Prevent VM from using other IP from subnet

andy77
Jul 6, 2016
Hello @ all,

I am asking myself how to bind VMs to work with just one IP from a subnet.

I have a Hetzner server configured with a routed x.x.x.x/29 subnet.

My config looks the following:

Code:
# /etc/network/interfaces
### Hetzner Online GmbH - installimage
# Loopback device:
auto lo
iface lo inet loopback
# device: eth0
auto eth0
iface eth0 inet static
  address <Main-IP>
  netmask 255.255.255.255
  pointopoint <Gateway-IP>
  gateway <Gateway-IP>

# the subnet
auto vmbr1
iface vmbr1 inet static
  address <my first usable IP from the subnet>
  netmask <netmask of subnet>
  bridge_ports none
  bridge_stp off
  bridge_fd 0

The config does work well and everything seems OK.

But now I would like to somehow bind a specific IP from my routed subnet to one VM.
Because if it is configured like that, you can use every available IP from the subnet on the VM. This is somewhat bad, because a user could easily change the VM's IP and act like another VM on the same node.

Of course I could create rules in the firewall with "Source IP", but I don't know if this is really the correct way to do it.

Maybe someone has an idea?

Thanks for any hint
Regards
Andy
 
What I forgot to mention is that I did find the config for "IP filter", but enabling this and configuring an IPSet "ipfilter-net0" with a specific IP from the subnet only prevents outgoing connections when the IP is changed on the VM. The problem is that incoming connections still work fine!

So it means that the "IP filter" only blocks outgoing connections, and in my case I think it is not usable, because of course I also want to prevent incoming connections when the IP is not the one set in "ipfilter-net0".

Thanks
 
As far as I know, you need to create firewall rules explicitly allowing only the IP of the machine and blocking everything else. I do not know of any other way and struggled with the same problem as you did.
 
I have now configured the "IP filter" for outgoing and the "Firewall in" for incoming traffic. It seems that this is the only option.

@guletz Thanks for your input. Unfortunately this works only for unused IPs.
 
... but if you add a static ARP entry on the host, like:
arp -s 192.168.1.101 00:00:48:23:00:00

for the used IP, I think you solve the problem.
 
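The following is an added example, not code from the thread, from andy77/guletz, or from Proxmox itself. It ties together the two findings above: the "IP filter" (the ipfilter-net0 ipset) only checks the source of the guest's outgoing traffic, so incoming traffic needs an IN rule plus a DROP policy, and a static neighbour entry on the host pins the address on the bridge. The script renders the per-VM firewall file for both variants (ipfilter only, and ipfilter plus the IN rule), builds the iproute2 form of the static ARP entry, and runs a simplified model of the evaluation order so the two configurations can be compared offline. The bridge name vmbr1, the NIC name net0, the MAC address and all IP addresses are constructed for the example; the evaluator is a model of the documented behaviour, not the real pve-firewall engine.

```python
# Added example (not from the thread or Proxmox): render /etc/pve/firewall/<vmid>.fw
# variants, the host-side static neighbour entry, and a simplified model of how
# the guest firewall treats spoofed addresses. Names and addresses are constructed.
import ipaddress
import re
from typing import Dict, List


def render_vm_firewall(ip: str, iface: str = "net0", pin_inbound: bool = True) -> str:
    """Render a per-VM .fw file for one guest NIC.

    pin_inbound=False reproduces the 'IP filter only' setup from the thread:
    outbound is pinned by the ipfilter ipset, inbound stays at ACCEPT.
    """
    addr = ipaddress.ip_address(ip)  # raises on a malformed address
    lines = [
        "[OPTIONS]",
        "enable: 1",
        "ipfilter: 1",  # ipfilter-<iface> checks the *source* of OUT traffic only
        f"policy_in: {'DROP' if pin_inbound else 'ACCEPT'}",
        "policy_out: DROP",
        "",
        f"[IPSET ipfilter-{iface}]",
        str(addr),
        "",
        "[RULES]",
    ]
    if pin_inbound:
        # Only the assigned address is reachable; anything else hits policy_in.
        lines.append(f"IN ACCEPT -i {iface} -dest {addr} -log nolog")
    lines.append(f"OUT ACCEPT -i {iface} -source {addr} -log nolog")
    return "\n".join(lines) + "\n"


def static_neighbor_cmd(ip: str, mac: str, bridge: str = "vmbr1") -> List[str]:
    """iproute2 equivalent of the 'arp -s' suggestion: pin ip->mac in the
    host's neighbour cache on the routed bridge."""
    return ["ip", "neigh", "replace", str(ipaddress.ip_address(ip)),
            "lladdr", mac, "dev", bridge, "nud", "permanent"]


def parse_fw(text: str) -> Dict:
    """Parse the subset of the .fw format rendered above (no macros, no groups)."""
    cfg: Dict = {"options": {}, "ipsets": {}, "rules": []}
    section, current_set = None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        header = re.fullmatch(r"\[(\w+)(?:\s+([^\]\s]+))?\]", line)
        if header:
            section, current_set = header.group(1), header.group(2)
            if section == "IPSET":
                cfg["ipsets"][current_set] = set()
            continue
        if section == "OPTIONS":
            key, value = line.split(":", 1)
            cfg["options"][key.strip()] = value.strip()
        elif section == "IPSET":
            cfg["ipsets"][current_set].add(ipaddress.ip_network(line, strict=False))
        elif section == "RULES":
            parts = line.split()
            rule = {"dir": parts[0], "action": parts[1]}
            it = iter(parts[2:])
            for tok in it:  # e.g. "-i net0 -dest 203.0.113.10 -log nolog"
                if tok.startswith("-"):
                    rule[tok[1:]] = next(it)
            cfg["rules"].append(rule)
    return cfg


def evaluate(cfg: Dict, direction: str, src: str, dst: str, iface: str = "net0") -> str:
    """Simplified model (not the real engine): ipfilter source check on OUT only,
    then RULES in order with first match winning, then the direction's policy."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if direction == "OUT" and cfg["options"].get("ipfilter") == "1":
        allowed = cfg["ipsets"].get(f"ipfilter-{iface}", set())
        if not any(s in net for net in allowed):
            return "DROP"  # guest changed its address: outbound is cut
    for rule in cfg["rules"]:
        if rule["dir"] != direction or rule.get("i", iface) != iface:
            continue
        if "source" in rule and s not in ipaddress.ip_network(rule["source"], strict=False):
            continue
        if "dest" in rule and d not in ipaddress.ip_network(rule["dest"], strict=False):
            continue
        return rule["action"]
    # Proxmox defaults when the option is absent: policy_in DROP, policy_out ACCEPT
    return cfg["options"].get(f"policy_{direction.lower()}", "DROP" if direction == "IN" else "ACCEPT")


if __name__ == "__main__":
    VM_IP, SPOOFED_IP, REMOTE = "203.0.113.10", "203.0.113.11", "198.51.100.7"  # constructed
    weak = parse_fw(render_vm_firewall(VM_IP, pin_inbound=False))
    hard = parse_fw(render_vm_firewall(VM_IP))
    print("ipfilter only, inbound to spoofed IP:", evaluate(weak, "IN", REMOTE, SPOOFED_IP))
    print("ipfilter + IN rule, inbound to spoofed IP:", evaluate(hard, "IN", REMOTE, SPOOFED_IP))
    print(render_vm_firewall(VM_IP), end="")
    print(" ".join(static_neighbor_cmd(VM_IP, "02:00:00:aa:bb:cc")))
```

Two practical notes. The rendered file only takes effect for a NIC that has the firewall flag set on the VM's network device (firewall=1 in the net0 line of the VM config) and with the guest firewall enabled, which is what the enable option above does. The static neighbour entry protects the host's own forwarding decision for the routed subnet; two guests on the same vmbr1 still talk to each other at layer 2 without consulting the host's neighbour cache, so for guest-to-guest traffic the per-VM rules are what does the work.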
