Prevent hijacking IPs in KVM/libvirt

user3400748 asked:

How can I prevent a VM user/client from accessing IP addresses he doesn’t own but are routed over the same bridge on KVM/Libvirt?

IP addresses are routed to a Cisco switch VLAN consisting of a /24 (254 usable addresses), e.g. 105.100.1.0/24.

Here is an example of the setup.

VM1 - 105.100.1.5
VM2 - 105.100.1.6
VM3 - 105.100.1.7

How can I prevent VM1 from accessing addresses that he doesn’t own?

My answer:

You can’t use switch port security on the Cisco since all the VMs will be sharing a physical switch port. And you can’t use Linux iptables because the traffic is being bridged, not routed, through the hypervisor machine. But you can emulate switch port security on the hypervisor with Linux ebtables, which is a lesser-known layer 2/3 firewall on the Linux bridge. A quick and dirty example (and likely incomplete; I don’t generally bother with this):

# First allow some obvious stuff; might need other things I forgot about.
# DHCP clients send DISCOVER/REQUEST from 0.0.0.0, and IPv6 duplicate address
# detection is sent from ::, so let those through before the per-MAC checks.
ebtables -A FORWARD -p IPv4 --ip-src 0.0.0.0 -j ACCEPT
ebtables -A FORWARD -p IPv6 --ip6-src :: -j ACCEPT

# Prevent a source MAC address from using a wrong source IP.
# The MACs are the VMs' virtual NICs (see each guest's libvirt domain XML);
# the 192.0.2.x addresses are placeholders for the real per-VM addresses.
# Only IPv4 is pinned here; ARP and IPv6 source addresses are not restricted.
ebtables -A FORWARD -p IPv4 -s 52:54:00:70:C1:99 --ip-src ! 192.0.2.5 -j DROP
ebtables -A FORWARD -p IPv4 -s 52:54:00:A3:09:3F --ip-src ! 192.0.2.6 -j DROP
ebtables -A FORWARD -p IPv4 -s 52:54:00:18:65:2A --ip-src ! 192.0.2.7 -j DROP

View the full question and answer on Server Fault.
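As an added example (not part of the original question or answer), here is the same "port security" emulation done per VM tap interface instead of per source MAC only, with ARP covered as well, since a guest that can forge ARP sender fields can still hijack a neighbour's address even when its IPv4 source is pinned. The interface names (vnet0..vnet2), MACs and addresses are constructed to match the question's /24; the ebtables options used (-i, -s, --ip-src, --arp-ip-src, --arp-mac-src) are the standard ones. The script only prints the rules by default; pass "apply" to install them as root on a host with ebtables.

```sh
#!/bin/sh
# Added example: emulate switch port security for each VM on a Linux bridge
# with ebtables, one chain per tap interface. Not from the original answer.
# Interface names, MACs and IPs are constructed assumptions; libvirt names
# the tap devices vnetN and lists each guest's MAC in its domain XML.
set -eu

# Emit (do not apply) the ebtables commands that pin one VM interface to a
# single MAC and a single IPv4 address. $1 = tap interface, $2 = MAC, $3 = IP.
gen_rules() {
    vif=$1 vmac=$2 vip=$3
    chain="vm-$vif"
    cat <<EOF
# --- $vif: only $vmac / $vip may talk through this port ---
ebtables -N $chain 2>/dev/null || ebtables -F $chain
ebtables -D FORWARD -i $vif -j $chain 2>/dev/null || true
ebtables -A FORWARD -i $vif -j $chain
# Ethernet source must be the VM's own MAC (blocks MAC spoofing outright)
ebtables -A $chain -s ! $vmac -j DROP
# ARP sender fields must match too, or the guest can poison neighbour caches;
# sender IP 0.0.0.0 is an RFC 5227 address-conflict probe and is harmless
ebtables -A $chain -p ARP --arp-mac-src ! $vmac -j DROP
ebtables -A $chain -p ARP --arp-ip-src 0.0.0.0 -j ACCEPT
ebtables -A $chain -p ARP --arp-ip-src ! $vip -j DROP
# IPv4 source must be the assigned address; 0.0.0.0 is left open for DHCP
ebtables -A $chain -p IPv4 --ip-src 0.0.0.0 -j ACCEPT
ebtables -A $chain -p IPv4 --ip-src ! $vip -j DROP
# IPv6 is not pinned here; add --ip6-src rules the same way if you route it
ebtables -A $chain -j RETURN
EOF
}

# Apply one VM's rules on this host (needs root and ebtables installed).
apply_rules() {
    gen_rules "$@" | grep -v '^#' | sh -e
}

# Number of DROP rules produced for one VM; used as a sanity check.
count_drops() {
    gen_rules "$@" | grep -c -- '-j DROP'
}

# Constructed inventory matching the question's /24: interface, MAC, IP.
VM_TABLE='vnet0 52:54:00:70:c1:99 105.100.1.5
vnet1 52:54:00:a3:09:3f 105.100.1.6
vnet2 52:54:00:18:65:2a 105.100.1.7'

# Default is a dry run that prints the rules; "apply" installs them.
mode=${1:-print}
echo "$VM_TABLE" | while read -r ifc mac ip; do
    if [ "$mode" = apply ]; then
        apply_rules "$ifc" "$mac" "$ip"
    else
        gen_rules "$ifc" "$mac" "$ip"
    fi
done
```

The per-interface chain means a guest cannot get around the rules by changing its MAC (the first DROP catches that before any IP check), and re-running the script is safe because each chain is flushed and re-linked. libvirt packages the same idea as an nwfilter ("clean-traffic", parameterised with the guest's IP) that installs equivalent ebtables rules on each vnet interface automatically; the script above is the hand-rolled version for hosts where you want to see exactly what is enforced.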

Creative Commons License
This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.