2

Let's assume the following configuration: a router that announces IP subnets and a few Proxmox-based KVM hosts. Each Proxmox-based virtualisation host runs multiple virtual servers managed by customers and each virtual server gets one or multiple IPs assigned.

How can I prevent (mis-configured or evil) virtual servers from announcing IPs which don't belong to their server?

The best idea I could come up with is to use iptables firewall rules to block any traffic except incoming traffic with the correct destination address and outgoing traffic with the correct source address. That should work (but would also block any broadcast traffic I guess, though that would be acceptable for that scenario). However, is there any better way to do that (without alterations at the routers)? What is the common practice for this problem?

miho
  • 232
  • 5
  • 13

2 Answers

2

IPTables cannot block DHCP traffic, as it uses packet filters which tie into the IP stack, before the firewall. This link talks about CentOS, however the principle is the same.

If you're another customer on these hosts, raise an urgent support ticket with your provider's NOC indicating a rogue DHCP server on the network and they should (if they're doing their job properly) jump on it fairly quickly. If this is your hardware these VMs are running on and you don't have access to the VM broadcasting, I'd disable networking on the VM and have the customer connect via console to resolve the issue.

Christopher H
  • 368
  • 2
  • 18
1

After figuring out that iptables isn't the right fit for that, partly thanks to Christopher's answer above for that info, I did some reading into ebtables, just to figure out that Proxmox already has built-in support for preventing IP spoofing.

All that's necessary is to add the following rule to each virtual machine's firewall settings in Proxmox (see the /etc/pve/firewall/<VMID>.fw files); it works with IPv4 and IPv6:

[IPSET ipfilter-net0]
1.2.3.4
2f1:2:3:4::1

That was already hidden in the official docs anyhow: see section IP Sets > Standard IP set ipfilter-net*

miho
  • 232
  • 5
  • 13
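The ipfilter-net* set only protects a NIC when the VM firewall is actually enabled and the NIC is attached to it, so the practical follow-up is auditing every VM for a missing set. The script below is an added example, not code from the answer or from Proxmox. It assumes the real Proxmox file layout: /etc/pve/qemu-server/<VMID>.conf with lines like `net0: virtio=<MAC>,bridge=vmbr0,firewall=1`, and /etc/pve/firewall/<VMID>.fw with an `[OPTIONS]` section (`enable: 1`, optionally `ipfilter: 1`, which acts like an empty ipfilter set on every NIC) and `[IPSET ipfilter-netN]` sections. The two sample files embedded below are constructed for the demo; the function names are the example's own.

```python
"""Audit Proxmox VM configs for NICs that can still spoof source IPs.

Added example (not Proxmox code). Assumed file formats:
  /etc/pve/qemu-server/<VMID>.conf : "netN: model=MAC,bridge=vmbrX,firewall=1"
  /etc/pve/firewall/<VMID>.fw      : "[OPTIONS]" and "[IPSET ipfilter-netN]" sections
"""
import re

NET_RE = re.compile(r"^net(\d+):\s*(.*)$")
SECTION_RE = re.compile(r"^\[(\w+)(?:\s+(\S+))?\]\s*$")


def parse_vm_nics(conf_text):
    """Return {"netN": {option: value}} for every netN line in a VM .conf."""
    nics = {}
    for line in conf_text.splitlines():
        m = NET_RE.match(line.strip())
        if not m:
            continue
        opts = {}
        for item in m.group(2).split(","):
            key, _, val = item.partition("=")
            opts[key.strip()] = val.strip()
        nics["net" + m.group(1)] = opts
    return nics


def parse_fw(fw_text):
    """Return (options dict, {ipset name: [entries]}) from a VM .fw file."""
    options, ipsets = {}, {}
    section, name = None, None
    for raw in fw_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section, name = m.group(1).upper(), m.group(2)
            if section == "IPSET":
                ipsets.setdefault(name, [])
            continue
        if section == "OPTIONS":
            key, _, val = line.partition(":")
            options[key.strip()] = val.strip()
        elif section == "IPSET":
            ipsets[name].append(line)
    return options, ipsets


def audit_vm(vmid, conf_text, fw_text):
    """Return a list of findings; an empty list means every NIC is filtered."""
    findings = []
    nics = parse_vm_nics(conf_text)
    options, ipsets = parse_fw(fw_text)
    if options.get("enable", "0") != "1":
        findings.append(f"VM {vmid}: firewall disabled ([OPTIONS] enable: 1 missing)")
    default_filter = options.get("ipfilter", "0") == "1"
    for nic, opts in sorted(nics.items()):
        if opts.get("firewall", "0") != "1":
            findings.append(f"VM {vmid}: {nic} lacks firewall=1, VM rules do not apply")
        ipset = f"ipfilter-{nic}"
        if ipset not in ipsets and not default_filter:
            findings.append(f"VM {vmid}: no [IPSET {ipset}] and ipfilter off, "
                            f"{nic} may send from any source IP")
    return findings


# Constructed sample files for the demo (not real customer data).
SAMPLE_CONF = """\
name: customer-vm
net0: virtio=DE:AD:BE:EF:00:01,bridge=vmbr0,firewall=1
net1: virtio=DE:AD:BE:EF:00:02,bridge=vmbr1
"""

SAMPLE_FW = """\
[OPTIONS]
enable: 1

[IPSET ipfilter-net0]
1.2.3.4
2f1:2:3:4::1
"""

if __name__ == "__main__":
    for finding in audit_vm(100, SAMPLE_CONF, SAMPLE_FW):
        print(finding)
```

On a real host, loop over /etc/pve/qemu-server/*.conf, read the matching .fw file (treat a missing file as an empty config) and call audit_vm on each pair; in the sample, net0 passes while net1 is reported twice, once for the missing firewall=1 flag and once for the missing ipfilter-net1 set.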