Virsh Netfilter: Unterschied zwischen den Versionen
Thomas (Diskussion | Beiträge) (Die Seite wurde neu angelegt: „=List= *virsh nwfilter-list <pre> setlocale: No such file or directory UUID Name --------------------------------------------…“) |
Thomas (Diskussion | Beiträge) |
| (6 dazwischenliegende Versionen desselben Benutzers werden nicht angezeigt) | |||
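--- a/Virsh Netfilter
+++ b/Virsh Netfilter
@@ -24,2 +24,117 @@
 e365fce0-d793-42b7-92f6-801bf1f6b6ab qemu-announce-self-rarp
 </pre>
+
+=xinux.xml=
+<pre>
+<filter name='xinux' chain='ipv4'>
+<rule action='accept' direction='in' priority='500'>
+<tcp dstportstart='22'/>
+</rule>
+<rule action='accept' direction='in' priority='500'>
+<tcp dstportstart='80'/>
+</rule>
+<rule action='accept' direction='out' priority='500'>
+<icmp/>
+</rule>
+<rule action='accept' direction='out' priority='500'>
+<udp dstportstart='53'/>
+</rule>
+<rule action='drop' direction='inout' priority='500'>
+<all/>
+</rule>
+</filter>
+</pre>
+=Define=
+*virsh nwfilter-define xinux.xml
+Network filter xinux defined from xinux.xml
+=Edit the interface Section from a Host=
+<pre>
+<interface type='network'>
+...
+<filterref filter='xinux'/>
+...
+</interface>
+</pre>
+=iptables -nvL=
+<pre>
+Chain INPUT (policy ACCEPT 3574 packets, 3864K bytes)
+pkts bytes target prot opt in out source destination
+13285 12M libvirt-host-in all -- * * 0.0.0.0/0 0.0.0.0/0
+
+Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
+pkts bytes target prot opt in out source destination
+0 0 libvirt-in all -- * * 0.0.0.0/0 0.0.0.0/0
+0 0 libvirt-out all -- * * 0.0.0.0/0 0.0.0.0/0
+0 0 libvirt-in-post all -- * * 0.0.0.0/0 0.0.0.0/0
+
+Chain OUTPUT (policy ACCEPT 3193 packets, 373K bytes)
+pkts bytes target prot opt in out source destination
+
+Chain libvirt-host-in (1 references)
+pkts bytes target prot opt in out source destination
+
+Chain libvirt-in (1 references)
+pkts bytes target prot opt in out source destination
+
+Chain libvirt-in-post (1 references)
+pkts bytes target prot opt in out source destination
+
+Chain libvirt-out (1 references)
+pkts bytes target prot opt in out source destination
+root@ryzen:~# iptables -nvL
+Chain INPUT (policy ACCEPT 115 packets, 52203 bytes)
+pkts bytes target prot opt in out source destination
+301 378K libvirt-host-in all -- * * 0.0.0.0/0 0.0.0.0/0
+
+Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
+pkts bytes target prot opt in out source destination
+0 0 libvirt-in all -- * * 0.0.0.0/0 0.0.0.0/0
+0 0 libvirt-out all -- * * 0.0.0.0/0 0.0.0.0/0
+0 0 libvirt-in-post all -- * * 0.0.0.0/0 0.0.0.0/0
+
+Chain OUTPUT (policy ACCEPT 100 packets, 17782 bytes)
+pkts bytes target prot opt in out source destination
+
+Chain FI-vnet0 (1 references)
+pkts bytes target prot opt in out source destination
+0 0 RETURN tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:22 ctstate ESTABLISHED ctdir REPLY
+0 0 RETURN tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:80 ctstate ESTABLISHED ctdir REPLY
+0 0 RETURN icmp -- * * 0.0.0.0/0 0.0.0.0/0 ctstate NEW,ESTABLISHED ctdir ORIGINAL
+0 0 RETURN udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:53 ctstate NEW,ESTABLISHED ctdir ORIGINAL
+0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
+
+Chain FO-vnet0 (1 references)
+pkts bytes target prot opt in out source destination
+0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 ctstate NEW,ESTABLISHED ctdir ORIGINAL
+0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 ctstate NEW,ESTABLISHED ctdir ORIGINAL
+0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 ctstate ESTABLISHED ctdir REPLY
+0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spt:53 ctstate ESTABLISHED ctdir REPLY
+0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
+
+Chain HI-vnet0 (1 references)
+pkts bytes target prot opt in out source destination
+0 0 RETURN tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:22 ctstate ESTABLISHED ctdir REPLY
+0 0 RETURN tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:80 ctstate ESTABLISHED ctdir REPLY
+0 0 RETURN icmp -- * * 0.0.0.0/0 0.0.0.0/0 ctstate NEW,ESTABLISHED ctdir ORIGINAL
+0 0 RETURN udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:53 ctstate NEW,ESTABLISHED ctdir ORIGINAL
+0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
+
+Chain libvirt-host-in (1 references)
+pkts bytes target prot opt in out source destination
+0 0 HI-vnet0 all -- * * 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-in vnet0
+
+Chain libvirt-in (1 references)
+pkts bytes target prot opt in out source destination
+0 0 FI-vnet0 all -- * * 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-in vnet0
+
+Chain libvirt-in-post (1 references)
+pkts bytes target prot opt in out source destination
+0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 PHYSDEV match --physdev-in vnet0
+
+Chain libvirt-out (1 references)
+pkts bytes target prot opt in out source destination
+0 0 FO-vnet0 all -- * * 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-out vnet0 --physdev-is-bridged
+</pre>
+
+=Links=
+*https://libvirt.org/formatnwfilter.html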
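Review bot: The final `<rule action='drop' direction='inout'>` with `<all/>` only catches IPv4, because the filter is declared `chain='ipv4'`, and the section shows only `iptables -nvL`, so a reader will take "everything else is dropped" from it although IPv6, ARP and other non-IP frames on vnet0 are not touched by this filter. A caveat after the closing `</pre>` of the xinux.xml section would prevent that, e.g. `Note: chain='ipv4' covers IPv4 only; reference the stock no-mac-spoofing / no-ip-spoofing / clean-traffic filters via <filterref> inside this filter, or add an ipv6 filter, if other traffic on the interface must be restricted too.` The heading `=Edit the interface Section from a Host=` is misleading because the `<interface>` element shown belongs to the guest's domain XML; `=Add the filterref to the guest's interface section=` says what is actually done. The two `iptables -nvL` dumps under one heading are not distinguished, so a line such as `Before the filter is attached:` ahead of the first `<pre>` and `After attaching the filter to vnet0:` ahead of the `root@ryzen:~#` prompt line would make the before/after comparison explicit.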
Aktuelle Version vom 17. Oktober 2017, 19:53 Uhr
List
- virsh nwfilter-list
setlocale: No such file or directory UUID Name ------------------------------------------------------------------ 3af26f25-7357-4fb9-83ea-07363e2554fc allow-arp 7fd44e20-45b8-49f4-9779-d88cd6159a07 allow-dhcp 9eb598dc-096d-4e10-a675-a55fe51fa1db allow-dhcp-server c42dabd6-08c2-4f7e-b0df-4e3152e6f6aa allow-incoming-ipv4 e94fc948-5c47-44b5-aba7-be23a0494377 allow-ipv4 b11a440a-9008-4c52-9af8-7bde6e4531a4 clean-traffic 3ea57df0-dc27-4f51-a18d-806ebf962d70 no-arp-ip-spoofing 1824b813-d13d-4d36-9a85-b5bf28896382 no-arp-mac-spoofing 4757f553-a221-4040-ab9a-d6cf32123103 no-arp-spoofing e8143908-9b86-4066-9b22-4821a11b6106 no-ip-multicast 24f37081-67e9-4006-8267-63c3f4d7443f no-ip-spoofing a804644c-5cd2-448f-8196-4e1b12ce0836 no-mac-broadcast 8fbe4a42-13a7-4914-8459-c43ee1227bfe no-mac-spoofing 5a670d8e-2ed1-4339-8fdd-4345335ddc1b no-other-l2-traffic daaf7518-13a8-4540-aada-5681ad440e71 no-other-rarp-traffic d217f2d7-5a04-0e01-8b98-ec2743436b74 no-spamming cb236f9e-e024-4e82-b167-8d0d5ab7529b qemu-announce-self e365fce0-d793-42b7-92f6-801bf1f6b6ab qemu-announce-self-rarp
xinux.xml
<!-- libvirt network filter "xinux"; attached to a guest NIC via <filterref filter='xinux'/>
     in the interface section below. chain='ipv4': as far as this page shows, only
     iptables (IPv4) rules are generated from it, so non-IPv4 traffic is not covered here. -->
<filter name='xinux' chain='ipv4'>
<!-- direction='in' = traffic towards the guest, direction='out' = traffic leaving the guest
     (compare the FO-vnet0 / FI-vnet0 chains in the iptables output below, which also
     add the ctstate/ctdir matches so that reply packets are let through). -->
<!-- inbound TCP to destination port 22 (SSH) -->
<rule action='accept' direction='in' priority='500'>
<tcp dstportstart='22'/>
</rule>
<!-- inbound TCP to destination port 80 (HTTP) -->
<rule action='accept' direction='in' priority='500'>
<tcp dstportstart='80'/>
</rule>
<!-- ICMP originating from the guest -->
<rule action='accept' direction='out' priority='500'>
<icmp/>
</rule>
<!-- outbound DNS queries (UDP to destination port 53) -->
<rule action='accept' direction='out' priority='500'>
<udp dstportstart='53'/>
</rule>
<!-- default for everything else this chain sees, in both directions: drop
     (all rules share priority 500, so the order above is the evaluation order) -->
<rule action='drop' direction='inout' priority='500'>
<all/>
</rule>
</filter>
Define
- virsh nwfilter-define xinux.xml
Network filter xinux defined from xinux.xml
Edit the interface section of the guest definition on the host
<interface type='network'> ... <filterref filter='xinux'/> ... </interface>
iptables -nvL
Chain INPUT (policy ACCEPT 3574 packets, 3864K bytes)
pkts bytes target prot opt in out source destination
13285 12M libvirt-host-in all -- * * 0.0.0.0/0 0.0.0.0/0
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 libvirt-in all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 libvirt-out all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 libvirt-in-post all -- * * 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy ACCEPT 3193 packets, 373K bytes)
pkts bytes target prot opt in out source destination
Chain libvirt-host-in (1 references)
pkts bytes target prot opt in out source destination
Chain libvirt-in (1 references)
pkts bytes target prot opt in out source destination
Chain libvirt-in-post (1 references)
pkts bytes target prot opt in out source destination
Chain libvirt-out (1 references)
pkts bytes target prot opt in out source destination
root@ryzen:~# iptables -nvL
Chain INPUT (policy ACCEPT 115 packets, 52203 bytes)
pkts bytes target prot opt in out source destination
301 378K libvirt-host-in all -- * * 0.0.0.0/0 0.0.0.0/0
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 libvirt-in all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 libvirt-out all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 libvirt-in-post all -- * * 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy ACCEPT 100 packets, 17782 bytes)
pkts bytes target prot opt in out source destination
Chain FI-vnet0 (1 references)
pkts bytes target prot opt in out source destination
0 0 RETURN tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:22 ctstate ESTABLISHED ctdir REPLY
0 0 RETURN tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:80 ctstate ESTABLISHED ctdir REPLY
0 0 RETURN icmp -- * * 0.0.0.0/0 0.0.0.0/0 ctstate NEW,ESTABLISHED ctdir ORIGINAL
0 0 RETURN udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:53 ctstate NEW,ESTABLISHED ctdir ORIGINAL
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
Chain FO-vnet0 (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 ctstate NEW,ESTABLISHED ctdir ORIGINAL
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 ctstate NEW,ESTABLISHED ctdir ORIGINAL
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 ctstate ESTABLISHED ctdir REPLY
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spt:53 ctstate ESTABLISHED ctdir REPLY
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
Chain HI-vnet0 (1 references)
pkts bytes target prot opt in out source destination
0 0 RETURN tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:22 ctstate ESTABLISHED ctdir REPLY
0 0 RETURN tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:80 ctstate ESTABLISHED ctdir REPLY
0 0 RETURN icmp -- * * 0.0.0.0/0 0.0.0.0/0 ctstate NEW,ESTABLISHED ctdir ORIGINAL
0 0 RETURN udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:53 ctstate NEW,ESTABLISHED ctdir ORIGINAL
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
Chain libvirt-host-in (1 references)
pkts bytes target prot opt in out source destination
0 0 HI-vnet0 all -- * * 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-in vnet0
Chain libvirt-in (1 references)
pkts bytes target prot opt in out source destination
0 0 FI-vnet0 all -- * * 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-in vnet0
Chain libvirt-in-post (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 PHYSDEV match --physdev-in vnet0
Chain libvirt-out (1 references)
pkts bytes target prot opt in out source destination
0 0 FO-vnet0 all -- * * 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-out vnet0 --physdev-is-bridged