IP restriction

Submitted by nibb on Tue, 05/13/2014 - 20:26

I know this is probably something that Cloudmin can´t do but I may ask anyway. Cloudmin asks you to configure a set of IPs which are used for VM provisioning but how would this work with a real production environment and cloudmin?

I mean, I don´t think Cloudmin can restrict or avoid using IPs which don´t belong to a specific VM, if it could it would have a virtual router like other products have and this is not the case. As far as I know the only secure way to do this is on the hardware switch via VLAN or the cheap way (hetzner) which restricts IPs per MAC address and so avoids using vlans and wasting extra IPs. Since IPs are almost none left, this is actually not a bad idea.

Now, I understand Cloudmin just uses the IP blocks for server configuration and deployment but it seems this is actually risky, since it means one customer could just assign to his VM the IP of another client creating a network conflict and possible outage. So it would be interesting to know how this would actually in a VLAN environment, since then Cloudmin would need to configure different gateway and settings per each deployment.

My point is that it seems Cloudmin lets you specify the IP blocks without even assuming that in a multi tenant setups this is a very possible scenario, customers stealing others IPs and so far I don´t think I read anything that Cloudmin has a limit or implements some check on this, other systems for example Cloudstack usually use a virtual switch for this.

Status: 
Active

Comments

Submitted by JamieCameron on Tue, 05/13/2014 - 22:21

If you are using KVM for your VMs in Cloudmin and have the ebtables command installed on the host system, it will setup firewall rules that prevent misuse of IPs by default. This is done by creating ethernet-level firewall rules on tap interfaces that only allow traffic to or from the IPs that are assigned to each VM.

Submitted by nibb on Wed, 05/14/2014 - 11:27

I see, well that is one idea I may look into.

Submitted by JamieCameron on Wed, 05/14/2014 - 11:52

Note that Cloudmin only implements this for KVM - if you are using Xen (open-source or citrix), those virtualization systems have control over which IPs are assigned to which VMs, and I'm not sure if they limit which IPs can be used.

For OpenVZ and LXC, it is already impossible for a VM to use an IP other than the one it is assigned.