Original post date: March 30th, 2011
Updated: April 4th, 2011 (missing rule in prolog)
It's a bit of a problem to manage a firewall for a Xen dom0 with Firewall Builder (fwbuilder). Xen itself adds forwarding rules when starting a virtual machine, and these rules are wiped away when the fwbuilder-generated script installs its own, which is unfortunate.
Summing up, the final plan was to install a firewall on dom0 that should a) forward to the VMs the packets originating outside and directed to them (and the replies back), and b) protect dom0 itself.
It took me some time, experiments and advice to get it right, and here's how. Xen mediates the connections to the virtual machines using bridging. To make the firewall work properly I needed to mark it as a bridging firewall in fwbuilder; then I needed it to deal properly with iptables' physdev module.
I tested several possible solutions and also asked for advice on the fwbuilder-discussion list. Rebuilding the standard set of Xen rules is easy indeed, and the few shell script lines would easily fit in an epilog script in fwbuilder. But I felt that it was not the solution I was looking for.
So, the final plan formed with this shape:
- set the policy to DROP
- allow all outgoing traffic
- forward all connections entering the machine from an external interface and wishing to go to a vif interface
- forward all connections going out from a vif interface, wherever they want to go
- allow connections going to the dom0 interfaces for "permitted" services
- drop all the rest
- Then, configure individual firewalls for each virtual machine.
The tricky part was getting the third and fourth points into place, but it turns out not to be hard. Actually, it's enough to add these lines as a prolog:
$IPTABLES -A FORWARD -m physdev --physdev-in peth+ --physdev-out vif+ -j ACCEPT
$IPTABLES -A FORWARD -m physdev --physdev-in vif+ --physdev-out peth+ -j ACCEPT
$IPTABLES -A FORWARD -m physdev --physdev-in vif+ --physdev-out vif+ -j ACCEPT
This prolog should be set to run after policy reset.
That's all! dom0 is now properly firewalled, and you should now firewall each VM as an independent entity, applying iptables rules inside the VM.
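As an added example (not the post's own fwbuilder configuration), here is the whole plan above as a stand-alone POSIX sh script: the interface patterns peth+ and vif+ and the three physdev rules come from the post, while the permitted dom0 service (ssh on TCP 22), the $IPTABLES default path and the split between generating and applying rules are my assumptions. Bridged traffic only reaches these FORWARD rules when net.bridge.bridge-nf-call-iptables is enabled on dom0.

```shell
#!/bin/sh
# Added example: the six-point dom0 plan as one iptables script.
# Assumptions: physical NIC is peth+, VM interfaces are vif+, fwbuilder-style
# $IPTABLES variable; the ssh port is a constructed choice for "permitted services".
IPTABLES="${IPTABLES:-/sbin/iptables}"
PHYS_IF="${PHYS_IF:-peth+}"
VIF_IF="${VIF_IF:-vif+}"
DOM0_TCP_PORTS="${DOM0_TCP_PORTS:-22}"

# Print the rule set, one iptables invocation per line, without running it,
# so it can be reviewed (or diffed against iptables-save) before going live.
xen_dom0_rules() {
    # 1. default policy DROP for traffic to dom0 and through the bridge
    echo "$IPTABLES -P INPUT DROP"
    echo "$IPTABLES -P FORWARD DROP"
    # 2. allow all outgoing traffic from dom0, and the replies to it
    echo "$IPTABLES -P OUTPUT ACCEPT"
    echo "$IPTABLES -A INPUT -i lo -j ACCEPT"
    echo "$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    # 3. outside -> VM and 4. VM -> anywhere: the prolog rules from the post
    echo "$IPTABLES -A FORWARD -m physdev --physdev-in $PHYS_IF --physdev-out $VIF_IF -j ACCEPT"
    echo "$IPTABLES -A FORWARD -m physdev --physdev-in $VIF_IF --physdev-out $PHYS_IF -j ACCEPT"
    echo "$IPTABLES -A FORWARD -m physdev --physdev-in $VIF_IF --physdev-out $VIF_IF -j ACCEPT"
    # 5. permitted services on dom0 itself (new connections only)
    for port in $DOM0_TCP_PORTS; do
        echo "$IPTABLES -A INPUT -p tcp --dport $port -m state --state NEW -j ACCEPT"
    done
    # 6. everything else falls through to the DROP policies above
}

# Sanity check: the plan needs exactly three physdev FORWARD rules.
physdev_forward_count() {
    xen_dom0_rules | grep -c -- '-A FORWARD -m physdev'
}

# Apply for real only when asked explicitly, e.g. `sh xen-fw.sh apply` as root.
if [ "${1:-}" = "apply" ]; then
    xen_dom0_rules | while read -r rule; do eval "$rule"; done
fi
```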