[pve-devel] RFC : iptables implementation

Alexandre DERUMIER aderumier at odiso.com
Fri Jan 24 08:21:14 CET 2014


>>If you have several bridges with assigned IPs, traffic can be routed from one 
>>VM to another VM on a different bridge. This will bypass all your firewall rules! 

Can you provide a network schema with guest and bridge IP addresses for this example? 




----- Original Message ----- 

From: "Alexandre DERUMIER" <aderumier at odiso.com> 
To: "Dietmar Maurer" <dietmar at proxmox.com> 
Cc: "pve-devel" <pve-devel at pve.proxmox.com> 
Sent: Friday 24 January 2014 07:59:40 
Subject: Re: [pve-devel] RFC : iptables implementation 

>>That is the other direction? I talk about OUTPUT from HOST into VM 

I wanted to say that the connection can't be established because the return packet is blocked in INPUT. 
But indeed, there are incoming packets from host to tap. 
(I have tested with ping and ssh from host to guest; I never get a response if I filter INPUT.) 


>> Jan 24 06:49:18 kvmtest1 kernel: [318034.190051] ALLTRAFFICOUTPUT: IN= 
>> OUT=vmbr1 SRC=10.3.94.31 DST=10.3.94.201 LEN=84 TOS=0x00 PREC=0x00 
>> TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=7239 SEQ=21 
>> 
>>exactly. What if I want to block that? 

The only way is to block the dst IP in OUTPUT, but we need to know the guest IP. 


>>If you have several bridges with assigned IPs, traffic can be routed from one 
>>VM to another VM on a different bridge. This will bypass all your firewall rules! 

I'll test that today. 


----- Original Message ----- 

From: "Dietmar Maurer" <dietmar at proxmox.com> 
To: "Alexandre DERUMIER" <aderumier at odiso.com> 
Cc: "pve-devel" <pve-devel at pve.proxmox.com> 
Sent: Friday 24 January 2014 07:05:03 
Subject: RE: [pve-devel] RFC : iptables implementation 

> >>The problem is that all routed traffic from HOST to VM is allowed. So 
> >>a good test would be trying to block something. 
> 
> yes, but the return packet (tap-->input) is blocked, so you can't establish a 
> connection 


> iptables -A INPUT -m physdev --physdev-in tap115i0 -j DROP 
> 
> or 
> 
> iptables -A INPUT -m mac --mac-source 32:36:8A:E1:B5:65 -j DROP 

That is the other direction? I am talking about OUTPUT from HOST into VM 

> 
> host : 10.3.94.31 
> guest : 10.3.94.201 
> 
> #ping 10.3.94.201 
> 
> host---->tap : allowed 
> Jan 24 06:49:18 kvmtest1 kernel: [318034.190051] ALLTRAFFICOUTPUT: IN= 
> OUT=vmbr1 SRC=10.3.94.31 DST=10.3.94.201 LEN=84 TOS=0x00 PREC=0x00 
> TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=7239 SEQ=21 

Exactly. What if I want to block that? 

If you have several bridges with assigned IPs, traffic can be routed from one 
VM to another VM on a different bridge. This will bypass all your firewall rules! 
_______________________________________________ 
pve-devel mailing list 
pve-devel at pve.proxmox.com 
http://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel 
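As an added example (not code from this thread or from Proxmox), a small Python parser for kernel netfilter LOG lines like the ALLTRAFFICOUTPUT line quoted above. It labels each logged packet by the path it took, and in particular flags packets whose IN and OUT interfaces are two different bridges, i.e. traffic the host routed between VMs instead of bridging it, which is the case that bypasses per-tap physdev rules. The two FORWARD sample lines, the ALLTRAFFICFORWARD prefix and the addresses 10.3.93.10 and 10.3.94.202 are constructed; only the first line is from the thread.

```python
import re

# Constructed sample log: line 1 is the host->tap ping from the thread, line 2 is a
# constructed packet routed by the host from vmbr0 to vmbr1, line 3 is a constructed
# bridged packet (same bridge, PHYSIN/PHYSOUT present as br_netfilter reports it).
SAMPLE_LOG = """\
Jan 24 06:49:18 kvmtest1 kernel: [318034.190051] ALLTRAFFICOUTPUT: IN= OUT=vmbr1 SRC=10.3.94.31 DST=10.3.94.201 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=7239 SEQ=21
Jan 24 06:50:02 kvmtest1 kernel: [318078.001234] ALLTRAFFICFORWARD: IN=vmbr0 OUT=vmbr1 SRC=10.3.93.10 DST=10.3.94.201 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=1234 DF PROTO=TCP SPT=43210 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Jan 24 06:50:05 kvmtest1 kernel: [318081.002345] ALLTRAFFICFORWARD: IN=vmbr1 PHYSIN=tap115i0 OUT=vmbr1 PHYSOUT=tap116i0 SRC=10.3.94.201 DST=10.3.94.202 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=99 DF PROTO=TCP SPT=50000 DPT=80 WINDOW=29200 RES=0x00 SYN URGP=0
"""

# KEY=VALUE tokens; an empty value (IN=) is allowed. Flags without '=' (DF, SYN) are ignored.
FIELD_RE = re.compile(r"\b([A-Z]+)=(\S*)")
PREFIX_RE = re.compile(r"\] (\S+): (.*)$")


def parse_log_line(line):
    """Return the KEY=VALUE fields of one LOG line as a dict (plus the rule prefix
    under '_prefix'), or None if the line is not a prefixed netfilter LOG line.
    Note: ID= occurs twice for ICMP (IP ID, then ICMP ID); the last one wins."""
    m = PREFIX_RE.search(line)
    if not m:
        return None
    fields = dict(FIELD_RE.findall(m.group(2)))
    fields["_prefix"] = m.group(1)
    return fields


def classify(fields):
    """Label the path of a logged packet from the firewall's point of view."""
    in_if, out_if = fields.get("IN", ""), fields.get("OUT", "")
    if in_if == "" and out_if.startswith("vmbr"):
        return "host-to-bridge"          # host-originated: only OUTPUT by DST can filter it
    if in_if.startswith("vmbr") and out_if.startswith("vmbr") and in_if != out_if:
        return "routed-between-bridges"  # went through the host IP stack, not a bridge port
    if "PHYSIN" in fields or "PHYSOUT" in fields:
        return "bridged"                 # same bridge; physdev match applies
    return "other"


def find_bypass_candidates(log_text):
    """Return (src, dst, in_if, out_if) for every packet routed between two bridges."""
    hits = []
    for line in log_text.splitlines():
        fields = parse_log_line(line)
        if fields and classify(fields) == "routed-between-bridges":
            hits.append((fields["SRC"], fields["DST"], fields["IN"], fields["OUT"]))
    return hits


if __name__ == "__main__":
    for line in SAMPLE_LOG.splitlines():
        f = parse_log_line(line)
        print(f["_prefix"], f["SRC"], "->", f["DST"], classify(f))
```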


