[libvirt-users] Isolate VMs' network

All, I'm trying to set up a network with some virtual machines that can connect to each other and to the internet, but neither to the host nor to other VMs. Is there any preconfigured network filter or best practice for this setup? Of course, I could set up iptables rules on the host, but I'd prefer libvirt to handle them. - Chris

Hi there! I would like to know the same! Currently I am using iptables to do it. Thanks. 2017-06-05 8:58 GMT-03:00 Chris <chris2014@postbox.xyz>:
All,
I'm trying to set up a network with some virtual machines that can connect to each other and to the internet, but neither to the host nor to other VMs.
Is there any preconfigured network filter or best practice for this setup? Of course, I could set up iptables rules on the host, but I'd prefer libvirt to handle them.
- Chris
_______________________________________________ libvirt-users mailing list libvirt-users@redhat.com https://www.redhat.com/mailman/listinfo/libvirt-users

Hi Timo, Could you please show me a rule example that you are using? Thank you. Thiago 2017-06-05 10:48 GMT-03:00 Timo Juhani Lindfors <timo.lindfors@iki.fi>:
Hi,
Thiago Oliveira <cpv.thiago@gmail.com> writes:
I would like to know the same! Currently I am using iptables to do it.
I use ebtables.
-Timo

Thiago Oliveira <cpv.thiago@gmail.com> writes:
Could you please show me a rule example that you are using?
Here are some rules I'm using on a development VM. I think most of the ideas come from the ebtables rules used by libvirt itself. These just prevent IP spoofing. After this you can use IP addresses for access control much better.
ebtables -t nat -A PREROUTING -i dev-home -j i-dev
ebtables -t nat -A POSTROUTING -o dev-home -j o-dev
ebtables -t nat -A i-dev -p IPv4 -j i-dev-ipv4
ebtables -t nat -A i-dev -p ARP -j i-dev-arp
ebtables -t nat -A i-dev -j DROP
ebtables -t nat -A o-dev -p IPv4 -j o-dev-ipv4
ebtables -t nat -A o-dev -p ARP -j o-dev-arp
ebtables -t nat -A o-dev -j DROP
ebtables -t nat -A i-dev-ipv4 -s ! [CENSORED] -j DROP
ebtables -t nat -A i-dev-ipv4 -p IPv4 --ip-src ! [CENSORED] -j DROP
ebtables -t nat -A i-dev-ipv4 -p IPv4 --ip-dst ! [CENSORED] -j DROP
ebtables -t nat -A o-dev-ipv4 -p IPv4 --ip-src ! [CENSORED] -j DROP
ebtables -t nat -A o-dev-ipv4 -j ACCEPT
ebtables -t nat -A i-dev-arp -s ! [CENSORED] -j DROP
ebtables -t nat -A i-dev-arp -p ARP --arp-mac-src ! [CENSORED] -j DROP
ebtables -t nat -A i-dev-arp -p ARP --arp-ip-src ! [CENSORED] -j DROP
ebtables -t nat -A i-dev-arp -p ARP --arp-op Request -j ACCEPT
ebtables -t nat -A i-dev-arp -p ARP --arp-op Reply -j ACCEPT
ebtables -t nat -A i-dev-arp -j DROP
ebtables -t nat -A o-dev-arp -p ARP --arp-op Reply --arp-mac-dst ! [CENSORED] -j DROP
ebtables -t nat -A o-dev-arp -p ARP --arp-ip-dst ! [CENSORED] -j DROP
ebtables -t nat -A o-dev-arp -p ARP --arp-op Request -j ACCEPT
ebtables -t nat -A o-dev-arp -p ARP --arp-op Reply -j ACCEPT
ebtables -t nat -A o-dev-arp -j DROP
-Timo

On Mon, Jun 05, 2017 at 01:58:26PM +0200, Chris wrote:
All,
I'm trying to set up a network with some virtual machines that can connect to each other and to the internet, but neither to the host nor to other VMs.
Is there any preconfigured network filter or best practice for this setup? Of course, I could set up iptables rules on the host, but I'd prefer libvirt to handle them.
This can be done with the libvirt nwfilter APIs/commands, which will automate the create/teardown of ebtables rules at vm start/stop. You would have to ensure VMs get fixed IP addresses, and then define some rules that block the VM subnet, except for whitelisted entries, as well as blocking the host IP, but leaving other stuff open (to allow internet access). Regards, Daniel -- |: https://berrange.com -o- https://www.flickr.com/photos/dberrange :| |: https://libvirt.org -o- https://fstop138.berrange.com :| |: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|

Hi Chris, for all kinds of network configuration together with virtual machines and libvirt/QEMU I use openvswitch. libvirt together with openvswitch make it very easy to handle. Best regards Holger On 05.06.2017 at 13:58, Chris wrote:
All,
I'm trying to set up a network with some virtual machines that can connect to each other and to the internet, but neither to the host nor to other VMs.
Is there any preconfigured network filter or best practice for this setup? Of course, I could set up iptables rules on the host, but I'd prefer libvirt to handle them.
- Chris

Chris wrote:
I'm trying to set up a network with some virtual machines that can connect to each other and to the internet, but neither to the host nor to other VMs.
Thank you for your replies. Unfortunately, I didn't mention that I'd like to be able to test malicious software, so my network filtering shouldn't depend on the guests' IP addresses. I think I have to set up a new virtual "virus" interface and configure iptables on the host for this interface. Is this possible? - Chris

On Tue, Jun 06, 2017 at 08:50:45PM +0200, Chris wrote:
Chris wrote:
I'm trying to set up a network with some virtual machines that can connect to each other and to the internet, but neither to the host nor to other VMs.
Thank you for your replies. Unfortunately, I didn't mention that I'd like to be able to test malicious software, so my network filtering shouldn't depend on the guests' IP addresses. I think I have to set up a new virtual "virus" interface and configure iptables on the host for this interface. Is this possible?
You can use the network filters to setup antispoofing protection for both IP addresses and MAC addresses. In fact this is what the "clean-traffic" example filter libvirt provides will do for you. Regards, Daniel -- |: https://berrange.com -o- https://www.flickr.com/photos/dberrange :| |: https://libvirt.org -o- https://fstop138.berrange.com :| |: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|

Daniel, Are you talking about XML? If yes, could you please show us an example? Thank you. Thiago 2017-06-06 18:03 GMT-03:00 Daniel P. Berrange <berrange@redhat.com>:
On Tue, Jun 06, 2017 at 08:50:45PM +0200, Chris wrote:
Chris wrote:
I'm trying to set up a network with some virtual machines that can connect to each other and to the internet, but neither to the host nor to other VMs.
Thank you for your replies. Unfortunately, I didn't mention that I'd like to be able to test malicious software, so my network filtering shouldn't depend on the guests' IP addresses. I think I have to set up a new virtual "virus" interface and configure iptables on the host for this interface. Is this possible?
You can use the network filters to setup antispoofing protection for both IP addresses and MAC addresses. In fact this is what the "clean-traffic" example filter libvirt provides will do for you.
Regards, Daniel -- |: https://berrange.com -o- https://www.flickr.com/photos/dberrange :| |: https://libvirt.org -o- https://fstop138.berrange.com :| |: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|

On Tue, Jun 06, 2017 at 11:37:27PM -0300, Thiago Oliveira wrote:
Daniel,
Are you talking about XML? If yes, could you please show us an example?
<domain>
  ...
  <devices>
    ...
    <interface type='bridge'>
      <mac address='00:16:3e:5d:c7:9e'/>
      <filterref filter='clean-traffic'/>
    </interface>
    ...
  </devices>
  ...
</domain>
There is quite a lot more info here: http://libvirt.org/formatnwfilter.html http://libvirt.org/firewall.html
Regards, Daniel -- |: https://berrange.com -o- https://www.flickr.com/photos/dberrange :| |: https://libvirt.org -o- https://fstop138.berrange.com :| |: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|
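The following nwfilter definition puts Daniel's earlier description (fixed guest IPs, block the host IP, block the VM subnet, leave the rest open for internet access) into the XML form he points at. It is an added example for this thread, not code from the thread or one of libvirt's own example filters. The variable names HOST_IP, VM_NET and IP, the filter name isolate-vm, the /24 mask and the file name are all chosen here; it also assumes the guests obtain DHCP and DNS from the host's dnsmasq, which is why UDP 67 and 53 to the host stay open while everything else to the host is dropped.

```xml
<!-- isolate-vm.xml (assumed file name): load with
       virsh nwfilter-define isolate-vm.xml
     Rules are evaluated in ascending priority order. Rules using <all>
     and <udp> are rendered by libvirt as iptables rules; the referenced
     clean-traffic filter adds the ebtables-level MAC/IP/ARP anti-spoofing. -->
<filter name='isolate-vm' chain='root'>

  <!-- libvirt's example filter: frames whose MAC, IP or ARP source do not
       match the interface MAC and the pinned $IP are dropped. -->
  <filterref filter='clean-traffic'/>

  <!-- Assumption: the host runs dnsmasq for the guests, so DHCP (67) and
       DNS (53) towards the host, and the host's replies, remain allowed. -->
  <rule action='accept' direction='out' priority='100'>
    <udp dstipaddr='$HOST_IP' dstportstart='67'/>
  </rule>
  <rule action='accept' direction='out' priority='110'>
    <udp dstipaddr='$HOST_IP' dstportstart='53'/>
  </rule>
  <rule action='accept' direction='in' priority='120'>
    <udp srcipaddr='$HOST_IP' srcportstart='67'/>
  </rule>
  <rule action='accept' direction='in' priority='130'>
    <udp srcipaddr='$HOST_IP' srcportstart='53'/>
  </rule>

  <!-- Everything else addressed to the host itself is dropped. -->
  <rule action='drop' direction='out' priority='200'>
    <all dstipaddr='$HOST_IP'/>
  </rule>

  <!-- Nothing to or from the other guests on the bridge (a /24 is assumed). -->
  <rule action='drop' direction='out' priority='300'>
    <all dstipaddr='$VM_NET' dstipmask='24'/>
  </rule>
  <rule action='drop' direction='in' priority='310'>
    <all srcipaddr='$VM_NET' srcipmask='24'/>
  </rule>

  <!-- What survived is addressed beyond the bridge: let it out. -->
  <rule action='accept' direction='out' priority='500'>
    <all/>
  </rule>
</filter>
```

To attach it, replace the `<filterref filter='clean-traffic'/>` in the interface shown above with `<filterref filter='isolate-vm'>` and pass the three variables as `<parameter name='IP' value='...'/>`, `<parameter name='HOST_IP' value='...'/>` and `<parameter name='VM_NET' value='...'/>` child elements. Passing IP explicitly is what pins the guest to a fixed address for clean-traffic, as Daniel recommended; a quick check after starting the guest is that pinging another guest or the host (other than DNS) fails while name resolution and outbound connections still work.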

Hi Daniel, I added the option <filterref filter='clean-traffic'/> and my VM stopped pinging the gateway and the other VMs on the same host. I would like to prevent VMs in different subnets from pinging or spoofing other VMs. Each subnet is related to a customer and I would like to separate the traffic like a VLAN does. Is this possible with some options in XML? Thank you very much. Thiago 2017-06-07 5:25 GMT-03:00 Daniel P. Berrange <berrange@redhat.com>:
On Tue, Jun 06, 2017 at 11:37:27PM -0300, Thiago Oliveira wrote:
Daniel,
Are you talking about XML? If yes, could you please show us an example?
<domain>
  ...
  <devices>
    ...
    <interface type='bridge'>
      <mac address='00:16:3e:5d:c7:9e'/>
      <filterref filter='clean-traffic'/>
    </interface>
    ...
  </devices>
  ...
</domain>
There is quite a lot more info here:
http://libvirt.org/formatnwfilter.html http://libvirt.org/firewall.html
Regards, Daniel -- |: https://berrange.com -o- https://www.flickr.com/photos/dberrange :| |: https://libvirt.org -o- https://fstop138.berrange.com :| |: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|

Daniel P. Berrange wrote:
<filterref filter='clean-traffic'/>
There is quite a lot more info here:
http://libvirt.org/formatnwfilter.html http://libvirt.org/firewall.html
Ok, clean-traffic! Good idea. I'll try this. - Chris
participants (5): Chris, Daniel P. Berrange, Holger Schranz, Thiago Oliveira, Timo Juhani Lindfors