Blocking network access to abusive KVM guests
How do you usually handle cases where you need to block network access to a specific KVM guest if for example he's sending out spam? (provided you don't have access to networking equipment, but only to your node)
I used to do it with iptables (see below), but with IP Stealing & ARP Attack functionality still not working on SolusVM v1.13.00 and CentOS 6, there's always the change a malicious user finds a free IP, statically configures it and continues his activity.
iptables -A INPUT -s ip_address -j DROP iptables -A FORWARD -s ip_address -j DROP
The next solution was to detach the network interface of his KVM guest via virsh
# virsh detach-interface --domain kvm1xx --type bridge --mac xx:xx:xx:xx:xx:xx
Now he can try all the IPs in the world, he's not getting his traffic out.
A problem I faced with this method was that I couldn't reattach the network interface (ie when the user has logged into his VPS through VNC, cleaned it and wanted to get reconnected).
# virsh attach-interface --domain kvm1xx --type bridge --mac xx:xx:xx:xx:xx:xx --source br0 error: Failed to attach interface error: internal error unable to execute QEMU command 'device_add': Duplicate ID 'net0' for device
Another thing is if the user clicks the Reboot button from within SolusVM, the network interface get recreated and he's back to business.
So what's your way of temporary blocking network access to KVM guests?