Home > Others

Libvirt Network Filtering rules: Prohibit client (bridge mode) connection to Extranet

Source: Internet
Author: User
Developer on Alibaba Coud: Build your first app with APIs, SDKs, and tutorials on the Alibaba Cloud. Read more >

The first is the libvirt that defines the network filtering rules:

Virsh Nwfilter-define

Add an XML file followed by defining or updating a network filtering rule from an XML file.

Virsh Nwfilter-dumpxml

Follow the name of a network filter rule to view the XML details for a network rule.

Virsh Nwfilter-edit

Add the name of a network filter rule, and edit a network rule.

Virsh nwfilter-list

Lists all network filtering rules that define success.

Virsh Nwfilter-undefine

After adding a name for the network filter rule, the network filtering rule should be eliminated.


Note: Defining a network filtering rule can ignore the state of the client and can take effect in time, even if the client is active.


Block XML file content when clients are using extranet: 
<filter name= ' no-ip-inout ' chain= ' IPv4 ' >    <uuid>fce8ae34-e69e-83bf-262e-30786c1f8072</uuid>    <rule action= ' accept ' direction= ' out ' priority= ' ' >        <ip srcipaddr= ' 192.168.x.0 ' dstipaddr= ' 255.255.255.255 ' protocol= ' udp ' srcportstart= ' ' srcportend= ' "dstportstart= '" dstportend= ' "/>    </ rule>    <rule action= ' accept ' direction= ' in ' priority= ' + ' >        <ip protocol= ' UDP ' srcportstart= ' 67 ' Srcportend= ' dstportstart= ' dstportend= '/>    </rule> <rule action= '    drop ' direction= ' Out ' priority= ' >        <ip match= ' no ' dstipaddr= ' 192.168.x.0 ' dstipmask= ' 255.255.255.0 '/>    </rule ></filter>

Drop.xml

XML file content that allows clients to use the extranet:

<filter name= ' no-ip-inout ' chain= ' IPv4 ' >    <uuid>fce8ae34-e69e-83bf-262e-30786c1f8072</uuid>    <rule action= ' accept ' direction= ' out ' priority= ' >    </rule></filter>

Accept.xml

Linux and DHCP UDP-related ports are ports 67 and 68th, which define a rule with a priority of 100: Allows the source address to accept DHCP and UDP information, and can send UDP information, the destination address is the same. Define a rule with a priority of 200: Discards all packets sent to the network management. The priority can be obtained by obtaining the required information (such as the acquisition of a DHCP network) and restricting the virtual machine to surf the net, discarding packets sent out.

When the client is prevented from using the extranet:

Virsh Nwfilter-define Drop.xml

When enabling the client to use the extranet:

Virsh Nwfilter-define Accept.xml

When you want to cancel this network filtering rule:

Virsh Nwfilter-undefine No-ip-inout



Libvirt Network Filtering rules: Prohibit client (bridge mode) connection to Extranet

This article is an English version of an article which is originally in the Chinese language on aliyun.com and is provided for information purposes only. This website makes no representation or warranty of any kind, either expressed or implied, as to the accuracy, completeness ownership or reliability of the article or any translations thereof. If you have any concerns or complaints relating to the article, please send an email, providing a detailed description of the concern or complaint, to info-contact@alibabacloud.com. A staff member will contact you within 5 working days. Once verified, infringing content will be removed immediately.

Related Keywords:
arris bridge mode linksys router bridge mode libvirt 4g modem bridge mode linksys bridge mode netgear bridge mode xfinity router bridge mode

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

What's Trending
Top 10 Tags
datastax versions naming convention zookeeper client class definition md5 microsoft sql server 2005 data structures exception handling error handling
Top 10 Keywords
microsoft download center down wordpress address url site address url wordpress address url windows installer 4 0 download 302 not found web address url definition site address url wordpress db2 integer mac os installation step by step pdf abbreviation for return

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

Get Started for Free

  • Sales Support

    1 on 1 presale consultation

    Chat Contact Sales

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

    Open a Ticket

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.

    Learn More