Re: filter network traffic of KVM guests.
Hi.
On Thu, May 17, 2018 at 08:11:06PM +0200, Chris wrote:
> All,
>
> I'd like to filter network traffic of KVM guests.
>
> case A:
> - no MAC / IP Spoofing
> - isolate guest, connections to the gateway only
> - no connection to the KVM host
> - no NAT
> - maybe contradictory: same subnet as KVM host
Either ebtables (for a conventional bridge) or macvtap in private mode
will do it. Openvswitch will work too, but it's nowhere near in
simplicity compared to macvtap.
> case B:
> - no MAC / IP Spoofing
> - isolate guest, connections to the gateway only
> - no connection to the KVM host
> - no NAT
> - some guests should share a "private VLAN"
Ditto, but combine private macvtap with external reflector switch.
> What's the easiest way to separate KVM guests' traffic on the host?
>
> I read it's deprecated to use iptables on a linux bridge. [1]
Yup, you should not. Besides, iptables is for IP-based protocols anyway.
There are ebtables if you really need to deal with the bridges.
> I don't like the libvirt (NAT) iptables rules. The default libvirt
> network connections aren't secure the way they are pre-configured.
> A good summary is in [2] (German only).
It's designed with desktop virtualization in mind, so it's no wonder it's
unsuitable for anything even remotely looking like a server :).
> Is Open vSwitch a viable solution? Can OVS ACLs (or firewall) be used
> instead of iptables?
You got it wrong. If you're implementing openvswitch, you *have* to
utilize its flows instead of iptables. Openvswitch bypasses netfilter by
design.
Reco
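For the ebtables route mentioned above (conventional bridge, "case A"), here is an added example of what the rule set for one guest port can look like; it is not part of the thread and not Reco's code. The port name vnet0, the guest MAC/IP and the gateway MAC/IP are constructed assumptions, and the script only prints the rules unless `apply_case_a` is called as root.

```shell
#!/bin/sh
# Added example, not from the thread: ebtables rules for "case A" on a
# conventional Linux bridge. Assumed names: the guest's tap port is vnet0,
# its MAC/IP are the constructed 52:54:00:aa:bb:cc / 192.0.2.10, and the
# gateway is 00:00:5e:00:01:01 / 192.0.2.1. Expects ebtables (legacy or nft).
set -eu

# Print the rules for one guest port. Frames the guest sends are checked in
# FORWARD with -i, frames delivered to the guest with -o, and frames aimed at
# the host's own bridge interface go through INPUT.
case_a_rules() {
    port=$1 mac=$2 ip=$3 gw_mac=$4 gw_ip=$5
    cat <<EOF
# anti-spoofing: only the assigned source MAC and IPv4 address may leave $port
ebtables -A FORWARD -i $port -s ! $mac -j DROP
ebtables -A FORWARD -i $port -p IPv4 --ip-src ! $ip -j DROP
ebtables -A FORWARD -i $port -p ARP --arp-mac-src ! $mac -j DROP
ebtables -A FORWARD -i $port -p ARP --arp-ip-src ! $ip -j DROP
# isolation: ARP may only resolve the gateway, IPv4 may only go to its MAC,
# everything else (other guests, IPv6, unknown ethertypes) is dropped
ebtables -A FORWARD -i $port -p ARP --arp-ip-dst $gw_ip -j ACCEPT
ebtables -A FORWARD -i $port -p IPv4 -d $gw_mac -j ACCEPT
ebtables -A FORWARD -i $port -j DROP
# only the gateway may send frames into the guest port (assumes DHCP, if any,
# is served by the gateway)
ebtables -A FORWARD -o $port -s ! $gw_mac -j DROP
# no connection to the KVM host itself
ebtables -A INPUT -i $port -j DROP
EOF
}

# Count the ebtables commands a rule set contains (sanity check before applying).
count_rules() { case_a_rules "$@" | grep -c '^ebtables'; }

# Apply the rules; refuses to run unless root, so a dry run is always safe.
apply_case_a() {
    [ "$(id -u)" -eq 0 ] || { echo "apply_case_a: run as root" >&2; return 1; }
    case_a_rules "$@" | sh -e
}

# Dry run: print the rule set for review.
case_a_rules vnet0 52:54:00:aa:bb:cc 192.0.2.10 00:00:5e:00:01:01 192.0.2.1
```

The FORWARD policy stays ACCEPT for other bridge ports; each guest gets its own copy of the `-i`/`-o` rules with its own MAC and IP.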