DHCP only for KVM host
Posted 08-01-2013 at 05:11 AM by zhjim
As I wanted to play with etherboot, PXE boot and the like, I needed a DHCP server that I could control and take online and offline as I saw fit. That ruled out the normal DHCP server we have on our network. What to do? Create one inside a KVM guest and block all network traffic from and to it from outside.
Little description of the network setup:
eth0 is the interface to the wide world, aka the local network.
Each VM has a tap device named like tap-$name_of_vm0.
They are all joined in the bridge br0.
So next would be to fiddle with the FORWARD chain of iptables. Maybe PREROUTING or some other chain might also work. Dunno, seems bridging is still a bit too complex to grasp it in one go.
Now for the iptables rules, using the physdev module for bridging stuff:
Code:
-A FORWARD -d 255.255.255.255/32 -m physdev --physdev-out eth0 -j LOG --log-prefix "DHCP on br0-out: " --log-tcp-options --log-ip-options
-A FORWARD -d 255.255.255.255/32 -m physdev --physdev-out eth0 -j DROP
-A FORWARD -d 255.255.255.255/32 -m physdev --physdev-in eth0 -j LOG --log-prefix "DHCP on br0-in: " --log-tcp-options --log-ip-options
-A FORWARD -d 255.255.255.255/32 -m physdev --physdev-in eth0 -j DROP
VMs inside get a DHCP-assigned address while hosts outside don't, as one can see when tailing the DHCP logs.
And just in case I'd like to activate the internal DHCP for the outside world, I'd use sysctl and make the bridge not pass its traffic through iptables at all.
Code:
net.bridge.bridge-nf-call-iptables = 0
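Added example, not from the original post: a small Python parser for the kernel log lines those two LOG rules produce (the PHYSIN/PHYSOUT fields come from the physdev match), grouping drops by direction, DHCP role and sending MAC. The sample log lines are constructed, and the tap names tap-dhcp0 and tap-test0 are assumed.

```python
import re
from collections import Counter

# Constructed sample lines in the format the iptables LOG target writes to the
# kernel log for the two rules above; tap-dhcp0 / tap-test0 are assumed names.
SAMPLE_LOG = """\
Aug  1 05:10:01 kvmhost kernel: DHCP on br0-out: IN=br0 OUT=br0 PHYSIN=tap-dhcp0 PHYSOUT=eth0 MAC=ff:ff:ff:ff:ff:ff:52:54:00:aa:bb:01:08:00 SRC=192.168.99.1 DST=255.255.255.255 LEN=328 TOS=0x00 PREC=0x00 TTL=64 ID=0 PROTO=UDP SPT=67 DPT=68 LEN=308
Aug  1 05:10:02 kvmhost kernel: DHCP on br0-in: IN=br0 OUT=br0 PHYSIN=eth0 PHYSOUT=tap-test0 MAC=ff:ff:ff:ff:ff:ff:00:11:22:33:44:55:08:00 SRC=0.0.0.0 DST=255.255.255.255 LEN=328 TOS=0x00 PREC=0x00 TTL=64 ID=0 PROTO=UDP SPT=68 DPT=67 LEN=308
Aug  1 05:10:03 kvmhost kernel: DHCP on br0-in: IN=br0 OUT=br0 PHYSIN=eth0 PHYSOUT=tap-test0 MAC=ff:ff:ff:ff:ff:ff:00:11:22:33:44:55:08:00 SRC=0.0.0.0 DST=255.255.255.255 LEN=328 TOS=0x00 PREC=0x00 TTL=64 ID=0 PROTO=UDP SPT=68 DPT=67 LEN=308
Aug  1 05:10:04 kvmhost kernel: DHCP on br0-out: IN=br0 OUT=br0 PHYSIN=tap-dhcp0 PHYSOUT=eth0 MAC=ff:ff:ff:ff:ff:ff:52:54:00:aa:bb:01:08:00 SRC=192.168.99.1 DST=255.255.255.255 LEN=300 TOS=0x00 PREC=0x00 TTL=64 ID=0 PROTO=UDP SPT=67 DPT=68 LEN=280
Aug  1 05:10:05 kvmhost kernel: DHCP on br0-in: IN=br0 OUT=br0 PHYSIN=eth0 PHYSOUT=tap-test0 MAC=ff:ff:ff:ff:ff:ff:00:11:22:33:44:55:08:00 SRC=192.168.1.20 DST=255.255.255.255 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=0 PROTO=UDP SPT=5000 DPT=5000 LEN=40
"""

# The --log-prefix of each rule tells us which physdev direction matched.
LINE_RE = re.compile(r"kernel: DHCP on br0-(?P<dir>in|out): (?P<fields>.*)$")
FIELD_RE = re.compile(r"(\w+)=(\S*)")


def parse_log_line(line):
    """Parse one LOG line from the physdev rules; return None for other lines."""
    m = LINE_RE.search(line)
    if not m:
        return None
    f = dict(FIELD_RE.findall(m.group("fields")))
    # MAC= is dst(6) + src(6) + ethertype(2); the source MAC identifies the sender.
    octets = f.get("MAC", "").split(":")
    src_mac = ":".join(octets[6:12]) if len(octets) >= 14 else None
    ports = (f.get("SPT"), f.get("DPT"))
    if f.get("PROTO") == "UDP" and ports == ("67", "68"):
        role = "server->client"   # offer/ack broadcast by a DHCP server
    elif f.get("PROTO") == "UDP" and ports == ("68", "67"):
        role = "client->server"   # discover/request from a client
    else:
        role = "not-dhcp"         # rule keys on DST only, so any limited broadcast hits it
    return {"direction": m.group("dir"), "physin": f.get("PHYSIN"), "physout": f.get("PHYSOUT"),
            "src_mac": src_mac, "src": f.get("SRC"), "dst": f.get("DST"), "role": role}


def summarize(log_text):
    """Count dropped packets per (direction, role) and per sending MAC."""
    by_kind, by_mac = Counter(), Counter()
    for line in log_text.splitlines():
        rec = parse_log_line(line)
        if rec is not None:
            by_kind[(rec["direction"], rec["role"])] += 1
            by_mac[rec["src_mac"]] += 1
    return by_kind, by_mac
```

Hits with role not-dhcp show that the rules match on the limited-broadcast address alone; adding -p udp --dport 67:68 to them would restrict the drop to DHCP proper.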
Comments
A bridge device shouldn't be too hard; you'll put something like this in /etc/sysconfig/network-scripts/ifcfg-br0
Code:
DEVICE=br0
TYPE=Bridge
ONBOOT=yes
NM_CONTROLLED=no
BOOTPROTO=static
IPADDR=192.168.99.1
NETMASK=255.255.255.0
Code:
# ifcfg file of the physical NIC enslaved to the bridge (eth0 in the post above)
BOOTPROTO=none
ONBOOT=yes
# keep NetworkManager off this interface
NM_CONTROLLED=no
BRIDGE=br0
Posted 08-01-2013 at 08:02 AM by roger_heslop
Updated 08-01-2013 at 08:03 AM by roger_heslop (signature did not show up)
Thanks for the input. Also, I only skimmed your documentation, but it seems to follow the same goal I have in mind. Also we have FAI under Debian; I like the idea to just kick up some ramdisk-only systems for quick testing and especially network tests. And also being able to hide the laboratory from the eyes of the common people.
What bothers me about bridges is the best entry point in iptables to control it well enough. But that's low on the list as it's working right now.
Posted 08-23-2013 at 09:55 AM by zhjim