How can I prevent a VM user/client from accessing IP addresses he doesn’t own but are routed over the same bridge on KVM/Libvirt?
IP addresses are routed to a cisco switch vLan consisting of a /24 254 usable addresses eg. 220.127.116.11/24.
Here is an example of the setup.
VM1 - 18.104.22.168
VM2 - 22.214.171.124
VM3 - 126.96.36.199
How can I prevent VM1 from accessing addresses that he doesn’t own?
You can’t use switch port security on the Cisco since all the VMs will be sharing a physical switch port. And you can’t use Linux
iptables because the traffic is being bridged, not routed, through the hypervisor machine. But you can emulate switch port security on the hypervisor with Linux
ebtables, which is a lesser-known layer 2/3 firewall on the Linux bridge. A quick and dirty example (and likely incomplete; I don’t generally bother with this):
    # First allow some obvious stuff; might need other things I forgot about
    ebtables -A FORWARD -p IPv4 -m ip --ip-source 0.0.0.0 -j ACCEPT
    ebtables -A FORWARD -p IPv6 -m ip6 --ip6-source :: -j ACCEPT

    # Prevent a source MAC address from using a wrong source IP
    ebtables -A FORWARD -p IPv4 -s 52:54:00:70:C1:99 -m ip --ip-source ! 192.0.2.5 -j DROP
    ebtables -A FORWARD -p IPv4 -s 52:54:00:A3:09:3F -m ip --ip-source ! 192.0.2.6 -j DROP
    ebtables -A FORWARD -p IPv4 -s 52:54:00:18:65:2A -m ip --ip-source ! 192.0.2.7 -j DROP
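A small generator for those per-VM pinning rules, added here as an example and not part of the original answer. It assumes a constructed MAC-to-address list, only prints the commands (pipe them into sh on the hypervisor to apply), and goes one step beyond the answer by also pinning the ARP sender address, since IP-only rules leave a VM free to answer ARP for a neighbour's address.

```shell
#!/bin/sh
# Constructed MAC -> IPv4 mapping (assumption: replace with your VM NICs and
# their assigned addresses). One "MAC IP" pair per line.
VM_MAP="52:54:00:70:c1:99 192.0.2.5
52:54:00:a3:09:3f 192.0.2.6
52:54:00:18:65:2a 192.0.2.7"

# Print ebtables commands that tie each source MAC to its one IPv4 address,
# for both IP frames and ARP frames crossing the bridge. Nothing is applied
# here; the output is meant to be reviewed and then piped into sh as root.
gen_ebtables_rules() {
    # $1: the "MAC IP" list
    printf '%s\n' "$1" | while read -r mac ip; do
        [ -n "$mac" ] && [ -n "$ip" ] || continue
        # IPv4 frames from this MAC must carry its assigned source address
        printf 'ebtables -A FORWARD -p IPv4 -s %s -m ip --ip-source ! %s -j DROP\n' \
            "$mac" "$ip"
        # ARP requests/replies from this MAC may only announce that address
        printf 'ebtables -A FORWARD -p ARP -s %s --arp-ip-src ! %s -j DROP\n' \
            "$mac" "$ip"
    done
}

# Number of rules the list produces (two per VM); handy as a sanity check
# before applying them.
count_rules() {
    gen_ebtables_rules "$1" | wc -l | tr -d ' '
}

gen_ebtables_rules "$VM_MAP"
```

Rules are appended, so run them once at boot (or clear the FORWARD chain first); libvirt's built-in clean-traffic nwfilter applies the same kind of MAC/IP/ARP pinning per VM interface if you would rather not manage ebtables by hand.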