I am running Core base in a qemu guest.
I have sshd installed in the guest-vm & am considering setting PasswordAuthentication & PermitEmptyPasswords to 'yes'.
I keep the Guest isolated (as much as I know how to).
But would like some feedback whether I'm overlooking something.
Here is the network layout:
public-internet
|
rinky-dink-home-router
|
|
192.168.1.0/24----(qemuHost).1------192.168.175.0/30------.2(qemuGuest)
[......the-for-realz-world..][...............the-vm-world..............]
Here's how I keep the Guest isolated:
On the Guest: there is no route pointed across the interface (eth0) leading to the qemu-Host.
tc@box:~$ route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
127.0.0.1 0.0.0.0 255.255.255.255 UH 0 0 0 lo
192.168.175.0 0.0.0.0 255.255.255.252 U 0 0 0 eth0
Also on the Guest, iptables permits only communication to/from the qemu-Host:
tc@box:~$ sudo iptables -S
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT DROP
-A INPUT -s 127.0.0.1/32 -i lo -j ACCEPT
-A INPUT -s 192.168.175.1/32 -d 192.168.175.2/32 -i eth0 -j ACCEPT
-A OUTPUT -d 127.0.0.1/32 -o lo -j ACCEPT
-A OUTPUT -s 192.168.175.2/32 -d 192.168.175.1/32 -o eth0 -j ACCEPT
On the Host:
- iptables permits only packets source & destined within 192.168.175.0/30 to be input or output on the interface leading to the qemu-Guest.
- iptables drops all on Forward chain.
- ip masquerading is not enabled.
- ip packet forwarding is not enabled (no routing function on the host).
In fact I don't have any of this set up automatically, I manually config tap intf & update iptables both on Host & Guest when I need to run the emulation. However I could one day make a mistake & maybe expose the Guest.
I am using the 'hostfw' function of qemu, in that any connection made to a tcp port on the host, is redirected to a port on the guest.
My question is, am I missing anything in keeping the Guest isolated? Do I already have a hole somewhere?
I am not a security type so thx for reading this far.
Welcome
FAQ
Downloads
Wiki
