[PVE-User] IP / MacAddress restriction for QEMU

Sten Aus sten.aus at eenet.ee
Mon Mar 9 22:05:49 CET 2015


Is it possible to do this dynamically using Open vSwitch?

On 09.03.15 22:15, Leslie-Alexandre DENIS wrote:
> Hello,
>
> Personally I use one bridge per VM and add a route to the VM's IP
> using the latter. Under Debian the route can be added automatically
> after the interface comes up, with a configuration like this:
>
> auto vmbr0
> iface vmbr0 inet static
>     address <main host ip>
>     netmask 255.255.255.255
>     bridge_ports none
>     bridge_stp off
>     bridge_fd 0
>     up ip route add <additional ip>/32 dev vmbr0
>     up ip route add <another additional ip>/32 dev vmbr0
>
>
> As far as I know you can reuse the host's IP (main IP of the Proxmox 
> node) on every bridge (vmbrX).
>
> This setup ensures that the traffic will be routed to the correct VM,
> even if the client changes the IP configuration inside the machine. If
> he does so, the machine won't be routed and so will be unavailable.
>
> That's it, I'll be very pleased to enhance this setup because I think 
> it's a major feature for a virtualization host.
>
> Regards,
>
> On 09/03/2015 19:09, Fabrizio Cuseo wrote:
>> Hello there.
>>
>> I would like to know if there is already some module to create a restriction for IP/MacAddress.
>>
>> For "low cost" VPS, creating a dedicated vlan, using a /30 network, configuring a network interface on the firewall, is too expensive.
>>
>> So I would like to use the whole /24 network, and give one address to each VPS; I also need to forbid any IP change.
>>
>> The fastest way is to create an ebtables rule, but it will be simpler if on the VM details I can check a radio button "restrict ip address" and write the IP address. It will generate, on all the nodes, two ebtables rules:
>>
>> ebtables -A FORWARD -i ${network_device} -s ! ${mac_address} -j DROP
>> ebtables -A FORWARD -s ${mac_address} -p IPv4 --ip-src ! ${ip_address} -j DROP
>>
>> It will work (for now) only for IPv4 addresses, but it can be enough for now.
>>
>> Regards, Fabrizio
>>
>
>
>
> _______________________________________________
> pve-user mailing list
> pve-user at pve.proxmox.com
> http://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-user
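
An added example, not part of the original thread and not Proxmox code: a shell function that prints the two ebtables rules proposed in the quoted message for one VM, bound to its tap device, plus matching ARP rules, since the IPv4 match does not cover ARP frames. The function names are hypothetical, and the device name tap100i0, the MAC and the IP are constructed sample values; a statically addressed guest is assumed.

```shell
#!/bin/sh
# Added example: print per-VM anti-spoofing rules for review; nothing is applied.
# Assumes a statically addressed guest: DHCP and ARP probes sent from 0.0.0.0
# would be dropped by the source-IP rules as well.

valid_mac() {
    printf '%s\n' "$1" | grep -Eq '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$'
}

valid_ipv4() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    # Split on dots in a subshell so IFS and the positional parameters stay local.
    ( IFS=.; set -- $1; for o in "$@"; do [ "$o" -le 255 ] || exit 1; done )
}

# vm_filter_rules DEVICE MAC IPV4  (hypothetical helper, not a Proxmox command)
vm_filter_rules() {
    dev=$1; mac=$2; ip=$3
    # Reject anything that could inject shell syntax if the output is piped to sh.
    case $dev in
        ''|*[!A-Za-z0-9_.-]*) echo "bad interface: $dev" >&2; return 1 ;;
    esac
    valid_mac "$mac" || { echo "bad MAC: $mac" >&2; return 1; }
    valid_ipv4 "$ip" || { echo "bad IPv4: $ip" >&2; return 1; }
    cat <<EOF
ebtables -A FORWARD -i $dev -s ! $mac -j DROP
ebtables -A FORWARD -i $dev -p IPv4 --ip-src ! $ip -j DROP
ebtables -A FORWARD -i $dev -p ARP --arp-mac-src ! $mac -j DROP
ebtables -A FORWARD -i $dev -p ARP --arp-ip-src ! $ip -j DROP
EOF
}

# Constructed sample values (documentation address range, made-up MAC).
vm_filter_rules tap100i0 52:54:00:12:34:56 192.0.2.10
```

The output can be reviewed and then run on each node; IPv6 frames from the permitted MAC are not filtered by these rules.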
