unix:virtualization:kvm:ebtables

Differences

Previous revision: unix:virtualization:kvm:ebtables [2022/07/22 16:11] rodolico
Current revision: unix:virtualization:kvm:ebtables [2022/07/22 16:22] rodolico
Line 13: Line 13:
 | router | 00:16:3e:bd:26:71 | this is the router | | router | 00:16:3e:bd:26:71 | this is the router |
 | manage | 00:16:3e:37:26:72 | this is the one internal machine which may be reached | | manage | 00:16:3e:37:26:72 | this is the one internal machine which may be reached |
 +
 +Win10 is a //virtual// inside our network. We need to be able to access it from //manage//, and also it needs to access the Internet via //router//. We also want to access //Win10// via RDP over VPN. However, //Win10// should not 'see' anything else on our network.
 +
 +ebtables works with MAC addresses, so we track the MAC's. The above MAC's are samples randomly chosen from those assigned for some forms of virtualization; use your own MAC addresses.
 +
 +Basically, we add rules to allow access between //Win10// and //router//, and //Win10// and //manage//, then we add rules to not allow any other access.
 +
 +Not sure why, but we need protocols 0x800 and 0x806 (IPv4 and ARP) specifically allowed to the router or this will not work. You can still access from //manage// but not over a VPN connection. Still researching that.
  
  
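Review bot: the "Not sure why, but we need protocols 0x800 and 0x806" paragraph leaves the reason undocumented, and the reason matters for how the rules are written: before Win10 can send any IPv4 frame to router or manage it has to resolve their MAC addresses with ARP, and ARP requests are broadcast to ff:ff:ff:ff:ff:ff, so they never match an accept rule whose -d is the router's or manage's unicast MAC; without an explicit ARP (0x806) accept the broadcast requests fall through to the final DROP and no IPv4 connection can start. Suggest replacing "Not sure why, but" with that explanation, and noting that a separate IPv4 (0x800) accept is only needed if the per-pair rules described two paragraphs earlier do not already cover the destinations Win10 is allowed to reach.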
Line 27: Line 35:
 ebtables -A FORWARD -s 00:16:3e:37:26:72 -d 00:16:3e:6b:26:70 -j ACCEPT ebtables -A FORWARD -s 00:16:3e:37:26:72 -d 00:16:3e:6b:26:70 -j ACCEPT
 # not sure why, but we need these two protocols usable # not sure why, but we need these two protocols usable
-ebtables -A FORWARD -s 00:16:3e:6b:26:70 -p 800 -j ACCEPT +ebtables -A FORWARD -s 00:16:3e:6b:26:70 -p 0x800 -j ACCEPT 
-ebtables -A FORWARD -s 00:16:3e:6b:26:70 -p 806 -j ACCEPT+ebtables -A FORWARD -s 00:16:3e:6b:26:70 -p 0x806 -j ACCEPT
 # Drop all other traffic where Win10 is the source # Drop all other traffic where Win10 is the source
 ebtables -A FORWARD -s 00:16:3e:6b:26:70 -j DROP --log ebtables -A FORWARD -s 00:16:3e:6b:26:70 -j DROP --log
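Review bot: the rule `ebtables -A FORWARD -s 00:16:3e:6b:26:70 -p 0x800 -j ACCEPT` has no -d match, so it accepts every IPv4 frame Win10 sends to any MAC on the bridge, and the `-j DROP --log` rule two lines below is only reached by frames that are neither IPv4 nor ARP. That contradicts the goal added in this revision that Win10 should not 'see' anything else on the network: the isolation the chain provides is limited to non-IP traffic. Suggest either deleting the 0x800 rule if the pair rules for router and manage already accept Win10's IPv4 frames to those two MACs, or restricting it to the router, e.g. `ebtables -A FORWARD -s 00:16:3e:6b:26:70 -d 00:16:3e:bd:26:71 -p 0x800 -j ACCEPT`. The ARP rule has to stay open on -d because ARP requests are broadcast, but it can be narrowed with the ARP match to the addresses Win10 may resolve, e.g. `-p ARP --arp-ip-dst <router IP>` (the router's IP is not given on this page). After the change, `ebtables -L --Lc` shows per-rule counters, which confirms whether the DROP rule ever matches IPv4 frames.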
Line 36: Line 44:
 ebtables -L ebtables -L
 </code> </code>
 +
 +===== Links =====
 +  - https://superuser.com/questions/423276/what-does-type-ip-0x0800-in-the-ethernet-ii-part-of-a-ping-packet-mean
 +  - https://community.broadcom.com/symantecenterprise/communities/community-home/digestviewer/viewthread?MessageKey=39fec5ae-d06b-4c65-8b26-da0b35f530fc
 +  - https://sbarjatiya.com/notes_wiki/index.php/Basic_ebtables_configuration
 +  - http://ebtables.netfilter.org/
 +  - https://linux.die.net/man/8/ebtables
 +  - 
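Review bot: the Links list ends with an empty item (`  - `), which renders as a blank numbered entry; remove the trailing line or fill it in.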
unix/virtualization/kvm/ebtables.txt · Last modified: 2022/07/23 01:33 by rodolico