[one-users] ip spoofing

Ionut Popovici ionut at hackaserver.com
Thu May 1 03:59:51 PDT 2014


On 5/1/2014 1:17 PM, Maxim Terletskiy wrote:
> As you wrote, this is exactly what we were looking for. Thank you very much,
> Stefan! :)
>
> 01.05.2014 12:39, Stefan Kooman writes:
>> Quoting Maxim Terletskiy (terletskiy at emu.ru):
>>> Hi!
>>>
>>> No, we're using VLANs with simple bridging. I've used ovswitch in the
>>> past and do not remember anything about "ip hijacking" prevention in
>>> it. How can ovswitch know what IP/MAC must be on a VM interface? Will
>>> it be useful if VMs are living on different virtualization hosts?
>> "openvswitch" by itself doesn't do anything to prevent "mac spoofing" or
>> "ip hijacking". That's done by ONE based on OpenFlow rules. From the
>> docs [1]:
>>
>> Mac-spoofing
>>
>> These rules prevent any traffic from coming out of the port if the MAC
>> address has changed.
>>
>> in_port=<PORT>,dl_src=<MAC>,priority=40000,actions=normal
>> in_port=<PORT>,priority=39000,actions=normal
>>
>> IP hijacking
>>
>> These rules prevent any traffic from coming out of the port for IPv4 IPs
>> not configured for a VM.
>>
>> in_port=<PORT>,arp,dl_src=<MAC>,priority=45000,actions=drop
>> in_port=<PORT>,arp,dl_src=<MAC>,nw_src=<IP>,priority=46000,actions=normal
>>
>>
>> See /var/lib/one/remotes/vnm/ovswitch/OpenvSwitch.rb as well.
>>
>> Using openvswitch gives you exactly what you asked for, without the need
>> for hacking an ebtables/iptables script. In a much cleaner way IMHO.
>>
>> Gr. Stefan
>>
>
> _______________________________________________
> Users mailing list
> Users at lists.opennebula.org
> http://lists.opennebula.org/listinfo.cgi/users-opennebula.org
I gave, in an earlier email, how to check via iptables the source MAC address
for an IP ...

/sbin/iptables -A FORWARD -i ethX -m mac --mac-source YOUR-MAC-ADDRESS-HERE -j ACCEPT

or you can expand it:
/sbin/iptables -A FORWARD -i ethX -m mac --mac-source YOUR-MAC-ADDRESS-HERE -s YOUR-IP-ADDRESS-HERE -j ACCEPT
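The two rule sets in this thread side by side, as an added example that is not code from OpenNebula, its documentation, or anyone in the thread: a POSIX shell script that emits, for one VM port, the OpenFlow rules quoted from the docs above and the iptables FORWARD rules from the message just before, after checking that the MAC and IP strings have a sane shape (they are spliced into rule text, so a stray comma or space coming from VM metadata would otherwise change the rule). All function names and the sample port number, tap name, MAC and addresses are made up. Two deliberate departures from the text as quoted are marked in the comments: the priority 39000 fallback is emitted as actions=drop, because a rule with actions=normal forwards every frame and would prevent nothing, and the iptables rules match the VM port with -m physdev --physdev-in rather than -i, because for frames crossing a Linux bridge (br_netfilter loaded, net.bridge.bridge-nf-call-iptables=1) the -i match sees the bridge device, not the tap. As on the page, the OpenFlow hijacking rules cover ARP only, and the iptables variant only ever sees IP packets, so it cannot stop ARP spoofing at all.

```shell
#!/bin/sh
# Added example; not code from OpenNebula, its docs, or anyone in this thread.
# Prints the anti-spoofing rule set for one VM port in one of two flavours:
#   ovs  -> OpenFlow rules in ovs-ofctl syntax (the rules quoted from the docs)
#   ipt  -> the iptables FORWARD rules from the last message, plus a final DROP
# Every function name, and the port/tap/MAC/IP values in the usage, is made up.

# Shape checks.  The strings are spliced into rule text, so a comma, space or
# shell metacharacter arriving from VM metadata must be rejected here.
valid_mac() {
    printf '%s\n' "$1" | grep -Eq '^[0-9a-fA-F]{2}(:[0-9a-fA-F]{2}){5}$'
}
valid_ipv4() {   # dotted quad by shape only; octet ranges are not checked
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# OpenFlow: frames entering through the port must carry the VM's MAC.
# The docs as quoted show the 39000 fallback as actions=normal, which forwards
# everything; a drop fallback is what actually pins the port to the MAC.
ovs_mac_spoofing() {   # port mac
    printf 'in_port=%s,dl_src=%s,priority=40000,actions=normal\n' "$1" "$2"
    printf 'in_port=%s,priority=39000,actions=drop\n' "$1"
}

# OpenFlow: ARP from the port is dropped unless its sender IP is one of the
# VM's.  Like the quoted rules this matches ARP only: an IPv4 packet with a
# forged source address still passes under the dl_src rule above.
ovs_ip_hijacking() {   # port mac ip...
    port=$1; mac=$2; shift 2
    printf 'in_port=%s,arp,dl_src=%s,priority=45000,actions=drop\n' "$port" "$mac"
    for ip in "$@"; do
        printf 'in_port=%s,arp,dl_src=%s,nw_src=%s,priority=46000,actions=normal\n' \
            "$port" "$mac" "$ip"
    done
}

# iptables: the last message's ACCEPT rules, one per IP, then DROP for
# whatever else arrives from that port.  Bridged frames reach FORWARD only
# with br_netfilter loaded and net.bridge.bridge-nf-call-iptables=1, and
# there "-i" names the bridge device, so the tap is matched via physdev.
# iptables never sees ARP, so this flavour cannot stop ARP spoofing.
ipt_rules() {   # tap mac ip...
    tap=$1; mac=$2; shift 2
    for ip in "$@"; do
        printf 'iptables -A FORWARD -m physdev --physdev-in %s -m mac --mac-source %s -s %s -j ACCEPT\n' \
            "$tap" "$mac" "$ip"
    done
    printf 'iptables -A FORWARD -m physdev --physdev-in %s -j DROP\n' "$tap"
}

# Validate, then emit the chosen flavour.  Returns 1 on bad input or usage.
vm_port_rules() {   # ovs|ipt port-or-tap mac ip...
    [ $# -ge 3 ] || { echo "usage: $0 ovs|ipt PORT|TAP MAC IP..." >&2; return 1; }
    flavour=$1; port=$2; mac=$3; shift 3
    valid_mac "$mac" || { echo "bad MAC: $mac" >&2; return 1; }
    for ip in "$@"; do
        valid_ipv4 "$ip" || { echo "bad IPv4 address: $ip" >&2; return 1; }
    done
    case $flavour in
        ovs) ovs_mac_spoofing "$port" "$mac"; ovs_ip_hijacking "$port" "$mac" "$@" ;;
        ipt) ipt_rules "$port" "$mac" "$@" ;;
        *)   echo "usage: $0 ovs|ipt PORT|TAP MAC IP..." >&2; return 1 ;;
    esac
}

# Only acts when run with arguments, so sourcing the file just defines the
# functions.  Made-up values: OpenFlow port 7, tap7, 02:00:0a:00:00:05, 10.0.0.5.
#   sh vm_port_rules.sh ovs 7 02:00:0a:00:00:05 10.0.0.5 | ovs-ofctl add-flows br0 -
#   sh vm_port_rules.sh ipt tap7 02:00:0a:00:00:05 10.0.0.5 | sh
if [ $# -gt 0 ]; then
    vm_port_rules "$@"
fi
```

ovs-ofctl add-flows reads the rule lines from standard input when the file argument is "-", so the ovs flavour can be piped straight into the bridge; the ipt flavour prints iptables commands, which is why it is piped into sh. With the final DROP in place, a VM that obtains its address by DHCP also needs an ACCEPT for source 0.0.0.0 ahead of it, and any later change to the VM's MAC or IPs means regenerating the set, since the rules are pinned to the values passed in.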

