[pve-devel] RFC : iptables implementation
Alexandre DERUMIER
aderumier at odiso.com
Fri Jan 24 06:52:54 CET 2014
>>The problem is that all routed traffic from HOST to VM is allowed. So a good test
>>would be trying to block something.
Yes, but the return packet (tap-->input) is blocked, so you can't establish a connection:
iptables -A INPUT -m physdev --physdev-in tap115i0 -j DROP
or
iptables -A INPUT -m mac --mac-source 32:36:8A:E1:B5:65 -j DROP
host : 10.3.94.31
guest : 10.3.94.201
#ping 10.3.94.201
host---->tap : allowed
Jan 24 06:49:18 kvmtest1 kernel: [318034.190051] ALLTRAFFICOUTPUT: IN= OUT=vmbr1 SRC=10.3.94.31 DST=10.3.94.201 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=7239 SEQ=21
tap-->host : dropped
Jan 24 06:49:18 kvmtest1 kernel: [318034.190194] ALLTRAFFICINPUT: IN=vmbr1 OUT= PHYSIN=tap115i0 MAC=00:1a:a0:3c:98:c5:32:36:8a:e1:b5:65:08:00 SRC=10.3.94.201 DST=10.3.94.31 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=32747 PROTO=ICMP TYPE=0 CODE=0 ID=7239 SEQ=21
Another way would be to block the guest IP in OUTPUT, but we need to know the IP address of the guest.
----- Original Message -----
From: "Dietmar Maurer" <dietmar at proxmox.com>
To: "Alexandre DERUMIER" <aderumier at odiso.com>
Cc: "pve-devel" <pve-devel at pve.proxmox.com>
Sent: Thursday 23 January 2014 10:55:50
Subject: RE: [pve-devel] RFC : iptables implementation
> >>Maybe no big problem unless the user assigns IP addresses to multiple
> bridges.
>
> I'll do a test today, because I know OpenStack can use dhcpd from the host.
The problem is that all routed traffic from HOST to VM is allowed. So a good test
would be trying to block something.
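The two LOG lines above show why the physdev and MAC rules can only catch the tap-->host half of the exchange: the echo request logged in OUTPUT carries no PHYSIN= and no MAC= field, so neither match can see it, while the echo reply logged in INPUT carries both. The following script is an added illustration written for this page, not code from the pve-devel thread or from Proxmox. It parses the quoted LOG lines (embedded as a constructed sample, kernel timestamp prefix dropped) and evaluates models of three rules against them: `-m physdev --physdev-in tap115i0` and `-m mac --mac-source 32:36:8A:E1:B5:65` in INPUT, as proposed in the mail, and the alternative `-d 10.3.94.201` in OUTPUT, which requires knowing the guest IP. The function and variable names (`parse_log_line`, `verdict`, `run`, `RULES_*`) are the example's own.

```python
"""Evaluate iptables-style matches against netfilter LOG lines.

Added example, not part of the pve-devel thread or of Proxmox. It models
three matches (physdev --physdev-in, mac --mac-source, and -d <ip>) and
shows which netfilter hook can see which packet of a host<->guest ping.
"""

# Constructed sample: the two kernel LOG lines quoted in the mail, with the
# "Jan 24 06:49:18 kvmtest1 kernel: [...]" prefix removed.
LOG_LINES = [
    "ALLTRAFFICOUTPUT: IN= OUT=vmbr1 SRC=10.3.94.31 DST=10.3.94.201 LEN=84 "
    "TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=7239 SEQ=21",
    "ALLTRAFFICINPUT: IN=vmbr1 OUT= PHYSIN=tap115i0 "
    "MAC=00:1a:a0:3c:98:c5:32:36:8a:e1:b5:65:08:00 SRC=10.3.94.201 DST=10.3.94.31 "
    "LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=32747 PROTO=ICMP TYPE=0 CODE=0 ID=7239 SEQ=21",
]


def parse_log_line(line):
    """Parse one netfilter LOG line into a dict.

    The chain is inferred from IN=/OUT=: only OUT set -> OUTPUT, only IN set
    -> INPUT, both set -> FORWARD.  MAC=, present only when the packet came
    in through a network device, is the raw Ethernet header: 6 bytes
    destination, 6 bytes source, 2 bytes ethertype.
    """
    prefix, _, rest = line.partition(":")
    fields = {}
    for tok in rest.split():
        if "=" in tok:
            key, _, val = tok.partition("=")
            fields.setdefault(key, val)   # first ID= is the IP id, not the ICMP id
        else:
            fields[tok] = True            # bare flags such as DF
    pkt = {"prefix": prefix.strip(), "fields": fields}
    if fields.get("IN") and fields.get("OUT"):
        pkt["chain"] = "FORWARD"
    elif fields.get("IN"):
        pkt["chain"] = "INPUT"
    else:
        pkt["chain"] = "OUTPUT"
    mac = fields.get("MAC")
    if mac:
        octets = mac.split(":")
        pkt["dst_mac"] = ":".join(octets[0:6])
        pkt["src_mac"] = ":".join(octets[6:12])
        pkt["ethertype"] = "".join(octets[12:14])
    return pkt


def physdev_in(iface):
    """-m physdev --physdev-in IFACE: only bridged frames carry PHYSIN=."""
    return lambda pkt: pkt["fields"].get("PHYSIN") == iface


def mac_source(mac):
    """-m mac --mac-source MAC: needs a link-layer header, which locally
    generated packets in OUTPUT do not have (no MAC= in their LOG line)."""
    return lambda pkt: pkt.get("src_mac", "").lower() == mac.lower()


def dst_ip(ip):
    """-d IP: plain layer-3 match, works in OUTPUT but needs the guest's IP."""
    return lambda pkt: pkt["fields"].get("DST") == ip


def verdict(rules, pkt, policy="ACCEPT"):
    """First matching rule in the packet's chain wins, as in iptables."""
    for chain, match, target in rules:
        if chain == pkt["chain"] and match(pkt):
            return target
    return policy


def run(rules, lines=LOG_LINES):
    """Verdict for each logged packet, in log order."""
    return [verdict(rules, parse_log_line(line)) for line in lines]


# The rule sets discussed in the thread, as (chain, match, target) tuples.
RULES_PHYSDEV = [("INPUT", physdev_in("tap115i0"), "DROP")]
RULES_MAC = [("INPUT", mac_source("32:36:8A:E1:B5:65"), "DROP")]
RULES_GUEST_IP = [("OUTPUT", dst_ip("10.3.94.201"), "DROP")]  # needs guest IP

if __name__ == "__main__":
    for name, rules in [("physdev", RULES_PHYSDEV), ("mac", RULES_MAC),
                        ("guest-ip", RULES_GUEST_IP)]:
        print(f"{name:9s} request/reply -> {run(rules)}")
```

Running it prints ACCEPT for the echo request and DROP for the reply under both INPUT rules, and the reverse under the OUTPUT rule; either way one half of the exchange is dropped, which is why the ping never completes. The parser keeps the first `ID=` (the IP id) and ignores the ICMP one, which is enough for these matches.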