best way to secure vm networks - vlans - bridges

felipe
Oct 28, 2013
hi,

i want to have a simple way to secure some virtual machines without using too many firewall rules.
for example, having vmbr33 where i have a firewall rule only to route the 192.168.33.X net.
as i already defined vmbr0 with eth0 and vmbr1 with eth1, i cannot define more bridges connected directly to the network (or use the same eth0 again).
is it possible to work with vlans in proxmox?

# VLAN 111 sub-interface on eth0 (Debian vlan package naming: eth0.<id>)
iface eth0.111 inet manual
    vlan_raw_device eth0

# bridge for the 192.168.33.0/24 machines; the host is their gateway
auto vmbr33
iface vmbr33 inet static
    address 192.168.33.1
    netmask 255.255.255.0
    bridge_ports eth0.111
    bridge_stp off
    bridge_fd 0

and then just add a firewall rule for vmbr33.

the hard way would be to firewall all tap devices (tap113i0 ...), but for lots of machines that is a lot of work and a lot of firewall rules...

thank you
philipp
hi,

thanks. but it seems that with this solution i always need vlan tags from the switch. (at the moment i don't have the possibility to do this - waiting for new switches next year)
is there any way to make a virtual switch to which i can add the taps of the virtual machines and make one single firewall rule for all tap devices?
i have already configured eth0 & eth1 as vmbr0 & vmbr1 - i would like to have some kind of vmbr33 which only accepts traffic from the 192.168.33.X net to the gateway 192.168.33.1 - without nat, because the gateway is already nating to the outside world....

best regards
philipp
Without a router you have to use NAT. You can create a bridge using VLANs which is bound to either eth0 or eth1 and then use iptables to route traffic from this bridge to the outside world.

iface vmbr33 inet static
    address 192.168.3.1
    netmask 255.255.255.0
    bridge_ports eth0.33

Assumption: eth0 is bound to vmbr0.
VMs in vmbr33 use 192.168.3.0/24 with 192.168.3.1 (the host) as gateway.

# routing between bridges must be on (persist it in /etc/sysctl.conf)
sysctl -w net.ipv4.ip_forward=1
iptables -t nat -A POSTROUTING -s 192.168.3.0/24 -o vmbr0 -j MASQUERADE
iptables -A FORWARD -i vmbr0 -o vmbr33 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i vmbr33 -s 192.168.3.0/24 -o vmbr0 -j ACCEPT
iptables -A FORWARD -i vmbr33 -j DROP
# the rules above only restrict what leaves vmbr33; this also refuses unsolicited traffic into it
iptables -A FORWARD -o vmbr33 -j DROP
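The FORWARD chain above is evaluated first match wins, and anything no rule matches falls through to the chain policy. Whether the isolation actually holds therefore depends on the direction of the packet and on that policy, which is easy to get wrong without trying it. The script below is an added example, not code from the thread or from Proxmox: it parses the four iptables lines exactly as posted in the answer (a constructed copy embedded in the script), walks the FORWARD chain for a handful of constructed packets (a VM reaching the internet, a VM trying to reach vmbr1, a VM with a spoofed source, a reply to a VM, an unsolicited packet towards a VM), and reports which cases still reach a VM in vmbr33. It then appends one extra rule, `iptables -A FORWARD -o vmbr33 -j DROP`, and shows that this closes the inbound side. Interface names, the 192.168.3.0/24 subnet and the sample addresses are taken from the answer or invented for the example; the parser understands only the options the posted rules use and raises on anything else rather than silently ignoring it. Python was chosen over a shell script because the point is to reason about the rule set offline, without touching a live host.

```python
import ipaddress
import shlex

# Constructed input for this example: the four rules exactly as posted in the answer.
POSTED_RULES = """
iptables -t nat -A POSTROUTING -s 192.168.3.0/24 -o vmbr0 -j MASQUERADE
iptables -A FORWARD -i vmbr0 -o vmbr33 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i vmbr33 -s 192.168.3.0/24 -o vmbr0 -j ACCEPT
iptables -A FORWARD -i vmbr33 -j DROP
"""

# Extra rule proposed here (not in the answer): appended after the posted ones.
INBOUND_DROP = "iptables -A FORWARD -o vmbr33 -j DROP\n"


def parse_rules(text):
    """Parse iptables command lines into match dicts; keep only filter/FORWARD.

    Understood options: -t, -A, -i, -o, -s, -j, -m <module>, --state.
    Any other option raises, so an unsupported rule is never silently dropped.
    """
    rules = []
    for line in text.strip().splitlines():
        argv = shlex.split(line)
        if not argv or argv[0] != "iptables":
            continue
        rule = {"in": None, "out": None, "src": None, "states": None, "target": None}
        table, chain, i = "filter", None, 1
        while i < len(argv):
            opt = argv[i]
            arg = argv[i + 1] if i + 1 < len(argv) else None
            if opt == "-t":
                table = arg
            elif opt == "-A":
                chain = arg
            elif opt == "-i":
                rule["in"] = arg
            elif opt == "-o":
                rule["out"] = arg
            elif opt == "-s":
                rule["src"] = ipaddress.ip_network(arg, strict=False)
            elif opt == "-j":
                rule["target"] = arg
            elif opt == "-m":
                pass  # match module name; its own options are handled on later iterations
            elif opt == "--state":
                rule["states"] = set(arg.split(","))
            else:
                raise ValueError("unsupported option %r in %r" % (opt, line))
            i += 2
        if table == "filter" and chain == "FORWARD":
            rules.append(rule)
    return rules


def forward_verdict(rules, in_if, out_if, src, state="NEW", policy="ACCEPT"):
    """First-match walk of the FORWARD chain; unmatched packets get the chain policy."""
    src_ip = ipaddress.ip_address(src)
    for r in rules:
        if r["in"] not in (None, in_if) or r["out"] not in (None, out_if):
            continue
        if r["src"] is not None and src_ip not in r["src"]:
            continue
        if r["states"] is not None and state not in r["states"]:
            continue
        return r["target"]
    return policy


# Constructed traffic cases: (name, in interface, out interface, source, conntrack state)
CASES = [
    ("vm -> internet via vmbr0", "vmbr33", "vmbr0", "192.168.3.10", "NEW"),
    ("vm -> other bridge vmbr1", "vmbr33", "vmbr1", "192.168.3.10", "NEW"),
    ("vm with spoofed source", "vmbr33", "vmbr0", "10.0.0.5", "NEW"),
    ("reply to a vm connection", "vmbr0", "vmbr33", "203.0.113.7", "ESTABLISHED"),
    ("unsolicited packet to a vm", "vmbr0", "vmbr33", "203.0.113.7", "NEW"),
    ("vmbr1 host probing a vm", "vmbr1", "vmbr33", "192.168.1.5", "NEW"),
]


def evaluate(rules, policy="ACCEPT"):
    """Return {case name: verdict} for every constructed case."""
    return {name: forward_verdict(rules, i, o, s, st, policy) for name, i, o, s, st in CASES}


def leaks(rules, policy="ACCEPT"):
    """Sorted names of cases where a NEW packet is forwarded into vmbr33."""
    verdicts = evaluate(rules, policy)
    return sorted(name for name, i, o, s, st in CASES
                  if o == "vmbr33" and st == "NEW" and verdicts[name] == "ACCEPT")


if __name__ == "__main__":
    posted = parse_rules(POSTED_RULES)
    hardened = parse_rules(POSTED_RULES + INBOUND_DROP)
    for label, rules in (("posted rules", posted), ("posted rules + inbound drop", hardened)):
        print("== %s, FORWARD policy ACCEPT ==" % label)
        for name, verdict in evaluate(rules).items():
            print("  %-28s %s" % (name, verdict))
        print("  leaks into vmbr33:", leaks(rules) or "none")
```

With the posted rules and the default FORWARD policy of ACCEPT, everything leaving vmbr33 is constrained as intended (vmbr1 is unreachable and a spoofed source is dropped), but a new connection from vmbr0 or vmbr1 towards a VM is forwarded because no rule mentions that direction. Either set the FORWARD policy to DROP, which `leaks(posted, policy="DROP")` shows is enough, or keep the ACCEPT policy and append the `-o vmbr33 -j DROP` rule; the ESTABLISHED,RELATED rule sits before it, so replies to VM-initiated connections still get through.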