
I have one Debian server with one network interface, I've configured a bridge for KVM and shorewall with two zones in the same interface so I have the "net" zone and the "kvm" for kvm guests, here are the relevant files in /etc/shorewall:

interfaces

#ZONE   INTERFACE       OPTIONS
net     br0             tcpflags,logmartians,nosmurfs,sourceroute=0,dhcp

zones

#ZONE   TYPE    OPTIONS                 IN                      OUT
#                                       OPTIONS                 OPTIONS
fw      firewall
net     ipv4
kvm:net ipv4

hosts

#ZONE           HOSTS                           OPTIONS
kvm             br0:192.168.1.0/24              -

The kvm zone is a sub-zone of the net zone. Now I want to provide network access to kvm guests:

snat

#ACTION            SOURCE            DEST 
MASQUERADE        192.168.1.0/24     br0

and finally this is the policy file:

#SOURCE         DEST            POLICY          LOG LEVEL       LIMIT:BURST
$FW             all             ACCEPT
kvm             net             ACCEPT
kvm             $FW             DROP            info
net             all             DROP            #info
# The FOLLOWING POLICY MUST BE LAST
all             all             REJECT          #info

I've also configured a DHCP server to provide IPs to the guests, and allowed ip_forward in shorewall.conf.

Everything is working, but I'm seeing a lot of neighbour servers making requests to the DHCP server and getting IPs from it.

If I am understanding this correctly, every neighbour that uses my kvm IP range is part of my kvm zone and is getting Internet access through my firewall.

I thought about filtering kvm zone members by MAC address, but I don't think it is a good solution since MAC addresses can be set easily. How can I solve this?

Lluís
  • To clarify, you want guest machines to have internet access but not non guests that are connected to the kvm network? – wrieedx Mar 14 '18 at 01:43

1 Answer

If I am understanding your situation correctly, you want to separate your guests from your non-guests and control their internet and service access differently using shorewall. The easiest way to do this I think would be to separate these two groups out into different zones. The guests would be connected to a private bridge and the non-guests would be connected to the lan. I created some example config files below to illustrate my point. I don't know to what extent you want non-guests accessing the internet or services in the kvm network, so for the sake of simplicity I blocked internet access and allowed access to all services.

interfaces

#ZONE   INTERFACE       OPTIONS
kvm     br0
net     eth0             tcpflags,logmartians,nosmurfs,sourceroute=0,dhcp

zones

#ZONE   TYPE    OPTIONS                 IN                      OUT
#                                       OPTIONS                 OPTIONS
fw      firewall
net     ipv4
kvm     ipv4
lan:net ipv4

hosts

#ZONE           HOSTS                           OPTIONS
lan             eth0:192.168.1.0/24  

policy

#SOURCE         DEST            POLICY          LOG LEVEL       LIMIT:BURST
$FW             all             ACCEPT
kvm             net             ACCEPT
kvm             lan             ACCEPT
kvm             $FW             DROP            info
lan             net             DROP
lan             kvm             ACCEPT
lan             $FW             DROP
net             all             DROP            #info
# The FOLLOWING POLICY MUST BE LAST
all             all             REJECT          #info
wrieedx
  • I only have one interface, how can I create a private bridge? which interfaces would be members of it? – Lluís Mar 14 '18 at 16:51
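To make the difference between the two configurations concrete, here is an added example (not code from the question, the answer, or Shorewall itself) that transcribes both sets of files into a small, simplified first-match model of Shorewall's zone and policy lookup: a hosts entry puts a source into its sub-zone, otherwise the interface's zone applies, and the first policy line whose SOURCE/DEST match wins. It assumes that simplification rather than Shorewall's full nested-zone semantics, and the neighbour address 192.168.1.77 is a constructed sample.

```python
import ipaddress

# Transcribed from the question's files: br0 belongs to "net", and the
# hosts file carves the kvm sub-zone out of it purely by IP range.
ORIGINAL = {
    "interfaces": {"br0": "net"},
    "hosts": [("kvm", "br0", "192.168.1.0/24")],
    "policy": [("$FW", "all", "ACCEPT"), ("kvm", "net", "ACCEPT"),
               ("kvm", "$FW", "DROP"), ("net", "all", "DROP"),
               ("all", "all", "REJECT")],
}

# Transcribed from the answer: guests sit on their own bridge br0 (zone kvm),
# the physical segment on eth0 is "net" with the "lan" sub-zone inside it.
FIXED = {
    "interfaces": {"br0": "kvm", "eth0": "net"},
    "hosts": [("lan", "eth0", "192.168.1.0/24")],
    "policy": [("$FW", "all", "ACCEPT"), ("kvm", "net", "ACCEPT"),
               ("kvm", "lan", "ACCEPT"), ("kvm", "$FW", "DROP"),
               ("lan", "net", "DROP"), ("lan", "kvm", "ACCEPT"),
               ("lan", "$FW", "DROP"), ("net", "all", "DROP"),
               ("all", "all", "REJECT")],
}


def zone_of(config, iface, src_ip):
    """Zone of a packet entering on iface from src_ip: a matching hosts
    entry (sub-zone) wins, otherwise the interface's own zone applies."""
    ip = ipaddress.ip_address(src_ip)
    for zone, host_iface, network in config["hosts"]:
        if host_iface == iface and ip in ipaddress.ip_network(network):
            return zone
    return config["interfaces"][iface]


def policy_for(config, src_zone, dst_zone):
    """First policy line whose SOURCE/DEST match ('all' matches any zone)."""
    for src, dst, action in config["policy"]:
        if src in (src_zone, "all") and dst in (dst_zone, "all"):
            return action
    raise LookupError(f"no policy for {src_zone} -> {dst_zone}")


def classify(config, iface, src_ip, dst_zone):
    """Return (source zone, policy action) for a packet headed to dst_zone."""
    zone = zone_of(config, iface, src_ip)
    return zone, policy_for(config, zone, dst_zone)


if __name__ == "__main__":
    # Constructed sample: a neighbour's box that took a DHCP lease, 192.168.1.77.
    print(classify(ORIGINAL, "br0", "192.168.1.77", "net"))  # ('kvm', 'ACCEPT')
    print(classify(FIXED, "eth0", "192.168.1.77", "net"))    # ('lan', 'DROP')
```

With the original files the neighbour lands in kvm just by using the right address on the shared segment and gets the kvm-to-net ACCEPT; with the answer's layout the same address on eth0 lands in lan and hits the lan-to-net DROP, while only hosts physically attached to br0 are kvm.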