如何保护桥接 br0 接口?

tag-icon tag-icon iptables kvm-virtualization bridge
如何保护桥接 br0 接口?

我有一台 Ubuntu 服务器,充当 KVM 主机,并且在其下运行一些暴露在网络下的虚拟机。

虚拟机有自己的 iptables 规则,并通过主机上的直接网桥 br0 进行联网。

我的问题是,我应该如何在主机上的 iptables 中处理这个网桥。我是否应该将其视为自己的设备并像保护任何接口一样保护它?如果我在主机上阻止它,我应该知道什么可能会阻止到来宾的流量?或者也许将我的规则写入原始接口 eno1?

我当前的设置如下所示:(virbr0 未被任何虚拟机使用,vmnet0 是正在运行的客户机网络)

br0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet xxx.HOSTIP.xxx  netmask 255.255.255.0  broadcast 62.210.172.255
        inet6 fe80::d6ae:52ff:fece:993a  prefixlen 64  scopeid 0x20<link>
        inet6 xxx:HOSTIPv6::xxx  prefixlen xx  scopeid 0x0<global>
        ether d4:ae:52:ce:99:3a  txqueuelen 1000  (Ethernet)
        RX packets 753413  bytes 59239171 (59.2 MB)
        RX errors 0  dropped 51  overruns 0  frame 0
        TX packets 115967  bytes 17911763 (17.9 MB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

eno1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        ether d4:ae:52:ce:99:3a  txqueuelen 1000  (Ethernet)
        RX packets 993041  bytes 303457181 (303.4 MB)
        RX errors 0  dropped 599  overruns 0  frame 0
        TX packets 151299  bytes 22226710 (22.2 MB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 182799  bytes 19199389 (19.1 MB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 182799  bytes 19199389 (19.1 MB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

virbr0: flags=4099<UP,BROADCAST,MULTICAST>  mtu 1500
        inet 192.168.122.1  netmask 255.255.255.0  broadcast 192.168.122.255
        ether 52:54:00:3c:92:cf  txqueuelen 1000  (Ethernet)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

vnet0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet6 fe80::fc54:ff:fe00:825e  prefixlen 64  scopeid 0x20<link>
        ether fe:54:00:00:82:5e  txqueuelen 1000  (Ethernet)
        RX packets 25390  bytes 2725539 (2.7 MB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 683484  bytes 266619773 (266.6 MB)
        TX errors 0  dropped 16075 overruns 0  carrier 0  collisions 0

答案1

这主要取决于您对客户系统的信任程度。只要您不对 FORWARD 表进行任何路由以外的操作,您都可以在常规接口上进行任何合理的操作。在大多数情况下,通常更好的做法是像锁定其他接口一样锁定接口,然后根据需要添加例外情况(最好记录每个例外情况),但如果您绝对信任您的客户系统,不锁定它并没有什么坏处。

相关内容