[pve-devel] RFC : iptables implementation

Alexandre DERUMIER aderumier at odiso.com
Fri Jan 24 09:03:28 CET 2014


>>vmbr0(10.1.0.1/24) => VM1(10.1.0.2) 
>>
>>vmbr1(10.2.0.1/24) => VM2(10.2.0.2) 
>>
>>So traffic from VM1 to VM2 is enabled without firewall when you use gateway 10.1.0.1 

ah ok, I understand. But isn't it blocked by the INPUT rule on the host? (10.1.0.2->10.1.0.1)
I'll do test today.


If we really want to block host->tap without knowing the IPs in the guests,
we could also allow only known authorized IPs in OUTPUT:


iptables -A OUTPUT -d kvmhost1 -j ACCEPT
iptables -A OUTPUT -d kvmhost2 -j ACCEPT
iptables -A OUTPUT -d adminip -j ACCEPT
iptables -A OUTPUT -j DROP


----- Original Message -----

From: "Dietmar Maurer" <dietmar at proxmox.com>
To: "Alexandre DERUMIER" <aderumier at odiso.com>
Cc: "pve-devel" <pve-devel at pve.proxmox.com>
Sent: Friday 24 January 2014 08:57:06
Subject: RE: [pve-devel] RFC : iptables implementation

> >>If you have several bridges with assigned IPs, traffic can be routed 
> >>from one VM to another VM on different bridge. This will bypass all your 
> firewall rules! 
> 
> Can you provide a network schema with guest and bridge IP addresses for this
> example?

vmbr0(10.1.0.1/24) => VM1(10.1.0.2) 

vmbr1(10.2.0.1/24) => VM2(10.2.0.2) 

So traffic from VM1 to VM2 is enabled without firewall when you use gateway 10.1.0.1 
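The point behind the schema above is a netfilter hook detail: a packet from VM1 (10.1.0.2) to VM2 (10.2.0.2) is not addressed to the host, so when it arrives on vmbr0 it goes through PREROUTING, the routing decision and FORWARD, never through INPUT. A rule on the host's INPUT chain therefore does not see it; it has to be stopped in FORWARD. The script below is an added example, not code from this thread or from the Proxmox firewall: it emits an iptables-restore ruleset that drops anything the host would route between VM bridges and, as proposed in the reply, restricts the host's own OUTPUT to an allow-list. The bridge names come from the schema; the chain names PVE_NOROUTE and PVE_HOSTOUT and the allowed addresses are placeholders of my own.

```shell
#!/bin/sh
# Added example (not Proxmox code): generate an iptables-restore ruleset that
#  1) drops traffic the host would route between VM bridges (FORWARD chain),
#  2) limits the host's own OUTPUT to an allow-list of known addresses.
# Bridge names follow the thread's schema; chain names and the allowed
# addresses below are assumptions for illustration only.

BRIDGES="vmbr0 vmbr1"                        # VM bridges, 10.1.0.0/24 and 10.2.0.0/24
ALLOWED_OUT="10.1.0.10 10.1.0.11 192.0.2.7"  # stand-ins for kvmhost1, kvmhost2, adminip

gen_rules() {
    # $1: space-separated bridge names, $2: space-separated allowed destination IPs
    bridges=$1; allowed=$2
    echo '*filter'
    echo ':INPUT ACCEPT [0:0]'
    echo ':FORWARD ACCEPT [0:0]'
    echo ':OUTPUT ACCEPT [0:0]'
    echo ':PVE_NOROUTE - [0:0]'
    echo ':PVE_HOSTOUT - [0:0]'
    # A VM1 -> VM2 packet is destined to 10.2.0.2, not to the host, so it is
    # forwarded rather than delivered locally: INPUT never sees it. Drop every
    # bridge-to-bridge pair in FORWARD instead.
    for in_br in $bridges; do
        for out_br in $bridges; do
            [ "$in_br" = "$out_br" ] && continue
            echo "-A PVE_NOROUTE -i $in_br -o $out_br -j DROP"
        done
    done
    echo '-A FORWARD -j PVE_NOROUTE'
    # Host OUTPUT allow-list: loopback and replies to established connections
    # first (otherwise the host's own DNS, NTP and cluster traffic dies),
    # then the known destinations, then drop the rest.
    echo '-A PVE_HOSTOUT -o lo -j ACCEPT'
    echo '-A PVE_HOSTOUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    for ip in $allowed; do
        echo "-A PVE_HOSTOUT -d $ip -j ACCEPT"
    done
    echo '-A PVE_HOSTOUT -j DROP'
    echo '-A OUTPUT -j PVE_HOSTOUT'
    echo 'COMMIT'
}

# Dry run by default: print the ruleset so it can be reviewed. Set APPLY=1 on
# a test host to load it with iptables-restore (needs root; this replaces the
# current contents of the filter table).
if [ "${APPLY:-0}" = "1" ]; then
    gen_rules "$BRIDGES" "$ALLOWED_OUT" | iptables-restore
else
    gen_rules "$BRIDGES" "$ALLOWED_OUT"
fi
```

Two caveats when trying this on a real host: the inter-bridge DROP is deliberately coarse and also blocks routed traffic you might want (for example a VM reaching a second bridge on purpose), so it belongs behind whatever per-VM rules the firewall already applies; and an OUTPUT allow-list ending in DROP locks the host out of everything not listed, so keep the ESTABLISHED,RELATED rule and test from a console session rather than over SSH.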


