I am (very carefully) thinking of opening one of my VMs (all on KVM) to outside access. Currently only via a cloudflared tunnel, but that could change. For that, I need a way to definitely and securely block access from that specific VM to any and all hosts on the private network, just in case someone breaks in and gets root. That specific VM (let's call it VM10) should only have access to the gateway, and from there to the Internet. At the same time, I want to be able to access that specific VM from an IP on the private network(s) for maintenance, backup, and further development. I am using bridges.
VM10 is connected via br1 and br2.
br1 connects to the Internet; br2 is a high-speed private network.
On VM10, eth0 connects to br1 with IP 192.168.1.10; eth2 connects to br2 with IP 192.168.222.10.
Anyone logged into VM10, even with root access, should only be able to reach 192.168.1.1, and the Internet beyond. Anyone logged into VM10, even with root access, should not be able to reach anything at all via eth2. Preferably, eth2 should not even show up when one is logged into VM10.
I do not want to do that with a firewall rule on VM10, because if someone gets root on VM10, the firewall will be down in seconds.
I do not want to do it with firewall rules in boxes on the private networks, because it is a hassle, and easily overlooked. I want to stick something into the XML of VM10, and be done with it.
For VM10:
- Allow ingress and egress to/from 192.168.1.1 and the Internet.
- Disallow egress to any other IPs on br1. Allow ingress.
- Disallow egress to all IPs on br2. Allow ingress.
- Do this in a way so that it cannot be changed by a root user logged into VM10
I think libvirt's network filters can do that, but I am afraid their documentation is too dense a subject for my old head.
Could a kind soul help out? Possibly, with a complete rule?
Thank you.
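An added example of what such a setup could look like with libvirt's nwfilter, written for this thread and not taken from the post above or from libvirt's own documentation. It assumes the filter names vm10-eth0 and vm10-eth2, and that the subnets behind br1 and br2 are 192.168.1.0/24 and 192.168.222.0/24 as the addresses above suggest; adjust both if your masks differ. The filters are enforced by the host on the tap devices (ebtables/iptables), so nothing inside VM10 can see or change them.

```xml
<!-- File 1: vm10-eth0.xml (assumed name), for eth0 on br1.
     Load with: virsh nwfilter-define vm10-eth0.xml -->
<filter name='vm10-eth0'>
  <!-- libvirt's built-in filter: drops MAC, IP and ARP spoofing, so root in
       the VM cannot evade the address-based rules below by changing eth0's
       address. It reads the IP from the parameter given in the domain XML. -->
  <filterref filter='clean-traffic'/>

  <!-- Rules are evaluated in ascending priority order (default 500);
       the first match wins. 'out' is VM to network, 'in' is network to VM. -->

  <!-- The gateway is the only host on br1 the VM may talk to. -->
  <rule action='accept' direction='out' priority='100'>
    <all dstipaddr='192.168.1.1'/>
  </rule>

  <!-- No egress to anything else on br1's subnet. libvirt builds these as
       connection-tracked rules, so this does not stop VM10 answering a
       connection that a br1 host opened towards it. -->
  <rule action='drop' direction='out' priority='200'>
    <all dstipaddr='192.168.1.0' dstipmask='24'/>
  </rule>

  <!-- Also refuse br2's subnet via eth0, in case the gateway routes between
       the two networks; otherwise eth2's block could be bypassed this way. -->
  <rule action='drop' direction='out' priority='210'>
    <all dstipaddr='192.168.222.0' dstipmask='24'/>
  </rule>

  <!-- Everything else: Internet egress through the gateway, and ingress to
       the VM from anywhere on br1 (stated explicitly rather than relying on
       whatever the host's FORWARD chain does with unmatched traffic). -->
  <rule action='accept' direction='inout' priority='900'>
    <all/>
  </rule>
</filter>

<!-- File 2: vm10-eth2.xml (assumed name), for eth2 on br2.
     Load with: virsh nwfilter-define vm10-eth2.xml -->
<filter name='vm10-eth2'>
  <filterref filter='clean-traffic'/>

  <!-- Connections opened from the private network towards VM10 are accepted;
       because the rule is connection-tracked, the VM's replies on those
       connections are let back out. Narrow srcipaddr to the single
       maintenance host if that is all you need. -->
  <rule action='accept' direction='in' priority='100'>
    <all srcipaddr='192.168.222.0' srcipmask='24'/>
  </rule>

  <!-- Anything VM10 itself initiates on br2 is dropped. -->
  <rule action='drop' direction='out' priority='500'>
    <all/>
  </rule>
</filter>

<!-- File 3: the two interfaces in VM10's domain XML (virsh edit VM10).
     Passing IP pins the address clean-traffic enforces instead of letting
     libvirt learn it from the VM's traffic. -->
<interface type='bridge'>
  <source bridge='br1'/>
  <model type='virtio'/>
  <filterref filter='vm10-eth0'>
    <parameter name='IP' value='192.168.1.10'/>
  </filterref>
</interface>
<interface type='bridge'>
  <source bridge='br2'/>
  <model type='virtio'/>
  <filterref filter='vm10-eth2'>
    <parameter name='IP' value='192.168.222.10'/>
  </filterref>
</interface>
```

After `virsh nwfilter-define` for both files and a restart of VM10, `virsh nwfilter-list` shows the filters and `iptables-save` on the host shows per-tap chains named after the vnet device; if those chains exist but nothing is ever matched, check that br_netfilter is loaded and `sysctl net.bridge.bridge-nf-call-iptables` is 1, since IP-level rules only see bridged frames through it. Test it from both sides before trusting it: ssh from a br1 host into 192.168.1.10 should work, while pinging that same host from inside VM10 should fail, and from VM10 nothing on 192.168.222.0/24 should answer. Three caveats: an accepted maintenance session is bidirectional, so a root attacker on VM10 can still push data back over it while it is open; these rules are IP-level, so VM10 can still send ARP on both segments and enumerate hosts that way; and nwfilter cannot hide eth2 from the guest. If eth2 really should disappear outside maintenance windows, `virsh detach-interface` / `virsh attach-interface` on the host does that, with the filter above as the safety net for the times it is attached.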