Stewart Middleton
2012-08-08 17:27:27 UTC
I am hoping someone can advise on the potential security (or otherwise)
of the following setup.
Goal: The host is a rented dedicated server with a single physical
interface, that will be hosting a series of KVM based, virtualised
hosts. I want to be able to segregate the hosts at a network level, and
filter traffic between segregated groups, groups and the outside world &
groups and a VPN. At this stage I am not looking to filter between hosts
within each group, though I will probably look at that down the line,
presumably with ebtables if enforcing from the host.
Environment:
Distro: Debian Squeeze
Kernel: 2.6.32-5
Present Config:
eth0 - physical interface on the server
tun0 - OpenVPN device
br0 - bridge with /24 private IP address/subnet
br1 - bridge with /24 private IP address/subnet
..
brn - bridge with /24 private IP address/subnet
A series of KVM virtual guests whose virtual interface is connected to
one of the bridges.
The traffic is then routed by the host between eth0, tun0 and the bridge
interfaces and subsequently the guests, filtered (and NAT'd in the case
of public outbound) by an iptables ruleset running on the host.
On the face of it, this seems to work as intended, but reading around
there appear to be security issues with this approach involving global
iptables processing - e.g.:
http://publib.boulder.ibm.com/infocenter/lnxinfo/v3r0m0/topic/liaat/liaatkvmsecnetfilter.htm
So I would be interested in any advice in terms of:
1) Is the IBM info outdated?
2) Irrespective are there other network security issues with the
approach I have taken
3) Any suggestions on a better way to approach this (tho appreciate that
may well be for another mailing list)
Many thanks,
Stewart.
--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to ***@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
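The "global iptables processing" concern comes from bridge netfilter: when net.bridge.bridge-nf-call-iptables is 1, frames that are merely being bridged between two guests on the same brN also traverse the host's FORWARD chain, so a ruleset written only with routed traffic in mind can silently drop, or selectively permit, intra-group traffic. The script below is an added example of a ruleset for the setup described in the post; it is not the poster's actual configuration. Interface names (eth0, tun0, br0, br1) follow the post; the subnets and the VPN client range are constructed placeholders, and the gen_rules function name is ours. It handles the bridged-frame case explicitly with the physdev match, adds per-bridge anti-spoofing, and leaves bridge-to-bridge forwarding to the default DROP policy. By default it only prints the rules (IPT=echo) so they can be reviewed; set IPT=iptables to apply them.

```shell
#!/bin/sh
# Added example ruleset for a host routing between eth0, tun0 and
# several KVM bridges. Not the poster's rules. Subnets are constructed.
#
# Dry-run by default: prints the rules. Apply with: IPT=iptables sh fw.sh
IPT="${IPT:-echo}"

# bridge:subnet pairs, one guest group per bridge (constructed addresses)
GUEST_GROUPS="br0:10.0.0.0/24 br1:10.0.1.0/24"
VPN_IF=tun0
VPN_NET=10.8.0.0/24   # constructed OpenVPN client subnet
WAN_IF=eth0

gen_rules() {
    # Default deny for transit traffic. The host's own INPUT/OUTPUT
    # chains are out of scope here; prerequisites are ip_forward=1.
    $IPT -P FORWARD DROP
    $IPT -F FORWARD
    $IPT -t nat -F POSTROUTING

    # Frames being *bridged* (guest to guest on the same brN) still hit
    # FORWARD when net.bridge.bridge-nf-call-iptables=1. Accept them up
    # front so the routed-traffic rules below cannot touch them. (The
    # alternative is sysctl net.bridge.bridge-nf-call-iptables=0, which
    # keeps bridged frames out of iptables entirely; intra-group
    # filtering then belongs in ebtables.)
    $IPT -A FORWARD -m physdev --physdev-is-bridged -j ACCEPT

    # Return traffic for connections permitted below.
    $IPT -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    for pair in $GUEST_GROUPS; do
        br=${pair%%:*}
        net=${pair#*:}
        # Anti-spoofing: a guest on brN may only source its own subnet.
        $IPT -A FORWARD -i "$br" ! -s "$net" -j DROP
        # Group -> Internet, masqueraded behind the host's public address.
        $IPT -A FORWARD -i "$br" -o "$WAN_IF" -j ACCEPT
        $IPT -t nat -A POSTROUTING -s "$net" -o "$WAN_IF" -j MASQUERADE
        # Group <-> VPN clients, both directions.
        $IPT -A FORWARD -i "$br" -o "$VPN_IF" -d "$VPN_NET" -j ACCEPT
        $IPT -A FORWARD -i "$VPN_IF" -s "$VPN_NET" -o "$br" -d "$net" -j ACCEPT
    done
    # No rule permits brX -> brY or unsolicited inbound from eth0, so
    # both fall through to the DROP policy.
}

gen_rules
```

Because the physdev rule sits first, the per-group rules only ever see routed packets, which is what makes "no filtering within a group, strict filtering between groups" hold regardless of the bridge-nf sysctl. If the sysctl is later set to 0 the physdev rule simply never matches, and the rest of the ruleset is unchanged.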