I have a server running debian connected to LAN using eth0 port. On the same system I also have two virtual machines running on KVM. These two virtual machines use bridge networking with eth0. Now if under debian I filter out/drop certain packets via iptables those packets will be dropped for debian only, or debian and both kvm's?

Question is, because I have ssh on debian, and www + mail on KVM, and would like to block certain IPs. I am wondering if it's enough to use iptables, or I have to use different "ban" facilities on different OSes in order to "ban" somebody from all services.

Thanks

iptables on the host will is *able* to affect all traffic going through that box, including all the VM's. If you just make your rules more specific, e.g. include the destination IP / interface of the SSH requests, rather than just port 22, then it's fairly trivial to block traffic to certain machines, including the underlying kvm host itself.

1 members found this post helpful.

Thank you very much! So assuming that on host I have opened port 22 (SSH), and on guest 80 (WWW), if I issue something like this (where x.x.x.x is "bad" pedrson's IP):

then machine/net from IP x.x.x.x will not be able to use BOTH, SSH and WWW. Is that correct?

how iptables is configured affects a lot about how this hangs together. With a bridge interface, you'd be using the FORWARD chain to filter traffic to the guests, and INPUT / OUTPUT for the host. But RHEL and similar systems tend to redirect them all to a dedicated chain, so it depends oh the layout methodology really.