Xen on Debian with IPtables IPv4 IPv6

This will show how to setup iptables, ip6tables for Xen on Debian using iptables-persistent. Example config for HTTP, HTTPS, SSH server with IPv4 and IPv6.

Install iptables-persistent, a boot-time loader for netfilter rules, using apt-get.

apt-get install iptables-persistent

During install a dialog will show up asking for snapshotting IPv4/IPv6 rules to files and use them as default.
Chose not to store to files for a clean install.

After install, there are two configuration files:

  • /etc/iptables/rules.v4
  • /etc/iptables/rules.v6

One is for iptables rules, another for ip6tables.

Following configuration is a simple setup for IPv4 and IPv6 hosting DomU acting as webserver plus providing ssh service.
You are asking how to get such a ruleset? Well, form your custom rules for iptables (like underneath) to shell script, test it and store it to file using “iptables-save > /path/to/file” or use the dry-run parameter.

Advice: Have a backup of a working configuration ready in file and open another shell to automatically restore this configuration every minute. Don’t forget to comment custom rules.

Proper testing is needed otherwise you will lock yourself off.

Change Xen scripts

Find the iptables chains in following file /etc/xen/scripts/vif-common.sh

  iptables "$c" FORWARD -m physdev --physdev-is-bridged --physdev-in "$dev" \
    "$@" -j ACCEPT 2>/dev/null &&
  iptables "$c" FORWARD -m physdev --physdev-is-bridged --physdev-out "$dev" \
    -j ACCEPT 2>/dev/null

Change ACCEPT to DOMU-OUT and DOMU-IN (see below).

  iptables "$c" FORWARD -m physdev --physdev-is-bridged --physdev-in "$dev" \
    "$@" -j DOMU-OUT 2>/dev/null &&
  iptables "$c" FORWARD -m physdev --physdev-is-bridged --physdev-out "$dev" \
    -j DOMU-IN 2>/dev/null

These chains will be configured in iptables-persistent configuration file during the next steps.

IPv4 config

  • allow ICMP ping incoming and outgoing
  • allow NTP (client) date sync
  • allow DNS requests
  • allow SSH server on tcp/22
  • HTTP + HTTPS requests (client)
  • create chains for vif* interfaces (auto created by Xen)
    • SYN flood protection (just example)
    • HTTP + HTTPS server
    • HTTP + HTTPS requests (client)
    • SMTP outgoing
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:DOMU-IN - [0:0]
:DOMU-OUT - [0:0]
-A INPUT -p icmp -m icmp --icmp-type 3 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 4 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 12 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 0 -j ACCEPT
-A INPUT -p udp -m udp --sport 123 -j ACCEPT
-A INPUT -p udp -m udp --sport 53 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --sport 80 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --sport 443 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
-A FORWARD -m physdev --physdev-out vif+ -j DOMU-IN
-A FORWARD -m physdev --physdev-in vif+ -j DOMU-OUT
-A OUTPUT -p icmp -m icmp --icmp-type 3 -j ACCEPT
-A OUTPUT -p icmp -m icmp --icmp-type 4 -j ACCEPT
-A OUTPUT -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A OUTPUT -p icmp -m icmp --icmp-type 12 -j ACCEPT
-A OUTPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A OUTPUT -p icmp -m icmp --icmp-type 0 -j ACCEPT
-A OUTPUT -p udp -m udp --dport 123 -j ACCEPT
-A OUTPUT -p udp -m udp --dport 53 -j ACCEPT
-A OUTPUT -p tcp -m tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp -m tcp --sport 1024:65535 --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp -m tcp --sport 1024:65535 --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
-A DOMU-IN -p icmp -m icmp --icmp-type 3 -j ACCEPT
-A DOMU-IN -p icmp -m icmp --icmp-type 4 -j ACCEPT
-A DOMU-IN -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A DOMU-IN -p icmp -m icmp --icmp-type 12 -j ACCEPT
-A DOMU-IN -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A DOMU-IN -p icmp -m icmp --icmp-type 0 -j ACCEPT
-A DOMU-IN -p udp -m udp --sport 123 -j ACCEPT
-A DOMU-IN -p udp -m udp --sport 53 -j ACCEPT
-A DOMU-IN -p tcp -m tcp --sport 25 -j ACCEPT
-A DOMU-IN -p tcp -m tcp --sport 1024:65535 --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
-A DOMU-IN -p tcp -m tcp --dport 80 --tcp-flags FIN,SYN,RST,ACK SYN -m connlimit --connlimit-above 20 --connlimit-mask 32 --connlimit-saddr -j REJECT --reject-with tcp-reset
-A DOMU-IN -p tcp -m tcp --dport 443 --tcp-flags FIN,SYN,RST,ACK SYN -m connlimit --connlimit-above 20 --connlimit-mask 32 --connlimit-saddr -j REJECT --reject-with tcp-reset
-A DOMU-IN -p tcp -m tcp --sport 1024:65535 --dport 80 -j ACCEPT
-A DOMU-IN -p tcp -m tcp --sport 1024:65535 --dport 443 -j ACCEPT
-A DOMU-IN -p tcp -m tcp --sport 80 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
-A DOMU-IN -p tcp -m tcp --sport 443 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
-A DOMU-OUT -p icmp -m icmp --icmp-type 3 -j ACCEPT
-A DOMU-OUT -p icmp -m icmp --icmp-type 4 -j ACCEPT
-A DOMU-OUT -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A DOMU-OUT -p icmp -m icmp --icmp-type 12 -j ACCEPT
-A DOMU-OUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A DOMU-OUT -p icmp -m icmp --icmp-type 0 -j ACCEPT
-A DOMU-OUT -p udp -m udp --dport 123 -j ACCEPT
-A DOMU-OUT -p udp -m udp --dport 53 -j ACCEPT
-A DOMU-OUT -p tcp -m tcp --sport 22 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
-A DOMU-OUT -p tcp -m tcp --sport 80 --dport 1024:65535 -j ACCEPT
-A DOMU-OUT -p tcp -m tcp --sport 443 --dport 1024:65535 -j ACCEPT
-A DOMU-OUT -p tcp -m tcp --sport 1024:65535 --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
-A DOMU-OUT -p tcp -m tcp --sport 1024:65535 --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
COMMIT

