Hi all,

What options exist under CentOS hosts to work with isolated networks? For example, on BSD systems it is really trivial. In FreeBSD you can use the setfib tools and on OpenBSD it is possible to use rdomain options. In 30 seconds it is possible to work with isolated networks and assign processes, IP addresses and routes (hidden from the main route table and IP addresses), etc.

But I can't find a similar solution for CentOS environments. I have found two similar options:

a/ Network namespaces (but they don't provide real network isolation)
b/ VRF (but it is supported only for kernels 4.8 and up)

Any ideas?

Thanks.

-- 
Greetings,
C. L. Martinez
For KVM guests I use VLANs.

Best regards,
Kristián Feldsam
Tel.: +420 773 303 353
E-mail: admin at feldhost.cz
www.feldhost.cz - FeldHost provides quality hosting and server services at a favourable price.

FELDSAM s.r.o., V rohu 434/3, Praha 4 - Libuš, postcode 142 00
Company ID: 290 60 958, VAT ID: CZ290 60 958, file C 200350 kept at the Municipal Court in Prague
Bank: Fio banka a.s., account no.: 2400330446/2010, BIC: FIOBCZPPXX, IBAN: CZ82 2010 0000 0024 0033 0446

> On 30 Mar 2017, at 16:06, C. L. Martinez <carlopmart at gmail.com> wrote:
>
> What options exist under CentOS hosts to work with isolated networks?
> [...]
Use libvirt with MAC/IP spoofing enabled.

https://libvirt.org/formatnwfilter.html
https://libvirt.org/firewall.html

-- 
Sent from the Delta quadrant using Borg technology!

Nux!
www.nux.ro

----- Original Message -----
> From: "C. L. Martinez" <carlopmart at gmail.com>
> To: centos-virt at centos.org
> Sent: Thursday, 30 March, 2017 15:06:58
> Subject: [CentOS-virt] Network isolation for KVM guests
>
> What options exist under CentOS hosts to work with isolated networks?
> [...]
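As an added example (not Nux's code and not libvirt's own), this is how the nwfilter approach from the links above is wired to a guest NIC on a CentOS KVM host: libvirt's built-in clean-traffic filter (which pulls in no-mac-spoofing, no-ip-spoofing and no-arp-spoofing) is bound to the interface and the IP the guest may source is pinned with the IP parameter. The guest name "fw", bridge br-int, MAC 52:54:00:aa:bb:cc and address 10.0.0.1 are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not Nux's or libvirt's own code. Binds libvirt's built-in
# clean-traffic filter to a guest NIC and pins the address the guest may use,
# so a compromised guest cannot claim another guest's or the host's IP/MAC.
# Assumed names: guest "fw", bridge br-int, MAC 52:54:00:aa:bb:cc, IP 10.0.0.1.
# nwfilter rules are installed on the tap behind a Linux bridge (interface
# type='bridge' or 'network'); they do not apply to macvtap or passthrough NICs.

interface_xml() {
    # $1 = bridge, $2 = guest MAC, $3 = the one IPv4 address the guest may source
    cat <<EOF
<interface type='bridge'>
  <source bridge='$1'/>
  <mac address='$2'/>
  <model type='virtio'/>
  <filterref filter='clean-traffic'>
    <parameter name='IP' value='$3'/>
  </filterref>
</interface>
EOF
}

# Hot-plug the filtered NIC and make it part of the persistent domain definition.
attach_filtered_nic() {
    # $1 = domain, $2 = bridge, $3 = MAC, $4 = IP
    tmp=$(mktemp) || return 1
    interface_xml "$2" "$3" "$4" > "$tmp"
    virsh attach-device "$1" "$tmp" --persistent
    rc=$?
    rm -f "$tmp"
    return $rc
}

# Show what the host actually installed for a running guest: libvirt keeps the
# per-tap ebtables chains in the nat table, named after the tap device.
show_filter_rules() {
    # $1 = tap device name, as listed by `virsh domiflist <domain>`
    ebtables -t nat -L 2>/dev/null | grep -A20 "$1"
}

# Usage: ./filtered-nic.sh fw br-int 52:54:00:aa:bb:cc 10.0.0.1
if [ $# -eq 4 ]; then
    attach_filtered_nic "$@"
fi
```

Without the IP parameter, clean-traffic falls back to learning the guest's address from its traffic, which leaves a window in which a spoofed address can be learned; pinning it is the safer choice for a firewall VM whose addresses are static anyway.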
On Thu, Mar 30, 2017 at 06:15:28PM +0100, Nux! wrote:
> Use libvirt with MAC/IP spoofing enabled.
>
> https://libvirt.org/formatnwfilter.html
> https://libvirt.org/firewall.html

Thanks Nux and Kristian, but I don't see whether these solutions will be really effective in my environment. Let me explain.

In this host I have three physical interfaces: eth0, eth1 and wlan0. eth0 is connected to my internal network, eth1 is connected to a public router and wlan0 is connected to another public router. wlan0 and eth1 are bonded to provide failover Internet connections. The CPU doesn't support PCI passthrough (PCI passthrough would solve my problems).

I need to deploy a firewall VM to control traffic between the internal and external interfaces. In BSD systems you can segregate all IP addresses and route tables from the principal routing table. That is the same effect I would like to implement in this host, and I don't see how to implement it using CentOS (or another Linux distro).

-- 
Greetings,
C. L. Martinez
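The two Linux options named in the original question (network namespaces and VRF) are the closest things to setfib/rdomain for the host described above, so here is an added example (not the poster's code) that applies each of them to the bonded uplink: the namespace variant moves the uplink, its address and its default route into a separate stack that the main routing table never sees; the VRF variant keeps the device visible but confines its routes to a dedicated table, and needs a kernel with VRF support (CentOS 7's 3.10 kernel has none). The uplink name bond0, namespace "ext", VRF device vrf-ext with table 100, and the documentation prefix 203.0.113.0/24 with gateway 203.0.113.1 are assumptions; DRY_RUN=1 prints the ip(8) commands instead of executing them as root.

```shell
#!/bin/sh
# Added example, not from the thread. Carves the bonded uplink out of the host's
# main routing table the way setfib/rdomain would: first with a network
# namespace, then with a VRF device on a kernel that supports VRF (CentOS 7's
# 3.10 kernel does not). Assumed names: uplink bond0 (eth1+wlan0 in the poster's
# host), namespace "ext", VRF device vrf-ext using route table 100, and the
# documentation prefix 203.0.113.0/24 with gateway 203.0.113.1 as the public side.
# Set DRY_RUN=1 to print the ip(8) commands instead of running them as root.

UPLINK=${UPLINK:-bond0}
NS=${NS:-ext}
EXT_ADDR=${EXT_ADDR:-203.0.113.10/24}
EXT_GW=${EXT_GW:-203.0.113.1}
VRF_TABLE=${VRF_TABLE:-100}

# Every privileged command goes through run() so the plan can be reviewed first.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Namespace variant: the uplink, its address and its default route exist only
# inside $NS. `ip route show` and `ip addr show` in the main namespace no longer
# list them, and only processes started via netns_exec can use them.
netns_isolate() {
    run ip netns add "$NS"
    run ip link set "$UPLINK" netns "$NS"
    run ip netns exec "$NS" ip link set lo up
    run ip netns exec "$NS" ip link set "$UPLINK" up
    run ip netns exec "$NS" ip addr add "$EXT_ADDR" dev "$UPLINK"
    run ip netns exec "$NS" ip route add default via "$EXT_GW"
}

# Run a command with the isolated stack, e.g. netns_exec ping -c1 203.0.113.1
netns_exec() {
    run ip netns exec "$NS" "$@"
}

# VRF variant: the uplink stays visible in the main namespace, but its connected
# and default routes live in table $VRF_TABLE and are consulted only for sockets
# bound to the VRF device (`ip vrf exec vrf-ext <cmd>` starts a process that way).
vrf_isolate() {
    run ip link add "vrf-$NS" type vrf table "$VRF_TABLE"
    run ip link set "vrf-$NS" up
    run ip link set "$UPLINK" master "vrf-$NS"
    run ip link set "$UPLINK" up
    run ip addr add "$EXT_ADDR" dev "$UPLINK"
    run ip route add default via "$EXT_GW" table "$VRF_TABLE"
}

# Check after applying either variant: the main table must not carry a route
# through the public gateway. Returns 0 when nothing leaked into it.
main_table_is_clean() {
    ! ip route show | grep -q "via $EXT_GW"
}

if [ $# -gt 0 ]; then
    case "$1" in
        netns) netns_isolate && main_table_is_clean ;;
        vrf)   vrf_isolate   && main_table_is_clean ;;
        *)     echo "usage: $0 netns|vrf" >&2; exit 2 ;;
    esac
fi
```

For the firewall-VM layout in the message above, the namespace variant is the one that hides the public side from the host entirely; the guest's tap for the external bridge then has to live in the same namespace as bond0, which is the part libvirt does not do for you and is the practical difference from setfib.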