DHCP only for KVM host

Posted 08-01-2013 at 05:11 AM by zhjim

As I wanted to play with etherboot, PXE boot and the like, I needed a DHCP server that I could control and take on- and offline as I saw fit. That ruled out the normal DHCP server we have on our network. What to do? Create one inside a KVM guest and block all network traffic between it and the outside world.

A short description of the network setup:
eth0 is the interface to the wide world, aka the local network.
Each VM has a tap device named like tap-$name_of_vm0.
They are all joined in the bridge br0.

So the next step is to fiddle with the FORWARD chain of iptables. Maybe PREROUTING or some other chain might also work; bridging is still a bit too complex to grasp in one go.
Now for the iptables rules, using the physdev match module for the bridge ports:

-A FORWARD -d -m physdev --physdev-out eth0 -j LOG --log-prefix "DHCP on br0-out: " --log-tcp-options --log-ip-options
-A FORWARD -d -m physdev --physdev-out eth0 -j DROP
-A FORWARD -d -m physdev --physdev-in eth0 -j LOG --log-prefix "DHCP on br0-in: " --log-tcp-options --log-ip-options
-A FORWARD -d -m physdev --physdev-in eth0 -j DROP
VMs inside the bridge get a DHCP-assigned address while hosts outside don't, as one can see when tailing the DHCP logs.

And just in case I want to open the internal DHCP server to the outside world, I'd use sysctl to make the bridge stop passing its traffic through iptables:
net.bridge.bridge-nf-call-iptables = 0
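Below is an added example, not the rules from the post above: a small POSIX shell script that generates (and, on request, applies) the same kind of physdev rules for the FORWARD chain, checks the bridge-nf sysctl the post mentions, and summarises the kernel LOG lines the rules produce so you can see which bridge ports DHCP tried to cross. The bridge name br0 and uplink eth0 match the post; matching DHCP by UDP ports 67/68 with multiport, the --physdev-is-bridged flag, the DRY_RUN knob, the function names and the sample log lines are my own assumptions and constructed data, since the destination address used in the original rules is not visible on the page.

```shell
#!/bin/sh
# Added example (not the blog author's rules). Keeps a DHCP server that lives
# on a KVM bridge from exchanging DHCP with the uplink port, then summarises
# the LOG lines produced by those rules.
# Assumptions: bridge br0, uplink eth0, DHCP identified by UDP ports 67/68.

BRIDGE="${BRIDGE:-br0}"
UPLINK="${UPLINK:-eth0}"

# Print the iptables commands. For each direction through the uplink port
# (out = server replies leaving, in = requests arriving) DHCP is first logged
# with the same prefixes as in the post, then dropped. Other bridge ports,
# i.e. the VM tap devices, are not touched.
dhcp_isolation_rules() {
    bridge="$1"; uplink="$2"
    for dir in out in; do
        echo "iptables -A FORWARD -p udp -m multiport --ports 67,68" \
             "-m physdev --physdev-is-bridged --physdev-$dir $uplink" \
             "-j LOG --log-prefix \"DHCP on $bridge-$dir: \""
        echo "iptables -A FORWARD -p udp -m multiport --ports 67,68" \
             "-m physdev --physdev-is-bridged --physdev-$dir $uplink" \
             "-j DROP"
    done
}

# FORWARD only sees bridged frames while this sysctl is 1; setting it to 0,
# as the post does to open the server up, makes the bridge bypass iptables.
bridge_nf_enabled() {
    f=/proc/sys/net/bridge/bridge-nf-call-iptables
    [ -r "$f" ] && [ "$(cat "$f")" = "1" ]
}

# DRY_RUN=1 (the default) only prints the commands; DRY_RUN=0 runs them.
apply_rules() {
    if [ "${DRY_RUN:-1}" = "1" ]; then
        dhcp_isolation_rules "$BRIDGE" "$UPLINK"
    else
        dhcp_isolation_rules "$BRIDGE" "$UPLINK" | sh -e
    fi
}

# Constructed kernel LOG lines of the shape the rules above would emit
# (192.0.2.0/24 is the documentation range; not real traffic).
SAMPLE_LOG='Aug  1 05:11:02 kvmhost kernel: DHCP on br0-out: IN=br0 OUT=br0 PHYSIN=tap-dhcp0 PHYSOUT=eth0 SRC=192.0.2.1 DST=255.255.255.255 PROTO=UDP SPT=67 DPT=68
Aug  1 05:11:02 kvmhost kernel: DHCP on br0-in: IN=br0 OUT=br0 PHYSIN=eth0 PHYSOUT=tap-dhcp0 SRC=0.0.0.0 DST=255.255.255.255 PROTO=UDP SPT=68 DPT=67
Aug  1 05:11:05 kvmhost kernel: DHCP on br0-out: IN=br0 OUT=br0 PHYSIN=tap-dhcp0 PHYSOUT=eth0 SRC=192.0.2.1 DST=192.0.2.50 PROTO=UDP SPT=67 DPT=68'

# Read LOG lines on stdin and count them per "PHYSIN->PHYSOUT" bridge-port
# pair, so a leak attempt across the uplink stands out at a glance.
count_dhcp_leaks() {
    grep 'DHCP on ' | awk '{
        pin = ""; pout = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^PHYSIN=/)  pin  = substr($i, 8)
            if ($i ~ /^PHYSOUT=/) pout = substr($i, 9)
        }
        n[pin "->" pout]++
    } END { for (k in n) print k, n[k] }' | sort
}

# Stand-alone run: show the rules (dry run) and the summary of the sample log.
apply_rules
printf '%s\n' "$SAMPLE_LOG" | count_dhcp_leaks
```

Run it as-is to see the four commands and a two-line summary (eth0->tap-dhcp0 1, tap-dhcp0->eth0 2); set DRY_RUN=0 as root to actually load the rules. Note that the physdev match only does anything while bridge-nf-call-iptables is 1, which is exactly the knob the post flips to 0 to open the server up again.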
  1.
    A bridge device shouldn't be too hard; you'll put something like this in /etc/sysconfig/network-scripts/ifcfg-br0

    The IP address of course will vary. Whatever you're bridging to might look something like this:

    Surprisingly enough, I have a setup a lot like the one you're describing: a PXE install server as a VM on an offline network, with routing set up in iptables and everything. I took the time to document it all; take a look at my website and click on the 'Building a home lab' link.
    Posted 08-01-2013 at 08:02 AM by roger_heslop
  2.
    Thanks for the input. Although I only skimmed your documentation, it seems to follow the same goal I have in mind. Also, we have FAI under Debian; I like the idea of just kicking up some ramdisk-only systems for quick testing and especially network tests. And also being able to hide the laboratory from the eyes of the common people.

    What bothers me about bridges is the best entry point in iptables to control it well enough. But that's low on the list as it's working right now.
    Posted 08-23-2013 at 09:55 AM by zhjim