only allow VM to connect to CT

Afox

Dec 18, 2014
Hello guys,

I want to set up a Samba CT that should only be accessible by one specific VM on the same node. Since there are advanced networking possibilities in Proxmox VE (and this is the first time I have tried to do so), I want to ask how I should configure the CT to make it safe from every attack that is coming from "outside".

Thanks in advance!

Regards,

Afox
 
Personally I would create a vmbr that is only used between the CT and that VM, not attached to an ETH device.
 
The VM has to be accessible through the internet. Is that a problem in your scenario?
 
After I wrote my answer I found this article about the Proxmox Network Model that made your statement clear for me: https://pve.proxmox.com/wiki/Network_Model

As far as I understand, the CT would be controlled (SSH) by the VM if there is no other vmbr to the outside, correct?

Many thanks for your patience.

Regards,

Afox
 
Hello again. I am stuck. Could you please give me some instructions on how to set up this virtual network? I have a lot of thoughts about this, but maybe you (or anyone else who has already successfully established something like this) can make it a little more clear? Thanks in advance!
 
Hello guys, sorry for pushing, but I am still searching for a solution to directly connect VM and CT. I am grateful for any hint. Regards, Afox
 
I'm not really sure I understand where you are stuck.

Make a KVM, give it 2 NICs. One NIC on a vmbr that has access to the outside network.

After you get this VM set up, add another NIC to it on a vmbr that is not bridged to a physical NIC, and give it a static IP in the VM.

Set up your vz with a NIC on the same vmbr that is not connected to a physical NIC. Give it an IP address in the same subnet as the other server's secondary IP.

That's it. You have a private network between the 2 and the vz doesn't have internet access.
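
The internal bridge described in the post above, as an added example that is not part of the thread: a constructed `/etc/network/interfaces` with a port-less `vmbr1`, plus a small Python check that reports which bridges are attached to a physical NIC. The names `eth0` and `vmbr1` and all addresses are assumptions; guests on `vmbr1` would take static addresses in one private subnet, with no gateway set on that NIC.

```python
# Added example (not from the thread): audit an ifupdown-style
# /etc/network/interfaces for bridges that have no path to a physical NIC.
# SAMPLE is constructed; eth0, vmbr1 and all addresses are assumed values.
SAMPLE = """\
auto vmbr0
iface vmbr0 inet static
    address 203.0.113.10
    netmask 255.255.255.0
    gateway 203.0.113.1
    bridge_ports eth0
    bridge_stp off
    bridge_fd 0

# internal bridge: no physical port, no host address, no gateway
auto vmbr1
iface vmbr1 inet manual
    bridge_ports none
    bridge_stp off
    bridge_fd 0
"""

def parse_bridges(text):
    """Return {name: {"ports", "address", "gateway"}} for stanzas with bridge_ports."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        words = raw.split()
        if len(words) < 2 or words[0].startswith("#"):
            continue
        key = words[0].replace("-", "_")  # bridge-ports and bridge_ports both occur
        if key == "iface":
            current = stanzas.setdefault(
                words[1], {"ports": None, "address": None, "gateway": None})
        elif current is not None and key == "bridge_ports":
            current["ports"] = [p for p in words[1:] if p != "none"]
        elif current is not None and key in ("address", "gateway"):
            current[key] = words[1]
    return {n: s for n, s in stanzas.items() if s["ports"] is not None}

def audit(text):
    """isolated: no enslaved port and no gateway. host_reachable: the node itself
    has an address on the bridge, so guests on it can talk to the host."""
    return {name: {"isolated": not s["ports"] and s["gateway"] is None,
                   "host_reachable": s["address"] is not None}
            for name, s in parse_bridges(text).items()}

if __name__ == "__main__":
    for name, result in audit(SAMPLE).items():
        print(name, result)
```

The check only reads what the file declares; it does not look at firewall rules or IP forwarding on the node.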
 
Tbh I don't know how to set up the internal vmbr. What IP should I fill in? Something between 10.0.0.0 and 10.255.255.255, as this is one of the private address ranges? What do I fill in for subnet mask and gateway? I think I just need an example for this and then I will understand.
 
OK, thank you. I set up a new vmbr and restarted. Then I added the NIC to the VM. Next I add a veth NIC to the CT, choosing the newly created vmbr?
 
Thank you again. This brought me much more in the right direction. Tomorrow I will try to set up the new NICs :-) Best regards, Afox