CN103595826A - Method for preventing IP and MAC of virtual machine from being faked - Google Patents
- Publication number: CN103595826A
- Application number: CN201310535410.1A
- Authority: CN (China)
- Prior art keywords: virtual machine, mac, rule, prevents, child list
- Prior art date
- Legal status: Granted
- Technical fields: Data Exchanges In Wide-Area Networks; Small-Scale Networks
Abstract
The invention belongs to the field of cloud computing and describes a method for preventing the IP and MAC addresses of a virtual machine from being forged. The Ethernet bridge firewall tool ebtables is installed on the physical machine. When a virtual machine is created, its network is attached in bridge mode and the network interface uses a filter that prevents MAC spoofing. After the virtual machine is running, its external (host-side) interface is looked up on the host, and a sub-chain that prevents IP forgery is created in the firewall tool for that interface. A rule is added to the sub-chain so that no IP packet is accepted; after the virtual machine's IP is configured, a rule is added so that only packets carrying the configured IP are accepted; if the IP is reset, the rule is replaced so that only packets carrying the new IP are accepted. The method solves the problem of a virtual machine user modifying the IP and MAC addresses to forge a host identity, and can be used to prevent IP and MAC forgery by virtual machines.
Description
Technical field
The present invention relates to the field of cloud computing, and in particular to a method for preventing the IP and MAC addresses of a virtual machine from being forged.
Background technology
Under the main trend of cloud computing, a single server can host many virtual machines. This multiplies the number of hosts on the network, and the network configuration of a large number of virtual machines makes network management difficult. Virtual machine users who forge a host identity by modifying the IP and MAC addresses pose a particular challenge to network security. The current approach to preventing IP and MAC address forgery is generally to bind IP addresses to MAC addresses: when the binding condition is not met, the DHCP server does not allocate an IP address. This approach has some drawbacks:
1. The MAC address of a virtual machine can be changed by editing the virtual machine's configuration file; if the MAC address is set to one that has already been bound, an IP address can still be obtained.
2. Once a virtual machine user knows the details of the network plan, the user can skip obtaining an IP from the DHCP server and set the IP manually, which is likewise unrestricted; this can cause IP address conflicts on the network and affect network security.
Summary of the invention
The technical problem solved by the present invention is to provide a method for preventing the IP and MAC addresses of a virtual machine from being forged, so that a virtual machine user cannot forge a host identity by modifying the IP and MAC addresses, which endangers and challenges network security.
The technical scheme by which the present invention solves the above technical problem is:
A method for preventing virtual machine IP and MAC forgery, characterized in that it comprises the following steps:
Step 1: install the Ethernet bridge firewall tool ebtables on the physical machine;
Step 2: when creating the virtual machine, attach the specified virtual machine's network in bridge mode and use a filter that prevents MAC spoofing on the network interface;
Step 3: after the virtual machine is running, obtain the virtual machine's external interface on the host;
Step 4: according to the external interface, create the corresponding sub-chain that prevents IP forgery in the firewall tool;
Step 5: add a rule to the sub-chain specifying that no IP packet may pass; with this configuration, setting any IP or MAC inside the virtual machine has no effect;
Step 6: after the virtual machine's IP is configured, add a rule to the sub-chain specifying that only packets carrying the configured virtual machine IP may pass;
Step 7: if the IP is reset, delete the rule for the former IP from the sub-chain and add a rule that only packets carrying the new IP may pass.
The filter in step 2 is no-mac-spoofing.
Each rule added to the sub-chain is generated according to the virtual machine's network interface.
Step 7 takes effect as soon as the operation completes, without reconfiguring the virtual machine's network.
When the virtual machine is shut down, the sub-chain belonging to its external interface and all of its rules are deleted.
When the virtual machine is migrated, the sub-chain and its rules are exported and re-created on the destination node.
With the method of the present invention, the following can be prevented: 1. modifying the virtual machine's MAC address by editing the virtual machine configuration; 2. obtaining an IP address by setting the virtual machine's MAC address to one that has already been bound; 3. setting an IP manually after learning the details of the network plan. Network security is thereby ensured.
Description of the drawings
The present invention is further described below with reference to the drawings:
Fig. 1 is the flow chart of the present invention;
Fig. 2 is the flow chart of a specific embodiment of the present invention.
Embodiment
As shown in the figures, the specific flow of the present invention is as follows:
1. When creating the virtual machine, the virtual machine configuration libvirt.xml must be modified accordingly. Because the network interface of an ordinary virtual machine is fixed, it is sufficient to configure the network card in the virtual machine's libvirt.xml as follows:
```xml
<interface type="bridge">
  <filterref filter="no-mac-spoofing"/>
  <source bridge="br0"/>
  <model type="virtio"/>
</interface>
```
2. After the virtual machine has been created and is running, first look up the virtual machine's external interface on the host. Once the external interface is known (for example vnet9), the ebtables configuration tool can be used on the host to configure the corresponding rules and so control the virtual machine's IP.
(1) No IP packet from the virtual machine may pass (that is, the virtual machine cannot set an IP): configure the specified virtual machine's network interface so that no IP packet passes through the host:
```sh
ebtables -t nat -N I-vnet9-ipv4-ip                                          # create the sub-chain that prevents IP forgery
ebtables -t nat -A libvirt-I-vnet9 -p IPv4 -j I-vnet9-ipv4-ip               # hook the sub-chain under libvirt-I-vnet9
ebtables -t nat -A I-vnet9-ipv4-ip -p IPv4 --ip-src 0.0.0.0 --ip-proto udp -j RETURN   # rule 1: let DHCP discovery (source 0.0.0.0, UDP) through
ebtables -t nat -A I-vnet9-ipv4-ip -j DROP                                  # rule 2: drop every other IP packet
```
Once the above commands have been executed, any IP and MAC set inside the virtual machine have no effect (the host does not forward the virtual machine's packets outward).
(2) Only packets carrying the virtual machine's assigned IP may pass (that is, the virtual machine can be set to the assigned IP).
If the IP is specified when the virtual machine is created, for example 192.168.6.200, the following configuration allows packets from that IP to pass:
```sh
ebtables -t nat -N I-vnet9-ipv4-ip                                          # create the sub-chain that prevents IP forgery
ebtables -t nat -A libvirt-I-vnet9 -p IPv4 -j I-vnet9-ipv4-ip               # hook the sub-chain under libvirt-I-vnet9
ebtables -t nat -A I-vnet9-ipv4-ip -p IPv4 --ip-src 0.0.0.0 --ip-proto udp -j RETURN   # rule 1: let DHCP discovery through
ebtables -t nat -A I-vnet9-ipv4-ip -p IPv4 --ip-src 192.168.6.200 -j RETURN             # rule 2: allow packets whose source IP is 192.168.6.200
ebtables -t nat -A I-vnet9-ipv4-ip -j DROP                                  # rule 3: drop every other IP packet
```
3. Setting the IP
First obtain the virtual machine's network interface (for example vnet9).
(1) If the virtual machine had no IP before and the IP 192.168.6.200 is now to be set, run the following command:
```sh
ebtables -t nat -I I-vnet9-ipv4-ip 2 -p IPv4 --ip-src 192.168.6.200 -j RETURN   # insert as rule 2, ahead of the DROP
```
This setting is applied after the configuration of "no IP packet from the virtual machine may pass (the virtual machine cannot set an IP)" has been done for the virtual machine: it inserts a new rule 2 into the I-vnet9-ipv4-ip sub-chain, and the previous rule 2 becomes rule 3.
(2) If the virtual machine already has the IP 192.168.6.200 and it is now to be reset to 192.168.6.244, run the following:
```sh
ebtables -t nat -D I-vnet9-ipv4-ip 2                                            # delete rule 2 of the I-vnet9-ipv4-ip sub-chain
ebtables -t nat -I I-vnet9-ipv4-ip 2 -p IPv4 --ip-src 192.168.6.244 -j RETURN   # add the new rule 2
```
This setting is applied after the configuration of "only packets carrying the virtual machine's assigned IP may pass (the virtual machine can be set to the assigned IP)" has been done for the virtual machine: first delete rule 2 of I-vnet9-ipv4-ip, then add a new rule 2.
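A host-side check that the patent does not include, as an added shell example (not the patent's own code): it reads an `ebtables -t nat -L <chain>` listing, prints the source addresses the sub-chain lets through, and verifies that the chain still ends in an unconditional DROP, which is what makes the "only the configured IP" rule meaningful after a reset or a migration. The listing below is a constructed sample in the legacy ebtables listing format, not captured output; the chain name, interface and addresses are the embodiment's.

```sh
#!/bin/sh
# Added example, not part of the patent: audit one VM interface's anti-IP-forgery
# sub-chain from an `ebtables -t nat -L <chain>` listing.
# SAMPLE_LISTING is a constructed sample in the legacy ebtables -L format.

SAMPLE_LISTING='Bridge table: nat

Bridge chain: I-vnet9-ipv4-ip, entries: 3, policy: ACCEPT
-p IPv4 --ip-src 0.0.0.0 --ip-proto udp -j RETURN
-p IPv4 --ip-src 192.168.6.200 -j RETURN
-j DROP'

# allowed_sources LISTING: the --ip-src values of rules that RETURN (i.e. are let
# through), one per line. 0.0.0.0 is the DHCP-discovery exception of rule 1.
allowed_sources() {
    printf '%s\n' "$1" | awk '
        /-j RETURN/ {
            for (i = 1; i <= NF; i++) if ($i == "--ip-src") print $(i + 1)
        }'
}

# ends_in_drop LISTING: succeed only if the last rule line is a bare "-j DROP".
ends_in_drop() {
    last=$(printf '%s\n' "$1" | grep -- '^-' | tail -n 1)
    [ "$last" = "-j DROP" ]
}

# audit_chain LISTING EXPECTED_IP: 0 if the chain admits exactly the expected VM
# address (plus the DHCP exception) and is closed by DROP, 1 otherwise.
audit_chain() {
    listing=$1
    expected=$2
    ends_in_drop "$listing" || return 1
    srcs=$(allowed_sources "$listing" | grep -v '^0\.0\.0\.0$' || true)
    [ "$srcs" = "$expected" ]
}

# Stand-alone use: audit the constructed sample for vnet9.
if audit_chain "$SAMPLE_LISTING" 192.168.6.200; then
    echo "vnet9: chain admits only 192.168.6.200 and ends in DROP"
else
    echo "vnet9: chain is NOT closed or admits other addresses" >&2
fi
```

On a real host the listing would come from `ebtables -t nat -L I-vnet9-ipv4-ip` run as root; the check fails both when an extra RETURN rule admits a second address and when the trailing DROP is missing, which is the state a chain is left in if the `-I` after a `-D` in the reset procedure never runs.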
4. Shutting down the virtual machine
After the virtual machine is shut down, libvirt deletes the ebtables filtering rules of that virtual machine accordingly, so no change is needed here. When the virtual machine is started again, the corresponding ebtables filtering rules must be set up for it again.
5. Migrating the virtual machine
When migrating a virtual machine, the corresponding ebtables rules must also be created on the destination host node; the procedure for setting these rules is the same as when the virtual machine was created.
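The per-interface procedure of steps 4 to 7 of the summary and steps 2 to 5 of the embodiment, as an added shell example that is not the patent's own code. Every ebtables call goes through a wrapper that prints the command instead of running it when EBT_DRY_RUN=1, so the rule set can be reviewed before it is applied and the printed commands double as the export that is replayed on a migration target. The chain names libvirt-I-<iface> and I-<iface>-ipv4-ip, the interface vnet9 and the addresses are those of the embodiment; the teardown and export functions are this example's own additions (the patent relies on libvirt deleting the rules at shutdown and on re-running the creation procedure on the destination node).

```sh
#!/bin/sh
# Added example, not part of the patent: build, update, tear down and export the
# per-interface ebtables sub-chain that restricts a VM to its configured IP.
# Assumption: libvirt's per-interface chain is named libvirt-I-<iface>, and the
# sub-chain is named I-<iface>-ipv4-ip as in the patent's embodiment.

# ebt ARGS...: run `ebtables -t nat ARGS`, or print it when EBT_DRY_RUN=1.
ebt() {
    if [ "${EBT_DRY_RUN:-0}" = "1" ]; then
        echo "ebtables -t nat $*"
    else
        ebtables -t nat "$@"
    fi
}

# chain_name IFACE: name of the anti-IP-forgery sub-chain for a VM interface.
chain_name() {
    echo "I-$1-ipv4-ip"
}

# setup_chain IFACE (steps 4-5): create the sub-chain, hook it under libvirt's
# interface chain, let DHCP discovery through (source 0.0.0.0, UDP) and drop
# every other IP packet. The VM cannot talk on any address at this point.
setup_chain() {
    iface=$1
    chain=$(chain_name "$iface")
    ebt -N "$chain"
    ebt -A "libvirt-I-$iface" -p IPv4 -j "$chain"
    ebt -A "$chain" -p IPv4 --ip-src 0.0.0.0 --ip-proto udp -j RETURN
    ebt -A "$chain" -j DROP
}

# set_ip IFACE IP (step 6): insert the configured address as rule 2, ahead of
# the final DROP, so only packets from that address are forwarded.
set_ip() {
    ebt -I "$(chain_name "$1")" 2 -p IPv4 --ip-src "$2" -j RETURN
}

# reset_ip IFACE NEWIP (step 7): replace the old address rule (rule 2). Between
# the -D and the -I the chain admits only DHCP, so the change fails closed.
reset_ip() {
    chain=$(chain_name "$1")
    ebt -D "$chain" 2
    ebt -I "$chain" 2 -p IPv4 --ip-src "$2" -j RETURN
}

# teardown_chain IFACE (shutdown): unhook, flush and delete the sub-chain.
teardown_chain() {
    iface=$1
    chain=$(chain_name "$iface")
    ebt -D "libvirt-I-$iface" -p IPv4 -j "$chain"
    ebt -F "$chain"
    ebt -X "$chain"
}

# export_rules IFACE [IP] (migration): print the commands that rebuild the chain
# for this interface, to be replayed on the destination node after the VM's
# interface name there is known.
export_rules() {
    (
        EBT_DRY_RUN=1
        setup_chain "$1"
        if [ -n "$2" ]; then set_ip "$1" "$2"; fi
    )
}

# Stand-alone use: print the rule set for vnet9 with 192.168.6.200 (nothing applied).
export_rules vnet9 192.168.6.200
```

Rule positions are hard-coded (rule 2 is the address rule) exactly as in the embodiment, so the functions assume the chain has the layout setup_chain builds; if other rules are ever added to the sub-chain, deleting by rule specification (`-D chain -p IPv4 --ip-src OLDIP -j RETURN`) is more robust than deleting by number. On the migration target the exported commands have to be rewritten for the interface name libvirt assigns there, which is why export_rules takes the interface as a parameter.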
Claims (10)
1. A method for preventing virtual machine IP and MAC forgery, characterized in that it comprises the following steps:
Step 1: install the Ethernet bridge firewall tool ebtables on the physical machine;
Step 2: when creating the virtual machine, attach the specified virtual machine's network in bridge mode and use a filter that prevents MAC spoofing on the network interface;
Step 3: after the virtual machine is running, obtain the virtual machine's external interface on the host;
Step 4: according to the external interface, create the corresponding sub-chain that prevents IP forgery in the firewall tool;
Step 5: add a rule to the sub-chain specifying that no IP packet may pass; with this configuration, setting any IP or MAC inside the virtual machine has no effect;
Step 6: after the virtual machine's IP is configured, add a rule to the sub-chain specifying that only packets carrying the configured virtual machine IP may pass;
Step 7: if the IP is reset, delete the rule for the former IP from the sub-chain and add a rule that only packets carrying the new IP may pass.
2. The method for preventing virtual machine IP and MAC forgery according to claim 1, characterized in that the filter in step 2 is no-mac-spoofing.
3. The method for preventing virtual machine IP and MAC forgery according to claim 1, characterized in that each rule added to the sub-chain is generated according to the virtual machine's network interface.
4. The method for preventing virtual machine IP and MAC forgery according to claim 2, characterized in that each rule added to the sub-chain is generated according to the virtual machine's network interface.
5. The method for preventing virtual machine IP and MAC forgery according to any one of claims 1 to 4, characterized in that step 7 takes effect as soon as the operation completes, without reconfiguring the virtual machine's network.
6. The method for preventing virtual machine IP and MAC forgery according to any one of claims 1 to 4, characterized in that when the virtual machine is shut down, the sub-chain belonging to its external interface and all of its rules are deleted.
7. The method for preventing virtual machine IP and MAC forgery according to claim 5, characterized in that when the virtual machine is shut down, the sub-chain belonging to its external interface and all of its rules are deleted.
8. The method for preventing virtual machine IP and MAC forgery according to any one of claims 1 to 4, characterized in that when the virtual machine is migrated, the sub-chain and its rules are exported and re-created on the destination node.
9. The method for preventing virtual machine IP and MAC forgery according to claim 5, characterized in that when the virtual machine is migrated, the sub-chain and its rules are exported and re-created on the destination node.
10. The method for preventing virtual machine IP and MAC forgery according to claim 6, characterized in that when the virtual machine is migrated, the sub-chain and its rules are exported and re-created on the destination node.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201310535410.1A CN103595826B (en) | 2013-11-01 | 2013-11-01 | A kind of method preventing virtual machine IP and MAC from forging |
Publications (2)
Publication Number | Publication Date |
---|---|
CN103595826A true CN103595826A (en) | 2014-02-19 |
CN103595826B CN103595826B (en) | 2016-11-02 |
Family ID: 50085804
Cited By (11)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN104023011A (en) * | 2014-05-30 | 2014-09-03 | 国云科技股份有限公司 | Network firewall realization method suitable for virtual machine |
CN104219241A (en) * | 2014-09-04 | 2014-12-17 | 国云科技股份有限公司 | ARP (address resolution protocol) attack two-way protection method applicable to virtual machine |
CN104503927A (en) * | 2014-12-11 | 2015-04-08 | 国云科技股份有限公司 | Method for calculating virtual machine network IO (input/output) speed |
CN104717212A (en) * | 2014-10-21 | 2015-06-17 | 中华电信股份有限公司 | Protection method and system for cloud virtual network security |
CN106559428A (en) * | 2016-11-25 | 2017-04-05 | 国云科技股份有限公司 | The method that a kind of anti-virtual machine IP and MAC is forged |
CN107634953A (en) * | 2017-09-22 | 2018-01-26 | 国云科技股份有限公司 | A kind of method for preventing capacitor network ARP from cheating |
CN108268300A (en) * | 2016-12-30 | 2018-07-10 | 中移(苏州)软件技术有限公司 | The moving method and device of a kind of virtual machine |
CN110784341A (en) * | 2019-10-14 | 2020-02-11 | 国云科技股份有限公司 | Method for tracking virtual machine by service link |
CN111565176A (en) * | 2020-04-24 | 2020-08-21 | 上海沪景信息科技有限公司 | Intelligent disguising host method, system, device and readable storage medium |
CN113055228A (en) * | 2021-03-05 | 2021-06-29 | 深圳市网心科技有限公司 | Non-sensing network bridging method and device based on wireless network card |
CN114785564A (en) * | 2022-04-01 | 2022-07-22 | 江苏天翼安全技术有限公司 | Universal method for preventing board jump machine based on Ethernet bridge rule |
Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN102571698A (en) * | 2010-12-17 | 2012-07-11 | 中国移动通信集团公司 | Access authority control method, system and device for virtual machine |
CN102739645A (en) * | 2012-04-23 | 2012-10-17 | 杭州华三通信技术有限公司 | Method and device for migrating virtual machine safety policy |
CN102859934A (en) * | 2009-03-31 | 2013-01-02 | 考持·维 | System and method for access management and security protection for network accessible computer services |
Non-Patent Citations (1)
Title |
---|
张建中 (Zhang Jianzhong): "Research and Implementation of a Linux Packet-Filtering Firewall", China Master's Theses Full-Text Database, no. 1, 15 March 2004 (2004-03-15) * |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| C06 | Publication | |
| PB01 | Publication | |
| SE01 | Entry into force of request for substantive examination | |
| C14 | Grant of patent or utility model | |
| GR01 | Patent grant | |
| CP02 | Change in the address of a patent holder | Address after: 523808 19th Floor, Cloud Computing Center, Chinese Academy of Sciences, No. 1 Kehui Road, Songshan Lake Hi-tech Industrial Development Zone, Dongguan City, Guangdong Province; Patentee after: G-Cloud Technology Co., Ltd. Address before: 523808 No. 14 Building, Songke Garden, Songshan Lake Science and Technology Industrial Park, Dongguan City, Guangdong Province; Patentee before: G-Cloud Technology Co., Ltd. |