Configure IPTables on KVM host to block guest bridge traffic

Question

I am working on a thesis research project, and I am having some difficulty figuring out how to get iptables (running on the KVM host) to block traffic (or rather, manipulate traffic) destined for a BRIDGED KVM guest. I am unable to get the iptables entries (pasted below) to block traffic to and from the VM's.

Effectively, I would like my host system to act as a firewall for those guest VM's, and for the time being, I would like to test this capability by simply dropping all packets that is destined for a specific VM. In the not-so-distant future, I would also like to implement more granular controls, and even have a proxy involved. Again, this should happen entirely at the HOST level, and not at the GUEST level.

I am running CentOS 6, and based on another question that I wrote: Use one NIC to create multiple interfaces for Linux KVM, I have the following interfaces configured:

eth0
br0
tap0

Below is my network setup scripts for each interface:

eth0's Configuation:

DEVICE="eth0"
BOOTPROTO="none"
NM_CONTROLLED="no"
ONBOOT=yes
TYPE="Ethernet"
UUID="<<UUID-HERE>>"
HWADDR=<<MAC-ADDR-HERE>>
DEFROUTE=yes
PEERDNS=yes
PEERROUTES=yes
IPV4_FAILURE_FATAL=yes
IPV6INIT=no
NAME="System eth0"
BRIDGE="br0"

br0's Configuration:

DEVICE="br0"
TYPE="Bridge"
ONBOOT="yes"
BOOTPROTO="dhcp"
DELAY=0

tap0's Configuration:

DEVICE="tap0"
TYPE="Tap"
BRIDGE="br0"
ONBOOT="yes"

I have a CentOS 6 VM running and it is configured to utilize the tap0 bridged interface. Networking on the VM is working properly. No other changes to the host system were made.

Below are the non-functioning iptables rules that I added to the FORWARD chain (it is worth noting that I am not a huge expert on iptables yet).

sudo iptables -I FORWARD -i any -o tap0 -j DROP
sudo iptables -I FORWARD -i tap0 -o any -j DROP

After running the commands, the FORWARD table looks like this:

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DROP       all  --  tap0   any     anywhere             anywhere            
    0     0 DROP       all  --  any    tap0    anywhere             anywhere            
    0     0 REJECT     all  --  any    any     anywhere             anywhere            reject-with icmp-host-prohibited 

Unfortunately, this does not block the traffic. I don't understand why this would not work.

UPDATE: 11/25/2014: It's been a while since I last updated this. As it turns out, iptables has the physdev plugin, which is actually what I successfully use in my research and is more flexible then ebtables.

Answer 1

Make sure you understand the networking basics involved here. A bridge is a switch and operates at Layer 2. Your iptables rules apply to Layer 3 and will not be passed at this level.

Look into ebtables and specify Layer 2 rules there - or - disable the use of bridges altogether and move to a routed setup in which all traffic is passed through the host at Layer 3. Not sure if the latter option is possible using Libvirt/KVM.

Answer 2

If you do:

echo 1 > /proc/sys/net/bridge/bridge-nf-call-iptables

it will enable netfilter on bridges and then you can set up iptables rules on the FORWARD chain to affect packets going to/from the virtual machines via the bridge interface.

To make it permanent on reboot:

edit /etc/sysctl.conf and set net.bridge.bridge-nf-call-iptables = 1

https://wiki.libvirt.org/page/Net.bridge.bridge-nf-call_and_sysctl.conf

Although the wiki says it's not desirable to do this, I have been doing this for years. It allows me to set up blacklists and other iptables/ipset rules on the FORWARD chain that work globally for all VMs. It works just fine on moderately loaded servers.