Re: [CentOS-virt] Network isolation for KVM guests
On Fri, Mar 31, 2017 at 05:06:53PM +0200, Sven Kieske wrote:
> On 31/03/17 15:55, C. L. Martinez wrote:
> > I need to attach two physical interfaces to a guest and these phy
> > interfaces have IPs and routes assigned and I need to get them off the main
> > routing table.
>
> I do not understand this.
>
> You can attach a physical (or virtual, doesn't matter) interface to any
> given vm, without assigning routes or IPs to these interfaces directly.

No, I can't, because this host doesn't support PCI passthrough. One of these interfaces is a wireless NIC.

> Just do the network configuration inside the vm, and the routing, well
> on your router? You will just need the route for the vm networks on your
> host, but what is your attack scenario to keep this separated from other
> routes on this host? You need at least CAP_NET_ADMIN to fiddle with those.

How? If the same host routes Internet traffic in the main routing table, I expose the host's services to the Internet.

--
Greetings,
C. L. Martinez

___
CentOS-virt mailing list
CentOS-virt@centos.org
https://lists.centos.org/mailman/listinfo/centos-virt
Re: [CentOS-virt] 2.6.0-28.el7_3.6.1 e1000 problem
Adding Paolo and Miroslav.

On 30/Mar/2017 08:57, "Dmitry Melekhov" wrote:
> 30.03.2017 10:52, Dmitry Melekhov wrote:
>> Hello!
>>
>> We tried to move a Windows 2003 VM with the e1000 driver from CentOS 7 which
>> runs qemu-kvm-0.12.1.2-2.491.el6_8.7.x86_64
>> to CentOS 7 with qemu-kvm-ev-2.6.0-28.el7_3.6.1.x86_64 and we got
>> problems: TCP sessions, namely SMB connections, randomly drop.
>>
>> We didn't test previous qemu-rhev with this VM, so we don't know how it
>> works in them.
>>
>> Could you tell me whether this is a known problem? Any workaround except switching
>> to virtio?
>>
>> Thank you!
>
> Sorry, the previous host system was CentOS 6 with the default qemu...
Re: [CentOS-virt] Network isolation for KVM guests
On 31/03/17 15:55, C. L. Martinez wrote:
> I need to attach two physical interfaces to a guest and these phy interfaces
> have IPs and routes assigned and I need to get them off the main routing table.

I do not understand this.

You can attach a physical (or virtual, doesn't matter) interface to any
given vm, without assigning routes or IPs to these interfaces directly.

Just do the network configuration inside the vm, and the routing, well
on your router? You will just need the route for the vm networks on your
host, but what is your attack scenario to keep this separated from other
routes on this host? You need at least CAP_NET_ADMIN to fiddle with those.

--
Kind regards / Regards

Sven Kieske

Systemadministrator
Mittwald CM Service GmbH & Co. KG
Königsberger Straße 6
32339 Espelkamp
T: +495772 293100
F: +495772 29
https://www.mittwald.de
Managing Director: Robert Meyer
Tax No.: 331/5721/1033, VAT ID: DE814773217, HRA 6640, Local Court Bad Oeynhausen
General partner: Robert Meyer Verwaltungs GmbH, HRB 13260, Local Court Bad Oeynhausen
Re: [CentOS-virt] Network isolation for KVM guests
On Fri, Mar 31, 2017 at 06:14:22AM -0400, Dima (Dan) Yasny wrote:
> On Fri, Mar 31, 2017 at 5:56 AM, C. L. Martinez wrote:
>
> > On Thu, Mar 30, 2017 at 06:15:28PM +0100, Nux! wrote:
> > > Use libvirt with mac/ip spoofing enabled.
> > >
> > > https://libvirt.org/formatnwfilter.html
> > >
> > > https://libvirt.org/firewall.html
> > >
> > > --
> > > Sent from the Delta quadrant using Borg technology!
> > >
> > Thanks Nux and Kristian, but I don't see if these solutions will be really
> > effective in my environment. Let me explain. In this host I have three
> > physical interfaces: eth0, eth1 and wlan0.
> >
> > eth0 is connected to my internal network. eth1 is connected to a public
> > router and wlan0 is connected to another public router. wlan0 and eth1 are
> > bonded to provide failover Internet connections. The CPU doesn't support PCI
> > passthrough (PCI passthrough would solve my problems).
> >
>
> If assigning a NIC directly to a VM would solve the problem, you could try
> using macvtap instead of PCI passthrough
>

Oops .. bad luck (according to https://access.redhat.com/solutions/1978833):

Do bridge/macvtap interfaces work on wireless interfaces in RHEL?
SOLUTION VERIFIED - Updated October 2 2015 at 6:23 PM - English

Environment
Red Hat Enterprise Linux 5
Red Hat Enterprise Linux 6
Red Hat Enterprise Linux 7

Issue
If a bridge/macvtap interface is created using a wireless adapter, it fails to communicate. However, the wired physical ethernet card works without an issue.

Resolution
Communication over an interface that's bridged with a wireless interface (Wi-Fi) won't work because most Access Points (APs) won't accept frames that have a source address that is not authenticated with the AP. The same holds true with APs that allow open authentication (without password). Bridging can be done only with physical ethernet controllers.

--
Greetings,
C. L. Martinez
Re: [CentOS-virt] Network isolation for KVM guests
On Fri, Mar 31, 2017 at 5:56 AM, C. L. Martinez wrote:
> On Thu, Mar 30, 2017 at 06:15:28PM +0100, Nux! wrote:
> > Use libvirt with mac/ip spoofing enabled.
> >
> > https://libvirt.org/formatnwfilter.html
> >
> > https://libvirt.org/firewall.html
> >
> > --
> > Sent from the Delta quadrant using Borg technology!
> >
> Thanks Nux and Kristian, but I don't see if these solutions will be really
> effective in my environment. Let me explain. In this host I have three
> physical interfaces: eth0, eth1 and wlan0.
>
> eth0 is connected to my internal network. eth1 is connected to a public
> router and wlan0 is connected to another public router. wlan0 and eth1 are
> bonded to provide failover Internet connections. The CPU doesn't support PCI
> passthrough (PCI passthrough would solve my problems).
>

If assigning a NIC directly to a VM would solve the problem, you could try using macvtap instead of PCI passthrough

>
> I need to deploy a fw vm to control traffic between internal and external
> interfaces. In BSD systems you can segregate all IP addresses and route
> tables from the principal routing table. It is the same effect that I would
> like to implement in this host.
>
> And I don't see how to implement this using CentOS (or another Linux distro).
>
> --
> Greetings,
> C. L. Martinez
Re: [CentOS-virt] Network isolation for KVM guests
Hi,

I don't see why this should not work with the given solutions. But I'm relatively new to KVM / libvirt.

Alternative: Personally I use Shorewall (Shoreline FW) and bridge setups (also works with a bonding interface). This way you can create zones, interfaces, addresses, forwarding rules etc. and give per-VM permission to, let's say, only use a certain IP, only access certain parts of the network, talk to a certain limited list of IPs etc. I cannot imagine you can't create what you want with Shorewall. It looks complicated, but actually is very intuitive if you give it some time and effort.

Please feel free to provide a better description of what you want to accomplish. Maybe I misunderstand what you want to achieve.

--
Kind regards,

Richard Landsman
http://rimote.nl

T: +31 (0)50 - 763 04 07 (Mon-Fri 9:00 to 18:00)
24/7 for outages: +31 (0)6 - 4388 7949
@RimoteSaS (Twitter service notices/security updates)

On 03/31/2017 11:56 AM, C. L. Martinez wrote:
> On Thu, Mar 30, 2017 at 06:15:28PM +0100, Nux! wrote:
> > Use libvirt with mac/ip spoofing enabled.
> >
> > https://libvirt.org/formatnwfilter.html
> >
> > https://libvirt.org/firewall.html
> >
> > --
> > Sent from the Delta quadrant using Borg technology!
> >
> Thanks Nux and Kristian, but I don't see if these solutions will be really
> effective in my environment. Let me explain. In this host I have three
> physical interfaces: eth0, eth1 and wlan0.
>
> eth0 is connected to my internal network. eth1 is connected to a public
> router and wlan0 is connected to another public router. wlan0 and eth1 are
> bonded to provide failover Internet connections. The CPU doesn't support PCI
> passthrough (PCI passthrough would solve my problems).
>
> I need to deploy a fw vm to control traffic between internal and external
> interfaces. In BSD systems you can segregate all IP addresses and route
> tables from the principal routing table. It is the same effect that I would
> like to implement in this host.
>
> And I don't see how to implement this using CentOS (or another Linux distro).
Re: [CentOS-virt] Network isolation for KVM guests
On Thu, Mar 30, 2017 at 06:15:28PM +0100, Nux! wrote:
> Use libvirt with mac/ip spoofing enabled.
>
> https://libvirt.org/formatnwfilter.html
>
> https://libvirt.org/firewall.html
>
> --
> Sent from the Delta quadrant using Borg technology!
>

Thanks Nux and Kristian, but I don't see if these solutions will be really effective in my environment. Let me explain. In this host I have three physical interfaces: eth0, eth1 and wlan0.

eth0 is connected to my internal network. eth1 is connected to a public router and wlan0 is connected to another public router. wlan0 and eth1 are bonded to provide failover Internet connections. The CPU doesn't support PCI passthrough (PCI passthrough would solve my problems).

I need to deploy a fw vm to control traffic between internal and external interfaces. In BSD systems you can segregate all IP addresses and route tables from the principal routing table. It is the same effect that I would like to implement in this host.

And I don't see how to implement this using CentOS (or another Linux distro).

--
Greetings,
C. L. Martinez
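The exposure C. L. Martinez is worried about is concrete and checkable: if the uplink's address and default route live in the host's main routing table, every service the host listens on is reachable from that uplink. The script below is an added example written for this page, not code from the thread, from CentOS or from libvirt. It parses the one-line-per-entry output of `ip -o -4 addr show` and `ip -4 route show table main` (a constructed sample is embedded, with made-up addresses and the interface names from the thread, and a helper runs the same audit against the live host) and reports on which external interfaces the host itself holds an address or route. The `macvtap_interface_xml` helper is my rendering of Dan Yasny's macvtap suggestion as a libvirt `<interface>` fragment; it applies to the wired NIC only, since the Red Hat KB quoted above says bridging or macvtap on a wireless adapter does not work.

```python
import re
import subprocess

# Constructed sample output (not captured from the poster's host), shaped like
# `ip -o -4 addr show` and `ip -4 route show table main` on a host where eth1
# and wlan0 are bonded as bond0 towards the public routers and eth0 is internal.
SAMPLE_ADDR = (
    "1: lo    inet 127.0.0.1/8 scope host lo\\       valid_lft forever preferred_lft forever\n"
    "2: eth0    inet 192.168.10.5/24 brd 192.168.10.255 scope global eth0\\       valid_lft forever preferred_lft forever\n"
    "5: bond0    inet 203.0.113.20/24 brd 203.0.113.255 scope global bond0\\       valid_lft forever preferred_lft forever\n"
)
SAMPLE_ROUTES = (
    "default via 203.0.113.1 dev bond0 proto static metric 100\n"
    "192.168.10.0/24 dev eth0 proto kernel scope link src 192.168.10.5\n"
    "203.0.113.0/24 dev bond0 proto kernel scope link src 203.0.113.20\n"
)

# `ip -o` prints one address per line: "<idx>: <dev>    inet <addr/prefix> ..."
ADDR_RE = re.compile(r"^\d+:\s+(\S+)\s+inet\s+(\S+)")


def parse_addrs(text):
    """Map interface name -> list of IPv4 addresses (CIDR) from `ip -o -4 addr show`."""
    addrs = {}
    for line in text.splitlines():
        m = ADDR_RE.match(line)
        if m:
            addrs.setdefault(m.group(1), []).append(m.group(2))
    return addrs


def parse_routes(text):
    """Parse `ip -4 route show table main` lines into dicts with dst/dev/via."""
    routes = []
    for line in text.splitlines():
        tok = line.split()
        if not tok:
            continue
        route = {"dst": tok[0], "dev": None, "via": None}
        for i, t in enumerate(tok[:-1]):       # keyword is always followed by its value
            if t == "dev":
                route["dev"] = tok[i + 1]
            elif t == "via":
                route["via"] = tok[i + 1]
        routes.append(route)
    return routes


def audit(addr_text, route_text, external):
    """For each external (uplink) interface, list the host's own addresses on it
    and the main-table routes that point out of it."""
    addrs = parse_addrs(addr_text)
    routes = parse_routes(route_text)
    report = {}
    for dev in external:
        dev_routes = [r for r in routes if r["dev"] == dev]
        report[dev] = {
            "addresses": addrs.get(dev, []),
            "routes": [r["dst"] for r in dev_routes],
            "default_route": any(r["dst"] == "default" for r in dev_routes),
        }
    return report


def exposed_interfaces(report):
    """External interfaces on which the host itself has an L3 presence, i.e.
    where host services are reachable from the outside. Bond members (eth1,
    wlan0) carry no address of their own; the bond master is what shows up."""
    return sorted(dev for dev, r in report.items() if r["addresses"] or r["routes"])


def live_audit(external):
    """Run the same audit against the running host (needs iproute2; root not required)."""
    addr = subprocess.run(["ip", "-o", "-4", "addr", "show"],
                          capture_output=True, text=True, check=True).stdout
    routes = subprocess.run(["ip", "-4", "route", "show", "table", "main"],
                            capture_output=True, text=True, check=True).stdout
    return audit(addr, routes, external)


def macvtap_interface_xml(dev, model="virtio"):
    """libvirt <interface> fragment attaching the guest straight to `dev` via
    macvtap in bridge mode (Dan Yasny's suggestion). The host then keeps no
    address or route on `dev`, and in bridge mode macvtap does not pass frames
    between the host and the guest, which is what a firewall VM wants.
    Wired NICs only: the Red Hat KB quoted in the thread says this fails on Wi-Fi."""
    return (
        "<interface type='direct'>\n"
        f"  <source dev='{dev}' mode='bridge'/>\n"
        f"  <model type='{model}'/>\n"
        "</interface>\n"
    )


if __name__ == "__main__":
    report = audit(SAMPLE_ADDR, SAMPLE_ROUTES, ["bond0", "eth1", "wlan0"])
    for dev, entry in report.items():
        print(dev, entry)
    print("host has an L3 presence on:", exposed_interfaces(report))
    print(macvtap_interface_xml("eth1"))
```

Run it as-is to see the audit over the constructed sample; call `live_audit(["bond0", "eth1", "wlan0"])` on a real host to check the actual main table. An empty result from `exposed_interfaces` is the state the thread is after: the uplink is handed to the guest and the host's main table carries no address or route for it.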