2025-01-16 Update From: SLTechnology News&Howtos
Shulou(Shulou.com) 06/01 Report--
This article explains how to prevent VPS users under a Linux (Xen) host from changing their IP addresses. The explanation is simple, clear and easy to follow; please work through it along the editor's train of thought.
There are many places this can be enforced: the router, a firewall, the operating system, Xen itself, and so on. The two simple methods introduced here both start from dom0: one uses the Xen configuration on dom0, the other uses iptables on dom0.
Using the Xen configuration
Xen has an antispoof option for exactly this problem, but the default configuration does not enable it, so the network script setting needs to be modified:
The code is as follows:
# vi /etc/xen/xend-config.sxp
...
(network-script 'network-bridge antispoof=yes')
...
Then add the following iptables line to the frob_iptable() function in /etc/xen/scripts/vif-common.sh (the variable $c is set by that function to -A when a vif comes online and -D when it goes offline):
The code is as follows:
# vi /etc/xen/scripts/vif-common.sh
frob_iptable()
{
    ...
    # skip connection tracking for frames entering from this vif
    iptables -t raw "$c" PREROUTING -m physdev --physdev-in "$vif" "$@" -j NOTRACK
}
After modifying the Xen scripts, you also need to modify each domU configuration to assign that domU a fixed IP address, a fixed MAC address and a vif name:
The code is as follows:
# vi /etc/xen/vm01
...
vif = [ "vifname=vm01,mac=00:16:3e:7c:1f:6e,ip=172.16.39.105,bridge=xenbr0" ]
...
On many systems, frames crossing the bridge bypass the iptables FORWARD chain by default, so the kernel parameter bridge-nf-call-iptables must be set to 1. Put this setting in the antispoofing() function so that the kernel parameter is configured automatically every time Xen sets up the network:
The code is as follows:
# vi /etc/xen/scripts/network-bridge
antispoofing () {
    # make bridged traffic traverse the iptables FORWARD chain
    echo 1 > /proc/sys/net/bridge/bridge-nf-call-iptables
...
}
After these changes, shut down the domU, restart the iptables and xend services, and then start the domU again:
The code is as follows:
# xm shutdown vm01
# /etc/init.d/iptables restart
# /etc/init.d/xend restart
# xm create vm01
The above method works on Xen 3.x; some people report that it does not work on Xen 4.x. The method introduced below bypasses the Xen configuration and enforces the restriction directly with iptables, so it should work on both Xen 3.x and Xen 4.x.
Using iptables
First, make sure that iptables is enabled on dom0. Note that vifname, ip and mac must be added to the vif section of every domU configuration file, so that each domU can be referred to unambiguously in the iptables rules by its vif name and its address:
The code is as follows:
# /etc/init.d/iptables restart
# vi /etc/xen/vm01
...
vif = [ "vifname=vm01,mac=00:16:3e:7c:1f:6e,ip=172.16.39.105,bridge=xenbr0" ]
...
# vi /etc/iptables.rules
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# The antispoofing rules for domUs
-A FORWARD -m state --state RELATED,ESTABLISHED -m physdev --physdev-out vm01 -j ACCEPT
-A FORWARD -p udp -m physdev --physdev-in vm01 -m udp --sport 68 --dport 67 -j ACCEPT
-A FORWARD -s 172.16.39.105/32 -m physdev --physdev-in vm01 -j ACCEPT
-A FORWARD -d 172.16.39.105/32 -m physdev --physdev-out vm01 -j ACCEPT
# If the IP address is not allowed on that vif, log and drop it.
-A FORWARD -m limit --limit 15/min -j LOG --log-prefix "Dropped by firewall:" --log-level 7
-A FORWARD -j DROP
# The access rules for dom0
-A INPUT -j ACCEPT
COMMIT
# iptables-restore < /etc/iptables.rules
Of course, don't forget:
The code is as follows:
# echo 1 > /proc/sys/net/bridge/bridge-nf-call-iptables
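The ruleset above has to be repeated for every domU, and a vif whose address in the rules drifts from its config is either blocked or, worse, left unfiltered. As an added example (not part of the original article), the POSIX shell script below derives the per-domU antispoofing rules from each domU's vif= line so the two cannot disagree; the two vif lines and the helper names parse_vif and gen_antispoof_rules are constructed for this example.

```shell
#!/bin/sh
# Constructed sample vif= lines from two domU configs (not real files).
VM_CONFIGS='vif = [ "vifname=vm01,mac=00:16:3e:7c:1f:6e,ip=172.16.39.105,bridge=xenbr0" ]
vif = [ "vifname=vm02,mac=00:16:3e:7c:1f:6f,ip=172.16.39.106,bridge=xenbr0" ]'

# parse_vif (hypothetical helper): read vif= lines on stdin and print
# "vifname ip" per line. A vif without both fields prints nothing and
# therefore ends up under the final DROP rule, which fails closed.
parse_vif() {
  sed -n 's/.*vifname=\([^,"]*\).*[,"]ip=\([^,"]*\).*/\1 \2/p'
}

# gen_antispoof_rules (hypothetical helper): emit an iptables-restore
# ruleset for the "vifname ip" pairs read on stdin, mirroring the
# article's rules: established replies, DHCP requests, and traffic
# to/from the assigned address only; everything else is logged and dropped.
gen_antispoof_rules() {
  printf '%s\n' '*filter' ':INPUT ACCEPT [0:0]' ':FORWARD ACCEPT [0:0]' ':OUTPUT ACCEPT [0:0]'
  while read -r vif ip; do
    [ -n "$vif" ] && [ -n "$ip" ] || continue
    echo "# antispoofing rules for $vif"
    echo "-A FORWARD -m state --state RELATED,ESTABLISHED -m physdev --physdev-out $vif -j ACCEPT"
    echo "-A FORWARD -p udp -m physdev --physdev-in $vif -m udp --sport 68 --dport 67 -j ACCEPT"
    echo "-A FORWARD -s $ip/32 -m physdev --physdev-in $vif -j ACCEPT"
    echo "-A FORWARD -d $ip/32 -m physdev --physdev-out $vif -j ACCEPT"
  done
  echo '# anything else crossing the bridge is logged (rate-limited) and dropped'
  echo '-A FORWARD -m limit --limit 15/min -j LOG --log-prefix "Dropped by firewall:" --log-level 7'
  echo '-A FORWARD -j DROP'
  echo '-A INPUT -j ACCEPT'
  echo 'COMMIT'
}

# Print the generated ruleset; redirect it to /etc/iptables.rules to use it.
printf '%s\n' "$VM_CONFIGS" | parse_vif | gen_antispoof_rules
```

In a real deployment, feed it `cat /etc/xen/*` instead of the embedded sample and re-run it whenever a domU config changes.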
Thank you for reading; the above is the content of "how to prevent VPS users under the Linux system from changing IP addresses". After studying this article you should have a deeper understanding of the problem, though the specific setup still needs to be verified in practice. The editor will continue to push more related articles for you; welcome to follow!