Prevent hijacking IPs in a bridged network (KVM/libvirt)

Question

Is there a solution to prevent a VM user assign/use IP addresses he doesn't own but are routed over the same bridge like his own addresses? The current setup looks like this with libvirt and KVM:

              |---VM1 (IP 1)
Host ---> br0 |---VM2 (IP 2) 
              |---VM2 (IP 3)

or is the only solution to use a unique bridge for every VM?

score 3 · Accepted Answer · answered Nov 09 '13 at 17:10

3

You can use ebtables for this assuming you are assigning a mac to every VM on the host node.

http://ebtables.sourceforge.net/

This in simple terms locks it down by mac address and will only allow the VM's to use IP's specifically assigned to them.

answered Nov 09 '13 at 17:10

Backtogeek

577
2
6
14

Prevent hijacking IPs in a bridged network (KVM/libvirt)

1 Answers1