Hi.

On Thu, May 17, 2018 at 08:11:06PM +0200, Chris wrote:
> All,
> 
> I'd like to filter network traffic of KVM guests.
> 
> case A:
> - no MAC / IP Spoofing
> - isolate guest, connections to the gateway only
> - no connection to the KVM host
> - no NAT
> - maybe contradictory: same subnet as KVM host

Either ebtables (for a conventional brigde) or macvtap in private mode
will do it. Openvswitch will work too, but it's nowhere near in
simplicity compared to macvtap.


> case B:
> - no MAC / IP Spoofing
> - isolate guest, connections to the gateway only
> - no connection to the KVM host
> - no NAT
> - some guests should share a "private VLAN"

Ditto, but combine private macvtap with external reflector switch.

> What's the easiest way to separate KVM guests' traffic on the host?
> 
> I read it's deprecated to use iptables on a linux bridge. [1]

Yup, you should not. Besides, iptables is for IP-based protocols anyway.
There are ebtables if you really need to deal with the bridges.


> I don't like the libvirt (NAT) iptables rules. The default libvirt
> network connections aren't secure the way they are pre-configured.
> A good summary is in [2] (German only).

It's designed with desktop vitualization in mind, so it's no wonder it's
unsuitable for anything even remotely looking like a server :).


> Is Open vSwitch a viable solution? Can OVS ACLs (or firewall) be used 
> instead of iptables?

You got it wrong. If you're implementing openvswtich, you *have* to
utilize its flows instead of iptables. Openvswitch bypasses netfilter by
design.

Reco

Reply via email to