[PVE-User] IP / MacAddress restriction for QEMU
Leslie-Alexandre DENIS
infoslad at gmail.com
Mon Mar 9 21:15:09 CET 2015
Hello,
Personally I use one bridge per VM and add a route to the VM's IP using
the latter. Under Debian the route can be added automatically after the
interface comes up, with a configuration like this:
auto vmbr0
iface vmbr0 inet static
    address <main host ip>
    netmask 255.255.255.255
    bridge_ports none
    bridge_stp off
    bridge_fd 0
    up ip route add <additional ip>/32 dev vmbr0
    up ip route add <another additional ip>/32 dev vmbr0
As far as I know you can reuse the host's IP (main IP of the Proxmox
node) on every bridge (vmbrX).
This setup ensures that the traffic will be routed to the correct VM,
even if the client changes the IP configuration inside the machine. If
he does so, the machine won't be routed and so will be unavailable.
That's it, I'll be very pleased to enhance this setup because I think
it's a major feature for a virtualization host.
Regards,
On 09/03/2015 19:09, Fabrizio Cuseo wrote:
> Hello there.
>
> I would like to know if there is already some module to create a restriction for IP/MacAddress.
>
> For "low cost" VPS, creating a dedicated vlan, using a /30 network, configuring a network interface on the firewall, is too expensive.
>
> So I would like to use the whole /24 network, and give one address to each VPS; I also need to forbid any IP change.
>
> The fastest way is to create an ebtables rule, but it will be simpler if on the VM details I can check a radio button "restrict ip address" and write the IP address. It will generate on all the nodes, two ebtables rules:
>
> ebtables -A FORWARD -i ${network_device} -s ! ${mac_address} -j DROP
> ebtables -A FORWARD -s ${mac_address} -p IPv4 --ip-src ! ${ip_address} -j DROP
>
> It will work (for now) only for IPv4 addresses, but it can be enough for now.
>
> Regards, Fabrizio
>
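
The two ebtables rules from the quoted message, produced by a generator that validates the interface, MAC and IPv4 values before they are ever pasted into a root shell; this is an added example, not part of either poster's message. The function names and the sample values (`tap100i0`, the MAC, `192.0.2.10`) are constructed, and the third rule (ARP sender-IP check) is an assumption that goes beyond the thread.

```shell
#!/bin/sh
# Added example: print (never apply) per-VM ebtables anti-spoofing rules.
NL='
'
# True only if $1 is a single line matching extended regex $2.
matches() {
    case $1 in *"$NL"*) return 1 ;; esac
    printf '%s\n' "$1" | grep -Eq "$2"
}

# Dotted-quad check with each octet limited to 0..255.
valid_ipv4() {
    matches "$1" '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    old_ifs=$IFS; IFS=.
    set -- $1            # safe: input is digits and dots only at this point
    IFS=$old_ifs
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
}

# gen_restrict_rules <network_device> <mac_address> <ip_address>
gen_restrict_rules() {
    dev=$1; mac=$2; ip=$3
    matches "$dev" '^[A-Za-z0-9][A-Za-z0-9_.-]{0,14}$' ||
        { echo "invalid interface name" >&2; return 2; }
    matches "$mac" '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$' ||
        { echo "invalid MAC address" >&2; return 2; }
    valid_ipv4 "$ip" || { echo "invalid IPv4 address" >&2; return 2; }

    # Rules exactly as written in the thread.
    echo "ebtables -A FORWARD -i $dev -s ! $mac -j DROP"
    echo "ebtables -A FORWARD -s $mac -p IPv4 --ip-src ! $ip -j DROP"
    # Assumption beyond the thread: the IPv4 rule does not inspect ARP, so
    # also drop ARP frames whose sender IP is not the assigned address.
    echo "ebtables -A FORWARD -i $dev -p ARP --arp-ip-src ! $ip -j DROP"
}

# Constructed sample values, for illustration only.
gen_restrict_rules tap100i0 52:54:00:12:34:56 192.0.2.10
```

Review the printed rules, then apply them on each node; like the original pair, they cover IPv4 only.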