Hello,

Tomasz Chmielewski wrote:
> I have a kvm host and two kvm guests running on it.
>
> kvm1 is assigned 1.2.3.4 IP with 11:22:33:44:55:66 MAC; uses vmtab107i0 bridged tap interface.
> kvm2 is assigned 1.2.3.22 IP with AA:BB:CC:DD:EE:FF MAC.
>
> To prevent spoofing, I created these ebtables rules:
>
> # create a chain for kvm1
> ebtables -N vm107
>
> # drop everything, unless it's accepted later
> ebtables -P vm107 DROP
>
> # guest communication with the gateway
> ebtables -A INPUT -i vmtab107i0 -j vm107
> ebtables -A OUTPUT -o vmtab107i0 -j vm107

Do you need to prevent spoofing by the host itself?

> # guest communication with the world
> ebtables -A FORWARD -o vmtab107i0 -j vm107
>
> # allow 1st IP with this MAC
> ebtables -A vm107 -p IPv4 -s 11:22:33:44:55:66 --ip-src 1.2.3.4 -j ACCEPT

I don't see how this rule would match anything in the OUTPUT chain.

> ebtables -A vm107 -p IPv4 -d 11:22:33:44:55:66 --ip-dst 1.2.3.4 -j ACCEPT
>
> # allow broadcast traffic
> ebtables -A vm107 -p IPv4 --ip-dst 1.2.3.64 -j ACCEPT

Spoofing protection is about the source, not the destination, so these two rules are pointless.

[...]

> What anti-spoofing rules do I need to have to prevent some kvm guests
> pretending to be other kvm guests (or, even pretending to be "gateways")?

Just create rules called from INPUT and FORWARD which match the input interface (bridge port) and the MAC and IP source address.

ebtables -A INPUT -i vmtab107i0 -j vm107
ebtables -A FORWARD -i vmtab107i0 -j vm107
ebtables -A vm107 -p IPv4 -s 11:22:33:44:55:66 --ip-src 1.2.3.4 \
    -j ACCEPT
ebtables -A vm107 -p ARP -s 11:22:33:44:55:66 \
    --arp-mac-src 11:22:33:44:55:66 --arp-ip-src 1.2.3.4 -j ACCEPT

--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
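The per-guest rule set the reply describes, generalised to any number of guests, as an added example that is not part of either list message. It is a small POSIX shell generator: one function emits, for a given chain, bridge port, MAC and IP, the INPUT/FORWARD jumps plus the IPv4 and ARP source-match ACCEPT rules, with a DROP policy on the per-guest chain (ebtables, unlike iptables, allows a policy on a user-defined chain, as the original post already relies on). The guest data for kvm1 comes from the thread; kvm2's tap name `vmtab108i0` is an assumption, since the thread never names it. By default the script only prints the commands so they can be reviewed; pass `--apply` to run them.

```shell
#!/bin/sh
# Anti-spoofing ebtables rules per KVM guest, following the approach in the
# reply: match the ingress bridge port (-i) in INPUT and FORWARD, then accept
# only frames whose source MAC and IPv4/ARP source address belong to that guest.
# Everything else arriving on that port is dropped by the chain policy.

# vm_antispoof_rules CHAIN TAP MAC IP
# Prints the ebtables commands for one guest, one per line.
vm_antispoof_rules() {
    chain=$1; tap=$2; mac=$3; ip=$4
    cat <<EOF
ebtables -N $chain
ebtables -P $chain DROP
ebtables -A INPUT -i $tap -j $chain
ebtables -A FORWARD -i $tap -j $chain
ebtables -A $chain -p IPv4 -s $mac --ip-src $ip -j ACCEPT
ebtables -A $chain -p ARP -s $mac --arp-mac-src $mac --arp-ip-src $ip -j ACCEPT
EOF
}

# all_guest_rules: constructed guest inventory (chain tap mac ip per line).
# kvm1 values are from the thread; kvm2's tap name is a hypothetical placeholder.
all_guest_rules() {
    while read -r chain tap mac ip; do
        vm_antispoof_rules "$chain" "$tap" "$mac" "$ip"
    done <<EOF
vm107 vmtab107i0 11:22:33:44:55:66 1.2.3.4
vm108 vmtab108i0 AA:BB:CC:DD:EE:FF 1.2.3.22
EOF
}

# Dry run by default; "--apply" executes the printed commands (needs root).
if [ "${1:-}" = "--apply" ]; then
    all_guest_rules | sh -e
else
    all_guest_rules
fi
```

Because the per-guest chain only ever sees frames that entered through that guest's own bridge port, a guest that forges another guest's MAC, IP or ARP sender fields simply fails every ACCEPT rule and hits the DROP policy; no OUTPUT rules are needed for this, since the host's own transmissions do not enter via a tap port.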