CN104023011B - Network firewall realization method suitable for virtual machine - Google Patents
Publication number: CN104023011B (application CN201410238596.9A)
Authority: CN (China)
Prior art keywords: virtual machine, firewall, network, rule, host
Legal status: Active (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Abstract
The invention relates to the field of cloud computing, and in particular to a method for implementing a network firewall suitable for virtual machines. In the method, the host must have firewall software installed and IP forwarding enabled. A newly created virtual machine is connected to the network in bridged mode; a sub-chain for the virtual machine is then created on the host, the network firewall rules for that virtual machine are selected and added to its sub-chain, and finally the virtual machine's sub-chain is linked into the firewall's FORWARD chain. If a user modifies the network firewall rules, the corresponding rules are updated in the virtual machine's sub-chain. With this invention, firewall rules need only be enforced on the host, no firewall software has to be installed inside the virtual machine's operating system, and the virtual machine network firewall is realized in a resource-saving, flexible and convenient way.
Description
Technical field
The present invention relates to the field of cloud computing, and in particular to a method for implementing a network firewall suitable for virtual machines.
Background technology
In the era of cloud computing, elastic computing resources are provided to users in the form of virtual machines. Typically one physical host can create many virtual machines, and the number of virtual machines an administrator must manage grows many times over, so virtual machine network security also faces severe challenges. The traditional solution to the network security problem is to install network firewall software on every virtual machine and then configure the corresponding firewall rules on each one. This solution has the following drawbacks:
1. Managing and configuring the network firewall is troublesome: every time a firewall rule is set, updated or modified, the user must log in remotely to each virtual machine and set it one by one. This requires a great deal of manual work, and without a unified interface for displaying and modifying rules, confusion easily arises.
2. Every virtual machine has to run the network firewall software, which additionally consumes a large amount of computing resources.
The content of the invention
The technical problem solved by the present invention is to provide a method for implementing a network firewall suitable for virtual machines, which overcomes the management confusion and waste of resources of the traditional approach and provides a virtual machine network firewall solution that saves physical resources and is flexible.
The present invention solves the above problem and is characterised in that it comprises the following steps:
Step 1: Install firewall software on the host and enable IP forwarding;
Step 2: Virtual machines created by the host connect to the network in bridged mode;
Step 3: Whenever a virtual machine is created on the host, a new sub-chain is created whose name matches the virtual machine's name;
Step 4: The rules of the sub-chain are initialised on the host and the sub-chain is linked into the FORWARD chain;
Step 5: The user modifies the rules of the virtual machine's sub-chain through a web page.
The host can create and delete virtual machine firewalls and add and modify virtual machine firewall rules.
The firewall software runs on the host and can implement uplink/downlink access policies, ARP defence and DoS defence.
In step 2 the virtual machine's network interface is attached to a Linux bridge; the bridge is equivalent to a virtual switch implemented on the Linux host.
The FORWARD chain is what allows network packets to be forwarded on to the virtual machine's network interface; these packets are processed according to the method defined by the rules of the virtual machine's sub-chain: accepted (accept), refused (reject) or discarded (drop).
The sub-chain is initialised in order to guarantee the virtual machine's network security, with the default rules being: downlink access to the virtual machine is denied; uplink access has no restriction; ARP gateway spoofing is resisted.
The user can modify the virtual machine's firewall rules through a web page.
Firewall rules only need to be enforced on the host; no firewall software needs to be installed on the virtual machine.
The present invention thus achieves that firewall rules need only be enforced on the host and no firewall software has to be installed inside the virtual machine's operating system, providing a resource-saving, flexible method for implementing a virtual machine network firewall.
Description of the drawings
The present invention is further described below with reference to the accompanying drawings:
Fig. 1 is the flow chart of the present invention;
Fig. 2 is the model architecture diagram of the present invention.
Specific embodiment
As shown in Figures 1 and 2, the present invention comprises the following steps:
Step 1: Install firewall software on the host and enable IP forwarding.
Step 2: Virtual machines created by the host connect to the network in bridged mode; that is, the virtual machine's network interface is attached to a Linux bridge. The bridge is equivalent to a virtual switch implemented on the Linux host.
Step 3: Whenever a virtual machine is created on the host, a new sub-chain is created whose name matches the virtual machine's name.
Step 4: The rules of the sub-chain are initialised on the host and the sub-chain is linked into the FORWARD chain. The FORWARD chain allows network packets to be forwarded on to the virtual machine's network interface; the packets are accepted (accept), refused (reject) or discarded (drop) according to the method defined by the rules of the virtual machine's sub-chain. The sub-chain is initialised in order to guarantee the virtual machine's network security, with the default rules being: downlink access to the virtual machine is denied; uplink access has no restriction; ARP gateway spoofing is resisted.
Step 5: The user modifies the rules of the virtual machine's sub-chain through a web page; that is, the virtual machine's firewall rules can be modified through a web page.
In the above, the host can create and delete virtual machine firewalls and add and modify virtual machine firewall rules. The firewall software runs on the host and can implement uplink/downlink access policies, ARP defence and DoS defence.
Firewall rules only need to be enforced on the host; no firewall software needs to be installed on the virtual machine.
Various kinds of firewall software can be used with the present invention. Below, taking iptables as an example, one implementation of the virtual machine network firewall is described; the flow chart is shown in Fig. 1 and the specific implementation process is as follows.
1. Execute the following command on the host (as root) to enable forwarding of IP packets:

```shell
sysctl -w net.ipv4.ip_forward=1
```

2. When creating the virtual machine, the virtual machine's network interface uses bridged mode; the configuration file (libvirt domain XML) is as follows:

```xml
<interface type="bridge">
  <filterref filter="no-mac-spoofing"/>
  <source bridge="br0"/>
  <model type="virtio"/>
</interface>
```

3. If the virtual machine id is i-abcd, create the i-abcd sub-chain, then initialise it and link it into the FORWARD chain, by executing the following commands:

```shell
iptables -t filter -N i-abcd
iptables -A FORWARD -j i-abcd
iptables -A i-abcd -m state --state INVALID -j DROP
iptables -A i-abcd -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A i-abcd -j DROP
```

4. Add rules to the i-abcd sub-chain. If Windows remote desktop connections (TCP port 3389) are to be allowed and the virtual machine is to be reachable by ping, the following commands need to be executed (the rules are inserted before the final DROP rule):

```shell
iptables -I i-abcd 3 -p tcp --dport 3389 -j ACCEPT
iptables -I i-abcd 4 -p icmp -m icmp -j ACCEPT
```

5. Delete a rule from the i-abcd sub-chain. For example, to delete the rule that allows the virtual machine to be pinged, or to no longer allow Windows remote desktop connections, execute the following commands:

```shell
iptables -D i-abcd -p icmp -m icmp -j ACCEPT
# delete by rule specification: a rule number cannot be combined with match
# options, and rule numbers shift once an earlier rule has been removed
iptables -D i-abcd -p tcp --dport 3389 -j ACCEPT
```

6. When virtual machine i-abcd is deleted, the firewall rules of virtual machine i-abcd are deleted as well, by executing the following commands:

```shell
iptables -D FORWARD -j i-abcd
iptables -F i-abcd
iptables -X i-abcd
```
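As an added example, not part of the patent, the following Python helper generates the iptables command sequences of steps 3 to 6 above for a given virtual machine id, validating the user-supplied id, protocol and port before they are turned into commands (the rules are later modified from a web page, so nothing from that page should reach a shell unchecked) and deleting rules by specification rather than by position. Names such as create_rules and _CHAIN_RE are my own, and the sample id i-abcd is the one used above; note also that frames switched by a Linux bridge only traverse the iptables FORWARD chain when the br_netfilter module is loaded and net.bridge.bridge-nf-call-iptables is 1, which the patent does not mention.

```python
import re

# Chain names follow the patent's convention of naming the chain after the VM id.
# iptables limits chain names to 28 characters; the pattern also rejects whitespace
# and shell metacharacters, so ids taken from the web page cannot alter commands.
_CHAIN_RE = re.compile(r"^[A-Za-z0-9_.-]{1,28}$")

def chain_name(vm_id):
    if not _CHAIN_RE.match(vm_id):
        raise ValueError("invalid VM id for a chain name: %r" % vm_id)
    return vm_id

def create_rules(vm_id):
    """Steps 3 and 4: new per-VM chain, default policy, hooked into FORWARD."""
    c = chain_name(vm_id)
    return [
        ["iptables", "-t", "filter", "-N", c],
        ["iptables", "-A", "FORWARD", "-j", c],
        ["iptables", "-A", c, "-m", "state", "--state", "INVALID", "-j", "DROP"],
        ["iptables", "-A", c, "-m", "state", "--state", "RELATED,ESTABLISHED", "-j", "ACCEPT"],
        ["iptables", "-A", c, "-j", "DROP"],  # downlink denied unless allowed below
    ]

def _allow_spec(vm_id, proto, port=None):
    """Rule specification for one user-granted service (tcp/udp port or icmp)."""
    c = chain_name(vm_id)
    if proto == "icmp" and port is None:
        spec = ["-p", "icmp", "-m", "icmp"]
    elif proto in ("tcp", "udp") and isinstance(port, int) and 1 <= port <= 65535:
        spec = ["-p", proto, "--dport", str(port)]
    else:
        raise ValueError("unsupported protocol/port: %r/%r" % (proto, port))
    return c, spec + ["-j", "ACCEPT"]

def add_allow(vm_id, proto, port=None):
    # Insert at position 3: after the INVALID/ESTABLISHED rules, before the final DROP.
    c, spec = _allow_spec(vm_id, proto, port)
    return [["iptables", "-I", c, "3"] + spec]

def delete_allow(vm_id, proto, port=None):
    # Delete by rule specification, not by number: numbers shift as rules are removed.
    c, spec = _allow_spec(vm_id, proto, port)
    return [["iptables", "-D", c] + spec]

def destroy_rules(vm_id):
    """Step 6: unlink, flush and delete the chain when the VM is deleted."""
    c = chain_name(vm_id)
    return [["iptables", "-D", "FORWARD", "-j", c],
            ["iptables", "-F", c], ["iptables", "-X", c]]
```

Each returned argv list can be passed to subprocess.run(argv, check=True) as root; no shell is involved, so the validated id and port are the only variable parts of the command.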
Claims (5)
1. A method for implementing a network firewall suitable for virtual machines, characterised in that it comprises the following steps:
Step 1: Install firewall software on the host and enable IP forwarding;
Step 2: Virtual machines created by the host connect to the network in bridged mode;
Step 3: Whenever a virtual machine is created on the host, a new sub-chain is created whose name matches the virtual machine's name;
Step 4: The rules of the sub-chain are initialised on the host and the sub-chain is linked into the FORWARD chain;
Step 5: The user modifies the rules of the virtual machine's sub-chain through a web page;
the FORWARD chain allows network packets to be forwarded on to the virtual machine's network interface, and these packets are accepted (accept), refused (reject) or discarded (drop) according to the method defined by the rules of the virtual machine's sub-chain;
the sub-chain is initialised in order to guarantee the virtual machine's network security, with the default rules being: downlink access to the virtual machine is denied; uplink access has no restriction; ARP gateway spoofing is resisted;
the user can modify the virtual machine's firewall rules through a web page.
2. The method for implementing a network firewall according to claim 1, characterised in that: the host can create and delete virtual machine firewalls and add and modify virtual machine firewall rules; the firewall software runs on the host and can implement uplink/downlink access policies, ARP defence and DoS defence.
3. The method for implementing a network firewall according to claim 1, characterised in that: in step 2 the virtual machine's network interface is attached to a Linux bridge; the bridge is equivalent to a virtual switch implemented on the Linux host.
4. The method for implementing a network firewall according to claim 2, characterised in that: in step 2 the virtual machine's network interface is attached to a Linux bridge; the bridge is equivalent to a virtual switch implemented on the Linux host.
5. A method for a network firewall suitable for virtual machines according to any one of claims 1 to 4, characterised in that: firewall rules only need to be enforced on the host, without installing firewall software on the virtual machine.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201410238596.9A CN104023011B (en) | 2014-05-30 | 2014-05-30 | Network firewall realization method suitable for virtual machine |
Publications (2)
Publication Number | Publication Date |
---|---|
CN104023011A CN104023011A (en) | 2014-09-03 |
CN104023011B true CN104023011B (en) | 2017-04-26 |
Family ID: 51439581
Families Citing this family (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN104363230B (en) * | 2014-11-14 | 2018-01-12 | 山东乾云启创信息科技股份有限公司 | A kind of method that flood attack is protected in desktop virtualization |
CN104601542A (en) * | 2014-12-05 | 2015-05-06 | 国云科技股份有限公司 | DDOS (distributed denial of service) active protection method applicable to virtual machine |
CN105141608B (en) * | 2015-08-25 | 2018-09-11 | 浪潮(北京)电子信息产业有限公司 | The safety i.e. system and method for service are provided in a kind of cloud operating system |
CN108471397B (en) * | 2018-01-31 | 2020-12-15 | 华为技术有限公司 | Firewall configuration, message sending method and device |
TWI668973B (en) * | 2018-03-23 | 2019-08-11 | 中華電信股份有限公司 | Schedulable security protection system based on software-defined network and method thereof |
CN113132385B (en) * | 2021-04-20 | 2022-06-21 | 广州锦行网络科技有限公司 | Method and device for preventing gateway ARP spoofing |
Citations (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN103595826A (en) * | 2013-11-01 | 2014-02-19 | 国云科技股份有限公司 | Method for preventing IP and MAC of virtual machine from being faked |
Legal Events
Code | Title | Description |
---|---|---|
C06 | Publication | |
PB01 | Publication | |
C10 | Entry into substantive examination | |
SE01 | Entry into force of request for substantive examination | |
GR01 | Patent grant | |
CP02 | Change in the address of a patent holder | Address after: 523808 19th Floor, Cloud Computing Center, Chinese Academy of Sciences, No. 1 Kehui Road, Songshan Lake Hi-tech Industrial Development Zone, Dongguan City, Guangdong Province; Patentee after: G-Cloud Technology Co., Ltd. Address before: 523808 No. 14 Building, Songke Garden, Songshan Lake Science and Technology Industrial Park, Dongguan City, Guangdong Province; Patentee before: G-Cloud Technology Co., Ltd. |