How can I prevent IP spoofing in KVM

harmonyp

Member
Nov 26, 2020
I am seeking advice on how I can first identify which virtual machine is causing this and second how I can prevent this from happening again. I presume it is IP spoofing.

iftop: https://i.gyazo.com/a748cf88760eac99f61378d1830d83b9.png

The IPs on the left (118.107.171.x) are not owned by me, and the same can be said of the IPs on the right side.

I have identified who is responsible for this, but it's mainly due to this graph: https://i.gyazo.com/73d4977292ed4b670b05b19f6ab40eeb.png. Without this, I would like to know how I could identify the culprit.


VMs connect through vmbr0

Code:
auto lo
iface lo inet loopback


iface eth0 inet dhcp


iface eth1 inet dhcp


iface eth2 inet dhcp


iface enp5s0f0 inet manual


iface enp5s0f1 inet manual


iface enp7s0f3u2u2c2 inet manual


auto vmbr0
iface vmbr0 inet static
        address 51.89.xxx.xxx/24
        gateway 51.89.xxx.254
        bridge-ports enp5s0f0
        bridge-stp off
        bridge-fd 0
 
hi,

you can check our documentation [0]

make sure you also enable firewall on datacenter level and VM level.

for identifying which VM is responsible, you can sniff packets for the vmbr0 interface to see which MAC address is generating this traffic, and then check the VM configurations VM -> Hardware -> Network device to find which VM has that MAC

hope this helps!

[0]: https://pve.proxmox.com/pve-docs/chapter-pve-firewall.html#pve_firewall_ipfilter_section
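The identification steps described in the reply above (sniff vmbr0, find the source MAC, match it to a VM), as an added example that is not part of the original thread. The function names and the address prefix are assumptions; the parsing assumes the default text output of `tcpdump -e -n` for untagged IPv4 frames and VM configs under /etc/pve/qemu-server.

```shell
#!/bin/sh
# Added example, not from the thread. Function names are hypothetical.
# The prefix argument is the network your guests legitimately use,
# written with a trailing dot (e.g. "192.0.2.").

# Read `tcpdump -e -n` lines on stdin; print "<frames> <src-mac>" for IPv4
# frames whose source IP does not start with prefix $1, busiest MAC first.
foreign_src_macs() {
    awk -v own="$1" '
        $5 == "ethertype" && $6 == "IPv4" {
            # $2 = source MAC, $10 = "src-ip[.port]"
            if (index($10, own) != 1) n[tolower($2)]++
        }
        END { for (m in n) print n[m], m }' | sort -rn
}

# Print the VMID whose config file in directory $2 contains MAC $1.
# Proxmox stores MACs upper-case, tcpdump prints lower-case, hence -i.
vmid_for_mac() {
    for f in "$2"/*.conf; do
        [ -f "$f" ] || continue
        if grep -qiF -- "$1" "$f"; then basename "$f" .conf; fi
    done
}

# Combine both steps. MACs that match no VM config are dropped: that is
# the upstream gateway, whose frames legitimately carry foreign sources.
# $1 = own prefix, $2 = config directory, stdin = capture text.
spoofing_vms() {
    foreign_src_macs "$1" | while read -r count mac; do
        vmid=$(vmid_for_mac "$mac" "$2")
        if [ -n "$vmid" ]; then
            echo "vm=$vmid mac=$mac frames=$count"
        fi
    done
}

# Live use on the host, as root (replace the placeholder prefix):
#   tcpdump -e -n -c 2000 -i vmbr0 ip 2>/dev/null \
#     | spoofing_vms "<your-prefix>." /etc/pve/qemu-server
```

A VM listed here is sending frames with source addresses outside your network; once the IP filter from the linked documentation is active for it, a repeat capture should print nothing.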
Thank you for the reply. What should the firewall config look like for the VM if I only want to enable this ipfilter? I want all ports open; the firewall's purpose would only be to prevent spoofing.

Also, is there a way to apply rules to all VMs easily? Maybe at the node level, as the datacenter rules don't seem to do so.
 
Never mind, after playing around with it I think I got it figured out. I presume I don't have to do anything under VM > Firewall > IPSet.
 
