CN103595826A - Method for preventing IP and MAC of virtual machine from being faked - Google Patents


Info

Publication number
CN103595826A
Authority
CN (China)
Prior art keywords
virtual machine, mac, rule, prevents, child list
Legal status
Granted
Application number
CN201310535410.1A
Other languages
Chinese (zh)
Other versions
CN103595826B (en)
Inventors
洪紫程, 杨松, 莫展鹏, 季统凯
Current assignee
G Cloud Technology Co Ltd
Original assignee
G Cloud Technology Co Ltd
Events
Application filed by G Cloud Technology Co Ltd
Priority to CN201310535410.1A
Publication of CN103595826A
Application granted
Publication of CN103595826B
Current status: Active

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)
  • Small-Scale Networks (AREA)

Abstract

The invention relates to the field of cloud computing, and in particular to a method for preventing forgery of a virtual machine's IP and MAC addresses. According to the method, the Ethernet bridge firewall tool ebtables is installed on the physical machine; when the virtual machine is created, bridged mode is used for the designated virtual machine's network and a filter that prevents MAC spoofing is applied on the network interface; after the virtual machine is running, its external interface is obtained on the host machine; according to that external interface, a corresponding anti-IP-forgery sub-chain is created in the firewall tool; rules are added to the sub-chain specifying that no IP packet may pass; after the virtual machine's IP is configured, a rule is added to the sub-chain specifying that only packets with the configured virtual machine IP may pass; if the IP is reset, a rule is added so that only packets with the new IP may pass. The method solves the problem of a virtual machine's IP and MAC addresses being modified to forge a host identity, and can be used to prevent forgery of a virtual machine's IP and MAC.

Description

A method for preventing forgery of a virtual machine's IP and MAC addresses
Technical field
The present invention relates to the field of cloud computing, and in particular to a method for preventing forgery of a virtual machine's IP and MAC addresses.
Background art
Under the prevailing trend of cloud computing, many virtual machines can be created on a single server. This multiplies the number of hosts on the network, and the network configuration of a large number of virtual machines makes network management difficult. A virtual machine user who forges a host identity by modifying the IP and MAC address poses a serious challenge to network security defences. The usual way to prevent IP and MAC forgery today is to bind the IP address to the MAC address: if the binding condition is not met, the DHCP server does not assign an IP address. This approach has several drawbacks:
1. The MAC address of the virtual machine can itself be modified by editing the virtual machine's configuration file; if it is set to match a MAC address that has already been bound, an IP address can still be obtained in this way.
2. Once a virtual machine user has learned the relevant details of the network plan, the user can set an IP address manually instead of obtaining one from the DHCP server, and nothing restricts this; it may also cause IP address conflicts on the network, affecting network security.
Summary of the invention
The technical problem solved by the present invention is to provide a method for preventing forgery of a virtual machine's IP and MAC addresses, so that a virtual machine user cannot forge a host identity by modifying the IP and MAC address and thereby harm and challenge network security defences.
The technical solution adopted by the present invention to solve the above technical problem is:
A method for preventing forgery of a virtual machine's IP and MAC addresses, characterised in that it comprises the following steps:
Step 1: install the Ethernet bridge firewall tool ebtables on the physical machine;
Step 2: when creating the virtual machine, use bridged mode for the designated virtual machine's network, and apply a filter that prevents MAC spoofing on the network interface;
Step 3: after the virtual machine is running, obtain the virtual machine's external interface on the host;
Step 4: according to the external interface, create the corresponding anti-IP-forgery sub-chain in the firewall tool;
Step 5: add rules to the sub-chain specifying that no IP packet may pass; with this configuration, any IP or MAC set inside the virtual machine has no effect;
Step 6: after the virtual machine's IP has been configured, add a rule to the sub-chain specifying that only packets with the configured virtual machine IP may pass;
Step 7: if the IP is reset, delete the rule for the former IP from the sub-chain and add a rule so that only packets with the new IP may pass.
The filter in step 2 is no-mac-spoofing.
Each rule added to the sub-chain is generated according to the virtual machine's network interface.
Step 7 takes effect as soon as the operation completes, without any configuration of the virtual machine's network.
When the virtual machine is shut down, the associated sub-chain and its rules belonging to the external interface are all deleted.
When the virtual machine is migrated, the sub-chain and its rules are exported and re-created on the destination node.
With the method of the present invention, the following can be prevented: 1. modification of the virtual machine's MAC address by editing the virtual machine configuration; 2. obtaining an IP address by setting the virtual machine's MAC address to match a MAC address that has already been bound; 3. setting an IP manually after learning the details of the network plan. Network security is thereby guaranteed.
Brief description of the drawings
The present invention is further described below with reference to the accompanying drawings:
Fig. 1 is a flow chart of the present invention;
Fig. 2 is a flow chart of a specific embodiment of the present invention.
Embodiment
As shown in the figures, the specific procedure of the present invention is as follows:
1. When creating the virtual machine, the virtual machine configuration file libvirt.xml must be modified accordingly. Because the network interface of an ordinary virtual machine is fixed, it is only necessary to configure the network interface card in the virtual machine's libvirt.xml configuration file as follows:
<interface type="bridge">
  <filterref filter="no-mac-spoofing"/>
  <source bridge="br0"/>
  <model type="virtio"/>
</interface>
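As an added illustration of step 1, not taken from the patent: a small Python audit that parses a libvirt domain XML, reports every interface element that carries no MAC-spoofing filter, and adds filterref filter="no-mac-spoofing" to interfaces that have no filterref at all. The domain XML is a constructed sample; treating libvirt's built-in clean-traffic filter as equivalent (it references no-mac-spoofing) is my assumption, not something the patent states.

```python
# Added example (not the patent's code): audit a libvirt domain XML for
# interfaces that lack the MAC-spoofing filter required by step 1.
import xml.etree.ElementTree as ET

# Constructed sample: one compliant interface, one with no filter at all, and
# one using libvirt's clean-traffic filter (which references no-mac-spoofing).
SAMPLE_DOMAIN_XML = """\
<domain type="kvm">
  <name>vm-example</name>
  <devices>
    <interface type="bridge">
      <filterref filter="no-mac-spoofing"/>
      <source bridge="br0"/>
      <model type="virtio"/>
    </interface>
    <interface type="bridge">
      <source bridge="br0"/>
      <model type="virtio"/>
    </interface>
    <interface type="network">
      <source network="default"/>
      <filterref filter="clean-traffic"/>
    </interface>
  </devices>
</domain>
"""

# Filters that enforce the MAC check. no-mac-spoofing is what the patent names;
# counting clean-traffic as equivalent is my assumption (it includes no-mac-spoofing).
MAC_FILTERS = {"no-mac-spoofing", "clean-traffic"}


def describe(iface) -> str:
    """Short label for an <interface>: type plus its <source> attributes."""
    src = iface.find("source")
    target = ",".join(f"{k}={v}" for k, v in sorted(src.attrib.items())) if src is not None else "?"
    return f"{iface.get('type')}:{target}"


def find_unfiltered_interfaces(domain_xml: str) -> list:
    """Return (index, description, filter-or-None) for each <interface> whose
    filterref is missing or is not one of MAC_FILTERS."""
    root = ET.fromstring(domain_xml)
    findings = []
    for idx, iface in enumerate(root.iter("interface")):
        ref = iface.find("filterref")
        name = ref.get("filter") if ref is not None else None
        if name not in MAC_FILTERS:
            findings.append((idx, describe(iface), name))
    return findings


def add_mac_filter(domain_xml: str) -> str:
    """Return the XML with <filterref filter="no-mac-spoofing"/> added to every
    interface that has no filterref at all. Interfaces that carry some other,
    unknown filter are left alone: that filter may or may not include the MAC
    check and needs a human decision, so they still show up in the audit."""
    root = ET.fromstring(domain_xml)
    for iface in root.iter("interface"):
        if iface.find("filterref") is None:
            ET.SubElement(iface, "filterref", filter="no-mac-spoofing")
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for idx, desc, name in find_unfiltered_interfaces(SAMPLE_DOMAIN_XML):
        print(f"interface #{idx} ({desc}): filter={name!r} -> no MAC-spoofing filter")
    print(add_mac_filter(SAMPLE_DOMAIN_XML))
```

Run against a live host with `virsh dumpxml <domain>` as input; the audit is the part to keep in a periodic check, since a filterref removed by hand from the domain XML silently disables the MAC protection that the ebtables rules below build on.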
2. After the virtual machine has been created and is running, first check the virtual machine's external interface on the host. Once the external interface (for example vnet9) is known, the ebtables configuration tool can be used on the host to configure it accordingly and so control the virtual machine's IP.
(1) Configure the virtual machine so that no IP packet may pass (that is, the virtual machine cannot set an IP): on the host, configure that no IP packet from the designated virtual machine's network interface may pass:
# ebtables -t nat -N I-vnet9-ipv4-ip   // create the corresponding anti-IP-forgery sub-chain
# ebtables -t nat -A libvirt-I-vnet9 -p IPv4 -j I-vnet9-ipv4-ip   // attach the sub-chain under libvirt-I-vnet9
# ebtables -t nat -A I-vnet9-ipv4-ip -p IPv4 --ip-src 0.0.0.0 --ip-proto udp -j RETURN   // add rule 1
# ebtables -t nat -A I-vnet9-ipv4-ip -j DROP   // add rule 2
Once the above commands have been executed, any IP or MAC set inside the virtual machine has no effect (packets cannot be forwarded out through the host).
(2) Configure the virtual machine so that only packets with the designated IP may pass (that is, the virtual machine can be set to the designated IP).
If the IP is specified when the virtual machine is created, for example IP 192.168.6.200, the following configuration allows packets with this IP to pass:
# ebtables -t nat -N I-vnet9-ipv4-ip   // create the corresponding anti-IP-forgery sub-chain
# ebtables -t nat -A libvirt-I-vnet9 -p IPv4 -j I-vnet9-ipv4-ip   // attach the sub-chain under libvirt-I-vnet9
# ebtables -t nat -A I-vnet9-ipv4-ip -p IPv4 --ip-src 0.0.0.0 --ip-proto udp -j RETURN   // add rule 1
# ebtables -t nat -A I-vnet9-ipv4-ip -p IPv4 --ip-src 192.168.6.200 -j RETURN   // add rule 2: allow packets with IP 192.168.6.200 to pass
# ebtables -t nat -A I-vnet9-ipv4-ip -j DROP   // add rule 3
3. Setting the IP
First obtain the virtual machine's network interface (for example vnet9).
(1) If the virtual machine had no IP set before and the IP 192.168.6.200 must now be set, execute the following command:
# ebtables -t nat -I I-vnet9-ipv4-ip 2 -p IPv4 --ip-src 192.168.6.200 -j RETURN
// This setting is the operation performed after the virtual machine has been given the configuration corresponding to "no IP packet may pass (the virtual machine cannot set an IP)": a second rule is inserted into the I-vnet9-ipv4-ip sub-chain, and the previous rule 2 becomes rule 3.
(2) If the virtual machine already has IP 192.168.6.200 and it must now be reset to 192.168.6.244, execute the following:
# ebtables -t nat -D I-vnet9-ipv4-ip 2   // delete rule 2 of the I-vnet9-ipv4-ip sub-chain
# ebtables -t nat -I I-vnet9-ipv4-ip 2 -p IPv4 --ip-src 192.168.6.244 -j RETURN   // add the new rule 2
// This setting is the operation performed after the virtual machine has been given the configuration corresponding to "only packets with the designated IP may pass (the virtual machine can be set to the designated IP)": first delete rule 2 of I-vnet9-ipv4-ip, then add the new rule 2.
4. Shutting down the virtual machine
After the virtual machine is shut down, libvirt deletes that virtual machine's ebtables filter rules accordingly, so no change is needed here. When the virtual machine is started again afterwards, the corresponding ebtables filter rules must be set up for it once more.
5. Migrating the virtual machine
When migrating a virtual machine, the corresponding ebtables rules must also be set up on the target host node; the procedure for setting these rules is the same as when the virtual machine is created.
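The sub-chain management from steps 2 to 5 above, written out as an added Python example that is not the patent's own code: it generates the ebtables command lines (as argv lists, so nothing passes through a shell) for initialising the chain, setting the IP, resetting it, and exporting the full rule set so it can be re-applied after a reboot or on a migration target. The chain and interface names (libvirt-I-vnet9, I-vnet9-ipv4-ip) and the rule order follow the patent's text; the in-memory registry, the interface-name check and the dry-run flag are my additions.

```python
# Added example (not the patent's code): build the per-interface ebtables rule
# set described in the patent and keep enough state to re-apply it later.
import ipaddress
import re
import subprocess

EBTABLES = "ebtables"                               # assumed to be on PATH on the host
_IFACE_RE = re.compile(r"^[A-Za-z0-9_.-]{1,15}$")   # Linux interface-name limit (assumption)


def chain_name(iface: str) -> str:
    """Sub-chain name used by the patent: I-<iface>-ipv4-ip."""
    if not _IFACE_RE.match(iface):
        raise ValueError(f"bad interface name: {iface!r}")
    return f"I-{iface}-ipv4-ip"


def init_rules(iface: str) -> list:
    """Steps 4 and 5: create the sub-chain, hook it under libvirt's own
    libvirt-I-<iface> chain, let DHCP discovery through (source 0.0.0.0, UDP)
    and drop every other IPv4 packet."""
    chain = chain_name(iface)
    return [
        [EBTABLES, "-t", "nat", "-N", chain],
        [EBTABLES, "-t", "nat", "-A", f"libvirt-I-{iface}", "-p", "IPv4", "-j", chain],
        [EBTABLES, "-t", "nat", "-A", chain, "-p", "IPv4",
         "--ip-src", "0.0.0.0", "--ip-proto", "udp", "-j", "RETURN"],
        [EBTABLES, "-t", "nat", "-A", chain, "-j", "DROP"],
    ]


def set_ip_rules(iface: str, ip: str) -> list:
    """Step 6: insert the allow rule at position 2, i.e. after the DHCP rule
    and before the final DROP."""
    addr = ipaddress.IPv4Address(ip)                # raises ValueError on garbage
    if addr.is_unspecified:
        raise ValueError("0.0.0.0 is reserved for the DHCP rule")
    return [[EBTABLES, "-t", "nat", "-I", chain_name(iface), "2",
             "-p", "IPv4", "--ip-src", str(addr), "-j", "RETURN"]]


def reset_ip_rules(iface: str, new_ip: str) -> list:
    """Step 7: delete rule 2 (the old IP) and insert the new IP in its place."""
    return [[EBTABLES, "-t", "nat", "-D", chain_name(iface), "2"]] + set_ip_rules(iface, new_ip)


class VmIpLock:
    """Tracks the IP locked to each interface so the rules can be rebuilt
    after a reboot (libvirt drops them at shutdown) or on a migration target."""

    def __init__(self, dry_run: bool = True):
        self.dry_run = dry_run
        self.locked = {}                            # iface -> ip, None while no IP is allowed

    def _apply(self, cmds: list) -> list:
        if not self.dry_run:
            for cmd in cmds:
                subprocess.run(cmd, check=True)     # argv list: no shell involved
        return cmds

    def init(self, iface: str) -> list:
        self.locked[iface] = None
        return self._apply(init_rules(iface))

    def set_ip(self, iface: str, ip: str) -> list:
        if iface not in self.locked:
            raise KeyError(f"{iface} has no sub-chain yet; call init() first")
        cmds = set_ip_rules(iface, ip) if self.locked[iface] is None else reset_ip_rules(iface, ip)
        self.locked[iface] = ip
        return self._apply(cmds)

    def export(self, iface: str) -> list:
        """Full command list to recreate the chain elsewhere (migration, reboot)."""
        cmds = init_rules(iface)
        if self.locked.get(iface):
            cmds += set_ip_rules(iface, self.locked[iface])
        return cmds


if __name__ == "__main__":
    lock = VmIpLock(dry_run=True)
    steps = lock.init("vnet9") + lock.set_ip("vnet9", "192.168.6.200") + lock.set_ip("vnet9", "192.168.6.244")
    for cmd in steps:
        print(" ".join(cmd))
```

The rule numbers are positional, which is why the registry matters: if anything else inserts into the sub-chain, "-D chain 2" removes the wrong rule. Exporting and re-applying the whole chain, as the patent does for migration, is the safer way to reconcile state after any doubt.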

Claims (10)

1. A method for preventing forgery of a virtual machine's IP and MAC addresses, characterised in that it comprises the following steps:
Step 1: install the Ethernet bridge firewall tool ebtables on the physical machine;
Step 2: when creating the virtual machine, use bridged mode for the designated virtual machine's network, and apply a filter that prevents MAC spoofing on the network interface;
Step 3: after the virtual machine is running, obtain the virtual machine's external interface on the host;
Step 4: according to the external interface, create the corresponding anti-IP-forgery sub-chain in the firewall tool;
Step 5: add rules to the sub-chain specifying that no IP packet may pass; with this configuration, any IP or MAC set inside the virtual machine has no effect;
Step 6: after the virtual machine's IP has been configured, add a rule to the sub-chain specifying that only packets with the configured virtual machine IP may pass;
Step 7: if the IP is reset, delete the rule for the former IP from the sub-chain and add a rule so that only packets with the new IP may pass.
2. The method for preventing forgery of a virtual machine's IP and MAC addresses according to claim 1, characterised in that the filter in step 2 is no-mac-spoofing.
3. The method for preventing forgery of a virtual machine's IP and MAC addresses according to claim 1, characterised in that each rule added to the sub-chain is generated according to the virtual machine's network interface.
4. The method for preventing forgery of a virtual machine's IP and MAC addresses according to claim 2, characterised in that each rule added to the sub-chain is generated according to the virtual machine's network interface.
5. The method for preventing forgery of a virtual machine's IP and MAC addresses according to any one of claims 1 to 4, characterised in that step 7 takes effect as soon as the operation completes, without any configuration of the virtual machine's network.
6. The method for preventing forgery of a virtual machine's IP and MAC addresses according to any one of claims 1 to 4, characterised in that when the virtual machine is shut down, the associated sub-chain and its rules belonging to the external interface are all deleted.
7. The method for preventing forgery of a virtual machine's IP and MAC addresses according to claim 5, characterised in that when the virtual machine is shut down, the associated sub-chain and its rules belonging to the external interface are all deleted.
8. The method for preventing forgery of a virtual machine's IP and MAC addresses according to any one of claims 1 to 4, characterised in that when the virtual machine is migrated, the sub-chain and its rules are exported and re-created on the destination node.
9. The method for preventing forgery of a virtual machine's IP and MAC addresses according to claim 5, characterised in that when the virtual machine is migrated, the sub-chain and its rules are exported and re-created on the destination node.
10. The method for preventing forgery of a virtual machine's IP and MAC addresses according to claim 6, characterised in that when the virtual machine is migrated, the sub-chain and its rules are exported and re-created on the destination node.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201310535410.1A CN103595826B (en) 2013-11-01 2013-11-01 A kind of method preventing virtual machine IP and MAC from forging


Publications (2)

Publication Number Publication Date
CN103595826A true CN103595826A (en) 2014-02-19
CN103595826B CN103595826B (en) 2016-11-02

Family

ID=50085804

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201310535410.1A Active CN103595826B (en) 2013-11-01 2013-11-01 A kind of method preventing virtual machine IP and MAC from forging

Country Status (1)

Country Link
CN (1) CN103595826B (en)


Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102571698A (en) * 2010-12-17 2012-07-11 中国移动通信集团公司 Access authority control method, system and device for virtual machine
CN102739645A (en) * 2012-04-23 2012-10-17 杭州华三通信技术有限公司 Method and device for migrating virtual machine safety policy
CN102859934A (en) * 2009-03-31 2013-01-02 考持·维 System and method for access management and security protection for network accessible computer services


Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
张建中: "基于Linux包过滤防火墙的研究与实现", 《中国优秀硕士学位论文全文数据库》, no. 1, 15 March 2004 (2004-03-15) *

Cited By (15)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104023011B (en) * 2014-05-30 2017-04-26 国云科技股份有限公司 Network firewall realization method suitable for virtual machine
CN104023011A (en) * 2014-05-30 2014-09-03 国云科技股份有限公司 Network firewall realization method suitable for virtual machine
CN104219241A (en) * 2014-09-04 2014-12-17 国云科技股份有限公司 ARP (address resolution protocol) attack two-way protection method applicable to virtual machine
CN104717212A (en) * 2014-10-21 2015-06-17 中华电信股份有限公司 Protection method and system for cloud virtual network security
CN104717212B (en) * 2014-10-21 2018-05-11 中华电信股份有限公司 Protection method and system for cloud virtual network security
CN104503927A (en) * 2014-12-11 2015-04-08 国云科技股份有限公司 Method for calculating virtual machine network IO (input/output) speed
CN106559428A (en) * 2016-11-25 2017-04-05 国云科技股份有限公司 The method that a kind of anti-virtual machine IP and MAC is forged
CN108268300B (en) * 2016-12-30 2022-01-25 中移(苏州)软件技术有限公司 Virtual machine migration method and device
CN108268300A (en) * 2016-12-30 2018-07-10 中移(苏州)软件技术有限公司 The moving method and device of a kind of virtual machine
CN107634953A (en) * 2017-09-22 2018-01-26 国云科技股份有限公司 A kind of method for preventing capacitor network ARP from cheating
CN110784341A (en) * 2019-10-14 2020-02-11 国云科技股份有限公司 Method for tracking virtual machine by service link
CN111565176A (en) * 2020-04-24 2020-08-21 上海沪景信息科技有限公司 Intelligent disguising host method, system, device and readable storage medium
CN111565176B (en) * 2020-04-24 2022-04-08 上海沪景信息科技有限公司 Intelligent disguising host method, system, device and readable storage medium
CN113055228A (en) * 2021-03-05 2021-06-29 深圳市网心科技有限公司 Non-sensing network bridging method and device based on wireless network card
CN114785564A (en) * 2022-04-01 2022-07-22 江苏天翼安全技术有限公司 Universal method for preventing board jump machine based on Ethernet bridge rule

Also Published As

Publication number Publication date
CN103595826B (en) 2016-11-02


Legal Events

Code Title
C06 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CP02 Change in the address of a patent holder

Address after: 523808 19th Floor, Cloud Computing Center, Chinese Academy of Sciences, No. 1 Kehui Road, Songshan Lake Hi-tech Industrial Development Zone, Dongguan City, Guangdong Province

Patentee after: G-Cloud Technology Co., Ltd.

Address before: 523808 No. 14 Building, Songke Garden, Songshan Lake Science and Technology Industrial Park, Dongguan City, Guangdong Province

Patentee before: G-Cloud Technology Co., Ltd.