I have a dedicated server with a single IPv4. It's my first time working with Proxmox, and I have limited knowledge of networking, so to be able to access the VMs, I decided to set up a Linux Bridge (as per the instructions in this video):
auto vmbr1
iface vmbr1 inet static
address 192.168.100.1
netmask 255.255.255.0
bridge-ports none
bridge-stp off
bridge-fd 0
# NAT
post-up echo 1 > /proc/sys/net/ipv4/ip_forward
post-up iptables -t nat -A POSTROUTING -s '192.168.100.0/24' -o vmbr0 -j MASQUERADE
post-down iptables -t nat -D POSTROUTING -s '192.168.100.0/24' -o vmbr0 -j MASQUERADE
# VM 110
post-up iptables -t nat -A PREROUTING -p tcp -d xxx.xxx.xxx.xxx --dport 50100 -i vmbr0 -j DNAT --to-destination 192.168.100.10:22
post-up iptables -t nat -A PREROUTING -p tcp -d xxx.xxx.xxx.xxx --dport 50101:50109 -i vmbr0 -j DNAT --to-destination 192.168.100.10
# VM 111
post-up iptables -t nat -A PREROUTING -p tcp -d xxx.xxx.xxx.xxx --dport 50110 -i vmbr0 -j DNAT --to-destination 192.168.100.11:22
post-up iptables -t nat -A PREROUTING -p tcp -d xxx.xxx.xxx.xxx --dport 50111:50119 -i vmbr0 -j DNAT --to-destination 192.168.100.11
# VM 112
post-up iptables -t nat -A PREROUTING -p tcp -d xxx.xxx.xxx.xxx --dport 50120 -i vmbr0 -j DNAT --to-destination 192.168.100.12:22
post-up iptables -t nat -A PREROUTING -p tcp -d xxx.xxx.xxx.xxx --dport 50121:50129 -i vmbr0 -j DNAT --to-destination 192.168.100.12
...
xxx.xxx.xxx.xxx is the external IP, and I can flawlessly access VM 110 via ssh by connecting to xxx.xxx.xxx.xxx:50100.
With this setup anyone on 192.168.100.0/24 can communicate with anyone else on it. For example, 192.168.100.11 can attempt to ssh into 192.168.100.12. My understanding is that if any VM running on vmbr1 with an IP in the 192.168.100.0/24 range were compromised, you could treat everyone in the 192.168.100.0/24 range as compromised, since you wouldn't know what vulnerabilities the third party might've exploited.
I tried using the same iptables to restrict access for everyone on 192.168.100.0/24 to anything other than 192.168.100.1 (the gateway), but eventually found out that Proxmox ignores even the simplest configurations like iptables -A FORWARD -s 192.168.100.xxx -d 192.168.100.xxx -j DROP. iptables -A FORWARD -s 192.168.100.11 -d 192.168.100.12 -j DROP still allows 192.168.100.11 to ping 192.168.100.12 and vice versa.
I could leave this the way it is and just rely on disabling password ssh authentication on the VMs and using ufw to block everything other than the ports I've assigned to each VM, but I want to do this properly and make sure each VM is isolated at the host level. If I'm doing something I really shouldn't, please do let me know as well, as this is my first time using Proxmox.
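As an added example (not part of the original post and not Proxmox's own code), a shell script that shows why a plain FORWARD rule never saw the VM-to-VM traffic and renders a host-level ruleset that isolates the VMs on vmbr1 from each other while keeping the post's NAT and per-VM port forwards. It assumes the post's vmbr0/vmbr1 layout, keeps xxx.xxx.xxx.xxx as the public-IP placeholder, and constructs a VM table from the three VMs in the post.

```shell
#!/bin/sh
# Added example, not from the original post: why "iptables -A FORWARD ... -j DROP"
# did not affect VM-to-VM traffic, plus a ruleset that isolates the VMs on vmbr1
# from each other while keeping the post's NAT and per-VM port forwards working.
# Assumes vmbr0 = public bridge, vmbr1 = 192.168.100.0/24, PUBLIC_IP = the server
# address (placeholder kept from the post); VM_TABLE is constructed to mirror the
# post's VMs as "vmid ip first-port".
PUBLIC_IP="${PUBLIC_IP:-xxx.xxx.xxx.xxx}"
VM_TABLE='110 192.168.100.10 50100
111 192.168.100.11 50110
112 192.168.100.12 50120'

# Frames switched between two ports of one Linux bridge stay at layer 2 and never
# enter the IPv4 forwarding path, so FORWARD is not consulted for VM-to-VM traffic.
# br_netfilter hands bridged IPv4 frames to iptables; only then does a rule with
# "-i vmbr1 -o vmbr1" see them.
bridge_netfilter_rules() {
    printf '%s\n' 'modprobe br_netfilter' 'sysctl -w net.bridge.bridge-nf-call-iptables=1'
}

# Drop VM<->VM on vmbr1, allow VM->Internet and only DNAT'd inbound connections plus
# replies. VM->gateway (192.168.100.1) is local delivery (INPUT), so it is unaffected.
isolation_rules() {
    printf '%s\n' 'iptables -P FORWARD DROP' \
        'iptables -A FORWARD -i vmbr1 -o vmbr1 -j DROP' \
        'iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT' \
        'iptables -A FORWARD -i vmbr1 -o vmbr0 -j ACCEPT' \
        'iptables -A FORWARD -i vmbr0 -o vmbr1 -m conntrack --ctstate DNAT -j ACCEPT'
}

# Per-VM forwards in the post's scheme: first-port -> VM:22, next nine -> same ports.
dnat_rules() {
    vmid=$1; vmip=$2; first=$3; last=$((first + 9))
    printf '# VM %s\n' "$vmid"
    printf 'iptables -t nat -A PREROUTING -i vmbr0 -p tcp -d %s --dport %s -j DNAT --to-destination %s:22\n' \
        "$PUBLIC_IP" "$first" "$vmip"
    printf 'iptables -t nat -A PREROUTING -i vmbr0 -p tcp -d %s --dport %s:%s -j DNAT --to-destination %s\n' \
        "$PUBLIC_IP" "$((first + 1))" "$last" "$vmip"
}

render_ruleset() {
    bridge_netfilter_rules
    isolation_rules
    printf '%s\n' "$VM_TABLE" | while read -r vmid vmip first; do
        dnat_rules "$vmid" "$vmip" "$first"
    done
}

# Prints the commands for review. To apply, run as root: sh vm-isolate.sh | sh -e
# (assumed filename; sets the FORWARD policy, so remove the equivalent post-up lines first).
render_ruleset
```

The rendered commands replace the post-up lines rather than adding to them, and bridge-nf-call-iptables must stay set on the host for the vmbr1-to-vmbr1 drop to take effect. If the Proxmox VE firewall (pve-firewall) is enabled it manages iptables itself; its per-VM rules in /etc/pve/firewall/<vmid>.fw filter at each VM's tap interface and are the native way to get the same isolation.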