Linux.com

KVM network bridge iptables question

Link to this post 24 Jun 11

I have a Linux server that hosts KVM virtual machines.

eth0 for local network traffic has a static IP and has virtual bridge vbr0 for KVM virtual machines to use for local traffic

eth1 is setup with virtual bridge vbr1 only and doesn't have any IP, vbr1 is used to provide public interface to a KVM running a firewall distro. This firewall distro has the public IP address and also a private IP address on vbr0 that is the default gateway for all my other KVMs.

So my question: With eth1 not having an IP addresss are there any iptable rules that need to be setup on eth1 on the real server to protect from hacking attempts and are there any ways for people to gain access to the real host thru eth1 with it not having an IP?

Thanks,
Ernie

Link to this post 02 Dec 11

Hi Eshaffer,

TCP header need to supply destination IP address information in order for gateway to know where to route packet, apply translation if needed, and perform similar tasks. Since there is no ip address defined, there is no way for packet to even reach your interface, therefore socket cannot be opened to communicate with your system at application level.

But in case i missed something, this should do the job.

iptables -A INPUT -i eth1 -j DROP
iptables -A OUTPUT -i eth1 -j DROP

Who we are ?

The Linux Foundation is a non-profit consortium dedicated to the growth of Linux.

More About the foundation...

Frequent Questions

Join / Linux Training / Board