Ubuntu – Firewall on a KVM host, prevent access to VMs

Tags: firewall, iptables, kvm-virtualization, networking, Ubuntu

I have a Linux machine running KVM with several VMs, all of which have public IPs. For the time being I have everything routed through a bridge (br0) and this works well.

I also need a firewall on the host to restrict access to both the host and the VMs. I guess we are talking about routing and iptables? I'm not that experienced with iptables/bridging/network stuff and need a pointer in the right direction.

Any recommendations?

Host: Ubuntu server 11.04, VM: Mixed, Linux and Windows

Best Answer

iptables can be set up to check bridge traffic. I usually disable it to improve performance, but you can do the opposite: /etc/sysctl.conf:

net.bridge.bridge-nf-call-ip6tables = 0
net.bridge.bridge-nf-call-iptables = 0
net.bridge.bridge-nf-call-arptables = 0

If you set any of these to 1 instead of 0, you'll have the host's iptables filtering the traffic for the bridge.

Another solution would be to stop using the bridge and use libvirt's NAT implementation, which uses iptables as well.

EDIT: since both ways are rather faulty IMO, I would run the firewalls in the guests themselves, leaving them on a normal bridged network. Or, which would be even more proper, run a separate firewall appliance in front of the virtual infrastructure.
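As an added example (not code from the answer or the asker), here is what the first approach looks like once the sysctl is flipped to 1: a POSIX shell script that filters frames crossing br0 in the host's FORWARD chain, per VM, and locks down the host's own INPUT chain. The tap interface names vnet0/vnet1, the exposed ports and the APPLY variable are constructed assumptions, not values from the page.

```shell
#!/bin/sh
# Added example, not from the original answer: turn the answer's sysctl
# approach into a host ruleset that filters bridged traffic to the VMs.
# Assumptions (constructed, not from the page): the VMs' tap interfaces
# are vnet0/vnet1 and the ports below are the services to expose.
# By default every command is only printed; APPLY=1 (as root) executes it.
run() {
    if [ "${APPLY:-0}" = "1" ]; then "$@"; else echo "$*"; fi
}

# The sysctls from the answer set to 1: frames crossing br0 now pass
# through the host's iptables (FORWARD chain) instead of bypassing it.
enable_bridge_filtering() {
    run sysctl -w net.bridge.bridge-nf-call-iptables=1
    run sysctl -w net.bridge.bridge-nf-call-ip6tables=1
}

# Restrict what may reach one VM. $1 = the VM's tap interface on br0,
# remaining args = TCP ports to allow from anywhere. --physdev-out
# selects frames leaving the bridge towards that VM, so replies and
# the listed ports are accepted and everything else is dropped.
restrict_vm() {
    vif="$1"; shift
    run iptables -A FORWARD -m physdev --physdev-is-bridged --physdev-out "$vif" \
        -m state --state ESTABLISHED,RELATED -j ACCEPT
    for port in "$@"; do
        run iptables -A FORWARD -m physdev --physdev-is-bridged --physdev-out "$vif" \
            -p tcp --dport "$port" -j ACCEPT
    done
    run iptables -A FORWARD -m physdev --physdev-is-bridged --physdev-out "$vif" -j DROP
}

# The host itself is reached through the INPUT chain, not FORWARD,
# so it needs its own rules (here: SSH only).
restrict_host() {
    run iptables -A INPUT -i lo -j ACCEPT
    run iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    run iptables -A INPUT -p tcp --dport 22 -j ACCEPT
    run iptables -A INPUT -j DROP
}

build_ruleset() {
    enable_bridge_filtering
    restrict_vm vnet0 80 443   # constructed: a Linux web VM
    restrict_vm vnet1 3389     # constructed: a Windows VM reachable over RDP
    restrict_host
}

build_ruleset
```

With APPLY=1 the rules are appended to whatever is already in the chains, so review `iptables -L FORWARD -v` afterwards and persist the sysctl in /etc/sysctl.conf as the answer describes, or it is lost at reboot.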
