Stopping a VM from connecting out (QEMU-KVM)

Hey all,

I am looking to create a forensically sane environment for a VM, in which the host and guest systems can communicate with each other, but the VM cannot communicate outwith the host machine.

The host machine requires connectivity so pulling the cable is out :P

Does anyone know of a config/function within KVM or libvirtd which can do this? I am aware of isolated mode; however, that will stop the host and guest communicating.

I suppose I could always add a drop string to the OUT chain in iptables; however, I was looking for a more robust solution.

Thanks!
 
Create a port group and assign it a VLAN that your physical switch doesn't forward. We do this at work if we're building an AD lab environment to make sure it can't contact our "live" Active Directory.
 
Probably best if you just read up a bit on VLANs and how to set them up on your switch hardware.

In simple terms you set up a VLAN and allow the VMs to only use this VLAN in communication, but do not allow this VLAN traffic access to the "outside".

As long as your physical switch can be managed and VLAN tagging set up then assigning a VLAN on the virtual machine network settings is easy and in the VMware documentation.
 
Not using VMware though. Using KVM.

Ideally connectivity would go like this:

Internet <<>> Local Network <<>> Host Machine !<<>> Guest VM

So the host can interact with the VM, however the VM cannot escape the scope of the host.

I've been looking at namespaces, however I'm not too sure how to implement them.
 
Are you looking for namespace separation or network security? If the latter, you need something at the physical level like VLANs or separate networks.

Seems like it's easy enough with KVM: instead of using it to isolate hosts, add networks to the physical host, using one for outside communication and one for VMs.

http://pic.dhe.ibm.com/infocenter/lnxinfo/v3r0m0/index.jsp?topic=/liaat/liaatkvmsecconfvlans.htm
http://pic.dhe.ibm.com/infocenter/lnxinfo/v3r0m0/index.jsp?topic=/liaat/liaatsecvlanover.htm
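Worked example of the "separate network for the VMs" approach from this reply, using libvirt's own isolated network mode plus host firewall rules as belt and braces. This is an added example, not code from the thread or from any of the posters. A libvirt network with no `<forward>` element is what libvirt calls an isolated network: guests on it can reach each other and the host (at the bridge address), but the host neither routes nor NATs them anywhere, which is exactly the `Host !<<>> Guest` picture drawn above. The network name (`labnet`), bridge name (`virbr9`) and subnet (`10.99.0.0/24`) are assumptions; change them to suit.

```shell
#!/bin/sh
# Added example, not from the thread. Defines a libvirt network with no
# <forward> element (libvirt "isolated" mode: guests reach the host's bridge
# address and each other; the host neither routes nor NATs them), then pins
# that with iptables FORWARD rules so a flushed or rewritten firewall cannot
# quietly reopen the path. Network name, bridge and subnet are assumptions.
set -u

NET_NAME="${NET_NAME:-labnet}"
BRIDGE="${BRIDGE:-virbr9}"
HOST_IP="${HOST_IP:-10.99.0.1}"   # address the host answers on for the guests
NETMASK="255.255.255.0"
DHCP_START="10.99.0.100"
DHCP_END="10.99.0.200"

# Libvirt network definition. The absence of <forward> is the whole point:
# with <forward mode="nat"/> or <forward mode="route"/> libvirt would give
# the bridge a path to the outside.
isolated_net_xml() {
  cat <<EOF
<network>
  <name>${NET_NAME}</name>
  <bridge name="${BRIDGE}" stp="on" delay="0"/>
  <ip address="${HOST_IP}" netmask="${NETMASK}">
    <dhcp>
      <range start="${DHCP_START}" end="${DHCP_END}"/>
    </dhcp>
  </ip>
</network>
EOF
}

# Host firewall belt-and-braces. Guest<->host traffic terminates on the host
# (INPUT/OUTPUT chains), so only FORWARD needs closing. Each rule is inserted
# at position 1, so emitting them in reverse gives the final order:
#   1. allow guest<->guest on the bridge (only hits FORWARD when br_netfilter
#      is loaded; harmless otherwise)
#   2. drop anything leaving the host towards the bridge
#   3. drop anything entering the host from the bridge bound elsewhere
isolation_rules() {
  cat <<EOF
iptables -I FORWARD 1 -i ${BRIDGE} -j DROP
iptables -I FORWARD 1 -o ${BRIDGE} -j DROP
iptables -I FORWARD 1 -i ${BRIDGE} -o ${BRIDGE} -j ACCEPT
EOF
}

# Define, autostart and start the network, then apply the rules (needs root).
apply() {
  tmp=$(mktemp)
  isolated_net_xml > "$tmp"
  virsh net-define "$tmp"
  virsh net-autostart "${NET_NAME}"
  virsh net-start "${NET_NAME}"
  isolation_rules | sh -e
  rm -f "$tmp"
}

# Show what libvirt defined and what the host firewall enforces for the bridge.
show() {
  virsh net-dumpxml "${NET_NAME}"
  iptables -S FORWARD | grep -- "${BRIDGE}"
}

case "${1:-}" in
  apply) apply ;;
  show)  show ;;
  *)     isolated_net_xml; echo; isolation_rules ;;
esac
```

Run it with no arguments to review the XML and rules it would apply, `apply` (as root) to define the network and install the rules, and `show` to confirm. Attach the guest's NIC to the `labnet` network in the domain XML, and give the host's real NIC its normal uplink as before; the guest can then talk to the host at 10.99.0.1 and nothing else. Note what this does not cover: a guest with its own VLAN-tagged or PCI-passthrough NIC, SPICE/VNC clipboard and folder sharing, and USB redirection all sidestep the bridge entirely, so keep those off in a forensic build.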
 