unix:virtualization:kvm:ebtables
Differences
This shows you the differences between two versions of the page.
Next revision | Previous revision | ||
unix:virtualization:kvm:ebtables [2022/07/22 16:03] – created rodolico | unix:virtualization:kvm:ebtables [2022/07/23 01:33] (current) – rodolico | ||
---|---|---|---|
Line 3: | Line 3: | ||
I had a situation where I wanted to control access from one virtual to the others on the network. It could have been done via NAT, but the eventual goal is to have several virtual machines which can not " | I had a situation where I wanted to control access from one virtual to the others on the network. It could have been done via NAT, but the eventual goal is to have several virtual machines which can not " | ||
- | <code bash> | + | ebtables (http:// |
- | # this is the machine we want to restrict | + | |
- | Win10: | + | |
- | # this is the router | + | |
- | router: | + | |
- | # this is the one internal machine which may be reached | + | |
- | manage: | + | |
+ | Since a bridge forwards, the filtering is done under the FORWARD rule. | ||
+ | |||
+ | In this example, we are looking at three machines: | ||
+ | |||
+ | ^ Name ^ MAC ^ Description^ | ||
+ | | Win10 | 00: | ||
+ | | router | 00: | ||
+ | | manage | 00: | ||
+ | |||
+ | Win10 is a //virtual// inside our network. We need to be able to access it from //manage//, and also it needs to access the Internet via //router//. We also want to access //Win10// via RDP over VPN. However, //Win10// should not ' | ||
+ | |||
+ | ebtables works with MAC addresses, so we track the MAC's. The above MAC's are samples randomly chosen from those assigned for some forms of virtualization; | ||
+ | |||
+ | Basically, we add rules to allow access between //Win10// and //router//, and //Win10// and //manage//, then we add rules to not allow any other access. | ||
+ | |||
+ | Not sure why, but we need protocols 0x800 and 0x806 (IPv4 and ARP) specifically allowed to the router or this will not work. You can still access from //manage// but not over a VPN connection. Still researching that. | ||
+ | |||
+ | |||
+ | <code bash> | ||
# first, flush all tables (restore to default) | # first, flush all tables (restore to default) | ||
ebtables -F | ebtables -F | ||
Line 22: | Line 35: | ||
ebtables -A FORWARD -s 00: | ebtables -A FORWARD -s 00: | ||
# not sure why, but we need these two protocols usable | # not sure why, but we need these two protocols usable | ||
- | ebtables -A FORWARD -s 00: | + | ebtables -A FORWARD -s 00: |
- | ebtables -A FORWARD -s 00: | + | ebtables -A FORWARD -s 00: |
# Drop all other traffic where Win10 is the source | # Drop all other traffic where Win10 is the source | ||
ebtables -A FORWARD -s 00: | ebtables -A FORWARD -s 00: | ||
Line 31: | Line 44: | ||
ebtables -L | ebtables -L | ||
</ | </ | ||
+ | |||
+ | ===== Links ===== | ||
+ | - https:// | ||
+ | - https:// | ||
+ | - https:// | ||
+ | - http:// | ||
+ | - https:// | ||
+ |
unix/virtualization/kvm/ebtables.1658523799.txt.gz · Last modified: 2022/07/22 16:03 by rodolico