Linux-KVM / iptables: prevent guest spoofing by matching ip+mac address on bridge?

security iptables kvm-virtualization spoofing

As far as I can see you just can't do some of the things you need to do with iptables. You need filtering at the bridge level. You should probably take a look at ebtables - it's like iptables for bridges.

Manual: http://ebtables.sourceforge.net/misc/ebtables-man.html


I tried to make a template for the simple set of iptables rules for your problem, try this out:

iptables -t filter -A FORWARD -m physdev --physdev-in $LINK_FOR_THE_VM --physdev-is-bridged -j ${VMID}-out
iptables -t filter -A ${VMID}-out -m mac ! --mac-source $MAC_ADDR_FOR_THE_VIRTUAL_NIC -j DROP
iptables -t filter -A ${VMID}-out -s 0.0.0.0/32 -d 255.255.255.255/32 -p udp -m udp --sport 68 --dport 67 -j ACCEPT
iptables -t filter -A ${VMID}-out ! -s $PERMITTED_IP_ADDR_FOR_THE_VM -j DROP
iptables -t filter -A ${VMID}-out -j RETURN

Here is an example:

iptables -t filter -A FORWARD -m physdev --physdev-in vm10 --physdev-is-bridged -j 10-out
iptables -t filter -A 10-out -m mac ! --mac-source 52:54:5a:8d:77:8e -j DROP
iptables -t filter -A 10-out -s 0.0.0.0/32 -d 255.255.255.255/32 -p udp -m udp --sport 68 --dport 67 -j ACCEPT
iptables -t filter -A 10-out ! -s 192.168.1.205 -j DROP
iptables -t filter -A 10-out -j RETURN

Related

Is my server being used as a proxy or is a DOS underway? Lots of traffic in my apache log
How to best optimize an Oracle database for writes?
How to interconnect 2 switches (Cisco/Dell) with trunks
What is a good sendmail log analyzer?
How to hack airport extreme to support USB 3G modem? [closed]
Setting up SSL on apache on linux ubuntu
apache force if url has specific pattern redirect to https [duplicate]
How to setup IP alias on bridged interface in Ubuntu
VSFTPD says "500 OOPS: cannot change directory"
%CPU for a process
EXIM: Relay to Office 365
Does sending e-mail in the name of customers increase the risk of being marked as spammer?