IPv6 config

  • allow ICMPv6 ping incoming and outgoing (+router/neighbor discovery)
  • allow NTP (client) date sync
  • allow DNS requests
  • allow SSH server on tcp/22
  • HTTP + HTTPS requests (client)
  • create chains for vif* interfaces (auto created by Xen)
    • SYN flood protection (just example)
    • HTTP + HTTPS server
    • HTTP + HTTPS requests (client)
    • SMTP outgoing
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:DOMU-IN - [0:0]
:DOMU-OUT - [0:0]
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 1 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 3 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 4 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 135 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 134 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 136 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 128 -m limit --limit 15/sec -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 129 -m limit --limit 15/sec -j ACCEPT
-A INPUT -p udp -m udp --sport 123 -j ACCEPT
-A INPUT -p udp -m udp --sport 53 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --sport 80 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --sport 443 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
-A FORWARD -m physdev --physdev-out vif+ -j DOMU-IN
-A FORWARD -m physdev --physdev-in vif+ -j DOMU-OUT
-A OUTPUT -p ipv6-icmp -m icmp6 --icmpv6-type 1 -j ACCEPT
-A OUTPUT -p ipv6-icmp -m icmp6 --icmpv6-type 3 -j ACCEPT
-A OUTPUT -p ipv6-icmp -m icmp6 --icmpv6-type 4 -j ACCEPT
-A OUTPUT -p ipv6-icmp -m icmp6 --icmpv6-type 128 -j ACCEPT
-A OUTPUT -p ipv6-icmp -m icmp6 --icmpv6-type 129 -j ACCEPT
-A OUTPUT -p ipv6-icmp -m icmp6 --icmpv6-type 135 -j ACCEPT
-A OUTPUT -p ipv6-icmp -m icmp6 --icmpv6-type 134 -j ACCEPT
-A OUTPUT -p ipv6-icmp -m icmp6 --icmpv6-type 136 -j ACCEPT
-A OUTPUT -p udp -m udp --dport 123 -j ACCEPT
-A OUTPUT -p udp -m udp --dport 53 -j ACCEPT
-A OUTPUT -p tcp -m tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp -m tcp --sport 1024:65535 --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp -m tcp --sport 1024:65535 --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
-A DOMU-IN -p ipv6-icmp -m icmp6 --icmpv6-type 1 -j ACCEPT
-A DOMU-IN -p ipv6-icmp -m icmp6 --icmpv6-type 3 -j ACCEPT
-A DOMU-IN -p ipv6-icmp -m icmp6 --icmpv6-type 4 -j ACCEPT
-A DOMU-IN -p ipv6-icmp -m icmp6 --icmpv6-type 135 -j ACCEPT
-A DOMU-IN -p ipv6-icmp -m icmp6 --icmpv6-type 134 -j ACCEPT
