I have an Ubuntu server, acting as KVM host, and some virtual machines exposed to the net running under it.
The VMs have their own iptables rules, and they are networked via a direct bridge on the host, br0.
My question is, how should I deal with this bridge in iptables on the host? Do I consider it its own device and protect it as I would any interface? Is there something I should know that might block traffic to the guests if I block it on the host? Or maybe write my rules to the original interface eno1?
My current setup looks like this: (virbr0 is not used by any VM, vmnet0 is a running guest's network)
br0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet xxx.HOSTIP.xxx  netmask 255.255.255.0  broadcast 62.210.172.255
        inet6 fe80::d6ae:52ff:fece:993a  prefixlen 64  scopeid 0x20<link>
        inet6 xxx:HOSTIPv6::xxx  prefixlen xx  scopeid 0x0<global>
        ether d4:ae:52:ce:99:3a  txqueuelen 1000  (Ethernet)
        RX packets 753413  bytes 59239171 (59.2 MB)
        RX errors 0  dropped 51  overruns 0  frame 0
        TX packets 115967  bytes 17911763 (17.9 MB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

eno1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        ether d4:ae:52:ce:99:3a  txqueuelen 1000  (Ethernet)
        RX packets 993041  bytes 303457181 (303.4 MB)
        RX errors 0  dropped 599  overruns 0  frame 0
        TX packets 151299  bytes 22226710 (22.2 MB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 182799  bytes 19199389 (19.1 MB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 182799  bytes 19199389 (19.1 MB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

virbr0: flags=4099<UP,BROADCAST,MULTICAST>  mtu 1500
        inet 192.168.122.1  netmask 255.255.255.0  broadcast 192.168.122.255
        ether 52:54:00:3c:92:cf  txqueuelen 1000  (Ethernet)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

vnet0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet6 fe80::fc54:ff:fe00:825e  prefixlen 64  scopeid 0x20<link>
        ether fe:54:00:00:82:5e  txqueuelen 1000  (Ethernet)
        RX packets 25390  bytes 2725539 (2.7 MB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 683484  bytes 266619773 (266.6 MB)
        TX errors 0  dropped 16075  overruns 0  carrier 0  collisions 0
This mostly is a question of how much you trust your guest systems. As long as you don't mess with the FORWARD table beyond the basics for whatever routing you're doing, you should be fine doing just about anything you reasonably would on a regular interface. In most cases, it's generally a better idea to just lock down the interface like you would any other, then add exceptions as-needed (ideally documenting each), but if you absolutely trust your guest systems, there's no inherent harm in not locking it down.
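An added example of the approach the answer describes (not code from the question or the answer): br0 is locked down in INPUT like any other interface, and the only FORWARD change is the "basic" rule that keeps bridged frames flowing; it also reports whether bridged frames traverse iptables at all, which depends on br_netfilter. The SSH port and the `apply` switch are assumptions; interface names come from the question.

```shell
#!/bin/sh
# Added example, not code from the question or answer. Host-side iptables for
# a KVM host whose guests sit on bridge br0 (interface name from the question;
# the SSH port and the "apply" switch are assumptions).
BR=br0

# INPUT: traffic addressed to the host itself that arrives on br0. Treat the
# bridge like any other interface: default deny, then documented exceptions.
host_input_rules() {
  cat <<EOF
iptables -A INPUT -i $BR -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i $BR -p tcp --dport 22 -j ACCEPT   # admin SSH to the host
iptables -A INPUT -i $BR -j DROP                        # everything else host-bound
EOF
}

# FORWARD: the one "basic" rule for a bridge. When br_netfilter is loaded,
# guest-bound frames traverse FORWARD; inserting this accept first means later
# restrictive FORWARD rules cannot silently cut the guests off, and filtering
# of guest traffic stays with each guest's own iptables rules.
forward_rules() {
  cat <<EOF
iptables -I FORWARD 1 -m physdev --physdev-is-bridged -j ACCEPT
EOF
}

# Whether iptables FORWARD sees bridged frames at all. Arg: contents of
# /proc/sys/net/bridge/bridge-nf-call-iptables, or "missing" when the
# br_netfilter module is not loaded (then host rules never see guest traffic).
bridged_traffic_filtered() {
  case "$1" in
    1) echo yes ;;
    0|missing) echo no ;;
    *) echo unknown ;;
  esac
}

read_bridge_nf_setting() {
  f=/proc/sys/net/bridge/bridge-nf-call-iptables
  if [ -r "$f" ]; then cat "$f"; else echo missing; fi
}

# Print the ruleset by default; pass "apply" (as root) to load it.
if [ "$1" = "apply" ]; then
  { host_input_rules; forward_rules; } | sh
else
  host_input_rules; forward_rules
  echo "# FORWARD filters bridged frames: $(bridged_traffic_filtered "$(read_bridge_nf_setting)")"
fi
```

If the last line reports `no`, the host's INPUT rules still protect the host itself, but nothing on the host filters frames bridged to vnet0; that is the case where the guests' own rulesets are the only filter.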