I have a dedicated server with a single IPv4. It's my first time working with Proxmox, and I have a limited knowledge of networking, so to be able to access the VMs, I decided to set up a Linux Bridge (as per instructions in this video):
With this setup anyone on 192.168.100.0/24 can communicate with each other. For example, 192.168.100.11 can attempt to ssh into 192.168.100.12. My understanding is that if any VM running on vmbr1 with an IP in the 192.168.100.0/24 range were compromised, you could treat everyone in the 192.168.100.0/24 range as compromised, since you wouldn't know what vulnerabilities the third party might've exploited.
I tried using the same
I could leave this the way it is and just rely on disabling password ssh authentication on the VMs and using
auto vmbr1iface vmbr1 inet static address 192.168.100.1 netmask 255.255.255.0 bridge-ports none bridge-stp off bridge-fd 0# NATpost-up echo 1 > /proc/sys/net/ipv4/ip_forwardpost-up iptables -t nat -A POSTROUTING -s '192.168.100.0/24' -o vmbr0 -j MASQUERADEpost-down iptables -t nat -D POSTROUTING -s '192.168.100.0/24' -o vmbr0 -j MASQUERADE# VM 110post-up iptables -t nat -A PREROUTING -p tcp -d xxx.xxx.xxx.xxx --dport 50100 -i vmbr0 -j DNAT --to-destination 192.168.100.10:22post-up iptables -t nat -A PREROUTING -p tcp -d xxx.xxx.xxx.xxx --dport 50101:50109 -i vmbr0 -j DNAT --to-destination 192.168.100.10# VM 111post-up iptables -t nat -A PREROUTING -p tcp -d xxx.xxx.xxx.xxx --dport 50110 -i vmbr0 -j DNAT --to-destination 192.168.100.11:22post-up iptables -t nat -A PREROUTING -p tcp -d xxx.xxx.xxx.xxx --dport 50111:50119 -i vmbr0 -j DNAT --to-destination 192.168.100.11# VM 112post-up iptables -t nat -A PREROUTING -p tcp -d xxx.xxx.xxx.xxx --dport 50120 -i vmbr0 -j DNAT --to-destination 192.168.100.12:22post-up iptables -t nat -A PREROUTING -p tcp -d xxx.xxx.xxx.xxx --dport 50121:50129 -i vmbr0 -j DNAT --to-destination 192.168.100.12...xxx.xxx.xxx.xxx is the external IP, and I can flawlessly access VM 110 via ssh by connecting to xxx.xxx.xxx.xxx:50100.With this setup anyone on 192.168.100.0/24 can communicate with each other. For example, 192.168.100.11 can attempt to ssh into 192.168.100.12. My understanding is that if any VM running on vmbr1 with an IP in the 192.168.100.0/24 range were compromised, you could treat everyone in the 192.168.100.0/24 range as compromised, since you wouldn't know what vulnerabilities the third party might've exploited.
I tried using the same
iptables to restrict access for everyone on 192.168.100.0/24 to anything other than 192.168.100.1 (gateway), but eventually found out that Proxmox ignores even the most simple configurations like iptables -A FORWARD -s 192.168.100.xxx -d 192.168.100.xxx -j DROP. iptables -A FORWARD -s 192.168.100.11 -d 192.168.100.12 -j DROP still allows 192.168.100.11 ping 192.168.100.12 and vice versa.I could leave this the way it is and just rely on disabling password ssh authentication on the VMs and using
ufw to block everything other than the ports I've assigned to each VM, but I want to do this properly and make sure each VM is isolated at the host level. If I'm doing something I really shouldn't, please do let me know as well, as this is my first time using Proxmox.
Last edited:
