>>That is the other direction? I talk about OUTPUT from HOST into VM 

I wanted to say that the connection can't be established because the return packet 
is blocked in INPUT.
But indeed, they are incoming packets from host to tap.
(I have tested with ping and ssh from host to guest, I never get a response if I 
filter INPUT)


>>> Jan 24 06:49:18 kvmtest1 kernel: [318034.190051] ALLTRAFFICOUTPUT: IN= 
>>> OUT=vmbr1 SRC=10.3.94.31 DST=10.3.94.201 LEN=84 TOS=0x00 PREC=0x00 
>>> TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=7239 SEQ=21 
>>
>>exactly. What if I want to block that? 

The only way is to block the dst IP in OUTPUT, but we need to know the guest IP.


>>If you have several bridges with assigned IPs, traffic can be routed from one 
>>VM to another VM on a different bridge. This will bypass all your firewall 
>>rules!

I'll test that today


----- Mail original ----- 

De: "Dietmar Maurer" <diet...@proxmox.com> 
À: "Alexandre DERUMIER" <aderum...@odiso.com> 
Cc: "pve-devel" <pve-devel@pve.proxmox.com> 
Envoyé: Vendredi 24 Janvier 2014 07:05:03 
Objet: RE: [pve-devel] RFC : iptables implementation 

> >>The problem is that all routed traffic from HOST to VM is allowed. So 
> >>a good test would be trying to block something. 
> 
> yes, but the return packet (tap-->input) is blocked, so you can't establish a 
> connection 


> iptables -A INPUT -m physdev --physdev-in tap115i0 -j DROP 
> 
> or 
> 
> iptables -A INPUT -m mac --mac-source 32:36:8A:E1:B5:65 -j DROP 

That is the other direction? I talk about OUTPUT from HOST into VM 

> 
> host : 10.3.94.31 
> guest : 10.3.94.201 
> 
> #ping 10.3.94.201 
> 
> host---->tap : allowed 
> Jan 24 06:49:18 kvmtest1 kernel: [318034.190051] ALLTRAFFICOUTPUT: IN= 
> OUT=vmbr1 SRC=10.3.94.31 DST=10.3.94.201 LEN=84 TOS=0x00 PREC=0x00 
> TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=7239 SEQ=21 

exactly. What if I want to block that? 

If you have several bridges with assigned IPs, traffic can be routed from one 
VM to another VM on a different bridge. This will bypass all your firewall rules! 
_______________________________________________
pve-devel mailing list
pve-devel@pve.proxmox.com
http://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
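As an added example (not code from the thread or from Proxmox): a small Python classifier run over iptables LOG lines in the format quoted above. It separates host-to-guest packets (IN= empty, OUT=vmbr1, the direction a physdev-in rule in INPUT never sees and only an OUTPUT rule on the guest's address can match) from packets the host routes between two bridges. The second sample line, its ALLTRAFFICFORWARD prefix and the second bridge are constructed; the set of guest IPs is assumed to be known, as the thread points out it must be.

```python
import re

# Constructed sample of iptables LOG output in the format quoted in the thread.
# Line 1 is the thread's ALLTRAFFICOUTPUT entry (host 10.3.94.31 pinging guest
# 10.3.94.201); line 2 is made up here (assumed prefix ALLTRAFFICFORWARD) to show
# a packet from a guest on vmbr1 that the host routes out of a second bridge.
SAMPLE_LOG = """\
Jan 24 06:49:18 kvmtest1 kernel: [318034.190051] ALLTRAFFICOUTPUT: IN= OUT=vmbr1 SRC=10.3.94.31 DST=10.3.94.201 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=7239 SEQ=21
Jan 24 06:49:19 kvmtest1 kernel: [318035.112233] ALLTRAFFICFORWARD: IN=vmbr1 OUT=vmbr2 PHYSIN=tap115i0 SRC=10.3.94.201 DST=10.3.95.10 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=7240 SEQ=1
"""

LOG_RE = re.compile(r"kernel: \[[0-9.\s]+\] (?P<prefix>\S+): (?P<fields>.*)$")

def parse_log_line(line):
    """Return (prefix, fields) for an iptables LOG line, or None for other lines."""
    m = LOG_RE.search(line)
    if not m:
        return None
    fields = {}
    for tok in m.group("fields").split():
        key, sep, val = tok.partition("=")
        # First value wins for repeated keys (ID= is the IP ID, the later ID= the
        # ICMP echo ID); bare flags such as DF are stored as True.
        if key not in fields:
            fields[key] = val if sep else True
    return m.group("prefix"), fields

def classify(fields, guest_ips, bridge_prefix="vmbr"):
    """Label the direction of a logged packet from its IN=/OUT=/DST= fields."""
    inp, out = fields.get("IN", ""), fields.get("OUT", "")
    # Locally generated (IN empty) and leaving via a bridge to a known guest IP:
    # the host->VM direction that a --physdev-in rule in INPUT never sees and
    # that only an OUTPUT rule on the guest's address can match.
    if inp == "" and out.startswith(bridge_prefix) and fields.get("DST") in guest_ips:
        return "host-to-guest"
    # Entered on one bridge and forwarded out another: the inter-bridge routing
    # the thread warns goes around per-tap rules.
    if inp.startswith(bridge_prefix) and out.startswith(bridge_prefix) and inp != out:
        return "routed-between-bridges"
    return "other"

def scan(log_text, guest_ips):
    """Classify every LOG line in log_text; returns [(label, SRC, DST), ...]."""
    results = []
    for line in log_text.splitlines():
        parsed = parse_log_line(line)
        if parsed:
            fields = parsed[1]
            results.append((classify(fields, guest_ips), fields["SRC"], fields["DST"]))
    return results
```

Feed it the output of `journalctl -k` or `/var/log/kern.log` from a host with a LOG rule in OUTPUT and FORWARD, with the real guest addresses in `guest_ips`, to see which logged packets the per-tap INPUT rules would never have matched.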