General user-mode-linux networking question

At home I use virtual servers as "bastion hosts". So my web server is on one vhost, the mail server on another, and so on. Up until now I've been using vserver but I'm migrating to a newer bigger machine and don't want to deal with maintaining my own host kernel, which might cause host OS interaction issues. So I'm wanting to rebuild using UML.

I've mostly got it working, but I'm not happy with the security of the networking.

I've tried using tuntap thus:

brctl addif br0 eth0
ifconfig br0 10.10.10.100 up
int=`tunctl -b`
brctl addif br0 $int
linux .... eth0=tuntap,$int ....

This works and the UML can set an IP address and sees the network. BUT.. the vhost decides on the IP address. If someone did manage to break into the vhost then they could disrupt other servers by changing IP address.

I looked at http://user-mode-linux.sourceforge.net/ … rking.html">http://user-mode-linux.sourceforge.net/old/networking.html but none of the options there appear to work well… OR I'm making a mistake!

Does anyone know a secure way of forcing the client to have a specific IP address on a bridged network?

Thanks!

4 Replies

Short answer: ebtables to filter MAC, ARP and IPv4.

-Chris

ebtables? Hmm, never heard of that… googlegooglegoogle. Ah, filtering at the ethernet level.

Interesting.

Do we need to go to that level, or could we use iptables "physdev" module, as described in http://www.linuxjournal.com/comment/reply/9421 ?

eg

iptables -A FORWARD -m physdev --physdev-in tap0 -s ! 10.1.1.10 -j DROP

Or does that still leave me open to spoofing?

Otherwise, could I bug you for a longer answer on how to use ebtables? Thanks!

( silly question deleted… that didn't work )

Hmm, the obvious command didn't work. A tcpdump on the host shows that's cos it doesn't allow ARP to work (lots of "who is" requests). But this seems to work:

ebtables -A FORWARD -i tap0 --among-src E6:EF:3B:43:11:11=10.0.0.250 -j ACCEPT
ebtables -A FORWARD -i tap0 -j DROP

Quick tests seem to mean that if the guest tries to change MAC or IP addresses then traffic out is blocked. So this looks good.

Am I missing anything else?

Reply

Please enter an answer
Tips:

You can mention users to notify them: @username

You can use Markdown to format your question. For more examples see the Markdown Cheatsheet.

> I’m a blockquote.

I’m a blockquote.

[I'm a link] (https://www.google.com)

I'm a link

**I am bold** I am bold

*I am italicized* I am italicized

Community Code of Conduct