[5 USD Bounty] Avoiding IP Stealing in Proxmox (KVM/LXC)
Suppose I have a small /27 subnet and for example 10 VPS servers.
1.1.1.1 is assigned to VM1
1.1.1.2 is assigned to VM2
and so on all the way to VM 10
Now let's assume that VM8 (1.1.1.8) is offline.
Now, how would I ensure that if VM2 user changes his server IP manually from 1.1.1.2 to 1.1.1.8, he wouldn't get any connection or routing unless he changes it back to 1.1.1.2?
I have heard that I would need to set up ARP filtering, but there are no guides for that.
I have also heard that other way would be using ebtables or something like this:
All that's necessary is to add the following rule to each virtual machine's firewall settings in Proxmox (see /etc/pve/firewall/.fw files) and it works with IPv4 and IPv6:
[IPSET ipfilter-net0]
1.2.3.4
2f1:2:3:4::1
And final method that I have heard that I would need to bind IP to VM MAC somehow.
What is the easiest and best-performing way to do this, given these VMs are on a 10G port?
I would love to follow an easy guide or something like that.
Comments
Ofc I'd pay multiple times more if someone reputable helped me setup this directly. xD
What exactly do you not understand from:
[IPSET ipfilter-net0]
1.2.3.4
2f1:2:3:4::1
?
Go look in /etc/pve/firewall/.fw and add per above. As far as I understood, that limits the IP to the MAC.
I tried that and didn't even have such a folder as /etc/pve/firewall/
But worry not, during these 10 minutes I managed to fuck up the entire server so hard that everything above just became useless.
I did the only thing that everyone on the internet and the Proxmox forums seemingly warns you NOT to do.
I fucking enabled the datacenter firewall from web-gui and lost all access to the dedicated server and all VPSs. Now I need to wait for IPMI lol.
Well, at least you now know that you didn't have the firewall enabled before. And yes, the IPSET feature is exactly what you are looking for, and it only works with the Proxmox firewall enabled in the first place.
Stop messing with production servers directly...?
It's a new deployment of my personal node which I share with a couple of people.
So not losing any millions here xD
Fixed via idrac. Uhh..
In case anyone else gets the same:
pve-firewall stop
Go to proxmox web gui and disable the datacenter firewall
sudo reboot
Sooooooooooooooooo,
anyone get the bounty ?
No as there was no new suggestions.
I'll probably end up doing:
ebtables -A FORWARD -p IPv4 --ip-src 172.16.1.4 -s ! 00:11:22:33:44:55 -j DROP
ebtables -A FORWARD -p IPv4 --ip-src 172.16.1.5 -s ! 00:11:22:33:44:65 -j DROP
etc.. as described here: https://ebtables.netfilter.org/examples/basic.html#ex_anti-spoof
static arp entries for the ips and macs you want to protect:
arp -s "$vm_ip_allowed" "$vm_mac_allowed"
and to stop vm's from mac spoofing use ebtables:
ebtables -A FORWARD -i "$vm_tap_if" ! -s "$vm_mac_address" -j DROP
This is not a complete solution but you can use this as a basis for something more complex and comprehensive.
Honestly though, if you want to do this in a way that will always "just work" with the least amount of hassle, then you will want to put each VM on a unique bridge device with a unique /30 RFC 1918 IP for the guest and the host, and then just set up a static route on the host for the real public IPv4 address. Host configured as a Linux router. Each guest is in its own private layer 2 network.
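The ebtables and static-ARP approach sketched in the last few posts, written out as a small generator script. This is an added example, not code from the thread or from the ebtables documentation it links. It goes one step beyond the posted one-liners: each VM's tap interface is pinned to its MAC, the IP/MAC binding is enforced in both directions for IPv4 and also for ARP (a plain `-p IPv4` rule never sees ARP frames, so a guest could still announce a spoofed sender address), and a host-side static ARP entry is emitted. The tap names, MACs and addresses are constructed sample values; the script only prints the commands unless run as root with `--apply`.

```shell
#!/bin/sh
# Added example: emit ebtables/arp anti-spoof rules for a table of bridged VMs.
# Not from the thread. Sample VM table below is constructed:
#   <tap interface on the bridge> <MAC of the VM> <IPv4 address or CIDR>
VM_TABLE='tap100i0 52:54:00:aa:bb:01 203.0.113.1
tap101i0 52:54:00:aa:bb:02 203.0.113.2
tap103i0 52:54:00:aa:bb:03 203.0.113.3'

# Rules for one VM. Every rule is a DROP and ebtables stops at the first
# match, so the set behaves as "drop unless tap, MAC and IP all agree".
antispoof_rules() {  # args: tap mac ip[/prefix]
    tap=$1 mac=$2 ip=$3
    # 1. Frames entering the bridge from this tap must carry this VM's MAC
    #    (a guest that changes its MAC gets nothing forwarded).
    printf 'ebtables -A FORWARD -i %s ! -s %s -j DROP\n' "$tap" "$mac"
    # 2. IPv4: the address may only be sourced by this MAC, and this MAC may
    #    only source this address (the two rules from the thread).
    printf 'ebtables -A FORWARD -p IPv4 --ip-src %s ! -s %s -j DROP\n' "$ip" "$mac"
    printf 'ebtables -A FORWARD -p IPv4 -s %s ! --ip-src %s -j DROP\n' "$mac" "$ip"
    # 3. ARP: same binding on the ARP sender address, otherwise a guest can
    #    still poison neighbours' ARP caches with a spoofed sender IP.
    printf 'ebtables -A FORWARD -p ARP --arp-ip-src %s ! -s %s -j DROP\n' "$ip" "$mac"
    printf 'ebtables -A FORWARD -p ARP -s %s ! --arp-ip-src %s -j DROP\n' "$mac" "$ip"
    # 4. Static ARP entry so the host's own table cannot be poisoned either.
    #    Only meaningful for a single address, so skipped for a CIDR.
    case $ip in
        */*) ;;
        *)   printf 'arp -s %s %s\n' "$ip" "$mac" ;;
    esac
}

# Rules for every VM in the table; blank lines are ignored.
render_all() {
    printf '%s\n' "$VM_TABLE" | while read -r tap mac ip; do
        if [ -n "$tap" ]; then
            antispoof_rules "$tap" "$mac" "$ip"
        fi
    done
}

if [ "${1:-}" = "--apply" ]; then
    render_all | sh -e      # apply on the Proxmox host (needs root)
else
    render_all              # dry run: review the commands first
fi
```

Two things to keep in mind when applying it: the FORWARD chain only sees frames the bridge forwards to another port, so frames addressed to the host itself traverse ebtables INPUT and would need the same rules there; and these rules cover IPv4 and ARP only, so guests with IPv6 addresses need the equivalent `-p IPv6 --ip6-src` pair as well.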
Well, you can spoof the mac address inside a VM as far as I know.
So limiting the IP to a specific mac address won't fix it fully.
You would need to limit that on the specific VM adapter.
You'll need to use IPSets + ebtables, and Proxmox has MAC address change protection as an option.
you could always go for a routed setup and create an individual bridge per IP and VM. done.
No drama?
Hello sir, when are you planning to make a provider tag request?
Where is he offering services here?
Probably never? I'm a free evangelist.. If I'm gonna offer something here, it will be free so no need for a tag.
And this was a question for my internal test server. Don't always assume that someone is attempting to setup some kiddie host up after a simple question.. Idiot.
Besides with only this much knowledge about hypervisors it'd be a fucking disaster for any customer. I'd rather never get into that.
Edit: I found someone to show me how to do it in simple way.
Can you share? I am curious xD
@lentro something like this is probably the quickest way:
though you might want to check which chain to use. instead of forward it could also go into nat/prerouting...
other than that, individual bridges as said are quite fail-safe and still considerably easy as well ;-)
ebtables -A FORWARD -p IPv4 --ip-src xxx.xxx.xxx.123 -s ! EE:F4:C9:41:22:XX -j DROP
ebtables -A FORWARD -p IPv4 -s EE:F4:C9:41:22:XX ! --ip-src xxx.xxx.xxx.123 -j DROP
this is what I came up with myself..
First one ensures that "Drop traffic if certain IP is not coming from certain MAC".
Second one ensures that "Drop traffic if certain MAC is not using the selected IP"
Simply repeat for every single VPS by changing the IP and MAC accordingly.
Apparently this is not quite the correct way, but it works so far, and I'm getting advice from another person to make it more sane. When I'm done with that solution I'll post it here for other people who might search for it on Google.
If you're pushing someone asking for help to get a provider tag, you're doing it wrong.
It's fine to enable datacenter firewall from the proxmox web-ui, but first you need to put in some allow rules so when the firewall comes up it doesn't lock you out.
That's literally what I meant with that sentence :P There's no indication that the default policy is drop, so turning on the firewall is something everyone warns you about.
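The Proxmox-firewall route that the early replies recommend (the `[IPSET ipfilter-net0]` set) and the lockout described in the last two posts are two halves of the same setup, so here is one added example that renders both files; it is not code from the thread or from the Proxmox project. The datacenter `cluster.fw` fills the standard `management` IPSet and adds explicit accepts for SSH and the web UI before `enable: 1`, which is what keeps the default DROP input policy from cutting off the admin. The per-VM `<VMID>.fw` enables the VM firewall, sets `ipfilter: 1` and lists every address the guest may source on `net0`. The ipfilter set only takes effect when the NIC itself carries `firewall=1` in the VM config, so a small check for that flag is included. The VM ID, MACs, addresses and the admin prefix are constructed sample values.

```shell
#!/bin/sh
# Added example, not from the thread or the Proxmox project: render the
# cluster-wide and per-VM firewall files for the IPSET-based anti-spoofing
# setup. All addresses, MACs and VM IDs below are constructed samples.
PVE_FW_DIR="${PVE_FW_DIR:-/etc/pve/firewall}"

# cluster.fw: populate the standard "management" IPSet and accept SSH and the
# web UI from it before enabling, so the default DROP policy for incoming
# traffic cannot lock the admin out.
render_cluster_fw() {  # args: one or more admin source prefixes
    printf '[OPTIONS]\nenable: 1\n\n[IPSET management]\n'
    for src in "$@"; do
        printf '%s\n' "$src"
    done
    printf '\n[RULES]\n'
    printf 'IN ACCEPT -source +management -p tcp -dport 22\n'
    printf 'IN ACCEPT -source +management -p tcp -dport 8006\n'
}

# <VMID>.fw: enable the VM firewall, turn on ipfilter and list every address
# the guest may use as a source on the given NIC (IPv4 and IPv6 share a set).
render_vm_fw() {  # args: netid ip...
    netid=$1
    shift
    printf '[OPTIONS]\nenable: 1\nipfilter: 1\n\n[IPSET ipfilter-%s]\n' "$netid"
    for ip in "$@"; do
        printf '%s\n' "$ip"
    done
}

# The ipfilter set only bites when the NIC has firewall=1 in the VM config.
# Takes the config text (not a path) so it can be checked on any host.
nic_firewall_enabled() {  # args: config-text netid ; returns 0 if enabled
    printf '%s\n' "$1" | grep -E "^$2:" | grep -Eq '(^|,)firewall=1(,|$)'
}

# Constructed sample of what /etc/pve/qemu-server/100.conf might contain:
# net0 has the firewall flag, net1 does not.
SAMPLE_CONF='net0: virtio=52:54:00:aa:bb:01,bridge=vmbr0,firewall=1
net1: virtio=52:54:00:aa:bb:02,bridge=vmbr1'

echo "# $PVE_FW_DIR/cluster.fw"
render_cluster_fw 198.51.100.0/24
if nic_firewall_enabled "$SAMPLE_CONF" net0; then
    echo "# $PVE_FW_DIR/100.fw"
    render_vm_fw net0 203.0.113.2 2001:db8::2
else
    echo "# net0 of VM 100 has no firewall=1 flag; ipfilter-net0 would be ignored"
fi
```

Write `cluster.fw` and verify you can still reach port 8006 from an address inside the `management` set before ticking the datacenter firewall on in the GUI; the per-VM file only filters once both the datacenter and the VM firewall are enabled, which is the point the reply at the top of the thread makes.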