
I am (very carefully) thinking of opening one of my VMs (all on KVM) to outside access. Currently, only via cloudflared tunnel, but it could change. For that, I need a way to definitely and securely block access from that specific VM to any and all hosts on the private network, just in case someone breaks in and gets root. That specific VM (let’s call it VM10) should only have access to the gateway, and from there to the Internet. At the same time, I want to be able to access that specific VM from an IP on the private network(s) for maintenance, backup, and further development. I am using bridges.

VM10 is connected via br1 and br2.

Br1 connects to the Internet. Br2 is a high speed private network.

On VM10, eth0 connects to br1 with IP 192.168.1.10; eth2 connects to br2 with IP 192.168.222.10.

Anyone logged into VM10, even with root access, should only be able to reach 192.168.1.1, and the Internet beyond. Anyone logged into VM10, even with root access, should not be able to reach anything at all via eth2. Preferably, eth2 should not even show up when one is logged into VM10.

I do not want to do that with a firewall rule on VM10, because if someone gets root on VM10, the firewall will be down in seconds.

I do not want to do it with firewall rules in boxes on the private networks, because it is a hassle, and easily overlooked. I want to stick something into the XML of VM10, and be done with it.

For VM10:

  • Allow ingress and egress to/from 192.168.1.1 and the Internet.
  • Disallow egress to any other IPs on br1. Allow ingress.
  • Disallow egress to all IPs on br2. Allow ingress.
  • Do this in a way so that it cannot be changed by a root user logged into VM10.

I think libvirt's network filters can do that, but I am afraid their documentation is too dense a subject for my old head.

Could a kind soul help out? Possibly, with a complete rule?

Thank you.

Bertel
  • Directly implementing what you want is impossible. I thought about network namespaces, but that's still not bulletproof. What you need actually is called DMZ. You put your VM10 into DMZ and have all the internetworking security implemented via the gateway with at least three IP interfaces (WAN, LAN and DMZ). The gateway itself should be properly secured, but that's another topic. – Nikita Kipriyanov Dec 30 '21 at 16:31
  • I'm sorry, DMZ is very bad advice. Usually, the only thing you should point your DMZ at (if you insist) is a honeypot. Pointing the DMZ at VM10 does not solve any of the above, except creating headaches. – Bertel Dec 30 '21 at 17:24
  • Pardon me, "pointing"? DMZ is not a thing that could be "pointed". You seem to think of DMZ as a "catch-all destination", but this is totally wrong. The [DMZ](https://en.wikipedia.org/wiki/DMZ_(computing)) is a network area which is partially accessible from the Internet, accessible from the LAN, but LAN is inaccessible from it. You are essentially trying to reinvent the same concept, but with inappropriate tools and contradictory requirements. I just suggested an appropriate, industry standard tool. – Nikita Kipriyanov Dec 30 '21 at 18:25
  • According to the all-knowing Wikipedia, "In computer security, a DMZ or demilitarized zone is a physical or logical subnetwork that contains and exposes an organization's external-facing services to an untrusted, usually larger, network such as the Internet." So if I would point the DMZ entry in my router at VM10's 192.168.222.10, any and all traffic would be sent to 192.168.222.10 ... at least where I grew up. Again, extremely bad, even dangerous advice. – Bertel Dec 30 '21 at 21:28
  • Don't you see the obvious discrepancy between at least the Wikipedia definition and the fact your router has "a DMZ entry"? This is wrong. DMZ is a whole network segment (or several). The router you mentioned calls a "catch-all destination" a DMZ, which is wrong and contradicts the definition of DMZ. In other words, what is "DMZ" in your router is not a true DMZ, but some kind of gimmick. Also, read the whole article, please, that's a good introduction into what it is, and you'll see it is essentially about what you are going to implement. I'll say it again: you are reinventing DMZ in your question. – Nikita Kipriyanov Dec 31 '21 at 06:46
  • Also notice various network implementations of DMZs as [diagrams](https://www.google.com/search?q=dmz&tbm=isch&source=iu&ictx=1). None of them suggest a possibility to have a single entry in the router and call that a DMZ. – Nikita Kipriyanov Dec 31 '21 at 06:52
  • I give up, you are absolutely right. – Bertel Dec 31 '21 at 12:10
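
As an added example (not code from the question or its comments, and not a posted answer), the two bullet lists above can be expressed with libvirt's nwfilter, which is exactly the mechanism the question hopes for: the filters are defined and enforced on the host, so root inside VM10 cannot flush them. The example assumes the filter names vm10-br1 and vm10-br2, that VM10's addresses on both bridges are static (no DHCP rules are included), and that br1 and br2 carry only IPv4. The last fragment shows how each filter is bound to its interface in the domain XML.

```xml
<!-- File 1: vm10-br1.xml  (load with: virsh nwfilter-define vm10-br1.xml) -->
<!-- eth0 on br1: the gateway and the Internet only, no other host on 192.168.1.0/24 -->
<filter name='vm10-br1' chain='root'>
  <!-- <all> rules become IPv4 iptables rules, so connection tracking applies:
       VM10 may answer connections that a host on br1 opened towards it -->
  <rule action='accept' direction='out' priority='100'>
    <all state='ESTABLISHED,RELATED'/>
  </rule>
  <!-- the gateway itself -->
  <rule action='accept' direction='out' priority='200'>
    <all dstipaddr='192.168.1.1'/>
  </rule>
  <!-- no new connections from VM10 to any other host on br1 -->
  <rule action='drop' direction='out' priority='300'>
    <all dstipaddr='192.168.1.0' dstipmask='24'/>
  </rule>
  <!-- everything else outbound is the Internet, reached through the gateway -->
  <rule action='accept' direction='out' priority='400'>
    <all/>
  </rule>
  <!-- ingress from anywhere, as the question asks -->
  <rule action='accept' direction='in' priority='500'>
    <all/>
  </rule>
</filter>

<!-- File 2: vm10-br2.xml  (load with: virsh nwfilter-define vm10-br2.xml) -->
<!-- eth2 on br2: reachable for maintenance, but VM10 may not initiate anything -->
<filter name='vm10-br2' chain='root'>
  <!-- Layer-2 part. <arp/>, <ip/> and a rule without a protocol are ebtables
       rules; they are not ordered against the iptables <all> rules below by
       priority, so the catch-all drop must let IPv4 through for layer 3 to judge. -->
  <rule action='accept' direction='inout' priority='100'>
    <arp/>    <!-- without ARP nobody on br2 can reach VM10 at all -->
  </rule>
  <rule action='accept' direction='inout' priority='110'>
    <ip/>     <!-- IPv4 frames go on to the iptables rules -->
  </rule>
  <rule action='drop' direction='inout' priority='120'/>   <!-- IPv6, VLAN, anything else -->

  <!-- Layer-3 part (iptables) -->
  <!-- hosts on the private network may open connections to VM10 -->
  <rule action='accept' direction='in' priority='200'>
    <all srcipaddr='192.168.222.0' srcipmask='24'/>
  </rule>
  <!-- VM10 may only send replies belonging to connections opened from outside -->
  <rule action='accept' direction='out' priority='300'>
    <all state='ESTABLISHED,RELATED'/>
  </rule>
  <!-- and nothing else: no new connection from VM10 to anything on br2 -->
  <rule action='drop' direction='out' priority='400'>
    <all/>
  </rule>
</filter>

<!-- Fragment of VM10's domain XML (virsh edit VM10): one filterref per interface.
     Assumed interface definitions; only the <filterref> lines are the point. -->
<devices>
  <interface type='bridge'>
    <source bridge='br1'/>
    <model type='virtio'/>
    <filterref filter='vm10-br1'/>
  </interface>
  <interface type='bridge'>
    <source bridge='br2'/>
    <model type='virtio'/>
    <filterref filter='vm10-br2'/>
  </interface>
</devices>
```

After `virsh nwfilter-define` for both files and a restart of VM10, `virsh nwfilter-list` shows the two filters and `virsh nwfilter-dumpxml vm10-br2` shows the rules as loaded. The check that matters: from a host on br2, ssh or rsync into 192.168.222.10 should work as before, while from inside VM10 (as root, firewall disabled) a ping or ssh to any 192.168.222.x should get no answer, and on br1 only 192.168.1.1 and addresses outside 192.168.1.0/24 should be reachable. Two caveats: ARP is still answered, so VM10 can still learn which MAC addresses exist on br2 (only IP-level access is blocked), and nwfilter cannot hide eth2 from the guest; making the interface invisible is not something a filter does.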

0 Answers