Isolating 2 KVM on the same VMBR

hakim

Well-Known Member
Oct 4, 2010
Hi,

I have 2 KVM VMs (KVM1 and KVM2) connected on the same host's vmbrXX (bridge mode).
I would like to isolate KVM1 from KVM2.

I tried to use the Proxmox firewall and added the following 2 rules for KVM1 (the firewall option is ticked on the NIC):

[RULES]

IN DROP
OUT DROP

But I can still ping:
- KVM1 from KVM2
- KVM2 from KVM1

Is there something wrong in my rules, or is it just not possible?

Thanks
 
>> And you power cycled the VMs after setting this (stop/start)?

Thanks for your answer. Yes I did it - many times.

I looked at the generated iptables rules and I do not see anything that could match my drop rules. I also tried to specify the interface (net0); after looking at the iptables rules again, nothing changed.

-A FORWARD -j PVEFW-FORWARD

-A PVEFW-FORWARD -m conntrack --ctstate INVALID -j DROP
-A PVEFW-FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A PVEFW-FORWARD -m physdev --physdev-in fwln+ --physdev-is-bridged -j PVEFW-FWBR-IN
-A PVEFW-FORWARD -m physdev --physdev-out fwln+ --physdev-is-bridged -j PVEFW-FWBR-OUT
-A PVEFW-FORWARD -m comment --comment "PVESIG:qnNexOcGa+y+jebd4dAUqFSp5nw"

-A PVEFW-FWBR-IN -m conntrack --ctstate INVALID,NEW -j PVEFW-smurfs
-A PVEFW-FWBR-IN -m physdev --physdev-out tap1194i0 --physdev-is-bridged -j tap1194i0-IN
-A PVEFW-FWBR-IN -m comment --comment "PVESIG:loYWxWyO1aogMMH4vILoZYXLJHs"

-A PVEFW-FWBR-OUT -m physdev --physdev-in tap1194i0 --physdev-is-bridged -j tap1194i0-OUT
-A PVEFW-FWBR-OUT -m comment --comment "PVESIG:17NtWHVVPtcegL9mEfNH/RTtDT8"

-A tap1194i0-IN -p udp -m udp --sport 67 --dport 68 -j ACCEPT
-A tap1194i0-IN -j ACCEPT
-A tap1194i0-IN -m comment --comment "PVESIG:8niG/yUn1PffpDPecGBQaw8B8Rw"
-A tap1194i0-OUT -p udp -m udp --sport 68 --dport 67 -g PVEFW-SET-ACCEPT-MARK
-A tap1194i0-OUT -m mac ! --mac-source 66:31:38:61:38:65 -j DROP
-A tap1194i0-OUT -j MARK --set-xmark 0x0/0xffffffff
-A tap1194i0-OUT -g PVEFW-SET-ACCEPT-MARK
-A tap1194i0-OUT -m comment --comment "PVESIG:9ApRWhuP2PI4yn5CvkeiwRSFBvE"
 
>> And you also enable it in firewall/Options?

It was the problem... :-/

Thanks Dietmar for your help
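As an added example (not from this thread or from Proxmox itself), here is a small checker that parses the pve-firewall config format the rules above are stored in and reports every enable switch that must be on before a VM's [RULES] take effect. It assumes the standard cluster.fw / <vmid>.fw files, the `enable:` key in their [OPTIONS] section, and the `firewall=1` flag on the VM's netX config line; the sample configs and MAC address are constructed.

```python
import re

def parse_fw(text):
    """Parse a pve-firewall config (cluster.fw or <vmid>.fw) into sections."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()   # strip comments and whitespace
        if not line:
            continue
        m = re.match(r'^\[([^\]]+)\]$', line)
        if m:                                  # section header such as [OPTIONS]
            current = m.group(1).upper()
            sections.setdefault(current, {} if current == 'OPTIONS' else [])
            continue
        if current == 'OPTIONS':               # 'enable: 1' style key/value lines
            key, _, value = line.partition(':')
            sections[current][key.strip()] = value.strip()
        elif current is not None:              # e.g. [RULES] lines like 'IN DROP'
            sections[current].append(line)
    return sections

def fw_enabled(sections):
    """The firewall is off unless [OPTIONS] explicitly says enable: 1."""
    return sections.get('OPTIONS', {}).get('enable', '0') == '1'

def nic_firewall(netline):
    """True if the VM's netX line (e.g. 'virtio=...,bridge=vmbr0,firewall=1') sets firewall=1."""
    opts = dict(kv.split('=', 1) for kv in netline.split(',') if '=' in kv)
    return opts.get('firewall') == '1'

def check_vm(cluster_fw, vm_fw, netline):
    """Return the reasons why the VM's [RULES] would not take effect (empty list = OK)."""
    cl, vm = parse_fw(cluster_fw), parse_fw(vm_fw)
    problems = []
    if not fw_enabled(cl):
        problems.append('datacenter firewall disabled (cluster.fw [OPTIONS] enable: 0)')
    if not fw_enabled(vm):
        problems.append('VM firewall disabled (<vmid>.fw [OPTIONS] enable: 0)')
    if not nic_firewall(netline):
        problems.append('firewall=1 not set on the NIC')
    if not vm.get('RULES'):
        problems.append('no [RULES] defined for the VM')
    return problems

# Constructed sample reproducing the thread: DROP rules and firewall=1 on the NIC,
# but the datacenter-level enable switch left off.
CLUSTER_FW_OFF = "[OPTIONS]\nenable: 0\n"
CLUSTER_FW_ON = "[OPTIONS]\nenable: 1\n"
VM_FW = "[OPTIONS]\nenable: 1\n\n[RULES]\nIN DROP\nOUT DROP\n"
NET0 = "virtio=AA:BB:CC:DD:EE:FF,bridge=vmbr0,firewall=1"  # constructed MAC/bridge
```

Calling `check_vm(CLUSTER_FW_OFF, VM_FW, NET0)` reports only the disabled datacenter switch, while the same call with `CLUSTER_FW_ON` returns an empty list.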