thr3ads.net - libvirt users - Re: [libvirt-users] Isolate VMs' network [Jun 2017]

If this information is useful, please help other people find it:
Share via:

Timo Juhani Lindfors

2017-Jun-05 13:48 UTC

Re: [libvirt-users] Isolate VMs' network

Hi,

Thiago Oliveira <cpv.thiago@gmail.com> writes:> I would like to know the same! Currently I am using iptables to do it.
I use ebtables.

-Timo

Thiago Oliveira

2017-Jun-05 14:07 UTC

head link

Re: [libvirt-users] Isolate VMs' network

Hi Timo,

Could you please show me a rule example that you are using?

Thank you.

Thiago

2017-06-05 10:48 GMT-03:00 Timo Juhani Lindfors <timo.lindfors@iki.fi>:
> Hi,
>
> Thiago Oliveira <cpv.thiago@gmail.com> writes:
> > I would like to know the same! Currently I am using iptables to do it.
>
> I use ebtables.
>
> -Timo
>
> _______________________________________________
> libvirt-users mailing list
> libvirt-users@redhat.com
> https://www.redhat.com/mailman/listinfo/libvirt-users
>

Timo Juhani Lindfors

2017-Jun-05 14:33 UTC

head link

Re: [libvirt-users] Isolate VMs' network

Thiago Oliveira <cpv.thiago@gmail.com> writes:> Could you please show me a rule example that you are using?
Here are some rules I'm using on a development VM. I think most of the
ideas come from the ebtables rules used by libvirt itself. These just
prevent IP spoofing. After this you can use IP addresses for access
control much better.

ebtables -t nat -A PREROUTING -i dev-home -j i-dev
ebtables -t nat -A POSTROUTING -o dev-home -j o-dev

ebtables -t nat -A i-dev -p IPv4 -j i-dev-ipv4
ebtables -t nat -A i-dev -p ARP -j i-dev-arp
ebtables -t nat -A i-dev -j DROP

ebtables -t nat -A o-dev -p IPv4 -j o-dev-ipv4
ebtables -t nat -A o-dev -p ARP -j o-dev-arp
ebtables -t nat -A o-dev -j DROP

ebtables -t nat -A i-dev-ipv4 -s ! [CENSORED] -j DROP
ebtables -t nat -A i-dev-ipv4 -p IPv4 --ip-src ! [CENSORED] -j DROP
ebtables -t nat -A i-dev-ipv4 -p IPv4 --ip-dst ! [CENSORED] -j DROP

ebtables -t nat -A o-dev-ipv4 -p IPv4 --ip-src ! [CENSORED] -j DROP
ebtables -t nat -A o-dev-ipv4 -j ACCEPT

ebtables -t nat -A i-dev-arp -s ! [CENSORED] -j DROP
ebtables -t nat -A i-dev-arp -p ARP --arp-mac-src ! [CENSORED] -j DROP
ebtables -t nat -A i-dev-arp -p ARP --arp-ip-src ! [CENSORED] -j DROP
ebtables -t nat -A i-dev-arp -p ARP --arp-op Request -j ACCEPT
ebtables -t nat -A i-dev-arp -p ARP --arp-op Reply -j ACCEPT
ebtables -t nat -A i-dev-arp -j DROP

ebtables -t nat -A o-dev-arp -p ARP --arp-op Reply --arp-mac-dst ! [CENSORED] -j
DROP
ebtables -t nat -A o-dev-arp -p ARP --arp-ip-dst ! [CENSORED] -j DROP
ebtables -t nat -A o-dev-arp -p ARP --arp-op Request -j ACCEPT
ebtables -t nat -A o-dev-arp -p ARP --arp-op Reply -j ACCEPT
ebtables -t nat -A o-dev-arp -j DROP

-Timo

Possibly Parallel Threads

Search for more maybe matching threads

libvirt users - Jun 2017 - Re: Isolate VMs' network

Re: [libvirt-users] Isolate VMs' network

Re: [libvirt-users] Isolate VMs' network

Re: [libvirt-users] Isolate VMs' network

Possibly Parallel Threads