XEN Netzwerk für Firewall
Aus Neobiker's Wiki
1 Überblick
Ich habe die Endian Firewall unter XEN in zwei sehr verschiedenen XEN-Umgebungen laufen:
- Debian Etch Server mit original (!) XEN 3.0.3
- OpenSuSE 10.1 auf Notebook mit WLAN (ndiswrapper) und Routing/Masquerading (wlan0)
Das Netzwerksetup ist wie folgt:
Internet
|
xenbr1
|
RED (e.g. 10.0.1.1/24)
+---------+
| EFW 2.0 |ORANGE--------xenbr2----DMZ1 (10.0.2.x/24)
+---------+(10.0.2.1/24) |
GREEN +-----DMZ2
| (e.g. 10.0.0.1/24)
|
xenbr0------DomU1
| |
| +------DomU2
|
+---------+
| Dom0 |(e.g. 10.0.0.x/24)
+---------+
2 Debian Etch Server
Folgendes XEN-Netzwerk-Script verwende ich auf einem Debian-Etch-Server bis XEN 3.1 (nicht mit XEN 3.2! → siehe unten):
xen0:/etc/xen/scripts# cat network-myconfig
#!/bin/sh
# Host-specific wrapper around network-fw: pins the zone devices of this
# machine and passes everything else through unchanged
# ((start|stop|status) plus any VAR=VAL pairs).
#   reddev - RED network device (Internet/DSL)
#   dmzdev - ORANGE network device (DMZ); "xen" = the zone exists only in DomUs
#   wapdev - BLUE network device (WAP); not set on this host
here=$(dirname "$0")
"$here/network-fw" "$@" reddev=eth1 dmzdev=xen
xen0:/etc/xen/scripts# cat network-fw
#!/bin/sh
#============================================================================
# Xen network start/stop script.
# Xend calls a network script when it starts.
# The script name to use is defined in /etc/xen/xend-config.sxp
# in the network-script field.
#
# ---------------------------------------------------------------------------
# Creates a XEN network with up to 4 bridges for a firewall gateway in a domU
# like IPCop / Shorewall / Endian Firewall with GREEN, RED, BLUE and ORANGE net.
# ---------------------------------------------------------------------------
#
# Usage: network-fw (start|stop|status) {VAR=VAL}*
#
# Vars (all optional):
#
# bridge[0-3] The bridges to use (default xenbr[0-3]).
# 0 = GREEN, 1 = RED, 2 = ORANGE, 3 = BLUE
# netdev The network device of dom0 (default from defaultroute)
# vifnum Virtual device number to use in dom0 (default 0). Numbers >=8
# require the netback driver to have nloopbacks set to a
# higher value than its default of 8.
# reddev device for RED Network (INTERNET), if any
# dmzdev device (use "xen" for DomU) for ORANGE Network (DMZ), if any
# wapdev device for BLUE network (Wireless Access Point), if any
#
# start:
# Create the bridges and device/interface connections
#
# stop:
# Removes any devices/interfaces from the bridges.
# Delete bridges.
#
# status:
# Print addresses, interfaces, routes
#
# version = 1.1
# Author: neobiker
# based on original XEN 3.0.3 network-scripts
#============================================================================
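dir=$(dirname "$0")
# Stock XEN helpers: findCommand sets $command from the first argument,
# evalVariables turns the VAR=VAL arguments into shell variables.
. "$dir/xen-script-common.sh"
. "$dir/xen-network-common.sh"
findCommand "$@"
evalVariables "$@"

# Defaults are taken from the default route when not given as VAR=VAL.
# The interface is the word after "dev" (the last field is not reliable,
# newer iproute2 may append "proto ..."/"metric N"); the vif number is the
# numeric suffix of that interface name (eth0 -> 0).
default_dev=$(ip route list | awk '/^default / { for (i = 1; i < NF; i++) if ($i == "dev") { print $(i + 1); exit } }')
vifnum=${vifnum:-$(printf '%s\n' "$default_dev" | sed 's/^[^0-9]*//')}
vifnum=${vifnum:-0}
netdev=${netdev:-$default_dev}
netdev=${netdev:-eth${vifnum}}
# antispoof is only handed to network-bridge for the GREEN bridge (see
# op_start); "no" leaves its per-vif anti-spoofing rules off, so pass
# antispoof=yes when the DomUs on GREEN are not fully trusted.
antispoof=${antispoof:-no}
# Names used by the stock bridging setup: p<netdev> is presumably the
# renamed physical NIC, veth<vifnum> the dom0 side of the loopback pair.
# vif0 is not used anywhere in this script; kept for callers/sourced code.
pdev="p${netdev}"
vdev="veth${vifnum}"
vif0="vif0.${vifnum}"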
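# Print addresses, bridge ports and routes to stdout.
# Usage: show_status dev [bridge]
#   dev    - network device to show
#   bridge - bridge to show; an empty name means "all", so it is dropped
#            from the command line instead of being passed as "" (which
#            iproute2/brctl would reject as a device named "").
show_status () {
  local dev=$1
  local bridge=$2
  echo '============================================================'
  ip addr show "${dev}"
  ip addr show ${bridge:+"${bridge}"}
  echo ' '
  brctl show ${bridge:+"${bridge}"}
  echo ' '
  ip route list
  echo ' '
  route -n
  echo '============================================================'
}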
# Check whether a network link exists.
# Usage: link_exists netdevice
# Returns 0 when "ip link show" knows the device, 1 otherwise.
link_exists () {
  ip link show "$1" >/dev/null 2>&1 || return 1
  return 0
}
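# Check whether an interface is administratively UP.
# Usage: check_iface_up interface
# Returns 0 when the device exists and carries the UP flag, 1 otherwise
# (including a missing device or an unavailable "ip" command).
# The flag is read from the "<...,UP,...>" list printed by "ip link show";
# the bracket pattern keeps LOWER_UP from matching.
check_iface_up () {
  if ip link show "$1" 2>/dev/null | grep -q '[<,]UP[,>]'
  then
    return 0
  else
    return 1
  fi
}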
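# Connect a network device to a xen bridge.
# Usage: connect_dev_to_bridge bridge dev
# Used for the RED, ORANGE and BLUE network.  An UP device is taken down
# first (ifdown, or link down + address flush when the device is not
# managed by ifupdown), so dom0 keeps no address on that zone.  dev "xen"
# marks a zone that exists only inside DomUs and skips the device step
# silently.  A missing bridge or device is reported on stderr, not an error.
connect_dev_to_bridge () {
  local bridge=$1
  local dev=$2
  if ! link_exists "${bridge}"; then
    echo "
Warning: No bridge ${bridge} found.
" >&2
    return 0
  fi
  ip link set "${bridge}" up arp on
  if ! link_exists "${dev}"; then
    if [ "${dev}" != "xen" ]; then
      echo "
Warning: No device ${dev} found.
" >&2
    fi
    return 0
  fi
  if check_iface_up "${dev}"; then
    # ifdown keeps ifupdown's state consistent; when it fails (device
    # presumably unknown to /etc/network/interfaces) do it by hand
    if ! ifdown "${dev}"; then
      ip link set "${dev}" down
      ip addr flush "${dev}"
    fi
  fi
  setup_bridge_port "${dev}"
  add_to_bridge "${bridge}" "${dev}"
}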
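# Delete a xen bridge after disconnecting all of its ports.
# Usage: delete_bridge bridge
# Used for the RED, ORANGE and BLUE network (GREEN is torn down by
# network-bridge).  Failures of the single steps are ignored so that a
# half-built bridge can still be cleaned up; a missing bridge only yields a
# warning on stderr.  Returns the status of "brctl delbr".
delete_bridge () {
  local bridge=$1
  local port
  if ! link_exists "${bridge}"; then
    echo "
Warning: No bridge ${bridge} found.
" >&2
    return 0
  fi
  ip link set "${bridge}" down arp off || true
  # Port names come from the "<port> (N)" lines of "brctl showstp"; the
  # substitution is left unquoted on purpose to split on whitespace.
  # NOTE(review): only "(0)" is matched -- confirm that is how this
  # bridge-utils version numbers the ports when STP is off.
  for port in $(brctl showstp "${bridge}" | awk '/\(0\)/ { print $1 }'); do
    brctl delif "${bridge}" "${port}" || true
  done
  brctl delbr "${bridge}"
}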
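# START routine for XEN Network Setup.
# Builds up to four bridges, one per firewall zone, from the globals set at
# the top of the script (netdev, vifnum, antispoof, reddev, dmzdev, wapdev,
# bridge0..3).  RED/ORANGE/BLUE devices are enslaved through
# connect_dev_to_bridge, i.e. without an address in dom0.
# Exits 1 when neither p${netdev} nor veth${vifnum} exists.
op_start () {
  # Sanity check of the stock bridging setup.  Presumably p<netdev> exists
  # once network-bridge has run and veth<vifnum> before; when neither does,
  # the loopback driver has most likely run out of interfaces.
  if ! link_exists "${pdev}"; then
    if ! link_exists "${vdev}"; then
      echo "
Link $vdev is missing.
This may be because you have reached the limit of the number of interfaces
that the loopback driver supports. If the loopback driver is a module, you
may raise this limit by passing it as a parameter (nloopbacks=<N>); if the
driver is compiled statically into the kernel, then you may set the parameter
using loopback.nloopbacks=<N> on the domain 0 kernel command line.
" >&2
      exit 1
    fi
  fi

  ###
  # GREEN LAN: use standard XEN-bridging for the 1st card (p)eth0
  #
  #   EFW (fwgw=10.0.0.1/24)
  #    |
  #   xenbr0------- more XEN domU's in GREEN LAN
  #    |     |
  #    |     +--Dom0
  #    |
  #   (p)eth0 ($netdev)
  bridge=${bridge0:-xenbr0}
  if ! link_exists "${bridge}"; then
    # NOTE(review): vifnum=0 is hard-coded here while the veth check above
    # uses ${vifnum} -- confirm this is intended.
    "${dir}/network-bridge" start bridge="${bridge}" netdev="${netdev}" vifnum=0 antispoof="${antispoof}"
  fi
  # tx checksum offload is switched off on every bridged NIC; a failure is
  # ignored, presumably because not every driver supports the option
  ethtool -K "${netdev}" tx off || true

  ###
  # RED INTERFACE:
  #
  #   EFW (eth1 with ip, 10.0.1.1/24)
  #    |
  #   xenbr1
  #    |
  #   $reddev (without ip address!)
  # connect $reddev to bridge only if defined
  if [ -n "${reddev}" ]; then
    bridge=${bridge1:-xenbr1}
    create_bridge "${bridge}"
    connect_dev_to_bridge "${bridge}" "${reddev}"
    ethtool -K "${reddev}" tx off || true
  fi

  ###
  # ORANGE DMZ: also setup route via firewall gateway
  #
  #   EFW (eth2: 10.0.2.1/24)
  #    |
  #   xenbr2----- more XEN domU's in DMZ (10.0.2.x/24)
  #    |
  #    +--DMZ1 (eth0: 10.0.2.x/24)
  # setup DMZ network only if defined; "xen" means no physical device
  if [ -n "${dmzdev}" ]; then
    bridge=${bridge2:-xenbr2}
    create_bridge "${bridge}"
    connect_dev_to_bridge "${bridge}" "${dmzdev}"
    if [ "${dmzdev}" != "xen" ]; then
      ethtool -K "${dmzdev}" tx off || true
    fi
  fi

  ###
  # BLUE WLAN (WAP=Wireless Access Point):
  #
  #   EFW (eth3: e.g. 10.0.3.1/24)
  #    |
  #   xenbr3----- more XEN domU's in BLUE (e.g. 10.0.3.x/24)
  #    |
  #    +--WAP (eth0: e.g. 10.0.3.254/24)
  # setup WAP network only if defined
  if [ -n "${wapdev}" ]; then
    bridge=${bridge3:-xenbr3}
    create_bridge "${bridge}"
    connect_dev_to_bridge "${bridge}" "${wapdev}"
    ethtool -K "${wapdev}" tx off || true
  fi
}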
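# STOP routine for XEN Network Setup.
# Mirrors op_start: GREEN is handed back to network-bridge, the other zones
# are only torn down when their device variable is set (same condition that
# created them).  Reads the same globals as op_start.
op_stop () {
  ###
  # GREEN:
  bridge=${bridge0:-xenbr0}
  "${dir}/network-bridge" stop bridge="${bridge}" netdev="${netdev}" vifnum=0 antispoof="${antispoof}"
  ###
  # RED INTERFACE:
  bridge=${bridge1:-xenbr1}
  if [ -n "${reddev}" ]; then
    delete_bridge "${bridge}"
  fi
  ###
  # ORANGE DMZ:
  bridge=${bridge2:-xenbr2}
  if [ -n "${dmzdev}" ]; then
    delete_bridge "${bridge}"
  fi
  ###
  # BLUE WAP:
  bridge=${bridge3:-xenbr3}
  if [ -n "${wapdev}" ]; then
    delete_bridge "${bridge}"
  fi
}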
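# Dispatch on the command found by findCommand.
case "$command" in
  start)
    op_start
    ;;
  stop)
    op_stop
    ;;
  status)
    # op_start/op_stop never ran on this path, so ${bridge} alone would be
    # empty; honour bridge=NAME from the command line and fall back to the
    # GREEN bridge.
    show_status "${netdev}" "${bridge:-${bridge0:-xenbr0}}"
    ;;
  *)
    echo "Unknown command: $command" >&2
    echo 'Valid commands are: start, stop, status' >&2
    exit 1
    ;;
esac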
Mit XEN 3.2 verwende ich unter Etch die Konfiguration mit Debian-Standardmethoden:
/etc/network/interfaces
# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).
# The loopback network interface
auto lo
iface lo inet loopback
# The primary network interface
# GREEN: eth0 is only a bridge port of xenbr0 (no address of its own);
# dom0's GREEN address sits on the bridge below.
allow-hotplug eth0
iface eth0 inet static
up ifconfig eth0 promisc up
# intern is the interface to the internal lan
# NOTE(review): broadcast 192.168.2.255 lies outside network 192.168.1.0/24
# (expected 192.168.1.255) -- confirm this is intentional.
# gateway 192.168.1.21 is presumably the firewall DomU's GREEN address.
auto xenbr0
iface xenbr0 inet static
address 192.168.1.20
netmask 255.255.255.0
network 192.168.1.0
broadcast 192.168.2.255
gateway 192.168.1.21
# dns-* options are implemented by the resolvconf package, if installed
dns-nameservers 127.0.0.1
dns-search zuhause.xx
bridge_ports eth0
bridge_fd 1
bridge_stp off
bridge_hello 1
post-up ethtool -K xenbr0 tx off
# eth1 -> extern
# RED: eth1 is brought up with 0.0.0.0 and xenbr1 is "manual", so dom0
# holds no address on the external segment.
allow-hotplug eth1
iface eth1 inet static
up ifconfig eth1 0.0.0.0 promisc up
auto xenbr1
iface xenbr1 inet manual
bridge_ports eth1
bridge_fd 1
bridge_stp off
bridge_hello 1
post-up ethtool -K xenbr1 tx off
# dmz
# ORANGE: a bridge without any physical port (no bridge_ports), created and
# removed by hand in pre-up/post-down -- presumably because the bridge-utils
# hook only creates bridges that list ports; confirm.  Address 0.0.0.0 keeps
# dom0 unaddressable on the DMZ segment.
auto xenbr2
iface xenbr2 inet manual
pre-up brctl addbr xenbr2
up ifconfig xenbr2 0.0.0.0 promisc up
bridge_fd 1
bridge_stp off
bridge_hello 1
post-up ethtool -K xenbr2 tx off
down ifconfig xenbr2 down
post-down brctl delbr xenbr2
/etc/xen/xend-config.sxp
... (network-script network-dummy) (vif-script vif-bridge) ...

