[pve-devel] RFC : iptables implementation

Dietmar Maurer dietmar at proxmox.com
Fri Jan 24 07:05:03 CET 2014


> >>The problem is that all routed traffic from HOST to VM is allowed. So
> >>a good test would be trying to block something.
> 
> yes, but the return packet (tap-->input) is blocked, so you can't establish a
> connection


> iptables -A INPUT -m physdev --physdev-in tap115i0 -j DROP
> 
> or
> 
> iptables -A INPUT -m mac --mac-source 32:36:8A:E1:B5:65 -j DROP

That is the other direction? I am talking about OUTPUT from HOST into VM.

> 
> host : 10.3.94.31
> guest : 10.3.94.201
> 
> #ping 10.3.94.201
> 
> host---->tap : allowed
> Jan 24 06:49:18 kvmtest1 kernel: [318034.190051] ALLTRAFFICOUTPUT: IN=
> OUT=vmbr1 SRC=10.3.94.31 DST=10.3.94.201 LEN=84 TOS=0x00 PREC=0x00
> TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=7239 SEQ=21

Exactly. What if I want to block that?

If you have several bridges with assigned IPs, traffic can be routed from one
VM to another VM on a different bridge. This will bypass all your firewall rules!
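The two paths discussed in this thread (host-generated traffic to a VM, which traverses OUTPUT rather than INPUT, and traffic routed between VMs on different bridges, which traverses FORWARD) are both visible in iptables LOG output like the line quoted above. The following is an added example, not code from the thread or from Proxmox VE: it parses such LOG lines, derives the netfilter path from the IN=/OUT= fields, and flags the two cases that physdev-in matches on INPUT do not cover. The sample log lines, the bridge naming prefix vmbr and the log prefixes are constructed assumptions.

```python
import re
from dataclasses import dataclass

# iptables LOG lines are "KEY=VALUE" pairs; bare flags like "DF" have no "=".
# Note: "ID=" appears twice for ICMP (IP ID and ICMP ID); the dict keeps the last.
KV_RE = re.compile(r'(\w+)=(\S*)')
PREFIX_RE = re.compile(r'\] (\S+?): IN=')

# Constructed sample lines modelled on the LOG line quoted in the thread.
# The first line is the host pinging the VM (OUTPUT chain, IN is empty).
# The second is the VM's reply arriving via the tap device (INPUT chain).
# The third is a VM on vmbr1 reaching a VM on vmbr2 via the host's routing
# table (FORWARD chain, different bridges on IN and OUT).
SAMPLE_LOG = """\
Jan 24 06:49:18 kvmtest1 kernel: [318034.190051] ALLTRAFFICOUTPUT: IN= OUT=vmbr1 SRC=10.3.94.31 DST=10.3.94.201 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=7239 SEQ=21
Jan 24 06:49:18 kvmtest1 kernel: [318034.190412] ALLTRAFFICINPUT: IN=vmbr1 PHYSIN=tap115i0 OUT= SRC=10.3.94.201 DST=10.3.94.31 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 PROTO=ICMP TYPE=0 CODE=0 ID=7239 SEQ=21
Jan 24 06:50:02 kvmtest1 kernel: [318078.001122] ALLTRAFFICFORWARD: IN=vmbr1 PHYSIN=tap115i0 OUT=vmbr2 SRC=10.3.94.201 DST=10.4.94.55 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=12345 DF PROTO=TCP SPT=40000 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
"""

BRIDGE_PREFIX = "vmbr"  # assumption: Proxmox-style bridge names


@dataclass
class LogEntry:
    prefix: str
    path: str          # INPUT, OUTPUT, FORWARD or UNKNOWN
    in_dev: str
    out_dev: str
    physin: str
    src: str
    dst: str
    proto: str
    bypass: str        # "" if covered by a physdev-in rule on INPUT, else the reason


def classify(line: str) -> LogEntry:
    """Derive the netfilter path a logged packet took from its IN=/OUT= fields."""
    fields = dict(KV_RE.findall(line))
    in_dev, out_dev = fields.get("IN", ""), fields.get("OUT", "")
    m = PREFIX_RE.search(line)
    prefix = m.group(1) if m else ""

    if not in_dev and out_dev:
        path = "OUTPUT"      # locally generated by the host
    elif in_dev and not out_dev:
        path = "INPUT"       # locally delivered to the host
    elif in_dev and out_dev:
        path = "FORWARD"     # bridged or routed through the host
    else:
        path = "UNKNOWN"

    bypass = ""
    if path == "OUTPUT":
        bypass = "host-originated traffic: INPUT/physdev-in rules never see it"
    elif (path == "FORWARD" and in_dev != out_dev
          and in_dev.startswith(BRIDGE_PREFIX) and out_dev.startswith(BRIDGE_PREFIX)):
        bypass = "routed between bridges: not subject to same-bridge physdev rules"

    return LogEntry(prefix, path, in_dev, out_dev, fields.get("PHYSIN", ""),
                    fields.get("SRC", ""), fields.get("DST", ""),
                    fields.get("PROTO", ""), bypass)


def find_bypasses(log_text: str) -> list:
    """Return the entries a tap/physdev-in INPUT ruleset would not have filtered."""
    entries = [classify(l) for l in log_text.splitlines() if "IN=" in l]
    return [e for e in entries if e.bypass]


if __name__ == "__main__":
    for e in find_bypasses(SAMPLE_LOG):
        print(f"{e.prefix:18} {e.path:8} {e.src} -> {e.dst} ({e.proto}): {e.bypass}")
```

Running the block lists the host-to-VM ping and the bridge-to-bridge TCP flow as the two entries that need rules in OUTPUT and FORWARD respectively; the VM's reply on the INPUT path is the only one a physdev-in match on tap115i0 would already have dropped.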


