CN103595826B - A method for preventing virtual machine IP and MAC forgery - Google Patents
A method for preventing virtual machine IP and MAC forgery
- Publication number: CN103595826B (application CN201310535410.1A)
- Authority: CN (China)
- Prior art keywords: virtual machine, rule, mac, packet, subchain
- Prior art date: 2013-11-01
- Legal status: Active (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Abstract
The invention belongs to the field of cloud computing and specifically concerns a method for preventing a virtual machine from forging its IP and MAC addresses. The Ethernet bridge firewall tool ebtables is installed on the physical machine. When a virtual machine is created, its network is set to bridged mode and a filter that prevents MAC spoofing is attached to the network interface. After the virtual machine is running, the host looks up the virtual machine's external interface and, keyed on that interface, creates a corresponding anti-IP-spoofing subchain in the firewall tool. A rule is added to the subchain specifying that no IP packet may pass. After the virtual machine's IP is configured, a rule is added to the subchain so that only packets carrying the configured IP may pass; when the IP is reset, a rule letting packets with the new IP through is added. The invention solves the problem of a virtual machine altering its IP and MAC addresses to forge a host identity, and can be applied to IP and MAC anti-forgery for virtual machines.
Description
Technical field
The invention belongs to the field of cloud computing and specifically concerns a method for preventing virtual machine IP and MAC forgery.
Background technology
With the rise of cloud computing, many virtual machines can be created on a single server. This multiplies the number of hosts on the network, and configuring the network for large numbers of virtual machines makes network management difficult. Worse, a virtual machine user can forge a host identity by changing the IP and MAC addresses, which is a serious challenge for network security protection. The usual way to prevent IP and MAC address forgery is to bind IP addresses to MAC addresses: if the binding condition is not met, the DHCP server does not hand out an IP address. This approach has drawbacks:
1. The MAC address of a virtual machine can be changed by editing the virtual machine's configuration file. If the virtual machine's MAC address is set to match the bound MAC address, it still obtains the IP address.
2. Once a virtual machine user has learned the network plan, they can bypass the DHCP server and set an IP address manually, without any restriction; this can cause IP address conflicts on the network and harm network security.
Summary of the invention
The technical problem solved by the invention is to provide a method for preventing virtual machine IP and MAC forgery, so that a virtual machine user cannot forge a host identity by changing the IP and MAC addresses and thereby endanger network security protection.
The technical solution adopted by the invention to solve this problem is as follows:
A method for preventing virtual machine IP and MAC forgery, characterised in that it comprises the following steps:
Step 1: install the Ethernet bridge firewall tool ebtables on the physical machine.
Step 2: when creating the virtual machine, set its network to bridged mode and attach the anti-MAC-spoofing filter to the network interface.
Step 3: after the virtual machine is running, obtain the virtual machine's external interface on the host.
Step 4: keyed on that external interface, create a corresponding anti-IP-spoofing subchain in the firewall tool.
Step 5: add a rule to the subchain specifying that no IP packet may pass. With this configuration, whatever IP and MAC address is set inside the virtual machine has no effect.
Step 6: after the virtual machine's IP is configured, add a rule to the subchain specifying that only packets carrying the configured IP may pass.
Step 7: when the IP is reset, delete the rule for the old IP from the subchain and add a rule that lets packets carrying the new IP pass.
The filter in step 2 is no-mac-spoofing.
Each rule added to the subchain is generated from the virtual machine's network interface.
Step 7 takes effect as soon as its operations complete; the virtual machine's network does not need to be reconfigured.
When the virtual machine is shut down, the subchain belonging to its external interface and all of its rules are deleted.
When the virtual machine is migrated, the subchain and its rules are exported and re-created on the target node.
Using this method prevents: 1. changing the virtual machine's MAC address by editing the virtual machine's configuration; 2. obtaining an IP address by setting the virtual machine's MAC address to match the bound MAC address; 3. setting an IP manually after learning the network plan. Network security is thereby ensured.
Brief description of the drawings
The invention is further described below with reference to the accompanying drawings:
Fig. 1 is the flow chart of the invention;
Fig. 2 is the flow chart of a specific embodiment of the invention.
Detailed description of the invention
As shown in the figures, the specific flow of the invention is as follows:
1. When creating the virtual machine, make the corresponding change to its libvirt configuration file libvirt.xml. Because a virtual machine's network interface is normally fixed, only the network card needs to be configured in libvirt.xml, as follows:
<interface type="bridge">
<filterref filter="no-mac-spoofing"/>
<source bridge="br0"/>
<model type="virtio"/>
</interface>
2. Once the virtual machine has been created and is running, first look up its external interface on the host (for example vnet9). With the external interface known, the ebtables configuration tool can be used on the host to make the corresponding configuration and so control the virtual machine's IP.
(1) Configure the virtual machine so that no IP packet may pass (i.e. the virtual machine cannot set an IP)
Configure on the host so that no IP packet from the specified virtual machine network interface may pass:
# ebtables -t nat -N I-vnet9-ipv4-ip    // create the corresponding anti-IP-spoofing subchain
# ebtables -t nat -A libvirt-I-vnet9 -p IPv4 -j I-vnet9-ipv4-ip    // hang the subchain under libvirt-I-vnet9
# ebtables -t nat -A I-vnet9-ipv4-ip -p IPv4 --ip-src 0.0.0.0 --ip-proto udp -j RETURN    // add rule 1
# ebtables -t nat -A I-vnet9-ipv4-ip -j DROP    // add rule 2
Rule 1 lets through UDP packets whose source address is 0.0.0.0, which is what a DHCP client sends before it holds a lease, so the virtual machine can still obtain an address from the DHCP server; rule 2 drops every other IP packet. After these commands have run, any IP or MAC address set inside the virtual machine has no effect (its packets cannot be forwarded out through the host).
(2) Configure the virtual machine so that only packets with the specified IP may pass (i.e. the virtual machine may be set to a specified IP)
If the IP is specified when the virtual machine is created, say 192.168.6.200, the following configuration lets packets carrying that IP through:
# ebtables -t nat -N I-vnet9-ipv4-ip    // create the corresponding anti-IP-spoofing subchain
# ebtables -t nat -A libvirt-I-vnet9 -p IPv4 -j I-vnet9-ipv4-ip    // hang the subchain under libvirt-I-vnet9
# ebtables -t nat -A I-vnet9-ipv4-ip -p IPv4 --ip-src 0.0.0.0 --ip-proto udp -j RETURN    // add rule 1
# ebtables -t nat -A I-vnet9-ipv4-ip -p IPv4 --ip-src 192.168.6.200 -j RETURN    // add rule 2: allow packets whose source IP is 192.168.6.200
# ebtables -t nat -A I-vnet9-ipv4-ip -j DROP    // add rule 3
3. Setting the IP
First obtain the virtual machine's network interface (for example vnet9).
(1) If the virtual machine had no IP before and 192.168.6.200 is to be set now, run the following command:
# ebtables -t nat -I I-vnet9-ipv4-ip 2 -p IPv4 --ip-src 192.168.6.200 -j RETURN
// This is the follow-up configuration for a virtual machine on which "no IP packet may pass (the virtual machine cannot set an IP)" has already been done: rule 2 is inserted into the I-vnet9-ipv4-ip subchain, and the previous rule 2 (the DROP) becomes rule 3.
(2) If the virtual machine already has 192.168.6.200 and it is now to be changed to 192.168.6.244, run the following:
# ebtables -t nat -D I-vnet9-ipv4-ip 2    // delete rule 2 of the I-vnet9-ipv4-ip subchain
# ebtables -t nat -I I-vnet9-ipv4-ip 2 -p IPv4 --ip-src 192.168.6.244 -j RETURN    // add the new rule 2
// This is the follow-up configuration for a virtual machine on which "only packets with the specified IP may pass (the virtual machine may be set to a specified IP)" has already been done: first delete rule 2 of I-vnet9-ipv4-ip, then insert the new rule 2.
4. Shutting down the virtual machine
When the virtual machine is shut down, libvirt removes that virtual machine's ebtables filter rules, so nothing needs to be changed here. When the virtual machine is started again, its ebtables filter rules must be set up again.
5. Migrating the virtual machine
When migrating a virtual machine, the corresponding ebtables rules must also be created on the target host node; the procedure for setting the rules is the same as when the virtual machine was created.
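The whole procedure of sections 2 to 5 above, packaged as one POSIX shell script. This is an added example written for this page, not code from the patent or from its assignee; the function names, the DRY_RUN switch and the script name vm-ip.sh are this example's own. It assumes libvirt has already created the chain libvirt-I-<iface> in the ebtables nat table, which it does when the interface carries an nwfilter such as no-mac-spoofing. It goes beyond the patent's own rules in two ways: the DHCP exception is narrowed to UDP port 68 to port 67 (the patent's rule lets any UDP packet with source 0.0.0.0 through), and the interface name and IP are validated before being handed to ebtables, since in practice they arrive from a management layer.

```shell
#!/bin/sh
# vm-ip.sh: per-VM ebtables chain that pins a bridged VM to one source IP.
# Added example, not the patent's code. With DRY_RUN=1 the ebtables commands
# are printed instead of executed, so the script can be read and tested on a
# machine without libvirt or ebtables.

# Execute a command, or print it when DRY_RUN is set.
run() {
    if [ -n "${DRY_RUN:-}" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Interface and IP come from the management layer; accept only a plain tap
# name and a dotted-quad so nothing unexpected reaches the ebtables command line.
valid_iface() { printf '%s' "$1" | grep -Eq '^[A-Za-z0-9_]+$'; }
valid_ipv4()  { printf '%s' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'; }

# Steps 4 and 5: create the subchain, hook it under libvirt's input chain for
# the interface, allow only the DHCP client traffic a VM needs before it has an
# address (source 0.0.0.0, UDP 68 -> 67), and drop every other IPv4 packet.
# The port match is a tightening added here; the patent matches any UDP.
vm_ip_init() {
    iface=$1
    valid_iface "$iface" || return 2
    chain="I-$iface-ipv4-ip"
    run ebtables -t nat -N "$chain"
    run ebtables -t nat -A "libvirt-I-$iface" -p IPv4 -j "$chain"
    run ebtables -t nat -A "$chain" -p IPv4 --ip-src 0.0.0.0 --ip-proto udp \
        --ip-sport 68 --ip-dport 67 -j RETURN
    run ebtables -t nat -A "$chain" -j DROP
}

# Step 6: allow exactly one source IP. Inserted at position 2, i.e. after the
# DHCP exception and before the final DROP, so rule order stays DHCP, IP, DROP.
vm_ip_allow() {
    iface=$1; ip=$2
    valid_iface "$iface" && valid_ipv4 "$ip" || return 2
    run ebtables -t nat -I "I-$iface-ipv4-ip" 2 -p IPv4 --ip-src "$ip" -j RETURN
}

# Step 7: replace the allowed IP. Rule 2 is the old allow rule; delete it and
# insert the new one in the same slot. Takes effect immediately, no guest change.
vm_ip_reset() {
    iface=$1; newip=$2
    valid_iface "$iface" && valid_ipv4 "$newip" || return 2
    run ebtables -t nat -D "I-$iface-ipv4-ip" 2
    run ebtables -t nat -I "I-$iface-ipv4-ip" 2 -p IPv4 --ip-src "$newip" -j RETURN
}

# Verification: list the chain with rule numbers to confirm the order.
vm_ip_show() {
    valid_iface "$1" || return 2
    run ebtables -t nat -L "I-$1-ipv4-ip" --Ln
}

# Migration (section 5): --Lx prints the chain as ebtables commands, which can
# be replayed on the target host once the VM's libvirt-I-<iface> chain exists there.
vm_ip_export() {
    valid_iface "$1" || return 2
    run ebtables -t nat -L "I-$1-ipv4-ip" --Lx
}

# Usage: vm-ip.sh init vnet9 | allow vnet9 192.168.6.200 |
#        reset vnet9 192.168.6.244 | show vnet9 | export vnet9
case "${1:-}" in
    init)   vm_ip_init "$2" ;;
    allow)  vm_ip_allow "$2" "$3" ;;
    reset)  vm_ip_reset "$2" "$3" ;;
    show)   vm_ip_show "$2" ;;
    export) vm_ip_export "$2" ;;
esac
```

Because libvirt recreates libvirt-I-<iface> whenever the VM is started or its filter is re-applied, the init and allow steps have to be rerun on every boot, exactly as section 4 states. A practitioner should also know that libvirt's own nwfilter ships a no-ip-spoofing filter that takes the allowed address as an IP parameter on the filterref; the hand-built chain here is what the patent describes, not the only way to get the effect.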
Claims (2)
1. A method for preventing virtual machine IP and MAC forgery, characterised in that it comprises the following steps:
Step 1: install the Ethernet bridge firewall tool ebtables on the physical machine.
Step 2: when creating the virtual machine, set its network to bridged mode and attach the anti-MAC-spoofing filter to the network interface.
Step 3: after the virtual machine is running, obtain the virtual machine's external interface on the host.
Step 4: keyed on that external interface, create a corresponding anti-IP-spoofing subchain in the firewall tool.
Step 5: add a rule to the subchain specifying that no IP packet may pass. With this configuration, whatever IP and MAC address is set inside the virtual machine has no effect.
Step 6: after the virtual machine's IP is configured, add a rule to the subchain specifying that only packets carrying the configured IP may pass.
Step 7: when the IP is reset, delete the rule for the old IP from the subchain and add a rule that lets packets carrying the new IP pass.
The filter in step 2 is no-mac-spoofing.
Each rule added to the subchain is generated from the virtual machine's network interface.
Step 7 takes effect as soon as its operations complete; the virtual machine's network does not need to be reconfigured.
When the virtual machine is shut down, the subchain belonging to its external interface and all of its rules are deleted.
2. The method for preventing virtual machine IP and MAC forgery according to claim 1, characterised in that when the virtual machine is migrated, the subchain and its rules are exported and re-created on the target node.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201310535410.1A CN103595826B (en) | 2013-11-01 | 2013-11-01 | A method for preventing virtual machine IP and MAC forgery |
Publications (2)
Publication Number | Publication Date |
---|---|
CN103595826A CN103595826A (en) | 2014-02-19 |
CN103595826B true CN103595826B (en) | 2016-11-02 |
Family
ID=50085804
Country Status (1)
Country | Link |
---|---|
CN (1) | CN103595826B (en) |
Families Citing this family (11)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN104023011B (en) * | 2014-05-30 | 2017-04-26 | 国云科技股份有限公司 | Network firewall realization method suitable for virtual machine |
CN104219241A (en) * | 2014-09-04 | 2014-12-17 | 国云科技股份有限公司 | ARP (address resolution protocol) attack two-way protection method applicable to virtual machine |
TWI520002B (en) * | 2014-10-21 | 2016-02-01 | | Protection Method and System of Cloud Virtual Network Security |
CN104503927A (en) * | 2014-12-11 | 2015-04-08 | 国云科技股份有限公司 | Method for calculating virtual machine network IO (input/output) speed |
CN106559428A (en) * | 2016-11-25 | 2017-04-05 | 国云科技股份有限公司 | The method that a kind of anti-virtual machine IP and MAC is forged |
CN108268300B (en) * | 2016-12-30 | 2022-01-25 | 中移(苏州)软件技术有限公司 | Virtual machine migration method and device |
CN107634953A (en) * | 2017-09-22 | 2018-01-26 | 国云科技股份有限公司 | A kind of method for preventing capacitor network ARP from cheating |
CN110784341A (en) * | 2019-10-14 | 2020-02-11 | 国云科技股份有限公司 | Method for tracking virtual machine by service link |
CN111565176B (en) * | 2020-04-24 | 2022-04-08 | 上海沪景信息科技有限公司 | Intelligent disguising host method, system, device and readable storage medium |
CN113055228B (en) * | 2021-03-05 | 2023-07-21 | 深圳市网心科技有限公司 | Non-perception network bridging method and device based on wireless network card |
CN114785564A (en) * | 2022-04-01 | 2022-07-22 | 江苏天翼安全技术有限公司 | Universal method for preventing board jump machine based on Ethernet bridge rule |
Patent Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN102859934A (en) * | 2009-03-31 | 2013-01-02 | 考持·维 | System and method for access management and security protection for network accessible computer services |
CN102571698A (en) * | 2010-12-17 | 2012-07-11 | 中国移动通信集团公司 | Access authority control method, system and device for virtual machine |
CN102739645A (en) * | 2012-04-23 | 2012-10-17 | 杭州华三通信技术有限公司 | Method and device for migrating virtual machine safety policy |
Non-Patent Citations (1)
Title |
---|
基于Linux包过滤防火墙的研究与实现 (Research and Implementation of a Linux Packet-Filtering Firewall); 张建中 (Zhang Jianzhong); China Master's Theses Full-text Database; 2004-03-15 (No. 1); p. 16 lines 3-7, p. 18 lines 6-9, p. 35 lines 8-10, Fig. 2.6 * |
Also Published As
Publication number | Publication date |
---|---|
CN103595826A (en) | 2014-02-19 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| C06 | Publication | |
| PB01 | Publication | |
| SE01 | Entry into force of request for substantive examination | |
| C14 | Grant of patent or utility model | |
| GR01 | Patent grant | |
| CP02 | Change in the address of a patent holder | Address after: 523808 19th Floor, Cloud Computing Center, Chinese Academy of Sciences, No. 1 Kehui Road, Songshan Lake Hi-tech Industrial Development Zone, Dongguan City, Guangdong Province; Patentee after: G-Cloud Technology Co., Ltd. Address before: 523808 No. 14 Building, Songke Garden, Songshan Lake Science and Technology Industrial Park, Dongguan City, Guangdong Province; Patentee before: G-Cloud Technology Co., Ltd. |