Re: Isolate VMs' network

Thiago Oliveira <cpv.thiago@xxxxxxxxx> writes:
> Could you please show me a rule example that you are using?

Here are some rules I'm using on a development VM. I think most of the
ideas come from the ebtables rules used by libvirt itself. These just
prevent IP spoofing. After this you can use IP addresses for access
control much better.

ebtables -t nat -A PREROUTING -i dev-home -j i-dev
ebtables -t nat -A POSTROUTING -o dev-home -j o-dev

ebtables -t nat -A i-dev -p IPv4 -j i-dev-ipv4
ebtables -t nat -A i-dev -p ARP -j i-dev-arp
ebtables -t nat -A i-dev -j DROP

ebtables -t nat -A o-dev -p IPv4 -j o-dev-ipv4
ebtables -t nat -A o-dev -p ARP -j o-dev-arp
ebtables -t nat -A o-dev -j DROP

ebtables -t nat -A i-dev-ipv4 -s ! [CENSORED] -j DROP
ebtables -t nat -A i-dev-ipv4 -p IPv4 --ip-src ! [CENSORED] -j DROP
ebtables -t nat -A i-dev-ipv4 -p IPv4 --ip-dst ! [CENSORED] -j DROP
# Explicit ACCEPT: a user chain that ends without a verdict returns to the
# caller (i-dev), whose last rule is DROP, so the IPv4 frames that pass the
# checks above would otherwise be dropped there.
ebtables -t nat -A i-dev-ipv4 -j ACCEPT

ebtables -t nat -A o-dev-ipv4 -p IPv4 --ip-src ! [CENSORED] -j DROP
ebtables -t nat -A o-dev-ipv4 -j ACCEPT

ebtables -t nat -A i-dev-arp -s ! [CENSORED] -j DROP
ebtables -t nat -A i-dev-arp -p ARP --arp-mac-src ! [CENSORED] -j DROP
ebtables -t nat -A i-dev-arp -p ARP --arp-ip-src ! [CENSORED] -j DROP
ebtables -t nat -A i-dev-arp -p ARP --arp-op Request -j ACCEPT
ebtables -t nat -A i-dev-arp -p ARP --arp-op Reply -j ACCEPT
ebtables -t nat -A i-dev-arp -j DROP

ebtables -t nat -A o-dev-arp -p ARP --arp-op Reply --arp-mac-dst ! [CENSORED] -j DROP
ebtables -t nat -A o-dev-arp -p ARP --arp-ip-dst ! [CENSORED] -j DROP
ebtables -t nat -A o-dev-arp -p ARP --arp-op Request -j ACCEPT
ebtables -t nat -A o-dev-arp -p ARP --arp-op Reply -j ACCEPT
ebtables -t nat -A o-dev-arp -j DROP

-Timo

_______________________________________________
libvirt-users mailing list
libvirt-users@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvirt-users
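The following is an added example, not Timo's script and not libvirt's own code. It is a POSIX shell function that emits the same kind of anti-spoofing rule set for one VM interface, with the values the post censors passed in as parameters, and goes a little beyond the post: it creates the user-defined chains with `-N` (the post only shows the `-A` lines), ends every user chain with an explicit verdict, and validates the MAC and IPv4 arguments before printing anything. Assumptions of mine, since the post censors them: the MAC on the `-s`/`--arp-mac-src`/`--arp-mac-dst` rules is the VM's MAC, the IP on `--ip-src`/`--arp-ip-src`/`--arp-ip-dst` is the VM's IP, and the IP on `--ip-dst` (from the VM) and the outgoing `--ip-src` is a single peer such as the host; the peer is optional here. The chain names `i-IFACE`/`o-IFACE` and the sample values are constructed.

```shell
#!/bin/sh
# Added example (not from the post): print the ebtables anti-spoofing rules
# for one VM interface. Dry run only; review the output and pipe it to "sh"
# on the host to apply.

valid_mac() {
    # six colon-separated hex pairs, e.g. 52:54:00:12:34:56
    case "$1" in
        [0-9a-fA-F][0-9a-fA-F]:[0-9a-fA-F][0-9a-fA-F]:[0-9a-fA-F][0-9a-fA-F]:[0-9a-fA-F][0-9a-fA-F]:[0-9a-fA-F][0-9a-fA-F]:[0-9a-fA-F][0-9a-fA-F]) return 0 ;;
        *) return 1 ;;
    esac
}

valid_ipv4() (
    # dotted quad, each octet 0-255; the subshell body keeps IFS and -f local
    IFS=.
    set -f
    set -- $1
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case $octet in
            ''|*[!0-9]*) return 1 ;;
        esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
)

# antispoof_rules IFACE VM_MAC VM_IP [PEER_IP]
antispoof_rules() {
    iface=$1 mac=$2 vm_ip=$3 peer_ip=${4:-}
    valid_mac "$mac" || { echo "invalid MAC: $mac" >&2; return 1; }
    valid_ipv4 "$vm_ip" || { echo "invalid IPv4: $vm_ip" >&2; return 1; }
    if [ -n "$peer_ip" ]; then
        valid_ipv4 "$peer_ip" || { echo "invalid IPv4: $peer_ip" >&2; return 1; }
    fi
    i=i-$iface o=o-$iface
    e="ebtables -t nat"

    # User-defined chains must exist before a rule can jump to them.
    for c in $i $o $i-ipv4 $o-ipv4 $i-arp $o-arp; do
        echo "$e -N $c"
    done

    # Frames from the VM go through the i- chains, frames to it through o-.
    echo "$e -A PREROUTING -i $iface -j $i"
    echo "$e -A POSTROUTING -o $iface -j $o"

    # Only IPv4 and ARP are allowed at all; anything else is dropped.
    for d in $i $o; do
        echo "$e -A $d -p IPv4 -j $d-ipv4"
        echo "$e -A $d -p ARP -j $d-arp"
        echo "$e -A $d -j DROP"
    done

    # From the VM: source MAC and source IP must be the VM's own.
    echo "$e -A $i-ipv4 -s ! $mac -j DROP"
    echo "$e -A $i-ipv4 -p IPv4 --ip-src ! $vm_ip -j DROP"
    if [ -n "$peer_ip" ]; then
        echo "$e -A $i-ipv4 -p IPv4 --ip-dst ! $peer_ip -j DROP"
    fi
    # A user chain that falls off its end returns to the caller, which drops,
    # so the verdict has to be explicit.
    echo "$e -A $i-ipv4 -j ACCEPT"

    # To the VM: optionally only from the peer.
    if [ -n "$peer_ip" ]; then
        echo "$e -A $o-ipv4 -p IPv4 --ip-src ! $peer_ip -j DROP"
    fi
    echo "$e -A $o-ipv4 -j ACCEPT"

    # ARP from the VM: sender MAC/IP must be the VM's; only request/reply pass.
    echo "$e -A $i-arp -s ! $mac -j DROP"
    echo "$e -A $i-arp -p ARP --arp-mac-src ! $mac -j DROP"
    echo "$e -A $i-arp -p ARP --arp-ip-src ! $vm_ip -j DROP"
    echo "$e -A $i-arp -p ARP --arp-op Request -j ACCEPT"
    echo "$e -A $i-arp -p ARP --arp-op Reply -j ACCEPT"
    echo "$e -A $i-arp -j DROP"

    # ARP to the VM: replies must be addressed to the VM's MAC and IP.
    echo "$e -A $o-arp -p ARP --arp-op Reply --arp-mac-dst ! $mac -j DROP"
    echo "$e -A $o-arp -p ARP --arp-ip-dst ! $vm_ip -j DROP"
    echo "$e -A $o-arp -p ARP --arp-op Request -j ACCEPT"
    echo "$e -A $o-arp -p ARP --arp-op Reply -j ACCEPT"
    echo "$e -A $o-arp -j DROP"
}

# Constructed sample values when run without arguments.
if [ $# -ge 3 ]; then
    antispoof_rules "$@"
else
    antispoof_rules dev-home 52:54:00:12:34:56 192.0.2.10 192.0.2.1
fi
```

After applying, `ebtables -t nat -L` shows the chains and their rules, and a quick check from inside the VM (ping with a temporarily changed address) should get nothing through. ebtables chain names are limited to 31 characters, so keep the interface part short. libvirt ships the same idea as the `clean-traffic` nwfilter, which is the easier route when the VM is managed by libvirt.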