-A DOMU-IN -p ipv6-icmp -m icmp6 --icmpv6-type 136 -j ACCEPT
-A DOMU-IN -p ipv6-icmp -m icmp6 --icmpv6-type 128 -m limit --limit 15/sec -j ACCEPT
-A DOMU-IN -p ipv6-icmp -m icmp6 --icmpv6-type 129 -m limit --limit 15/sec -j ACCEPT
-A DOMU-IN -p udp -m udp --sport 123 -j ACCEPT
-A DOMU-IN -p udp -m udp --sport 53 -j ACCEPT
-A DOMU-IN -p tcp -m tcp --sport 25 -j ACCEPT
-A DOMU-IN -p tcp -m tcp --sport 1024:65535 --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
-A DOMU-IN -p tcp -m tcp --dport 80 --tcp-flags FIN,SYN,RST,ACK SYN -m connlimit --connlimit-above 20 --connlimit-mask 128 --connlimit-saddr -j REJECT --reject-with tcp-reset
-A DOMU-IN -p tcp -m tcp --dport 443 --tcp-flags FIN,SYN,RST,ACK SYN -m connlimit --connlimit-above 20 --connlimit-mask 128 --connlimit-saddr -j REJECT --reject-with tcp-reset
-A DOMU-IN -p tcp -m tcp --sport 1024:65535 --dport 80 -j ACCEPT
-A DOMU-IN -p tcp -m tcp --sport 1024:65535 --dport 443 -j ACCEPT
-A DOMU-IN -p tcp -m tcp --sport 80 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
-A DOMU-IN -p tcp -m tcp --sport 443 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
-A DOMU-OUT -p ipv6-icmp -m icmp6 --icmpv6-type 1 -j ACCEPT
-A DOMU-OUT -p ipv6-icmp -m icmp6 --icmpv6-type 3 -j ACCEPT
-A DOMU-OUT -p ipv6-icmp -m icmp6 --icmpv6-type 4 -j ACCEPT
-A DOMU-OUT -p ipv6-icmp -m icmp6 --icmpv6-type 128 -j ACCEPT
-A DOMU-OUT -p ipv6-icmp -m icmp6 --icmpv6-type 129 -j ACCEPT
-A DOMU-OUT -p ipv6-icmp -m icmp6 --icmpv6-type 135 -j ACCEPT
-A DOMU-OUT -p ipv6-icmp -m icmp6 --icmpv6-type 134 -j ACCEPT
-A DOMU-OUT -p ipv6-icmp -m icmp6 --icmpv6-type 136 -j ACCEPT
-A DOMU-OUT -p udp -m udp --dport 123 -j ACCEPT
-A DOMU-OUT -p udp -m udp --dport 53 -j ACCEPT
-A DOMU-OUT -p tcp -m tcp --dport 25 --sport 1024:65535 -j ACCEPT
-A DOMU-OUT -p tcp -m tcp --sport 22 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
-A DOMU-OUT -p tcp -m tcp --sport 80 --dport 1024:65535 -j ACCEPT
-A DOMU-OUT -p tcp -m tcp --sport 443 --dport 1024:65535 -j ACCEPT
-A DOMU-OUT -p tcp -m tcp --sport 1024:65535 --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
-A DOMU-OUT -p tcp -m tcp --sport 1024:65535 --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
COMMIT

Reload iptables rules

To finish the iptables setup, a reload is neccessary:

/etc/init.d/netfilter-persistent reload

Finish. Test your setup using netcat (nc), nmap (port scanner) from outside.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.