I've read some docs about the "iptables physdev match" module, and managed to get a simple firewall working where we can do some firewalling without knowing anything about the IP addressing inside the KVM guests.
Hope someone will find this info useful
Traffic flow:
Code:
Incoming traffic:
--> [eth0] --> [vmbr0] --> [vmtab101i0] -->
    PHY IN     IN          PHY OUT
Outgoing traffic:
<-- [eth0] <-- [vmbr0] <-- [vmtab101i0] <--
    PHY OUT    OUT         PHY IN
So, this is VMID 101, with first interface (vmtab101i0) assigned to bridge vmbr0 (eth0 NIC).
Code:
# Bridged frames only traverse the FORWARD chain when br_netfilter is active:
#   sysctl -w net.bridge.bridge-nf-call-iptables=1
iptables -F FORWARD
iptables -P FORWARD DROP
# Allow all outgoing traffic from guest (tap -> bridge -> physical NIC)
iptables -A FORWARD -m physdev --physdev-in vmtab101i0 -o vmbr0 --physdev-out eth0 -j ACCEPT
# Allow replies to connections the guest opened; without this rule the DROP
# policy discards the return traffic of every outgoing connection
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -m physdev --physdev-in eth0 -i vmbr0 --physdev-out vmtab101i0 -j ACCEPT
# Allow ICMP into the guest: destination-unreachable (3), echo-request (8), time-exceeded (11)
iptables -A FORWARD -p icmp -m physdev --physdev-in eth0 -i vmbr0 --physdev-out vmtab101i0 --icmp-type 3 -j ACCEPT
iptables -A FORWARD -p icmp -m physdev --physdev-in eth0 -i vmbr0 --physdev-out vmtab101i0 --icmp-type 8 -j ACCEPT
iptables -A FORWARD -p icmp -m physdev --physdev-in eth0 -i vmbr0 --physdev-out vmtab101i0 --icmp-type 11 -j ACCEPT
# SSH into the guest
iptables -A FORWARD -p tcp --dport 22 -m physdev --physdev-in eth0 -i vmbr0 --physdev-out vmtab101i0 -j ACCEPT
One would imagine some web interface to configure the open tcp/udp ports per virtual interface.
I currently save this info into the 'Notes' field in the ProxMox web interface, and use some custom (python) scripting to create the firewall rules.
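As an added example (not the poster's own script), here is a small Python generator in the spirit of the Notes-field approach above. It assumes a hypothetical one-line policy syntax in the guest's Notes field (fw: tcp=22,80 udp=53 icmp=3,8,11), the vmtab<VMID>i<N> tap naming from the post, and vmbr0/eth0 as the default bridge and NIC; from that it emits the same per-interface physdev FORWARD rules, plus the conntrack rule that lets replies to guest-initiated connections back in.

```python
"""Generate per-guest iptables physdev rules for bridged KVM interfaces.

Added example, not the poster's script. Assumptions (not Proxmox conventions):
  - a guest's Notes field may contain a line  'fw: tcp=22,80 udp=53 icmp=3,8,11'
  - tap devices are named vmtab<VMID>i<N>, bridge vmbr0 is backed by eth0
"""
import shlex


def guest_iface(vmid: int, idx: int = 0) -> str:
    """Tap device name of guest interface <idx> of VMID <vmid> (assumed naming)."""
    return f"vmtab{vmid}i{idx}"


def parse_policy(notes: str) -> dict:
    """Parse the hypothetical 'fw:' line out of a Notes field.

    Lines not starting with 'fw:' are ignored. Unknown protocols, non-numeric
    values, and out-of-range ports/ICMP types raise ValueError so a typo in the
    Notes field never silently produces an empty (or wrong) ruleset.
    """
    policy = {"tcp": [], "udp": [], "icmp": []}
    for raw in notes.splitlines():
        line = raw.strip()
        if not line.startswith("fw:"):
            continue
        for token in line[3:].split():
            proto, _, values = token.partition("=")
            if proto not in policy:
                raise ValueError(f"unknown protocol in notes: {proto!r}")
            limit = 255 if proto == "icmp" else 65535
            for value in filter(None, values.split(",")):
                number = int(value)  # raises ValueError on junk
                if not 0 <= number <= limit:
                    raise ValueError(f"{proto} value out of range: {number}")
                policy[proto].append(number)
    return policy


def physdev_rules(vmid, policy, bridge="vmbr0", phys="eth0", idx=0):
    """Return the FORWARD rules for one guest interface as iptables argv lists.

    Directions follow the traffic-flow diagram in the post:
      inbound : --physdev-in <phys> -i <bridge> --physdev-out <tap>
      outbound: --physdev-in <tap>  -o <bridge> --physdev-out <phys>
    """
    tap = guest_iface(vmid, idx)
    inbound = ["-m", "physdev", "--physdev-in", phys, "-i", bridge, "--physdev-out", tap]
    outbound = ["-m", "physdev", "--physdev-in", tap, "-o", bridge, "--physdev-out", phys]
    rules = [
        # Replies to connections the guest opened (FORWARD policy is DROP).
        ["-A", "FORWARD", *inbound, "-m", "conntrack",
         "--ctstate", "ESTABLISHED,RELATED", "-j", "ACCEPT"],
        # Everything the guest sends out.
        ["-A", "FORWARD", *outbound, "-j", "ACCEPT"],
    ]
    for icmp_type in policy.get("icmp", []):
        rules.append(["-A", "FORWARD", "-p", "icmp", "--icmp-type", str(icmp_type),
                      *inbound, "-j", "ACCEPT"])
    for proto in ("tcp", "udp"):
        for port in sorted(set(policy.get(proto, []))):
            rules.append(["-A", "FORWARD", "-p", proto, "--dport", str(port),
                          *inbound, "-j", "ACCEPT"])
    return rules


def render_script(guests, bridge="vmbr0", phys="eth0"):
    """Build the full shell script: flush, default DROP, then one block per guest.

    `guests` maps VMID -> Notes text. shlex.join quotes every argument, so the
    Notes content can never inject extra shell words into the generated script.
    """
    lines = ["iptables -F FORWARD", "iptables -P FORWARD DROP"]
    for vmid, notes in sorted(guests.items()):
        lines.append(f"# VMID {vmid}")
        for rule in physdev_rules(vmid, parse_policy(notes), bridge, phys):
            lines.append("iptables " + shlex.join(rule))
    return lines


if __name__ == "__main__":
    # Constructed sample Notes contents for two guests.
    sample_guests = {
        101: "web server\nfw: tcp=22,80 udp=53 icmp=3,8,11\n",
        102: "fw: tcp=22 icmp=8",
    }
    print("\n".join(render_script(sample_guests)))
```

Running the module prints a script that can be reviewed before it is applied with iptables on the host; every rule carries both --physdev-in and --physdev-out, so it only ever matches frames crossing that one tap device.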