[Firewall] System Virtualization: Help forwarding a physical device to a bridge securely

James Applebaum james at electricbluefish.com
Tue Jan 13 01:59:57 CET 2009


Long-time user of this script... need some advice securing the host of  
a virtualized system.

**************
The Setup
**************
I have set up a new server (aka: host) on which I am running multiple  
virtualized systems (aka: guests).
I have two physical NIC devices in the host:
eth0 (wan) & eth1 (lan)

I have created a bridge for each device labeled:
external (bridges to eth0) and internal (bridges to eth1)

The host system connects to both bridges, and they both need to be up  
to work for the guests.
The host only needs to be accessible via the internal bridge.

The guest systems, for the most part, are easy to deal with, as they are  
file servers and will only have physical access to the internal bridge.
Additionally, all guests are running firewalls and the Arno script.

One of the guests is set up to be a router & proxy etc. for the domain.
AKA: both the internal and external bridges are used (obviously) and  
it will be the NAT for the LAN traffic.... again, trivial to set up with  
the script.

**********************
My Problem/ Issue is:
**********************
If I firewall the host system, AKA: EXT_IF="external eth0" ... then the  
guest cannot access the external bridge and never resolves the device.  
I spent many hours trying to figure out why I could not connect to the  
device or, in fact, even see it before I realized that the firewall  
was preventing the connection (thought it was SELinux or hardware  
failure, or a KVM configuration thing that I did not understand).
I am assuming the firewall is working as designed; I just did not  
understand/anticipate the effect it would have on a bridged device.

How can I address this in the script, or do I need to add a custom  
rule like:

iptables -I FORWARD -m physdev --physdev-is-bridged -j ACCEPT
And if so will the host system be secure?

Comments and help will be most appreciated.
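The effect described above comes from the host's iptables seeing frames that are merely switched through the bridge (guest tap port <-> eth0) whenever net.bridge.bridge-nf-call-iptables is 1, so a default-DROP FORWARD chain silently eats the guest's traffic. The script below is an added example, not part of this thread or of Arno's firewall script; it assumes the bridge names "external" and "internal" from the post, reports that sysctl, and prints (rather than applies) physdev rules that accept only bridged frames while host INPUT on the external bridge stays closed.

```shell
#!/bin/sh
# Added example (constructed; not Arno's script). Bridge names "external"
# and "internal" are taken from the post; everything else is assumed.

# Return 0 when the sysctl file at $1 reports that bridged frames traverse
# iptables (value 1). Non-zero means they bypass it (or the file is absent,
# e.g. the bridge module is not loaded), in which case FORWARD is not involved.
bridge_nf_enabled() {
    [ -r "$1" ] || return 2
    [ "$(cat "$1")" = "1" ]
}

# Print the FORWARD rule for one bridge ($1). --physdev-is-bridged matches
# only frames switched between two ports of that same bridge, so routed
# traffic (the guest router's NAT, host-originated packets) still has to
# pass the normal firewall rules.
bridged_forward_rules() {
    br="$1"
    printf 'iptables -I FORWARD -m physdev --physdev-is-bridged -i %s -o %s -j ACCEPT\n' "$br" "$br"
}

# Host reachability: only the internal bridge ($2) may reach the host's own
# services; the external bridge ($1) gets replies to host-initiated
# connections and nothing else.
host_input_rules() {
    ext="$1"; int="$2"
    printf 'iptables -A INPUT -i %s -m state --state ESTABLISHED,RELATED -j ACCEPT\n' "$ext"
    printf 'iptables -A INPUT -i %s -j DROP\n' "$ext"
    printf 'iptables -A INPUT -i %s -j ACCEPT\n' "$int"
}

main() {
    sysctl_file=/proc/sys/net/bridge/bridge-nf-call-iptables
    if bridge_nf_enabled "$sysctl_file"; then
        echo "# bridge-nf-call-iptables=1: bridged frames hit FORWARD, rules below needed"
        bridged_forward_rules external
        bridged_forward_rules internal
    else
        echo "# bridged frames bypass iptables here; no FORWARD rule required"
    fi
    host_input_rules external internal
}

main
```

Setting net.bridge.bridge-nf-call-iptables to 0 is the alternative: bridged frames then skip iptables entirely and are governed by ebtables only, which is simpler but removes the option of filtering guest traffic on the host.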
