
List:       netfilter
Subject:    Re: Implications of a permissive FORWARD chain
From:       Neal Murphy <neal.p.murphy () alum ! wpi ! edu>
Date:       2014-02-19 18:12:13
Message-ID: 201402191312.13229.neal.p.murphy () alum ! wpi ! edu

On Wednesday, February 19, 2014 09:38:46 AM Mark Fox wrote:
> That I understand. In my situation, I have a containerization host that
> runs several containers. The host can do some sanitization of the traffic
> coming from the network, but only so far before it forces creators of new
> containers to add new rules.
> 
> > If you're talking about VMs on a single Linux host talking through a
> > bridge (virtual LAN) on that Linux host, then you can probably use
> > ebtables to control the bridge because, again, the Linux host will not
> > see IP traffic between VMs.
> 
> That was my expectation, but I'm no longer sure that it is the case. I
> haven't checked on whether the host sees communication between the
> containers specifically, but my guess at this point is that it does. I'm
> quite sure that disabling all forwarding completely cuts off the containers
> from the rest of the LAN.

Containers *are* a different beast.
> 
> My understanding was that a bridge was a layer 2 device and netfilter would
> be completely out of the loop on traffic travelling across the bridge. So I
> disabled all forwarding on the container host, but was surprised when that
> cut the containers off.

Depends. Reasonably modern systems have the ebtables pkg available; it is the 
layer 2 version of iptables. Since the host creates and operates the virtual 
bridge and tap devices, it handles all traffic passing to and from containers; 
but I would've expected it to work at layer 2, where bridging normally 
happens. Said differently, I would expect a Linux virtual bridge to behave the 
same as a physical bridge (switch) in that each port's traffic is not visible 
to nodes on another port.

Logically at layer 2, you would:
  - allow all traffic to and from the host's IF (the bridge)
  - allow all traffic to and from the physical NIC(s)
  - block all other traffic (which should include only VM-to-VM traffic)

I've never worked at layer 2 and don't know the nuances; I'm only aware it can 
be done. You've probably just reached the limit of my knowledge.
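The three-bullet layer-2 policy in the message above, rendered as ebtables rules. This is an added example written for this page, not code from either poster; the interface names br0 and eth0 are assumptions (override them with BRIDGE= and PHYS_NICS=). It is a dry run by default and only prints the commands; setting APPLY=1 executes them, which needs root and the ebtables package. The last function is a check for the br_netfilter sysctl that hands bridged IPv4 frames to iptables as well, which is one reason a host can end up seeing traffic that "should" stay at layer 2.

```shell
#!/bin/sh
# Added example, not code from the thread: render the layer-2 policy above as
# ebtables rules for the bridge FORWARD chain. br0/eth0 are assumed names.
# Dry run by default (commands are printed); APPLY=1 runs them (root required).

BRIDGE="${BRIDGE:-br0}"           # assumed name of the host's bridge interface
PHYS_NICS="${PHYS_NICS:-eth0}"    # assumed physical uplink port(s), space-separated

# emit_rule: print one ebtables command; execute it only when APPLY=1.
emit_rule() {
    printf 'ebtables %s\n' "$*"
    if [ "${APPLY:-0}" = "1" ]; then
        ebtables "$@"
    fi
}

# bridge_l2_policy: frames bridged between ports traverse the ebtables FORWARD
# chain (once per output port, so flooded broadcasts are filtered per port).
# Frames to or from the host's own address on the bridge go through INPUT and
# OUTPUT instead, whose default policy stays ACCEPT: that is bullet one.
# Accepting anything entering or leaving a physical NIC is bullet two; the DROP
# policy then catches only frames between two VM/container ports: bullet three.
bridge_l2_policy() {
    emit_rule -t filter -F FORWARD
    emit_rule -t filter -P FORWARD DROP
    for nic in $PHYS_NICS; do
        emit_rule -t filter -A FORWARD -i "$nic" -j ACCEPT
        emit_rule -t filter -A FORWARD -o "$nic" -j ACCEPT
    done
}

# bridge_nf_call_iptables: report whether bridged IPv4 frames are also passed
# to iptables (the br_netfilter sysctl). "1" means the iptables FORWARD chain
# sees bridged traffic too, i.e. the host is "in the loop" at layer 3 as well.
# Prints "absent" when the sysctl does not exist (module not loaded, or not Linux).
bridge_nf_call_iptables() {
    f=/proc/sys/net/bridge/bridge-nf-call-iptables
    if [ -r "$f" ]; then cat "$f"; else echo absent; fi
}

bridge_l2_policy
echo "bridge-nf-call-iptables: $(bridge_nf_call_iptables)"
```

Run it once without APPLY to read the generated rule set for your interface names, then with APPLY=1 on the bridge host. If the sysctl check prints 1, iptables' own FORWARD chain is also evaluating bridged frames, so an iptables policy of DROP there would block bridged traffic independently of the ebtables rules.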