Prevent hijacking IPs in KVM/libvirt

qemu routing vps kvm-virtualization libvirt

You can't use switch port security on the Cisco since all the VMs will be sharing a physical switch port. And you can't use Linux iptables because the traffic is being bridged, not routed, through the hypervisor machine. But you can emulate switch port security on the hypervisor with Linux ebtables, which is a lesser-known layer 2/3 firewall on the Linux bridge. A quick and dirty example (and likely incomplete; I don't generally bother with this):

# First allow some obvious stuff; might need other things I forgot about
ebtables -A FORWARD -p IPv4 -m ip --ip-source 0.0.0.0 -j ACCEPT
ebtables -A FORWARD -p IPv6 -m ip6 --ip6-source :: -j ACCEPT

# Prevent a source MAC address from using a wrong source IP
ebtables -A FORWARD -p IPv4 -s 52:54:00:70:C1:99 -m ip --ip-source ! 192.0.2.5 -j DROP
ebtables -A FORWARD -p IPv4 -s 52:54:00:A3:09:3F -m ip --ip-source ! 192.0.2.6 -j DROP
ebtables -A FORWARD -p IPv4 -s 52:54:00:18:65:2A -m ip --ip-source ! 192.0.2.7 -j DROP

Related

Ansible conditional statement based on other roles?
Switch regions on EB CLI
Mount Point Does Not Exist, Despite Creating It
How can I encrypt CoreData contents on an iPhone
iPhone proper usage of Application Delegate
Django persistent database connection
How are Threads allocated to handle Servlet request?
Why does OpenGL use degrees instead of radians?
What exactly do you do with the transclude function and the clone linking function?
A* Algorithm for very large graphs, any thoughts on caching shortcuts?
How to run a code in an Amazone's EC2 instance?
"items list" or "item list"