Network Isolation For KVM Guests

CentOS-Virt 10 Comments

Hi all,

What options exist on CentOS hosts for working with isolated networks? For example, on BSD systems it is really trivial. In FreeBSD you can use the setfib tool and on OpenBSD it is possible to use the rdomain option. In 30 seconds it is possible to work with isolated networks and assign processes, IP addresses and routes (hidden from the main route table and IP addresses), etc.

But I can’t find a similar solution for CentOS environments. I have found two similar options:

a/ Network namespaces (but they don't provide real network isolation)
b/ VRF (but it is supported only on kernels 4.8 and up)

Any ideas?

Thanks.
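An added example (not part of the original post) of option a/, network namespaces, used for the effect the question asks for: the uplink interface, its address and its routes live in a namespace of their own and no longer appear in the host's main routing table, which is the closest Linux counterpart of setfib/rdomain. The namespace name fw-ns, the interfaces eth1 and tap-fw0, and the addresses (203.0.113.0/24 and 10.90.0.0/30) are assumptions for illustration and do not come from the thread.

```shell
#!/bin/sh
# Added example, not from the original thread: move an uplink NIC, its
# address and its routes into a network namespace so the host's main
# routing table never sees them (the setfib/rdomain effect on Linux).
# Names and addresses are assumptions for illustration: namespace "fw-ns",
# wired uplink "eth1", the firewall guest's tap "tap-fw0", RFC 5737/1918
# addresses. Needs root on a real host; DRY_RUN=1 prints the commands.
# A Wi-Fi adapter cannot be moved with "ip link set ... netns"; its whole
# phy has to be moved with "iw phy <phy> set netns" instead.

NS=${NS:-fw-ns}
UPLINK=${UPLINK:-eth1}
UPLINK_ADDR=${UPLINK_ADDR:-203.0.113.10/24}
UPLINK_GW=${UPLINK_GW:-203.0.113.1}
VM_TAP=${VM_TAP:-tap-fw0}          # tap device behind the guest's NIC
TAP_ADDR=${TAP_ADDR:-10.90.0.1/30}  # namespace side of the /30 to the guest
                                    # (guest configures 10.90.0.2/30 itself)

run() {
    if [ -n "$DRY_RUN" ]; then printf '%s\n' "$*"; else "$@"; fi
}

in_ns() { run ip netns exec "$NS" "$@"; }

# 1. Create the namespace and move the uplink into it. From here on the NIC,
#    its address and the default route exist only inside fw-ns: "ip route"
#    in the main namespace does not list them, and nothing listening on the
#    host can be reached through that NIC.
isolate_uplink() {
    run ip netns add "$NS"
    run ip link set "$UPLINK" netns "$NS"
    in_ns ip link set lo up
    in_ns ip link set "$UPLINK" up
    in_ns ip addr add "$UPLINK_ADDR" dev "$UPLINK"
    in_ns ip route add default via "$UPLINK_GW"
}

# 2. Hand the guest's tap to the same namespace and let the namespace route
#    between the guest and the uplink. Run this after the guest has started:
#    libvirt recreates the tap in the main namespace on every boot.
attach_vm_tap() {
    run ip link set "$VM_TAP" netns "$NS"
    in_ns ip link set "$VM_TAP" up
    in_ns ip addr add "$TAP_ADDR" dev "$VM_TAP"
    in_ns sysctl -w net.ipv4.ip_forward=1          # forwarding is per-namespace
    # Only needed when the upstream router has no route back to the /30.
    in_ns iptables -t nat -A POSTROUTING -o "$UPLINK" -j MASQUERADE
}

# 3. Compare the two views: the uplink is absent from the first listing.
show_tables() {
    run ip route show
    in_ns ip route show
}

case "${1:-}" in
    isolate) isolate_uplink ;;
    attach)  attach_vm_tap ;;
    show)    show_tables ;;
esac
```

Usage on a host: `sh netns-uplink.sh isolate`, start the guest, then `sh netns-uplink.sh attach`; processes that should use the isolated uplink are started with `ip netns exec fw-ns <command>`, and the guest sets 10.90.0.2/30 with a default route via 10.90.0.1.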

10 thoughts on - Network Isolation For KVM Guests

  • For KVM guests I use VLANs.

    Best regards, Kristián Feldsam

  • Thanks Nux and Kristian, but I don't see whether these solutions will be really effective in my environment. Let me explain. In this host I have three physical interfaces: eth0, eth1 and wlan0.

    eth0 is connected to my internal network. eth1 is connected to a public router and wlan0 is connected to another public router. wlan0 and eth1 are bonded to provide failover Internet connections. The CPU doesn't support PCI passthrough (PCI passthrough would solve my problems).

    I need to deploy a firewall VM to control traffic between internal and external interfaces. In BSD systems you can segregate all IP addresses and route tables from the principal routing table. It is the same effect that I would like to implement on this host.

    And I don't see how to implement this using CentOS (or another Linux distro).

  • Hi,

    I don’t see why this should not work with the given solutions. But I’m relatively new to KVM / libvirt. Alternative:

    Personally I use Shorewall (Shoreline FW) and bridge setups (also works with a bonding interface). This way you can create zones, interfaces, addresses, forwarding rules etc. and give per-VM permission to, let's say, only use a certain IP, only access certain parts of the network, talk to a certain limited list of IPs etc. I cannot imagine you can't create what you want with Shorewall. It looks complicated, but actually is very intuitive if you give it some time and effort.

    Please feel free to provide a better description of what you want to accomplish. Maybe I misunderstand what you want to achieve.

  • If assigning a NIC directly to a VM would solve the problem, you could try using macvtap instead of PCI passthrough

  • Oops .. bad luck (according to https://access.redhat.com/solutions/1978833):

    Does bridge/macvtap interfaces work on wireless interfaces in RHEL?
    SOLUTION VERIFIED – Updated October 2 2015 at 6:23 PM – English

    Environment: Red Hat Enterprise Linux 5, 6 and 7

    Issue: If a bridge/macvtap interface is created using a wireless adapter, it fails to communicate. However, the wired physical ethernet card works without an issue.

    Resolution: Communication over an interface that's bridged with a wireless interface (Wi-Fi) won't work because most Access Points (APs) won't accept frames that have a source address that is not authenticated with the AP. The same holds true with APs that allow open authentication (without password). Bridging can be done only with physical ethernet controllers.

  • Thanks Richard. But the problem is not Shorewall. I can use any Unix/Linux/BSD based distro to set up a firewall as a VM. The problem here is with the KVM host. I need to attach two physical interfaces to a guest; these physical interfaces have IPs and routes assigned and I need to get them off the main routing table. And why? Because one of these interfaces is a wireless adapter and the host's CPU doesn't support PCI passthrough.

  • I do not understand this.

    You can attach a physical (or virtual, doesn't matter) interface to any given VM without assigning routes or IPs to these interfaces directly.

    Just do the network configuration inside the VM, and the routing, well, on your router? You will just need the route for the VM networks on your host, but what is your attack scenario to keep this separated from other routes on this host? You need at least CAP_NET_ADMIN to fiddle with those.

  • No, I can't, because this host doesn't support PCI passthrough. One of these interfaces is a wireless NIC.

    How? If the same host routes Internet traffic in the main routing table, I expose the host's services to the Internet.


    Greetings, C. L. Martinez

  • Just create a bridge, hook the host physical interface that you want into it, hook the VM's interface into it, done. No need for passthrough.

    This can be done via libvirt/virsh or, if a UI is wanted, then virt-manager makes this really easy.

    Now assign an IP in the VM and it should work. You don't need to assign any IP on the host interface itself. Rinse and repeat for the rest of the interfaces.


    Sent from the Delta quadrant using Borg technology!

    Nux!
    http://www.nux.ro
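The bridge setup described in this reply, as an added example that is not part of the original post: the host bridges a wired NIC with no address of its own on either the NIC or the bridge, and the guest gets a libvirt interface of type bridge. The bridge name br-ext, the NIC eth1 and the guest name fw are assumptions for illustration. Only a wired NIC is bridged here, in line with the Red Hat note quoted earlier in the thread that bridging a Wi-Fi adapter does not work.

```shell
#!/bin/sh
# Added example, not from the original thread: bridge a wired host NIC and
# hand the bridge to a KVM guest via libvirt, keeping the host itself off
# the wire (no IP on the NIC or the bridge). Names are assumptions for
# illustration: bridge "br-ext", NIC "eth1", guest "fw".
# Needs root on a real host; DRY_RUN=1 prints the commands instead.

BR=${BR:-br-ext}
NIC=${NIC:-eth1}
DOMAIN=${DOMAIN:-fw}

run() {
    if [ -n "$DRY_RUN" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Runtime bridge. Flushing the NIC first removes any address the host had on
# it, so no host service answers on this segment; the bridge gets no address
# either, exactly as the reply above describes.
make_bridge() {
    run ip link add name "$BR" type bridge
    run ip addr flush dev "$NIC"
    run ip link set "$NIC" master "$BR"
    run ip link set "$NIC" up
    run ip link set "$BR" up
}

# Persistent CentOS 7 network-scripts equivalent, printed for review.
# Writes nothing; redirect the two documents into
# /etc/sysconfig/network-scripts/ifcfg-$BR and ifcfg-$NIC yourself.
ifcfg_files() {
    cat <<EOF
# ifcfg-$BR
DEVICE=$BR
TYPE=Bridge
ONBOOT=yes
BOOTPROTO=none

# ifcfg-$NIC
DEVICE=$NIC
TYPE=Ethernet
ONBOOT=yes
BOOTPROTO=none
BRIDGE=$BR
EOF
}

# The interface element the guest needs (paste into "virsh edit fw").
interface_xml() {
    cat <<EOF
<interface type='bridge'>
  <source bridge='$BR'/>
  <model type='virtio'/>
</interface>
EOF
}

# The same attachment through virsh; --config stores it in the persistent
# domain definition so it survives a guest restart.
attach_to_guest() {
    run virsh attach-interface --domain "$DOMAIN" --type bridge \
        --source "$BR" --model virtio --config
}

case "${1:-}" in
    bridge) make_bridge ;;
    ifcfg)  ifcfg_files ;;
    xml)    interface_xml ;;
    attach) attach_to_guest ;;
esac
```

After `sh kvm-bridge.sh bridge` and `sh kvm-bridge.sh attach`, the guest configures its own address on the new virtio NIC; the host never holds an address on eth1 or br-ext, which is what keeps the host's services unreachable from that side. Repeat with another bridge name for each further wired NIC.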
