[libvirt-users] Isolate VMs' network
Timo Juhani Lindfors
timo.lindfors at iki.fi
Mon Jun 5 14:33:29 UTC 2017
Thiago Oliveira <cpv.thiago at gmail.com> writes:
> Could you please show me a rule example that you are using?
Here are some rules I'm using on a development VM. I think most of the
ideas come from the ebtables rules used by libvirt itself. These just
prevent IP spoofing. After this you can use IP addresses for access
control much better.
# the user-defined chains must exist before rules can be appended to them
ebtables -t nat -N i-dev
ebtables -t nat -N o-dev
ebtables -t nat -N i-dev-ipv4
ebtables -t nat -N i-dev-arp
ebtables -t nat -N o-dev-ipv4
ebtables -t nat -N o-dev-arp
ebtables -t nat -A PREROUTING -i dev-home -j i-dev
ebtables -t nat -A POSTROUTING -o dev-home -j o-dev
ebtables -t nat -A i-dev -p IPv4 -j i-dev-ipv4
ebtables -t nat -A i-dev -p ARP -j i-dev-arp
ebtables -t nat -A i-dev -j DROP
ebtables -t nat -A o-dev -p IPv4 -j o-dev-ipv4
ebtables -t nat -A o-dev -p ARP -j o-dev-arp
ebtables -t nat -A o-dev -j DROP
ebtables -t nat -A i-dev-ipv4 -s ! [CENSORED] -j DROP
ebtables -t nat -A i-dev-ipv4 -p IPv4 --ip-src ! [CENSORED] -j DROP
ebtables -t nat -A i-dev-ipv4 -p IPv4 --ip-dst ! [CENSORED] -j DROP
ebtables -t nat -A o-dev-ipv4 -p IPv4 --ip-src ! [CENSORED] -j DROP
ebtables -t nat -A o-dev-ipv4 -j ACCEPT
ebtables -t nat -A i-dev-arp -s ! [CENSORED] -j DROP
ebtables -t nat -A i-dev-arp -p ARP --arp-mac-src ! [CENSORED] -j DROP
ebtables -t nat -A i-dev-arp -p ARP --arp-ip-src ! [CENSORED] -j DROP
ebtables -t nat -A i-dev-arp -p ARP --arp-op Request -j ACCEPT
ebtables -t nat -A i-dev-arp -p ARP --arp-op Reply -j ACCEPT
ebtables -t nat -A i-dev-arp -j DROP
ebtables -t nat -A o-dev-arp -p ARP --arp-op Reply --arp-mac-dst ! [CENSORED] -j DROP
ebtables -t nat -A o-dev-arp -p ARP --arp-ip-dst ! [CENSORED] -j DROP
ebtables -t nat -A o-dev-arp -p ARP --arp-op Request -j ACCEPT
ebtables -t nat -A o-dev-arp -p ARP --arp-op Reply -j ACCEPT
ebtables -t nat -A o-dev-arp -j DROP
-Timo