[one-users] ip spoofing
Ionut Popovici
ionut at hackaserver.com
Thu May 1 04:00:03 PDT 2014
On 5/1/2014 1:17 PM, Maxim Terletskiy wrote:
> As you wrote, this is exactly what we were looking for. Thank you very much,
> Stefan! :)
>
> 01.05.2014 12:39, Stefan Kooman wrote:
>> Quoting Maxim Terletskiy (terletskiy at emu.ru):
>>> Hi!
>>>
>>> No, we're using VLANs with simple bridging. I've used ovswitch in the
>>> past and do not remember anything about "ip hijacking" prevention in
>>> it. How can ovswitch know what IP/MAC must be on a VM interface? Will
>>> it be useful if VMs are living on different virtualization hosts?
>> "openvswitch" by itself doesn't do anything to prevent "mac spoofing" or
>> "ip hijacking". That's done by ONE based on OpenFlow rules. From the
>> docs [1]:
>>
>> Mac-spoofing
>>
>> These rules prevent any traffic from coming out of the port if the MAC
>> address has changed.
>>
>> in_port=<PORT>,dl_src=<MAC>,priority=40000,actions=normal
>> in_port=<PORT>,priority=39000,actions=drop
>>
>> IP hijacking
>>
>> These rules prevent any traffic from coming out of the port for IPv4 IPs
>> not configured for a VM.
>>
>> in_port=<PORT>,arp,dl_src=<MAC>,priority=45000,actions=drop
>> in_port=<PORT>,arp,dl_src=<MAC>,nw_src=<IP>,priority=46000,actions=normal
>>
>>
>> See /var/lib/one/remotes/vnm/ovswitch/OpenvSwitch.rb as well.
>>
>> Using openvswitch gives you exactly what you asked for, without the need
>> for hacking ebtables/iptables scripts. In a much cleaner way IMHO.
>>
>> Gr. Stefan
>>
>
I gave in an earlier email how to check the source MAC address for an IP
via iptables ...
/sbin/iptables -A FORWARD -i ethX -m mac --mac-source YOUR-MAC-ADDRESS-HERE -j ACCEPT
or you can expand it:
/sbin/iptables -A FORWARD -i ethX -m mac --mac-source YOUR-MAC-ADDRESS-HERE -s YOUR-IP-ADDRESS-HERE -j ACCEPT
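To see how the per-port OpenFlow rules quoted from the docs in Stefan's reply resolve, here is an added example (not code from the thread or from OpenNebula) that models an OpenFlow table lookup with highest-priority-wins over those rules; the VM port, MAC, IP and frames are constructed, and the priority-39000 catch-all is taken as "drop", which is the behaviour the doc text ascribes to it.

```python
# Constructed VM binding for one port; the docs' <PORT>, <MAC>, <IP> placeholders.
PORT, MAC, IP = 5, "02:00:c0:a8:01:0a", "192.168.1.10"

# (priority, match fields, action) in the form ONE installs per VM port.
# An OpenFlow switch applies the highest-priority flow whose match fits.
FLOWS = [
    # MAC-spoofing rules: frames from the port must carry the VM's MAC
    (40000, {"in_port": PORT, "dl_src": MAC}, "normal"),
    (39000, {"in_port": PORT}, "drop"),
    # IP-hijacking rules: ARP from the VM's MAC is dropped unless the
    # ARP sender IP (nw_src) is the IP configured for the VM
    (45000, {"in_port": PORT, "arp": True, "dl_src": MAC}, "drop"),
    (46000, {"in_port": PORT, "arp": True, "dl_src": MAC, "nw_src": IP}, "normal"),
]

def lookup(frame, flows=FLOWS):
    """Return the action of the highest-priority flow matching `frame`.
    A match field the frame lacks (e.g. arp=True on a plain IPv4 frame)
    does not match.  None means table miss (no flow for this port)."""
    best = None
    for prio, match, action in flows:
        if all(frame.get(k) == v for k, v in match.items()):
            if best is None or prio > best[0]:
                best = (prio, action)
    return best[1] if best else None

# Constructed frames arriving on the VM's port (in_port=5) and one on another port.
SAMPLE_FRAMES = {
    "ipv4 from own mac/ip":        {"in_port": 5, "dl_src": MAC, "nw_src": IP},
    "ipv4 from spoofed mac":       {"in_port": 5, "dl_src": "02:00:de:ad:be:ef", "nw_src": IP},
    "arp for own ip":              {"in_port": 5, "arp": True, "dl_src": MAC, "nw_src": IP},
    "arp claiming neighbour's ip": {"in_port": 5, "arp": True, "dl_src": MAC, "nw_src": "192.168.1.20"},
    "ipv4 with forged source ip":  {"in_port": 5, "dl_src": MAC, "nw_src": "192.168.1.20"},
    "frame on unrelated port":     {"in_port": 7, "dl_src": MAC},
}

if __name__ == "__main__":
    for name, frame in SAMPLE_FRAMES.items():
        print(f"{name:30s} -> {lookup(frame)}")
```

The "ipv4 with forged source ip" case shows the limit of the quoted set: only ARP is matched on nw_src, so a non-ARP IPv4 packet with a forged source address passes on the MAC rules alone, while the iptables `-s` variant in this post checks the IP header directly.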