I have 2 VMs Running on KVM hosts. I run a web server on one and use the other for experimental stuff - basically just use ssh on it.
I want to block all incoming connections on all ports except on port 80 on the web server VM and want to block all ports except a specific port which I use for ssh on the other VM.
I know I can use the iptables on the VMs themselves. But I want to do this using the KVM hosts. I want to do this for 2 major reasons,
- Going forward I might be handing the VMs to someone else.
- I might be adding more VMs and want to control the access from outside the VMs and not depend on the users of the VMs to handle it.
I have never done this and was trying out things.
I have been looking at virsh from here.
I was trying out the network filter driver part.
I created a rule using the below xml to block all tcp ports between 0 and 1023,
<filter name='no-spamming' chain='root'>
  <uuid>d217f2d7-5a04-0e01-8b98-ec2743436b74</uuid>
  <rule action='drop' direction='in' priority='500'>
    <tcp match='yes' srcportstart='0' srcportend='1023'/>
  </rule>
</filter>
And then I used virsh edit and added the marked line in the xml.
<interface type='ethernet'>
  <mac address='52:54:00:33:b8:c7'/>
  <script path='no'/>
  <target dev='tap0'/>
  <model type='virtio'/>
  <filterref filter='no-spamming'/> <!-- Added this line -->
  <boot order='2'/>
  <address type='pci' domain='0x0000' bus='0x00' slot='0x03' function='0x0'/>
</interface>
Even after this I could access port 80 on both the VMs.
Can someone please point out where I am going wrong, or suggest an alternative to virsh that can be used to achieve this?
EDIT
I followed the suggestions in this answer and changed the srcportstart to dstportstart and srcportend to dstportend.
But I am still able to ssh on port 22 to both the VMs.
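The following is an added example, not part of the question or of libvirt itself. It models how libvirt evaluates the TCP rules of an nwfilter (rules sorted by ascending priority, first matching accept/drop rule decides, unmatched traffic accepted), to show why a rule on srcportstart/srcportend does not block a client connecting to port 80: for an inbound packet, srcport is the client's ephemeral source port, not the VM's listening port. It then builds the corrected allow-list filter using dstportstart/dstportend, with an accept rule for each wanted port at priority 500 and a catch-all TCP drop at priority 1000. The filter name 'web-only', the port numbers used in the checks and the simplified evaluator are assumptions of this example; libvirt's connection tracking (reply traffic for connections the VM opens) and non-TCP protocols are not modelled, so the generated filter, like the one in the question, only covers inbound TCP.

```python
# Added example: simulate libvirt nwfilter TCP rule matching and build a
# corrected inbound TCP allow-list filter. Assumed semantics: rules are
# evaluated in ascending priority order, the first matching accept/drop
# rule decides, and a packet no rule matches is accepted. Connection
# tracking is deliberately not modelled.
import uuid
import xml.etree.ElementTree as ET

# The filter from the question (srcport-based), copied verbatim.
ORIGINAL_FILTER = """<filter name='no-spamming' chain='root'>
  <uuid>d217f2d7-5a04-0e01-8b98-ec2743436b74</uuid>
  <rule action='drop' direction='in' priority='500'>
    <tcp match='yes' srcportstart='0' srcportend='1023'/>
  </rule>
</filter>"""


def build_tcp_allowlist_filter(name, allowed_ports, filter_uuid=None):
    """Return nwfilter XML that accepts inbound TCP only on allowed_ports.

    Accept rules get priority 500 so they are evaluated before the
    catch-all drop rule at priority 1000 (lower number runs first).
    """
    root = ET.Element("filter", {"name": name, "chain": "root"})
    ET.SubElement(root, "uuid").text = filter_uuid or str(uuid.uuid4())
    for port in allowed_ports:
        rule = ET.SubElement(
            root, "rule", {"action": "accept", "direction": "in", "priority": "500"}
        )
        # dstport is the port the VM listens on; that is what we want to match.
        ET.SubElement(rule, "tcp", {"dstportstart": str(port), "dstportend": str(port)})
    drop = ET.SubElement(
        root, "rule", {"action": "drop", "direction": "in", "priority": "1000"}
    )
    ET.SubElement(drop, "tcp", {"dstportstart": "0", "dstportend": "65535"})
    return ET.tostring(root, encoding="unicode")


def _port_in_range(attrs, prefix, port):
    """True if `port` falls in <prefix>portstart..<prefix>portend (absent = any)."""
    start = attrs.get(prefix + "portstart")
    if start is None:
        return True
    end = attrs.get(prefix + "portend", start)
    return int(start) <= port <= int(end)


def evaluate_inbound_tcp(filter_xml, src_port, dst_port):
    """Return 'accept' or 'drop' for an inbound TCP packet (src_port -> dst_port)."""
    root = ET.fromstring(filter_xml)
    inbound = [
        r for r in root.findall("rule") if r.get("direction", "inout") in ("in", "inout")
    ]
    for rule in sorted(inbound, key=lambda r: int(r.get("priority", "500"))):
        tcp = rule.find("tcp")
        if tcp is None:
            continue  # rule is about another protocol
        if _port_in_range(tcp.attrib, "src", src_port) and _port_in_range(
            tcp.attrib, "dst", dst_port
        ):
            return rule.get("action")
    return "accept"  # nothing matched: libvirt lets the packet through


if __name__ == "__main__":
    # A browser connects from an ephemeral port (constructed: 49152) to port 80.
    print("original filter:", evaluate_inbound_tcp(ORIGINAL_FILTER, 49152, 80))
    web_filter = build_tcp_allowlist_filter("web-only", [80])
    print("corrected filter, port 80:", evaluate_inbound_tcp(web_filter, 49152, 80))
    print("corrected filter, port 22:", evaluate_inbound_tcp(web_filter, 49152, 22))
    print(web_filter)
```

The generated XML can be saved to a file and loaded with `virsh nwfilter-define`, then referenced from the interface with `<filterref filter='web-only'/>` as in the question; for the second VM, call the builder with the chosen ssh port instead of 80.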