Hi everyone,
I have a server (Ubuntu 14.04 LTS) running KVM with a few guests (each
with static IP addresses) which I manage using libvirt. This machine
has a wired interface (br0 / p2p1) connecting to my internal network and
a wireless interface using dhcp (ppp0) as a secondary direct connection
to the internet.
My goal is to route all administration traffic for both the host and guests
through the wired interface (br0), while routing the service traffic,
and _only_ this traffic, through the ppp0 interface.
For example: One vm is a webserver and I wish to route all traffic on
ports 80 & 443 from ppp0 to that vm. Another vm is a mailserver and I
wish to route all the imap & pop traffic from ppp0 to that vm. At the
same time, I wish to be able to ssh in through the wired interface
(p2p1) and route all system maintenance traffic through the wired
interface as well. Additionally, I wish to drop/reject incoming traffic
on ppp0 which is not on these specified ports.
Reading the libvirt documentation, I have found a section which very
nearly describes my needs:
http://wiki.libvirt.org/page/Networking#Forwarding_Incoming_Connections
Unfortunately, I am unsure how to correctly modify the given examples
to meet my specific needs. To begin with, the examples assume a static
external IP, while mine is dynamic.
I think I would like to refer to the interface by name (ppp0) or perhaps
create a secondary bridge (br1) with a static IP, with ppp0 included by the
"bridge_ports ppp0" command, and then refer to the static IP of the new
bridge (br1).
Next, I don't see the correct mechanism which I could configure such
that all traffic coming in ppp0 which was not on the specified ports is
rejected/dropped and all administrative traffic, originating from both
the host and guests, is routed through the wired interface. I am
assuming that this also should be done through libvirt/virsh and not
directly through iptables.
If it matters, the wired interface connects to a router running
shorewall (and thus the server is in the "dmz" zone). The server itself
is not running shorewall or any other similar things. The router is
managing the primary connection to the internet, which is distinct from the
secondary wireless interface on the server, which connects to a
different ISP.
If anyone could give me some advice or point me to some additional or
more relevant documentation/examples I would really, really appreciate it.
Thanks!
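An added example, not part of the original message and not the libvirt wiki's own hook script: a POSIX shell script that generates the host-side rules for the setup described in the post. It matches the dynamic-address interface by name (ppp0) so no static external IP is needed, DNATs the chosen ports to two guests, masquerades the forwarded traffic so the guests reply to the host rather than to their normal gateway, uses CONNMARK plus a policy-routing table so those replies leave via ppp0 while the host's default route stays on br0, and rejects anything else arriving on ppp0. The interface names come from the post; the guest addresses, the mail port list, the mark value and the routing-table number are assumed placeholders. By default the script only prints the commands; `APPLY=1` executes them (as root), for instance from a libvirt `/etc/libvirt/hooks/qemu` hook or from pppd's ip-up script.

```shell
#!/bin/sh
# Added example, not from the original post or from libvirt's own scripts.
# Generates the host-side iptables / ip rules for the setup described above:
#  - match the dynamic-IP interface by NAME (ppp0) instead of its address,
#  - DNAT selected ports to specific guests, masquerading the forwarded
#    traffic so the guests reply to this host rather than to their gateway,
#  - CONNMARK + policy routing so replies leave via ppp0 even though the
#    host's default route stays on the wired side (br0),
#  - reject everything else that arrives on ppp0.
# Interface names come from the post; guest addresses, the mail port list,
# the mark and the table number are placeholders (assumed values).
EXT_IF="${EXT_IF:-ppp0}"           # dynamic (DHCP/PPP) interface
LAN_IF="${LAN_IF:-br0}"            # bridge to the internal network / guests
WEB_VM="${WEB_VM:-10.0.0.10}"      # placeholder guest address (constructed)
MAIL_VM="${MAIL_VM:-10.0.0.11}"    # placeholder guest address (constructed)
WEB_PORTS="80 443"
MAIL_PORTS="110 143 993 995"       # pop3, imap, imaps, pop3s (assumed list)
RT_TABLE="${RT_TABLE:-100}"        # routing table used for ppp0 replies
MARK=0x1

# Dry run by default: print each command. APPLY=1 executes it (root needed).
run() {
    if [ "${APPLY:-0}" = "1" ]; then "$@"; else printf '%s\n' "$*"; fi
}

# forward_ports GUEST "PORT PORT ..." : DNAT + FORWARD + MASQUERADE per port
forward_ports() {
    guest=$1
    for port in $2; do
        run iptables -t nat -A PREROUTING -i "$EXT_IF" -p tcp --dport "$port" \
            -j DNAT --to-destination "$guest:$port"
        run iptables -A FORWARD -i "$EXT_IF" -o "$LAN_IF" -p tcp -d "$guest" \
            --dport "$port" -m conntrack --ctstate NEW -j ACCEPT
        # Source-NAT so the guest's reply comes back through this host; the
        # trade-off is that the guest logs the host's address, not the client's.
        run iptables -t nat -A POSTROUTING -o "$LAN_IF" -p tcp -d "$guest" \
            --dport "$port" -j MASQUERADE
    done
}

gen_rules() {
    run sysctl -w net.ipv4.ip_forward=1

    # Mark connections that arrive on ppp0 and restore the mark on reply
    # packets, so the routing decision for replies selects the ppp0 table
    # (the reply's source is still the guest address at routing time, so a
    # plain "from <ppp0 address>" rule would not match).
    run iptables -t mangle -A PREROUTING -i "$EXT_IF" -m conntrack --ctstate NEW \
        -j CONNMARK --set-mark "$MARK"
    run iptables -t mangle -A PREROUTING -i "$LAN_IF" -m conntrack \
        --ctstate ESTABLISHED,RELATED -j CONNMARK --restore-mark
    run iptables -t mangle -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED \
        -j CONNMARK --restore-mark
    run ip rule add fwmark "$MARK" table "$RT_TABLE"
    run ip route replace default dev "$EXT_IF" table "$RT_TABLE"

    # Established traffic in either direction is allowed through.
    run iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    run iptables -A INPUT -i "$EXT_IF" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    forward_ports "$WEB_VM" "$WEB_PORTS"
    forward_ports "$MAIL_VM" "$MAIL_PORTS"

    # Anything else arriving on ppp0 (for the host or for forwarding) is
    # rejected; administrative access stays on br0, which is left untouched.
    run iptables -A INPUT -i "$EXT_IF" -j REJECT
    run iptables -A FORWARD -i "$EXT_IF" -j REJECT
}

# count_rules: number of commands gen_rules emits (useful to eyeball a dry run)
count_rules() { gen_rules | wc -l; }

gen_rules
```

Run it once without `APPLY` to review the generated rule set, then with `APPLY=1`. The rules use `-A`, so re-running them appends duplicates; if the script is called from a hook that fires on every guest start, flush the relevant chains first or guard with `iptables -C`. The `ip rule add` line likewise needs a matching `ip rule del` on teardown.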