Prevent hijacking IPs in KVM/libvirt
You can't use switch port security on the Cisco since all the VMs will be sharing a physical switch port. And you can't use Linux iptables because the traffic is being bridged, not routed, through the hypervisor machine. But you can emulate switch port security on the hypervisor with Linux ebtables, which is a lesser-known layer 2/3 firewall on the Linux bridge. A quick and dirty example (and likely incomplete; I don't generally bother with this):
# First allow some obvious stuff; might need other things I forgot about.
# A VM with no lease yet sends its DHCP requests from 0.0.0.0, and IPv6
# duplicate-address detection is sent from ::, so let those through before
# the per-MAC checks. The ip/ip6 match is selected by -p IPv4 / -p IPv6
# together with the --ip-* / --ip6-* options; ebtables takes no -m here.
ebtables -A FORWARD -p IPv4 --ip-source 0.0.0.0 -j ACCEPT
ebtables -A FORWARD -p IPv6 --ip6-source :: -j ACCEPT
# Prevent a source MAC address from using a wrong source IP
ebtables -A FORWARD -p IPv4 -s 52:54:00:70:C1:99 --ip-source ! 192.0.2.5 -j DROP
ebtables -A FORWARD -p IPv4 -s 52:54:00:A3:09:3F --ip-source ! 192.0.2.6 -j DROP
ebtables -A FORWARD -p IPv4 -s 52:54:00:18:65:2A --ip-source ! 192.0.2.7 -j DROP
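As an added example (not code from the answer above), here is a small POSIX sh script that builds the same kind of per-MAC pinning from a MAC-to-IP map instead of hand-written lines. It validates every entry before emitting anything, and it goes one step beyond the IPv4-only rules above by also pinning the ARP side, since a guest that can forge ARP sender fields can still hijack a neighbour's address at layer 2. The chain name VMPIN, the "mac ip" map format and the sample MACs and addresses are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not code from the original answer: build (and optionally
# apply) an ebtables chain that pins each VM's source MAC to one IPv4 address
# for both IPv4 frames and ARP, while still letting an unleased VM use DHCP.
# Assumptions: ebtables-legacy syntax, a "mac ip" map on stdin, and the
# chain name VMPIN (arbitrary). The MACs and IPs are constructed sample data.

# Constructed sample mapping: libvirt's 52:54:00 OUI, TEST-NET-1 addresses.
VM_MAP='# mac               ip
52:54:00:70:C1:99  192.0.2.5
52:54:00:A3:09:3F  192.0.2.6
52:54:00:18:65:2A  192.0.2.7'

CHAIN=VMPIN

# valid_mac: six colon-separated hex octets, either case.
valid_mac() {
    printf '%s\n' "$1" | grep -Eq '^([0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}$'
}

# valid_ipv4: dotted quad with every octet in 0..255.
valid_ipv4() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    (
        IFS=.
        for o in $1; do [ "$o" -le 255 ] || exit 1; done
    )
}

# gen_rules: read "mac ip" pairs from stdin and print the ebtables commands.
# On a malformed entry it prints no rules at all and returns 1, so a typo in
# the map cannot become a rule that pins the wrong address.
gen_rules() {
    pins=''
    while read -r mac ip rest; do
        case "$mac" in ''|'#'*) continue ;; esac
        if ! valid_mac "$mac" || ! valid_ipv4 "$ip"; then
            echo "gen_rules: bad entry '$mac $ip'" >&2
            return 1
        fi
        mac=$(printf '%s' "$mac" | tr 'A-F' 'a-f')   # ebtables prints MACs in lower case
        pins="$pins
# $mac may only claim $ip: the IPv4 source, the ARP sender IP and the ARP
# sender hardware address must all agree with the frame's source MAC
ebtables -A $CHAIN -p IPv4 -s $mac --ip-src ! $ip -j DROP
ebtables -A $CHAIN -p ARP -s $mac --arp-ip-src ! $ip -j DROP
ebtables -A $CHAIN -p ARP -s $mac --arp-mac-src ! $mac -j DROP"
    done
    cat <<EOF
# (Re)create the chain so re-running this replaces the old pins rather than appending
ebtables -N $CHAIN 2>/dev/null || true
ebtables -F $CHAIN
ebtables -P $CHAIN RETURN
# An unleased VM sends DHCP from 0.0.0.0 and ARP probes with sender IP 0.0.0.0;
# accept those before the per-MAC rules, which would otherwise drop them
ebtables -A $CHAIN -p IPv4 --ip-src 0.0.0.0 -j ACCEPT
ebtables -A $CHAIN -p ARP --arp-ip-src 0.0.0.0 -j ACCEPT$pins
# Hook the chain in ahead of anything else in FORWARD
ebtables -D FORWARD -j $CHAIN 2>/dev/null || true
ebtables -I FORWARD 1 -j $CHAIN
EOF
}

# apply_rules: generate, then execute as root under "sh -e" so a failing
# ebtables call aborts before the chain is hooked into FORWARD.
apply_rules() {
    rules=$(gen_rules) || return 1
    printf '%s\n' "$rules" | sh -e
}

# Stand-alone: print the generated rules for the sample map (no root needed).
# To enforce them on the hypervisor:  printf '%s\n' "$VM_MAP" | apply_rules
printf '%s\n' "$VM_MAP" | gen_rules
```

Two caveats on what this does and does not cover. The rules key on the frame's source MAC (`-s`), exactly like the hand-written ones, so a guest that changes its own MAC is not held by them; since libvirt gives each guest its own tap device, the input interface (`-i vnetN`) is the thing to match on if that matters to you. IPv6 is not pinned here at all; it would need the same shape of rule with `-p IPv6 --ip6-src`, plus the `::` allowance already shown above for duplicate-address detection.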