3

I have my KVM guests on a standard br0 bridge setup:

auto br0
iface br0 inet static
    address 192.168.1.117
    netmask 255.255.255.0
    # network/broadcast for a /24 are .0 and .255 (the original listed .1 and .225)
    network 192.168.1.0
    broadcast 192.168.1.255
    gateway 192.168.1.1
    bridge_ports eth0
    bridge_stp off
    bridge_fd 0

auto eth1
iface eth1 inet static
    address 10.0.0.117
    netmask 255.255.255.0
    gateway 10.0.0.1
    broadcast 10.0.0.255

eth1 is reserved for other traffic, but a guest could simply change its IP to connect to it.

What I am trying to achieve is dropping all traffic towards the host / outside / other guests as soon as a guest attempts to change either its IP address or MAC address (in an attempt to join the other network / spoof another guest).

I tried many interfaces (eth0, br0, tap0, tap+) but I cannot seem to get my rule right:

iptables -A INPUT -m physdev --physdev-in tap+ --physdev-out tap+ -s 192.168.1.205 -m mac ! --mac-source 52:54:5a:8d:77:8e -j DROP

IP forwarding is enabled; there are no other rules in iptables. Am I missing something, or should I consider trying to achieve this another way?

Matt
  • 295
  • 2
  • 10

2 Answers

2

I tried to make a template for a simple set of iptables rules for your problem; try this out:

# Create the per-guest chain first; the FORWARD rule below jumps to it.
iptables -t filter -N ${VMID}-out
# Bridged frames only reach iptables when net.bridge.bridge-nf-call-iptables=1 (br_netfilter loaded).
iptables -t filter -A FORWARD -m physdev --physdev-in $LINK_FOR_THE_VM --physdev-is-bridged -j ${VMID}-out
# Drop anything not carrying the guest's assigned source MAC.
iptables -t filter -A ${VMID}-out -m mac ! --mac-source $MAC_ADDR_FOR_THE_VIRTUAL_NIC -j DROP
# Allow DHCP discover/request, which is sent from 0.0.0.0 before the guest has an address.
iptables -t filter -A ${VMID}-out -s 0.0.0.0/32 -d 255.255.255.255/32 -p udp -m udp --sport 68 --dport 67 -j ACCEPT
iptables -t filter -A ${VMID}-out ! -s $PERMITTED_IP_ADDR_FOR_THE_VM -j DROP
iptables -t filter -A ${VMID}-out -j RETURN

Here is an example:

# Create the chain before jumping to it.
iptables -t filter -N 10-out
iptables -t filter -A FORWARD -m physdev --physdev-in vm10 --physdev-is-bridged -j 10-out
iptables -t filter -A 10-out -m mac ! --mac-source 52:54:5a:8d:77:8e -j DROP
iptables -t filter -A 10-out -s 0.0.0.0/32 -d 255.255.255.255/32 -p udp -m udp --sport 68 --dport 67 -j ACCEPT
iptables -t filter -A 10-out ! -s 192.168.1.205 -j DROP
iptables -t filter -A 10-out -j RETURN

Dewr
  • 121
  • 4
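The following script is an added example, not code from the question or from either answer. It turns the per-guest chain idea above into a small generator that builds one chain per guest from an inventory of (vmid, tap, MAC, IP) rows, validates the MAC and IP before emitting anything (a malformed entry must not silently produce a chain that accepts everything), and hooks the chain from both INPUT and FORWARD without `--physdev-is-bridged`, so traffic to the host itself and routed traffic towards the eth1 subnet from the question pass through the same MAC/IP pinning as bridged frames. That hooking goes beyond the answer's template, which only catches bridged frames. Assumptions: the tap names `vm10`/`vm11`, the second guest's MAC and IP, and the `<vmid>-out` chain naming are constructed sample values; `IPTABLES` defaults to `echo` so the script prints the rules instead of applying them (set `IPTABLES=iptables` and run as root to apply). Bridged frames still only traverse iptables when `net.bridge.bridge-nf-call-iptables=1`.

```shell
#!/bin/sh
# Added example: per-guest iptables chains that pin a tap device to one MAC
# address and one IPv4 address. Sample inventory below is constructed.
# IPTABLES defaults to "echo" so the rules are printed, not applied.

IPTABLES="${IPTABLES:-echo}"

# True when $1 looks like a colon-separated 48-bit MAC address.
valid_mac() {
    printf '%s' "$1" | grep -Eq '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$'
}

# True when $1 is a dotted-quad IPv4 address with every octet in 0..255.
valid_ipv4() {
    printf '%s' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    for octet in $(printf '%s' "$1" | tr '.' ' '); do
        [ "$octet" -le 255 ] || return 1
    done
}

# Print the iptables arguments for one guest, one rule per line:
#   guest_rules <vmid> <tap> <mac> <ip>
# Returns 1 and prints nothing if the MAC or IP is malformed.
# The chain is reached from FORWARD (bridged and routed traffic) and INPUT
# (traffic to the host), so --physdev-is-bridged is deliberately not used.
guest_rules() {
    vmid="$1" tap="$2" mac="$3" ip="$4"
    valid_mac "$mac" || return 1
    valid_ipv4 "$ip" || return 1
    chain="${vmid}-out"
    printf '%s\n' \
      "-t filter -N $chain" \
      "-t filter -A FORWARD -m physdev --physdev-in $tap -j $chain" \
      "-t filter -A INPUT -m physdev --physdev-in $tap -j $chain" \
      "-t filter -A $chain -m mac ! --mac-source $mac -j DROP" \
      "-t filter -A $chain -s 0.0.0.0/32 -d 255.255.255.255/32 -p udp -m udp --sport 68 --dport 67 -j ACCEPT" \
      "-t filter -A $chain ! -s $ip -j DROP" \
      "-t filter -A $chain -j RETURN"
}

# Validate first, then feed each rule line to $IPTABLES as separate arguments.
apply_guest() {
    rules=$(guest_rules "$@") || return 1
    printf '%s\n' "$rules" | while IFS= read -r rule; do
        # shellcheck disable=SC2086  # word splitting into arguments is intended
        $IPTABLES $rule
    done
}

# Constructed sample inventory: vmid tap mac ip. The first row reuses the
# values from the question; the second row is made up for illustration.
GUESTS='10 vm10 52:54:5a:8d:77:8e 192.168.1.205
11 vm11 52:54:00:12:34:56 192.168.1.206'

main() {
    printf '%s\n' "$GUESTS" | while read -r vmid tap mac ip; do
        apply_guest "$vmid" "$tap" "$mac" "$ip" \
            || echo "skipping guest $vmid: malformed MAC or IP" >&2
    done
}

main
```

Running it as-is prints seven lines per guest; the order matters: the MAC check comes before the DHCP exception so a guest cannot bootstrap a spoofed address via DHCP, and the DHCP exception comes before the source-IP check because DHCP discover/request is sent from 0.0.0.0.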
1

As far as I can see you just can't do some of the things you need to do with iptables. You need filtering at the bridge level. You should probably take a look at ebtables - it's like iptables for bridges.

Manual: http://ebtables.sourceforge.net/misc/ebtables-man.html

Eduardo Ivanec
  • 14,531
  • 1
  • 35
  • 42