2025-04-02 Update From: SLTechnology News&Howtos
Shulou(Shulou.com) 06/01 Report--
This article explains how to prevent Xen VPS users from changing their IP addresses themselves. Many people run into this problem in practice, so the editor walks through how to handle it. I hope you read it carefully and get something out of it!
As a Xen VPS service provider, we assign each VPS its own IP address. We do not want VPS users to change that IP address at will, because a changed address may conflict with another user's IP and makes administration harder, so we need to bind each IP to its VPS.
There are many places this can be enforced: the router, the firewall, the guest operating system, Xen itself, and so on. The two simple methods introduced here both work from dom0: one uses Xen's own configuration on dom0, the other uses iptables on dom0.
Using Xen to configure
Xen has an antispoof configuration option for exactly this problem, but the default configuration does not enable it, so the network script setting needs to be changed:
The code is as follows:
# vi /etc/xen/xend-config.sxp
...
(network-script 'network-bridge antispoof=yes')
...
Then modify the frob_iptable() function in /etc/xen/scripts/vif-common.sh by adding the following iptables line (the script sets $c to -I when the vif comes online and -D when it goes offline, and $vif to the vif name):
The code is as follows:
# vi /etc/xen/scripts/vif-common.sh
frob_iptable()
{
...
    # exempt the vif's traffic from connection tracking in the raw table
    iptables -t raw "$c" PREROUTING -m physdev --physdev-in "$vif" "$@" -j NOTRACK
}
After modifying the Xen configuration, you also need to modify each domU's configuration to give it a fixed IP address, a fixed MAC address and a vif name:
The code is as follows:
# vi /etc/xen/vm01
...
vif = [ "vifname=vm01,mac=00:16:3e:7c:1f:6e,ip=172.16.39.105,bridge=xenbr0" ]
...
On many systems bridged traffic does not pass through the iptables FORWARD chain by default, so you need to set the kernel parameter bridge-nf-call-iptables=1. Put this setting in the antispoofing() function of the network-bridge script, so that the kernel parameter is set automatically every time Xen configures the network:
The code is as follows:
# vi /etc/xen/scripts/network-bridge
antispoofing () {
    echo 1 > /proc/sys/net/bridge/bridge-nf-call-iptables
...
}
After these changes, shut down the domU, restart the iptables and xend services, and then start the domU again.
The code is as follows:
# xm shutdown vm01
# /etc/init.d/iptables restart
# /etc/init.d/xend restart
# xm create vm01
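Before restarting xend it is worth checking that the three prerequisites of this method are actually in place: antispoof=yes on an uncommented network-script line, bridge-nf-call-iptables set to 1, and vifname, mac and ip all present in the domU's vif line. The following preflight checks are an added example, not part of the original article or of the Xen scripts; the config snippets they test against are constructed samples, and the sysctl path is overridable only so the check can run outside dom0.

```shell
#!/bin/sh
# Added example (not from the original article): preflight checks for the
# Xen antispoof method. Constructed sample contents of the two files the
# article edits follow.
SXP_ON="# (network-script network-bridge)
(network-script 'network-bridge antispoof=yes')"
SXP_OFF="(network-script network-bridge)
# (network-script 'network-bridge antispoof=yes')"
VIF_OK='vif = [ "vifname=vm01,mac=00:16:3e:7c:1f:6e,ip=172.16.39.105,bridge=xenbr0" ]'
VIF_BAD='vif = [ "mac=00:16:3e:7c:1f:6e,bridge=xenbr0" ]'

# antispoof_enabled TEXT -> 0 if an uncommented network-script line
# carries antispoof=yes (commented-out lines do not count)
antispoof_enabled() {
    printf '%s\n' "$1" | grep -v '^[[:space:]]*#' \
        | grep -q 'network-script.*antispoof=yes'
}

# bridge_nf_enabled [PATH] -> 0 if bridge-nf-call-iptables reads 1.
# PATH is only meant for testing; on dom0 call it with no argument.
bridge_nf_enabled() {
    f="${1:-/proc/sys/net/bridge/bridge-nf-call-iptables}"
    [ -r "$f" ] && [ "$(cat "$f")" = "1" ]
}

# vif_pinned TEXT -> 0 if the vif line sets vifname=, mac= and ip=,
# i.e. the guest is fully pinned as the article requires
vif_pinned() {
    for key in vifname mac ip; do
        printf '%s\n' "$1" | grep -q "[\",]$key=" || return 1
    done
    return 0
}

# preflight SXP_TEXT VIF_TEXT [SYSCTL_PATH] -> 0 only if every check passes,
# printing the failing checks so the admin knows what to fix
preflight() {
    rc=0
    antispoof_enabled "$1" || { echo "antispoof=yes is not enabled in xend-config.sxp"; rc=1; }
    vif_pinned "$2"        || { echo "vif line lacks vifname=, mac= or ip="; rc=1; }
    bridge_nf_enabled "$3" || { echo "bridge-nf-call-iptables is not 1"; rc=1; }
    return $rc
}

# Run against the real dom0 files with: preflight "$(cat /etc/xen/xend-config.sxp)" "$(grep '^vif' /etc/xen/vm01)"
if [ "${1:-}" = "--demo" ]; then
    preflight "$SXP_ON" "$VIF_OK" && echo "all checks passed"
fi
```

Run the script with --demo to see the checks against the constructed samples; on a real dom0, feed it the contents of /etc/xen/xend-config.sxp and the vif line of the domU config as shown in the comment.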
The above method works on Xen 3.x; some people report that it does not work on Xen 4.x. The method introduced below bypasses the Xen configuration and enforces the restriction directly with iptables, so it should work on both Xen 3.x and Xen 4.x.
Using iptables
First, make sure iptables is enabled on dom0. Note that vifname, ip and mac must be added to the vif section of each domU's configuration file, so that the domU can be referred to unambiguously in the iptables rules:
The code is as follows:
# /etc/init.d/iptables restart
# vi /etc/xen/vm01
...
vif = [ "vifname=vm01,mac=00:16:3e:7c:1f:6e,ip=172.16.39.105,bridge=xenbr0" ]
...
# vi /etc/iptables.rules
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# The antispoofing rules for domUs
-A FORWARD -m state --state RELATED,ESTABLISHED -m physdev --physdev-out vm01 -j ACCEPT
-A FORWARD -p udp -m physdev --physdev-in vm01 -m udp --sport 68 --dport 67 -j ACCEPT
-A FORWARD -s 172.16.39.105/32 -m physdev --physdev-in vm01 -j ACCEPT
-A FORWARD -d 172.16.39.105/32 -m physdev --physdev-out vm01 -j ACCEPT
# If the IP address is not allowed on that vif, log and drop it.
-A FORWARD -m limit --limit 15/min -j LOG --log-prefix "Dropped by firewall:" --log-level 7
-A FORWARD -j DROP
# The access rules for dom0
-A INPUT -j ACCEPT
COMMIT
# iptables-restore < /etc/iptables.rules
Of course, don't forget:
The code is as follows:
# echo 1 > /proc/sys/net/bridge/bridge-nf-call-iptables
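The rule file above covers a single domU; a real host has many, and each needs the same four FORWARD rules with its own vifname and IP, all placed before the final LOG/DROP pair. The script below is an added example (not code from the original article) that generates the complete iptables-restore file from the vif lines of the domU configs, reading vifname and ip from each line and refusing to emit rules for a vif that is not fully pinned. The two vif lines it ships with are constructed samples; the file names and the sed parsing are this example's own.

```shell
#!/bin/sh
# Added example (not from the original article): generate the dom0
# anti-spoofing ruleset for any number of domUs from their vif lines.

# Constructed sample: the vif lines of two hypothetical domU config files.
SAMPLE_VIFS='vif = [ "vifname=vm01,mac=00:16:3e:7c:1f:6e,ip=172.16.39.105,bridge=xenbr0" ]
vif = [ "vifname=vm02,mac=00:16:3e:7c:1f:6f,ip=172.16.39.106,bridge=xenbr0" ]'

# vif_field LINE KEY -> value of KEY=value inside the vif string, empty if absent
vif_field() {
    printf '%s\n' "$1" | sed -n "s/.*[\",]$2=\([^,\"]*\).*/\1/p"
}

# domu_rules VIFNAME IP -> the four per-domU FORWARD rules from the article:
# replies to the guest, DHCP from the guest, and only its own IP in and out
domu_rules() {
    vif="$1"; ip="$2"
    cat <<EOF
-A FORWARD -m state --state RELATED,ESTABLISHED -m physdev --physdev-out $vif -j ACCEPT
-A FORWARD -p udp -m physdev --physdev-in $vif -m udp --sport 68 --dport 67 -j ACCEPT
-A FORWARD -s $ip/32 -m physdev --physdev-in $vif -j ACCEPT
-A FORWARD -d $ip/32 -m physdev --physdev-out $vif -j ACCEPT
EOF
}

# build_ruleset < vif-lines -> complete iptables-restore file on stdout.
# Vif lines without vifname= or ip= are skipped with a warning, since a rule
# built from an empty name or address would accept traffic from any vif.
build_ruleset() {
    printf '%s\n' '*filter' ':INPUT ACCEPT [0:0]' ':FORWARD ACCEPT [0:0]' ':OUTPUT ACCEPT [0:0]'
    echo '# The antispoofing rules for domUs'
    while IFS= read -r line; do
        name=$(vif_field "$line" vifname)
        ip=$(vif_field "$line" ip)
        if [ -z "$name" ] || [ -z "$ip" ]; then
            echo "skipping vif without vifname/ip: $line" >&2
            continue
        fi
        domu_rules "$name" "$ip"
    done
    echo '# If the IP address is not allowed on that vif, log and drop it.'
    echo '-A FORWARD -m limit --limit 15/min -j LOG --log-prefix "Dropped by firewall:" --log-level 7'
    echo '-A FORWARD -j DROP'
    echo '# The access rules for dom0'
    echo '-A INPUT -j ACCEPT'
    echo 'COMMIT'
}

# On a real dom0: grep -h '^vif' /etc/xen/vm* | build_ruleset > /etc/iptables.rules
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_VIFS" | build_ruleset
fi
```

Generating the file rather than editing it by hand keeps the catch-all DROP after every guest's ACCEPT rules, which is what makes the restriction hold when a new domU is added; review the output before loading it with iptables-restore, since a FORWARD DROP with a missing guest rule cuts that guest off.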
This concludes "how to prevent Xen VPS users from changing their IP addresses". Thank you for reading. If you want to learn more about the industry, follow the website; the editor will keep publishing practical articles for you!