
I have a Debian 11 server that is running several Qemu/KVM virtual machines (not using libvirtd; created purely with Qemu commands). I've created a network bridge, and each VM has its own TAP device connected to the bridge. Please consider that I know avoiding MAC spoofing is easily done in libvirtd via its network filters, but I aim to configure it myself for my Qemu-created VMs. My real interface is called eth0, my bridge is called br0, and one of my VMs' TAP devices connected to this bridge is called vm0.

What I want to do is use nftables to drop all OUTPUT packets except for eth0 and br0 in the first place, and then allow OUTPUT packets from my TAP devices only if the source MAC address is the same as the actual MAC address I see in my ip -c a output, which I assigned myself while creating the VM; in other words, I want to avoid MAC spoofing on the VMs via nftables. In addition, I want to block SMTP ports.

I have already created some iptables and ebtables rules to achieve my desired outcome. However, after learning that nftables is a framework to replace both of them and that achieving such results is more efficient with it, I want to migrate these rules to nftables, but I can't wrap my head around how to write these rules.

My rules are as follows:

iptables rules, originally learned from this post:

# the user-defined chain must exist before rules can be appended to it
iptables -t filter -N 0-out
iptables -t filter -A FORWARD -m physdev --physdev-in vm1 --physdev-is-bridged -j 0-out
iptables -t filter -A 0-out -m mac ! --mac-source <SOME_MAC_ADDRESS> -j DROP
iptables -t filter -A 0-out -s 0.0.0.0/32 -d 255.255.255.255/32 -p udp -m udp --sport 68 --dport 67 -j ACCEPT
iptables -t filter -A 0-out ! -s <SOME_IP_ADDRESS> -j DROP
iptables -t filter -A 0-out -j RETURN

ebtables rules:

# OUTPUT rules

ebtables -A OUTPUT -p IPv4 -o vm0 --ip-protocol tcp --ip-sport 25 -j DROP
ebtables -A OUTPUT -p IPv4 -o vm0 --ip-protocol tcp --ip-sport 587 -j DROP
ebtables -A OUTPUT -p IPv4 -o vm0 --ip-protocol tcp --ip-sport 465 -j DROP
ebtables -A OUTPUT -p IPv4 -o vm0 --ip-protocol udp --ip-sport 25 -j DROP
ebtables -A OUTPUT -p IPv4 -o vm0 --ip-protocol udp --ip-sport 587 -j DROP
ebtables -A OUTPUT -p IPv4 -o vm0 --ip-protocol udp --ip-sport 465 -j DROP

# INPUT rules

ebtables -A INPUT -p IPv4 -i vm0 --ip-protocol tcp --ip-dport 25 -j DROP
ebtables -A INPUT -p IPv4 -i vm0 --ip-protocol tcp --ip-dport 587 -j DROP
ebtables -A INPUT -p IPv4 -i vm0 --ip-protocol tcp --ip-dport 465 -j DROP
ebtables -A INPUT -p IPv4 -i vm0 --ip-protocol udp --ip-dport 25 -j DROP
ebtables -A INPUT -p IPv4 -i vm0 --ip-protocol udp --ip-dport 587 -j DROP
ebtables -A INPUT -p IPv4 -i vm0 --ip-protocol udp --ip-dport 465 -j DROP

I know the combination of using both ebtables and iptables for basically the same reason is a bit unorthodox; this is because I am new to the whole thing and I wrote these rules learning from several sources. However, this is another reason to use nftables to unify them.

Any help is appreciated, either the ruleset syntax itself or hints and guides.

Many thanks in advance.

Sinux
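An added nftables ruleset, not from the question or from any answer, that expresses the same policy as the iptables and ebtables rules above using the inet family for the host's OUTPUT restriction and the bridge family for the per-TAP checks; the MAC 52:54:00:aa:bb:cc, the IP 192.0.2.10 and the table, chain and set names are placeholders I chose.

```nft
#!/usr/sbin/nft -f
# Added example ruleset for Debian 11 (nftables 0.9.8). Placeholder values:
# the VM MAC 52:54:00:aa:bb:cc and IP 192.0.2.10 are constructed; substitute
# the addresses shown by `ip -c a` for your own VM.
flush ruleset

# inet family: host-generated packets may only leave via lo, eth0 or br0.
# "lo" is my own addition (assumption); without it local sockets break.
table inet host {
    chain output {
        type filter hook output priority 0; policy drop;
        oifname { "lo", "eth0", "br0" } accept
    }
}

# bridge family: replaces both the ebtables rules and the physdev iptables rules.
table bridge vmguard {
    set smtp_ports {
        type inet_service
        elements = { 25, 465, 587 }
    }

    # prerouting sees every frame entering through vm0, whether it is bridged
    # to another port or delivered to the host (ebtables INPUT only saw the latter).
    chain from_vm {
        type filter hook prerouting priority -200; policy accept;
        iifname != "vm0" return
        ether saddr != 52:54:00:aa:bb:cc counter drop comment "MAC spoofing"
        ip saddr 0.0.0.0 ip daddr 255.255.255.255 udp sport 68 udp dport 67 accept
        ether type ip ip saddr != 192.0.2.10 counter drop comment "IP spoofing"
        ether type ip tcp dport @smtp_ports drop
        ether type ip udp dport @smtp_ports drop
    }

    # postrouting sees every frame leaving through vm0, forwarded or host-originated
    # (ebtables OUTPUT only saw the host-originated ones).
    chain to_vm {
        type filter hook postrouting priority 200; policy accept;
        oifname != "vm0" return
        ether type ip tcp sport @smtp_ports drop
        ether type ip udp sport @smtp_ports drop
    }
}
```

Load it with `nft -f` and verify with `nft list ruleset`; note that the IP check is IPv4-only, so ARP and IPv6 frames from vm0 are constrained only by the MAC rule.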

0 Answers