Isolating 2 KVM on the same VMBR

hakim
Oct 4, 2010
Hi,

I have 2 KVM VMs (KVM1 and KVM2) connected to the same vmbrXX bridge on the host (bridge mode).
I would like to isolate KVM1 from KVM2.

I tried using the Proxmox firewall and added the following 2 rules for KVM1 (the firewall option is ticked on the NIC):

[RULES]

IN DROP
OUT DROP

But I can still ping:
- KVM1 from KVM2
- KVM2 from KVM1

Is there something wrong with my rules, or is it just not possible?

Thanks
 
>> And you power-cycled the VMs after setting this (stop/start)?

Thanks for your answer. Yes, I did, many times.

I looked at the generated iptables rules and I do not see anything that could match my drop rules. I also tried specifying the interface (net0); after looking at the iptables rules again, nothing changed:

-A FORWARD -j PVEFW-FORWARD

-A PVEFW-FORWARD -m conntrack --ctstate INVALID -j DROP
-A PVEFW-FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A PVEFW-FORWARD -m physdev --physdev-in fwln+ --physdev-is-bridged -j PVEFW-FWBR-IN
-A PVEFW-FORWARD -m physdev --physdev-out fwln+ --physdev-is-bridged -j PVEFW-FWBR-OUT
-A PVEFW-FORWARD -m comment --comment "PVESIG:qnNexOcGa+y+jebd4dAUqFSp5nw"

-A PVEFW-FWBR-IN -m conntrack --ctstate INVALID,NEW -j PVEFW-smurfs
-A PVEFW-FWBR-IN -m physdev --physdev-out tap1194i0 --physdev-is-bridged -j tap1194i0-IN
-A PVEFW-FWBR-IN -m comment --comment "PVESIG:loYWxWyO1aogMMH4vILoZYXLJHs"

-A PVEFW-FWBR-OUT -m physdev --physdev-in tap1194i0 --physdev-is-bridged -j tap1194i0-OUT
-A PVEFW-FWBR-OUT -m comment --comment "PVESIG:17NtWHVVPtcegL9mEfNH/RTtDT8"

-A tap1194i0-IN -p udp -m udp --sport 67 --dport 68 -j ACCEPT
-A tap1194i0-IN -j ACCEPT
-A tap1194i0-IN -m comment --comment "PVESIG:8niG/yUn1PffpDPecGBQaw8B8Rw"
-A tap1194i0-OUT -p udp -m udp --sport 68 --dport 67 -g PVEFW-SET-ACCEPT-MARK
-A tap1194i0-OUT -m mac ! --mac-source 66:31:38:61:38:65 -j DROP
-A tap1194i0-OUT -j MARK --set-xmark 0x0/0xffffffff
-A tap1194i0-OUT -g PVEFW-SET-ACCEPT-MARK
-A tap1194i0-OUT -m comment --comment "PVESIG:9ApRWhuP2PI4yn5CvkeiwRSFBvE"
 
>> And did you also enable it in Firewall/Options?

It was the problem... :-/

Thanks Dietmar for your help
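The root cause in this thread is that the Proxmox VE firewall has three independent "enable" switches (datacenter level in /etc/pve/firewall/cluster.fw, VM level in /etc/pve/firewall/<vmid>.fw, and firewall=1 on the netX line of the VM config) and a VM's rules are inert unless all three are on; the tell-tale sign in the posted output is that the tap1194i0-IN chain simply ends in `-j ACCEPT`. The script below is an added example, not code from this thread or from the Proxmox project: it parses text in those three file formats plus `iptables-save` output and reports which switch is missing. The VMID 1194 and the MAC come from the thread; the file contents, the bridge name vmbr0 and the addresses 192.0.2.10/192.0.2.20 are constructed for the example. The sample VM ruleset also narrows the poster's blanket `IN DROP` / `OUT DROP` to the peer VM's address with `-source` / `-dest`, which is what "isolate KVM1 from KVM2" usually means in practice.

```python
"""Check the three Proxmox VE firewall enable switches for one VM/NIC.

Sample configuration text is constructed for this example; only the
VMID 1194 and MAC 66:31:38:61:38:65 are taken from the forum thread.
"""
import re

# /etc/pve/firewall/cluster.fw as it effectively was in the thread (disabled).
CLUSTER_FW_DISABLED = """[OPTIONS]
enable: 0
"""

# /etc/pve/firewall/cluster.fw after ticking Datacenter -> Firewall -> Options.
CLUSTER_FW_ENABLED = """[OPTIONS]
enable: 1
"""

# /etc/pve/firewall/1194.fw: per-VM options and rules (addresses are constructed).
VM_FW = """[OPTIONS]
enable: 1
policy_in: DROP
policy_out: DROP

[RULES]
IN DROP -source 192.0.2.20   # block traffic from KVM2 (constructed address)
OUT DROP -dest 192.0.2.20    # block traffic to KVM2
"""

# Relevant line of /etc/pve/qemu-server/1194.conf (bridge name is constructed).
VM_CONF = "net0: virtio=66:31:38:61:38:65,bridge=vmbr0,firewall=1\n"

# Abbreviated copy of the iptables-save output posted in the thread.
IPTABLES_SAVE_SAMPLE = """-A PVEFW-FWBR-IN -m physdev --physdev-out tap1194i0 --physdev-is-bridged -j tap1194i0-IN
-A tap1194i0-IN -p udp -m udp --sport 67 --dport 68 -j ACCEPT
-A tap1194i0-IN -j ACCEPT
-A tap1194i0-IN -m comment --comment "PVESIG:8niG/yUn1PffpDPecGBQaw8B8Rw"
"""


def parse_fw_sections(text):
    """Parse a Proxmox .fw file into {SECTION: [rule lines]}, dropping comments."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()
        if not line:
            continue
        m = re.match(r'^\[([^\]]+)\]$', line)
        if m:
            current = m.group(1).split()[0].upper()
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections


def options_enabled(sections):
    """True only if the [OPTIONS] section contains 'enable: 1' (PVE default is off)."""
    for line in sections.get('OPTIONS', []):
        key, _, value = line.partition(':')
        if key.strip() == 'enable':
            return value.strip() == '1'
    return False


def nic_firewall_on(vm_conf, nic='net0'):
    """True if the netX line of the VM config carries firewall=1."""
    for line in vm_conf.splitlines():
        key, _, value = line.partition(':')
        if key.strip() == nic:
            opts = dict(kv.split('=', 1) for kv in value.strip().split(',') if '=' in kv)
            return opts.get('firewall') == '1'
    return False


def missing_switches(cluster_fw, vm_fw, vm_conf, nic='net0'):
    """Return the list of enable switches that are off; empty means rules apply."""
    missing = []
    if not options_enabled(parse_fw_sections(cluster_fw)):
        missing.append('datacenter (cluster.fw [OPTIONS] enable: 1)')
    if not options_enabled(parse_fw_sections(vm_fw)):
        missing.append('vm (<vmid>.fw [OPTIONS] enable: 1)')
    if not nic_firewall_on(vm_conf, nic):
        missing.append(f'nic ({nic} firewall=1)')
    return missing


def tap_chain_terminal_action(iptables_save, chain):
    """Target of the last unconditional rule in a tapXXXiY chain (None if absent).

    In the thread this is ACCEPT for tap1194i0-IN, i.e. the configured IN DROP
    never made it into the generated ruleset.
    """
    action = None
    for line in iptables_save.splitlines():
        m = re.match(rf'^-A {re.escape(chain)} -j (\S+)$', line.strip())
        if m:
            action = m.group(1)
    return action


if __name__ == '__main__':
    print('missing (as in thread):', missing_switches(CLUSTER_FW_DISABLED, VM_FW, VM_CONF))
    print('missing (after fix):   ', missing_switches(CLUSTER_FW_ENABLED, VM_FW, VM_CONF))
    print('tap1194i0-IN ends in:  ', tap_chain_terminal_action(IPTABLES_SAVE_SAMPLE, 'tap1194i0-IN'))
```

On a real host the same checks are `cat /etc/pve/firewall/cluster.fw`, `cat /etc/pve/firewall/<vmid>.fw`, `grep ^net0 /etc/pve/qemu-server/<vmid>.conf` and `iptables-save | grep tap<vmid>i0-IN`; if the chain's last unconditional rule is still ACCEPT after enabling all three switches, run `pve-firewall compile` to see what the daemon would generate.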