Differences

This shows you the differences between two versions of the page.

--- unix:virtualization:kvm:ebtables [2022/07/22 16:03] – created rodolico
+++ unix:virtualization:kvm:ebtables [2022/07/23 01:33] (current) – rodolico
@@ Line 3: / Line 3: @@
 I had a situation where I wanted to control access from one virtual to the others on the network. It could have been done via NAT, but the eventual goal is to have several virtual machines which can not "see" each other, and did now want to go building several virtual networks. So, I researched ebtables.
-<code bash>
+ebtables (http://ebtables.netfilter.org/) is a network filtering tool designed to work with Unix Bridges. Most (all?) virtualization software supports, and even recommends, using a network bridge.
-# this is the machine we want to restrict
-Win10:   00:16:3e:6b:26:70
-# this is the router
-router:  00:16:3e:bd:26:71
-# this is the one internal machine which may be reached
-manage:  00:16:3e:37:26:72
+Since a bridge forwards, the filtering is done under the FORWARD rule.
+In this example, we are looking at three machines:
+^ Name ^ MAC ^ Description^
+| Win10 | 00:16:3e:6b:26:70 | this is the machine we want to restrict |
+| router | 00:16:3e:bd:26:71 | this is the router |
+| manage | 00:16:3e:37:26:72 | this is the one internal machine which may be reached |
+Win10 is a //virtual// inside our network. We need to be able to access it from //manage//, and also it needs to access the Internet via //router//. We also want to access //Win10// via RDP over VPN. However, //Win10// should not 'see' anything else on our network.
+ebtables works with MAC addresses, so we track the MAC's. The above MAC's are samples randomly chosen from those assigned for some forms of virtualization; use your own MAC addresses.
+Basically, we add rules to allow access between //Win10// and //router//, and //Win10// and //manage//, then we add rules to not allow any other access.
+Not sure why, but we need protocols 0x800 and 0x806 (IPv4 and ARP) specifically allowed to the router or this will not work. You can still access from //manage// but not over a VPN connection. Still researching that.
+<code bash>
 # first, flush all tables (restore to default)
 ebtables -F
@@ Line 22: / Line 35: @@
 ebtables -A FORWARD -s 00:16:3e:37:26:72 -d 00:16:3e:6b:26:70 -j ACCEPT
 # not sure why, but we need these two protocols usable
-ebtables -A FORWARD -s 00:16:3e:6b:26:70 -p 800 -j ACCEPT
+ebtables -A FORWARD -s 00:16:3e:6b:26:70 -p 0x800 -j ACCEPT
-ebtables -A FORWARD -s 00:16:3e:6b:26:70 -p 806 -j ACCEPT
+ebtables -A FORWARD -s 00:16:3e:6b:26:70 -p 0x806 -j ACCEPT
 # Drop all other traffic where Win10 is the source
 ebtables -A FORWARD -s 00:16:3e:6b:26:70 -j DROP --log
@@ Line 31: / Line 44: @@
 ebtables -L
 </code>
+===== Links =====
+  - https://superuser.com/questions/423276/what-does-type-ip-0x0800-in-the-ethernet-ii-part-of-a-ping-packet-mean
+  - https://community.broadcom.com/symantecenterprise/communities/community-home/digestviewer/viewthread?MessageKey=39fec5ae-d06b-4c65-8b26-da0b35f530fc
+  - https://sbarjatiya.com/notes_wiki/index.php/Basic_ebtables_configuration
+  - http://ebtables.netfilter.org/
+  - https://linux.die.net/man/8/ebtables