I'm trying to accomplish what I had hoped would be a fairly simple
filtering of traffic to my VMs, but I'm hitting a snag. The VMs are
allowing traffic when I wouldn't expect them to.
Host and Guest are both running the same platform:
Ubuntu 12.04.4 LTS
0.9.8-2ubuntu17.19
I have a basic bridge enabled on the host:
brctl addbr brdg
brctl addif brdg eth1
ip link set brdg up
The host has iptables support:
root@host:~# lsmod | grep filt
ip6table_filter 12815 0
ip6_tables 27864 2 ip6table_filter,xt_TPROXY
iptable_filter 12810 1
ip_tables 27473 4 iptable_raw,iptable_nat,iptable_mangle,iptable_filter
x_tables 29891 52 ebt_arp,ebt_ip,ip6table_filter,ebtables,xt_time,xt_connlimit,xt_realm,xt_addrtype,iptable_raw,xt_comment,xt_recent,xt_policy,ipt_ULOG,ipt_REJECT,ipt_REDIRECT,ipt_NETMAP,ipt_MASQUERADE,ipt_ECN,ipt_ecn,ipt_CLUSTERIP,ipt_ah,xt_set,xt_TPROXY,ip6_tables,xt_tcpmss,xt_pkttype,xt_physdev,xt_owner,xt_NFQUEUE,xt_NFLOG,xt_multiport,xt_mark,xt_mac,xt_limit,xt_length,xt_iprange,xt_helper,xt_hashlimit,xt_DSCP,xt_dscp,xt_dccp,xt_conntrack,xt_connmark,xt_CLASSIFY,xt_AUDIT,ipt_LOG,xt_tcpudp,xt_state,iptable_nat,iptable_mangle,iptable_filter,ip_tables
Guest network using bridge:
<interface type='bridge'>
  <mac address='00:11:22:33:44:55'/>
  <source bridge='brdg'/>
  <model type='virtio'/>
  <filterref filter='outbound-only'/>
  <address type='pci' domain='0x0000' bus='0x00' slot='0x03' function='0x0'/>
</interface>
<filter name='outbound-only' chain='root'>
  <uuid>0c834381-402c-faf3-019f-eb5a40ea6b61</uuid>
  <filterref filter='allow-arp'/>
  <filterref filter='allow-dhcp'/>
  <filterref filter='qemu-announce-self'/>
  <filterref filter='no-other-l2-traffic'/>
</filter>
My goal is to allow the guest to reach the internet, but not allow the
internet or other guests to reach this guest. I realize this config
is not sufficient for that, but I can't get any farther until I
understand the current behavior. From the look of the config, this
should essentially not be allowing anything except arp and dhcp. And
yet, the host has full connectivity. I can run apt-get update on the
VM, I can ping the VM from other nodes in my network, etc. It's
basically wide-open. So either one of the included rules is not
working as advertised, or I'm misunderstanding some feature of the
filtering process.
Any pointers would be appreciated. Thanks
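As an added example that is not part of the original post: this Python script resolves the nested <filterref> chain behind the interface's 'outbound-only' filter offline, so the composed rule set can be listed per chain and compared with what the host actually enforces. The bodies of allow-arp, allow-dhcp, qemu-announce-self and no-other-l2-traffic are constructed assumptions shaped like libvirt's stock filters, not definitions dumped from the poster's host.

```python
import xml.etree.ElementTree as ET

# Constructed filter bodies (assumption: shaped like libvirt's stock filters,
# not dumped from the poster's host). 'outbound-only' is the one quoted above.
FILTERS = {
    "outbound-only": "<filter name='outbound-only' chain='root'>"
        "<filterref filter='allow-arp'/><filterref filter='allow-dhcp'/>"
        "<filterref filter='qemu-announce-self'/>"
        "<filterref filter='no-other-l2-traffic'/></filter>",
    "allow-arp": "<filter name='allow-arp' chain='arp' priority='-500'>"
        "<rule action='accept' direction='inout' priority='500'/></filter>",
    "allow-dhcp": "<filter name='allow-dhcp' chain='ipv4' priority='-700'>"
        "<rule action='accept' direction='out' priority='100'>"
        "<udp srcportstart='68' dstportstart='67'/></rule>"
        "<rule action='accept' direction='in' priority='100'>"
        "<udp srcportstart='67' dstportstart='68'/></rule></filter>",
    "qemu-announce-self": "<filter name='qemu-announce-self' chain='root'>"
        "<rule action='accept' direction='out' priority='500'>"
        "<mac protocolid='arp'/></rule></filter>",
    "no-other-l2-traffic": "<filter name='no-other-l2-traffic' chain='root'>"
        "<rule action='drop' direction='inout' priority='1000'/></filter>",
}

def resolve_rules(name, filters, _stack=()):
    # Every rule reachable from `name` as (filter, chain, action, direction,
    # priority, match) tuples, following <filterref> recursively. A reference
    # cycle or an undefined filter raises instead of recursing forever.
    if name in _stack:
        raise ValueError("filterref cycle: " + " -> ".join(_stack + (name,)))
    if name not in filters:
        raise KeyError("undefined filter referenced: " + name)
    root = ET.fromstring(filters[name])
    chain, rules = root.get("chain", "root"), []
    for child in root:
        if child.tag == "filterref":
            rules += resolve_rules(child.get("filter"), filters, _stack + (name,))
        elif child.tag == "rule":
            match = ",".join(m.tag for m in child) or "any"  # no match element: all frames
            rules.append((name, chain, child.get("action"), child.get("direction"),
                          int(child.get("priority", "500")), match))  # 500 = libvirt default
    return rules

def by_chain(rules):
    # Group per chain in evaluation order (ascending priority, lower checked first).
    chains = {}
    for r in sorted(rules, key=lambda r: (r[1], r[4])):
        chains.setdefault(r[1], []).append(r)
    return chains
```

Run `by_chain(resolve_rules("outbound-only", FILTERS))` and compare each chain's rules against the filter definitions the host reports (`virsh nwfilter-dumpxml <name>`) to see whether the composition on disk matches the one you expect.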