Recently I’m playing with Xen virtualization, and I came across one protential problem. As I need to share my guest machines to clients, I must give them root privileges… that’s whats VPS-es all about… having root access to OS without having to purchase expensive physical ones. So having that in mind they are by default untrusted and unpredictable. Probably only god knows what they will do on their VMs!
So what’s the exact problem here?
By default xen, and all those tools, like Cpanel / WHM and Webmin, don’t really have a way of sorting out ip conflicts. So basically you have some scripts that will setup clients ip address during his machine startup, you have vif ip statment in the config file. But what’s really holds clients from entering:
# ifconfig eth0 x.x.x.x
Where x.x.x.x is the IP of some super important server in same netmask. Luckily for me I came across this problem while still in testing. Xen supports ip declaration in vif statment of dom config file:
vif = ['ip=x.x.x.x, more parametars here....']
Also you can declare multiple ip’s by simply putting space between them, like this:
vif = ['ip=xx.xx.xx.x1 xx.xx.xx.x2, more parametars here....']
For the purpose of ip conflict prevention make sure you declare unique MAC address in vif section too.
Next step is to install ebtables on your Dom0 box. After that, all we need to do is to apply the following patch for the script vif-bridge located in /etc/xen/scripts/:
[root@dom0 scripts]# diff -u vif-bridge-org vif-bridge
--- vif-bridge-org 2009-11-12 16:31:56.000000000 +0800
+++ vif-bridge 2009-11-12 16:40:38.000000000 +0800
@@ -57,15 +57,41 @@
online)
setup_bridge_port "$vif"
add_to_bridge "$bridge" "$vif"
+
+ ebtables -N $vif
+ ebtables -P $vif DROP
+ ebtables -A INPUT -i $vif -j $vif
+ ebtables -A FORWARD -i $vif -j $vif
+ ebtables -A $vif -p ARP --arp-opcode 1 -j ACCEPT
+
+ if [ ! -z "$ip" ]
+ then
+ for oneip in $ip
+ do
+ ebtables -A $vif -p IPv4 --ip-src $oneip -j ACCEPT
+ ebtables -A $vif -p IPv4 --ip-dst $oneip -j ACCEPT
+ ebtables -A $vif -p ARP --arp-opcode 2 --arp-ip-src $oneip -j ACCEPT
+ done
+
+ ebtables -A $vif --log-prefix="arp-drop" --log-arp -j DROP
+
+ fi
+
;;
offline)
do_without_error brctl delif "$bridge" "$vif"
do_without_error ifconfig "$vif" down
+
+ do_without_error ebtables -D INPUT -i $vif -j $vif
+ do_without_error ebtables -D FORWARD -i $vif -j $vif
+ do_without_error ebtables -F $vif
+ do_without_error ebtables -X $vif
+
;;
esac
-handle_iptable
+#handle_iptable
log debug "Successful vif-bridge $command for $vif, bridge $bridge."
if [ "$command" == "online" ]
It’s tested OK in my latest CentOS-5.4 box.
Presuming you use bridging scripts this effectively binds ip address-es from “vif = ['ip=x.x.x.x']” list to mac addresses from vif list. Binding is done while enabling vps machine and undone when powering it off.
So this way untrusted user is limited only to the ip addresses defined in xen guest conf file, trying to change existing ip address into another one on same network will only cause that machine unresponsive.
Warning: This post is original created by Branko at his blog site. I copied his content, and updated some settings so that it can work in CentOS-5.4.
Related posts:
Thank you very much for this, I have been struggling to find a solution to this exact problem.