Since you're using XEN with bridged networking, packets are being intercepted at a level before ordinary iptables commands can influence them. Thus, you'll probably need to use the ebtables command to influence packet routing in the way that you want to.
Original answer left below that will work for other configurations, but not for XEN with bridged networking.
I am going to pretend for the sake of example that the IP address of vif1.0 is 192.168.1.100.
I would redo the logic to not check the input device, but to instead check by IP Address. At the input chain, the packet is coming from (say) device eth0, not from vif1.0. Thus, this rule:
iptables -I INPUT -i vif1.0 -j domUFirewall
that I previously proposed will never match any packets. However, if you do the following, it should do what you want:
where in this case the chain domUFirewall is set up by:
iptables -N domUFirewall
iptables -F domUFirewall
iptables -A domUFirewall -p icmp -j DROP
If a given chain is for a single device, then you want to make this check before jumping into the chain, on a rule with the "-j chainName" action. Then, in the chain itself, you never have to check for the device or IP Address.
Second, I would always flush (empty) the chain in your script, just in case you're re-running the script. Note that when you rerun the script, you may get complaints on the -N line. That's OK.
There are other ways you could do this, but to give a different example, I would need to know specifically how your VM is set up -- bridged networking? NAT? Etc. But the example I gave here should work in any of these modes.
发布评论
评论(1)
由于您使用带有桥接网络的 XEN,因此在普通 iptables 命令影响数据包之前,数据包就会被拦截。 因此,您可能需要使用 ebtables 命令以您想要的方式影响数据包路由。
下面留下的原始答案适用于其他配置,但不适用于桥接网络的 XEN。
为了举例,我假设
vif1.0的 IP 地址是 192.168.1.100。我会重做逻辑,不检查输入设备,而是按 IP 地址进行检查。 在输入链中,数据包来自(例如)设备
eth0,而不是来自vif1.0。 因此,我之前提出的这条规则永远不会匹配任何数据包。 但是,如果您执行以下操作,它应该执行您想要的操作:
在这种情况下,链
domUFirewall设置如下:如果给定链适用于单个设备,那么您希望将其设置为在跳入链之前,使用“
-j chainName”操作检查规则。 然后,在链本身中,您无需检查设备或 IP 地址。其次,我总是会刷新(清空)脚本中的链,以防万一您重新运行脚本。 请注意,当您重新运行脚本时,您可能会在
-N行收到投诉。 没关系。还有其他方法可以做到这一点,但举一个不同的例子,我需要具体了解您的虚拟机是如何设置的——桥接网络? 网络地址转换? 等等,但我在这里给出的示例应该可以在任何这些模式下工作。
以下是一些对未来有用的链接:
Since you're using XEN with bridged networking, packets are being intercepted at a level before ordinary iptables commands can influence them. Thus, you'll probably need to use the
ebtablescommand to influence packet routing in the way that you want to.Original answer left below that will work for other configurations, but not for XEN with bridged networking.
I am going to pretend for the sake of example that the IP address of
vif1.0is 192.168.1.100.I would redo the logic to not check the input device, but to instead check by IP Address. At the input chain, the packet is coming from (say) device
eth0, not fromvif1.0. Thus, this rule:that I previously proposed will never match any packets. However, if you do the following, it should do what you want:
where in this case the chain
domUFirewallis set up by:If a given chain is for a single device, then you want to make this check before jumping into the chain, on a rule with the "
-j chainName" action. Then, in the chain itself, you never have to check for the device or IP Address.Second, I would always flush (empty) the chain in your script, just in case you're re-running the script. Note that when you rerun the script, you may get complaints on the
-Nline. That's OK.There are other ways you could do this, but to give a different example, I would need to know specifically how your VM is set up -- bridged networking? NAT? Etc. But the example I gave here should work in any of these modes.
Here are some useful links for the future: