Discussion:
Security validity of iptables in multi bridge environment.
(too old to reply)
Stewart Middleton
2012-08-08 17:27:27 UTC
Permalink
I am hoping someone can advise on the potential security (or otherwise)
of the following setup.

Goal: The host is a rented dedicated server with a single physical
interface, that will be hosting a series of KVM based, virtualised
hosts. I want to be able to segregate the hosts at a network level, and
filter traffic between segregated groups, groups and the outside world &
groups and a VPN. At this stage I am not looking to filter between hosts
within each group, though I will probably look at that down the line,
presumably with ebtables if enforcing from the host.

Environment:

Distro: Debian Squeeze
Kernel: 2.6.32-5

Present Config:

eth0 - physical interface on the server
tun0 - OpenVPN device
br0 - bridge with /24 private ipaddress/subnet
br1 - bridge with /24 private ipaddress/subnet
..
brn - bridge with /24 private ipaddress/subnet

A series of KVM virtual guests who's virtual interface is connected to
one of the bridges.

The traffic is then routed by the host between eth0, tun0 and the bridge
interfaces and subsequently the guests, filtered (and NAT'd in the case
of public outbound) by an iptables ruleset running on the host.

On the face of it, this seems to work as intended, but reading around
there appear to security issues with this approach involving global
iptables processing - e.g.:

http://publib.boulder.ibm.com/infocenter/lnxinfo/v3r0m0/topic/liaat/liaatkvmsecnetfilter.htm

So i would be interested in any advice in terms of:

1) Is the IBM info outdated?
2) Irrespective are there other network security issues with the
approach I have taken
3) Any suggestions on a better way to approach this (tho appreciate that
may well be for another mailing list)

Many thanks,
Stewart.



--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to ***@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Jan Engelhardt
2012-08-08 17:39:55 UTC
Permalink
Post by Stewart Middleton
http://publib.boulder.ibm.com/infocenter/lnxinfo/v3r0m0/topic/liaat/liaatkvmsecnetfilter.htm
"""Netfilter, although allowing the use of iptables to create layer 3
filtering rules, is also seen as a security risk for guest isolation because
Netfilter processing sometimes occurs on a global context (without
distinction of a source layer 2 port). """
1) Is the IBM info outdated?
Yes it is. -j CT --zone and -m physdev should be used
to resolve the "problem".
--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to ***@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Loading...