accept
}
...rest of rules...

For the OUTPUT, simply duplicate this rule but replace 'destination-*' with 'source-*'.  This will allow all traffic to and from the VMs, while still protecting the host.  Later rules can permit specific traffic to the host itself (such as ssh).

The policy language also has an option to deal with currently unsupported features.  This command is called "verbatim", and it will inject any specified text into the output policy verbatim (without modification or interpretation.)  So, for example, if you want the iptables policy to apply to all interfaces except for ETH3 where you want to just pass all traffic, you could place the following rule first in your policy.

term allow-all-inbound-for-eth3 {
  verbatim::  iptables "-A INPUT -i eth3 -j ACCEPT"
}
...rest of rules...

Hopefully, this will help.  Please let us know if this works for you.
I have a todo on my development list to add interface specific options to rules which would make this much easier.  Hopefully, I'll get this done shortly.
--
Tony
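
Putting the two suggestions above together for the Xen-router case, as an added example that is not from this thread or from the capirca project: one policy file carrying an INPUT filter (host protection plus the verbatim pass-through for the unfiltered interconnect) and a FORWARD filter (pass routed VM traffic, drop anything leaving with a non-VM source address). The names VM_NETWORK, VM_HOST, SSH, CHECK_MK and SOAP_API are assumed to be defined in the accompanying .net/.svc definition files, and eth3 as the IPoIB interface is a placeholder.

```text
header {
  comment:: "Xen host: protect the host itself"
  target:: iptables INPUT DROP
}

term pass-eth3-unfiltered {
  comment:: "IPoIB interconnect (assumed to be eth3), left unfiltered via verbatim"
  verbatim:: iptables "-A INPUT -i eth3 -j ACCEPT"
}

term allow-to-vms {
  comment:: "Anything addressed to a VM passes; the host's own address is excluded"
  destination-address:: VM_NETWORK
  destination-exclude:: VM_HOST
  action:: accept
}

term allow-host-services {
  comment:: "Only ssh, check_mk and the SOAP API may reach the host (assumed service names)"
  destination-address:: VM_HOST
  protocol:: tcp
  destination-port:: SSH CHECK_MK SOAP_API
  action:: accept
}

term deny-rest-to-host {
  action:: deny
}

header {
  comment:: "Routed VM traffic: pass it, but drop spoofed sources leaving the VMs"
  target:: iptables FORWARD DROP
}

term forward-to-vms {
  destination-address:: VM_NETWORK
  action:: accept
}

term forward-from-vms {
  comment:: "Egress filter: only packets carrying a real VM source address may leave"
  source-address:: VM_NETWORK
  action:: accept
}

term deny-spoofed {
  comment:: "Any other forwarded packet has a source address that is not ours"
  action:: deny
}
```

The FORWARD filter is where the anti-spoofing request from the first message lands, since routed VM traffic never traverses INPUT or OUTPUT; once the source-interface:: token announced later in this thread is available, the verbatim term can be expressed natively for the iptables generator.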

Florian Heigl

Jun 8, 2011, 7:07:15 PM6/8/11
to capir...@googlegroups.com
Thanks to both of you :)

>    As you may have noticed, none of the generators (cisco, juniper, etc)
> have interface specific arguments.  Generally, a filter is built then
> applied by an admin to the appropriate router interface.

Makes very much sense and I'll build something to apply rules to the
appropriate interfaces.
Looking forward to the next tests :)

Florian

--
the purpose of libvirt is to provide an abstraction layer hiding all
xen features added since 2006 until they were finally understood and
copied by the kvm devs.

watson

Jul 14, 2011, 12:48:14 PM7/14/11
to capir...@googlegroups.com

FYI, a source-interface:: token has been added to the policy language (currently Iptables/speedway only) that allows you to now specify an interface, such as eth1.
