I have a Debian 11 server and I am running a Qemu/KVM virtual machine on it, created via Qemu commands. There is a bridge device on the server named br0, and the VM has a TAP device named vm0.

I want to avoid MAC/IP spoofing by creating an nft ruleset.

I've tried the following, but it doesn't work, meaning that when I change the MAC address via the macchanger tool the packets aren't dropped:

nft add table bridge filter
nft add chain bridge filter forward \{ type filter hook forward priority filter \; policy accept \;}
nft add rule bridge filter forward iifname vm0 ether type ip ether saddr != <MAC_ADDR_ALLOWED> ether type ip ip saddr != <IP_ADDR_ALLOWED> drop

The output of the nft list ruleset looks like below:

table bridge filter {
        chain forward {
                type filter hook forward priority filter; policy accept;
                iifname "vm0" ether type ip ether saddr != <MAC_ADDR_ALLOWED> ip <IP_ADDR_ALLOWED> drop
        }
}

I reckon I'm doing something wrong; any help is appreciated.

Question: How to create a valid rule?

Thanks in advance.

Skipper

1 Answer

The correct way to achieve this is as follows:

nft add table bridge filter
nft add chain bridge filter forward '{ type filter hook forward priority filter; policy accept }'
nft add chain bridge filter allowed-mac
nft add rule bridge filter forward iifname "vm0" ether type ip jump allowed-mac
nft add rule bridge filter allowed-mac ether type ip ether saddr <MAC_ADDR_ALLOWED> ip saddr <IP_ADDR_ALLOWED> accept
nft add rule bridge filter allowed-mac drop

Which gives the following output:

nft list ruleset
table bridge filter {
        chain forward {
                type filter hook forward priority filter; policy accept;
                iifname "vm0" ether type ip jump allowed-mac
        }

        chain allowed-mac {
                ether saddr <MAC_ADDR_ALLOWED> ip saddr <IP_ADDR_ALLOWED> accept
                drop
        }
}

There is a fully explained post here

Skipper
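Why the question's single rule did not fire, and what the accepted answer still leaves open, is worth spelling out. Matches inside one nft rule are ANDed, so `ether saddr != MAC ip saddr != IP drop` only drops a frame whose MAC and IP are both wrong; changing just the MAC with macchanger leaves the IP intact and the rule never matches. The answer fixes that with a whitelist chain, but it only jumps on `ether type ip`, so ARP frames (which a VM uses to claim an IP on the segment) and IPv6 bypass the check, and the forward hook alone does not see frames addressed to the host's own address on br0. The script below is an added example, not code from the original post or answer: it generates a parameterised ruleset that pins both IPv4 and ARP to the allowed MAC/IP pair, drops everything else from the port with a counter, and attaches the same chain to the bridge forward and input hooks. The interface name, MAC, IP, chain name and script name are assumptions; replace them with your own.

```shell
#!/bin/sh
# Added example (not from the original post or answer): generate and load a
# bridge-family anti-spoofing ruleset for one VM TAP port. It extends the
# accepted answer by also pinning ARP and by covering frames addressed to the
# host (bridge "input" hook), not only bridged frames ("forward" hook).
# The interface, MAC and IP below are constructed placeholders, not real values.

VM_IF="${VM_IF:-vm0}"
VM_MAC="${VM_MAC:-52:54:00:12:34:56}"   # constructed example MAC (QEMU OUI)
VM_IP="${VM_IP:-192.0.2.10}"            # constructed example IPv4 (TEST-NET-1)

# gen_ruleset IFNAME MAC IP: print the ruleset as text. Pure generation, so it
# can be reviewed and checked with 'nft -c -f' before anything reaches the kernel.
gen_ruleset() {
    ifname=$1; mac=$2; ip=$3
    chain="${ifname}-antispoof"
    cat <<EOF
# Anti-spoofing for VM port $ifname: only the pair ($mac, $ip) may source traffic.
add table bridge filter
flush table bridge filter
table bridge filter {
    chain $chain {
        # IPv4: source MAC and source IP must BOTH match the allowed pair.
        # (A single rule with two "!=" matches, as in the question, only fires
        # when both differ, so changing just the MAC slips through.)
        ether saddr $mac ip saddr $ip accept
        # ARP: the sender hardware/protocol addresses inside the ARP payload must
        # match too, otherwise the VM can still poison neighbours' ARP caches.
        ether saddr $mac arp saddr ether $mac arp saddr ip $ip accept
        # Everything else from this port is dropped: other MACs or IPs, IPv6,
        # and any other ethertype. Static addressing is assumed; a DHCP client
        # would additionally need "ip saddr 0.0.0.0" allowed for DISCOVER/REQUEST.
        counter drop
    }

    # Frames bridged out to another port (other VMs, the uplink NIC).
    chain forward {
        type filter hook forward priority filter; policy accept;
        iifname "$ifname" jump $chain
    }

    # Frames delivered to the host itself (the address on br0).
    chain input {
        type filter hook input priority filter; policy accept;
        iifname "$ifname" jump $chain
    }
}
EOF
}

# apply_ruleset IFNAME MAC IP: dry-run syntax check, then atomic load
# (needs root and the nft binary).
apply_ruleset() {
    tmp=$(mktemp) || return 1
    gen_ruleset "$@" > "$tmp"
    nft -c -f "$tmp" && nft -f "$tmp"
    rc=$?
    rm -f "$tmp"
    return $rc
}

case "${1:-show}" in
    apply) apply_ruleset "$VM_IF" "$VM_MAC" "$VM_IP" ;;
    show)  gen_ruleset "$VM_IF" "$VM_MAC" "$VM_IP" ;;
    *)     echo "usage: $0 [show|apply]" >&2; exit 2 ;;
esac
```

Run it as `VM_MAC=... VM_IP=... sh antispoof.sh show` (hypothetical file name) to review the generated text, then with `apply` to check it with `nft -c -f` and load it. Repeat the macchanger test from the question afterwards: `nft list chain bridge filter vm0-antispoof` shows the counter on the final drop rule increasing for every frame the VM sends with a foreign MAC, a foreign IP, or a forged ARP sender address.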