
KVM Problem - Professionals needed please!

by anton-venko, from LinuxQuestions.org (#5RF81)
OS: Debian Bullseye

VPN: OpenVPN 2.5 - (redirect-gateway def1)

Virtualization: KVM - qemu/libvirt latest version

Using Whonix for KVM

Issue:

When starting qemu's default network, it automatically adds iptables rules allowing all libvirt traffic on the OUTPUT, FORWARD and INPUT chains anywhere on eno1 and forwarding for 192.168.122.0/24:

Code:
-A LIBVIRT_FWI -d 192.168.122.0/24 -o virbr0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A LIBVIRT_FWI -o virbr0 -j REJECT --reject-with icmp-port-unreachable
-A LIBVIRT_FWO -s 192.168.122.0/24 -i virbr0 -j ACCEPT
-A LIBVIRT_FWO -i virbr0 -j REJECT --reject-with icmp-port-unreachable

OUTPUT Chain
LIBVIRT_OUT all -- anywhere anywhere

FORWARD Chain
LIBVIRT_FWX all -- anywhere anywhere
LIBVIRT_FWI all -- anywhere anywhere
LIBVIRT_FWO all -- anywhere anywhere

INPUT Chain
LIBVIRT_INP all -- anywhere anywhere

This means that in case the VPN disconnects, Whonix traffic would continue over eno1.

It forces me to use VPN-Firewall or similar solutions, to achieve Fail-Closed.

Desired Behavior:

I would like the Gateway to specifically NAT through tun0 instead of eno1, so that a simple ufw rule only allowing out on tun0 would be enough to cut off all traffic in case the VPN drops.

This works *out of the box* with Virtualbox, but I really want to use KVM, if it can be done somehow.

My failed attempts:

1. Including the following in the external network XML:
Code:
<interface dev='tun0'/>
<forward dev='tun0'/>

2. Changing iptables rules to drop all packets between eno1/virbrX in the FORWARD chain and only allowing tun0.
This simply breaks the entire network, without the ability to ping from either the Gateway or the Workstation.

Any ideas?
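One way to verify the fail-closed property the post is after (an added example, not code from the post or from libvirt): parse an iptables-save dump and flag any forward ACCEPT entering from the VM bridge, or MASQUERADE of the VM subnet, that is not pinned to the tunnel with -o tun0. Both rule sets below are constructed; the pinned variant is the shape of rule set that restricts virbr0 to tun0, which is what the documented dev attribute on a libvirt network's forward element is meant to produce.

```python
# Added check (not from the post): scan an iptables-save dump for VM traffic
# that can still leave through the physical NIC instead of the VPN tunnel.
import shlex

# Constructed sample: libvirt's default NAT rules for virbr0, as in the post.
DEFAULT_RULES = """\
*filter
-A FORWARD -j LIBVIRT_FWO
-A LIBVIRT_FWO -s 192.168.122.0/24 -i virbr0 -j ACCEPT
-A LIBVIRT_FWO -i virbr0 -j REJECT --reject-with icmp-port-unreachable
*nat
-A POSTROUTING -j LIBVIRT_PRT
-A LIBVIRT_PRT -s 192.168.122.0/24 ! -d 192.168.122.0/24 -j MASQUERADE
"""
# Constructed sample: the same rules with forwarding and NAT pinned to tun0.
PINNED_RULES = (DEFAULT_RULES
                .replace("-i virbr0 -j ACCEPT", "-i virbr0 -o tun0 -j ACCEPT")
                .replace("-j MASQUERADE", "-o tun0 -j MASQUERADE"))


def parse_rule(rule):
    """Map '-A CHAIN -s X ! -d Y -j T' to {'-s': X, '!-d': Y, '-j': T, ...}."""
    toks, opts, negate, i = shlex.split(rule), {}, False, 0
    while i < len(toks):
        if toks[i] == "!":
            negate = True
        elif toks[i].startswith("-"):
            key, val = toks[i], True
            if i + 1 < len(toks) and toks[i + 1] != "!" and not toks[i + 1].startswith("-"):
                i += 1
                val = toks[i]
            opts[("!" if negate else "") + key] = val
            negate = False
        i += 1
    return opts


def leaky_rules(dump, bridge="virbr0", vm_subnet="192.168.122.0/24", vpn_dev="tun0"):
    """Rules that let VM traffic out via anything but vpn_dev: a forward ACCEPT
    entering from the bridge, or a MASQUERADE of the VM subnet, with no '-o vpn_dev'."""
    leaks = []
    for line in (l for l in dump.splitlines() if l.startswith("-A")):
        opts = parse_rule(line)
        target = opts.get("-j")
        vm_forward = target == "ACCEPT" and opts.get("-i") == bridge
        vm_nat = target == "MASQUERADE" and opts.get("-s") == vm_subnet
        if (vm_forward or vm_nat) and opts.get("-o") != vpn_dev:
            leaks.append(line)
    return leaks  # empty list means the bridge is fail-closed on vpn_dev
```

Run it against the output of `iptables-save` on the host after the VPN is up; any line it returns is a path by which Gateway traffic can still reach eno1 when tun0 goes away.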