Xen: firewall DomU from Dom0

Have you ever wondered how to force some firewall rules on a xen DomU and the DomU root won't be able to use some ports etc?
Well, the only proper way is to firewall DomU from the Dom0 machine.
Here is a way to do it.
This script is just an example. It should be made more universal and can apply to ALL of your DomU's for their protection :-) or logging specific traffic.
/sbin/iptables -N vps
#outbound traffic redirect to vps - a per DomU chain.
/sbin/iptables -I FORWARD -m physdev  --physdev-out peth0 --physdev-in $vifname -j vps
#log some of the traffic
/sbin/iptables -A "vps" -j LOG -m  tcp --dport 80,110,113 --log-level 4 --log-prefix '*DomUNameHere-shows-in-logs*'
#allow some ports
/sbin/iptables -A "vps" -p tcp -m tcp --dport 20 -j RETURN
/sbin/iptables -A "vps" -p tcp -m tcp --dport 21 -j RETURN
/sbin/iptables -A "vps" -p tcp -m tcp --dport 22 -j RETURN
/sbin/iptables -A "vps" -p tcp -m tcp --dport 80 -j RETURN
/sbin/iptables -A "vps" -p tcp -m tcp --dport 443 -j RETURN
/sbin/iptables -A "vps" -p tcp -m tcp --dport 6666 -j RETURN
/sbin/iptables -A "vps" -p tcp -m tcp --dport 6667 -j RETURN
/sbin/iptables -A "vps" -p tcp -m tcp --dport 6668 -j RETURN
/sbin/iptables -A "vps" -p tcp -m tcp --dport 6669 -j RETURN
/sbin/iptables -A "vps" -p udp -m udp --dport 53 -j RETURN
#allow establieshed connections from inside the DomU to go back in
/sbin/iptables -A "vps" -p tcp -m state --state RELATED,ESTABLISHED -j RETURN
#drop all other traffic.
/sbin/iptables -A "vps" -p tcp -j DROP


Trackback specific URI for this entry

This link is not meant to be clicked. It contains the trackback URI for this entry. You can use this URI to send ping- & trackbacks from your own blog to this entry. To copy the link, right click and select "Copy Shortcut" in Internet Explorer or "Copy Link Location" in Mozilla.

No Trackbacks


Display comments as Linear | Threaded

No comments

Add Comment

You can use [geshi lang=lang_name [,ln={y|n}]][/geshi] tags to embed source code snippets.
Enclosing asterisks marks text as bold (*word*), underscore are made via _word_.
Standard emoticons like :-) and ;-) are converted to images.
E-Mail addresses will not be displayed and will only be used for E-Mail notifications.
To leave a comment you must approve it via e-mail, which will be sent to your address after submission.

To prevent automated Bots from commentspamming, please enter the string you see in the image below in the appropriate input box. Your comment will only be submitted if the strings match. Please ensure that your browser supports and accepts cookies, or your comment cannot be verified correctly.