Blocking access to the outside from cloud interfaces
Moderator: mike
-
- Posts: 3
- Joined: Thu Aug 03, 2017 10:30 pm
Blocking access to the outside from cloud interfaces
I would like to stop the devices in my Eve server from potentially being able to contact the outside world. I have two friends who use my server, and I don't want them to accidentally interact with the gear in my home network (managed Cisco router and switches.)
How can I prevent bridging to the server NIC, while still allowing HTTP access to management, and also allowing INTERNAL host communication through cloud objects (say for communicating between two separate labs?)
Thank you!
-
- Posts: 409
- Joined: Sun Mar 19, 2017 10:27 pm
Re: Blocking access to the outside from cloud interfaces
networkaddict wrote: ↑Thu Aug 03, 2017 10:34 pm
> I would like to stop the devices in my Eve server from potentially being able to contact the outside world. I have two friends who use my server, and I don't want them to accidentally interact with the gear in my home network (managed Cisco router and switches.)
> How can I prevent bridging to the server NIC, while still allowing HTTP access to management, and also allowing INTERNAL host communication through cloud objects (say for communicating between two separate labs?)
> Thank you!
You can use iptables in Linux to block, or you have FW in the edge block it.
R!
-
- Posts: 5178
- Joined: Wed Mar 15, 2017 4:44 pm
- Location: London
- Contact:
Re: Blocking access to the outside from cloud interfaces
The best, of course, would be to dedicate a special subnet for EVE use, beside your home LAN.
How are these guys accessing your server? From the Internet??
UD
-
- Posts: 3
- Joined: Thu Aug 03, 2017 10:30 pm
Re: Blocking access to the outside from cloud interfaces
No, they're my roommates. They access it from the home LAN. I can carve a new subnet if I need to, but I was hoping there was a way to disable the bridging instead. Is the traffic only bridged out of the host over the pnet1 interface? pnet0 for management, pnet1 for bridging out to the real world, and the rest of the pnet interfaces for internal host communication?
-
- Posts: 5178
- Joined: Wed Mar 15, 2017 4:44 pm
- Location: London
- Contact:
Re: Blocking access to the outside from cloud interfaces
You can leave only the first (management) interface mapped for access to EVE.
At the same time it can be disabled for Internet or isolated from the home LAN.
UD
-
- Posts: 3
- Joined: Thu Aug 03, 2017 10:30 pm
Re: Blocking access to the outside from cloud interfaces
Uldis, thanks for the reply.
Forgive me for being a bit dense, but I'm not quite understanding what you mean. What I want is to make it so that pnet0 is completely inaccessible from inside labs. I don't want to be able to create a Cloud interface linked to pnet0 AT ALL. I tried digging through the various PHP files, but could not find the exact function that creates the cloud objects (I was just going to comment it out and see if that worked). Do you have any suggestions for me?
Thanks again for all the hard work you guys do, we all appreciate it!
-
- Posts: 534
- Joined: Wed Mar 15, 2017 1:54 pm
Re: Blocking access to the outside from cloud interfaces
Hack is possible ....
In /opt/unetlab/html/includes/functions.php, line 614,
replace pnet[0-9] with pnet[1-9]
Each update will overwrite your hack.....
Code:
/**
 * Function to list all available network types.
 *
 * @return  Array   The list of network types
 */
function listNetworkTypes() {
    $results = Array();
    $results['bridge'] = 'bridge';
    $results['ovs'] = 'ovs';
    // Listing pnet interfaces
    foreach (scandir('/sys/devices/virtual/net') as $interface) {
        if (preg_match('/^pnet[0-9]+$/', $interface)) {
            $results[$interface] = $interface;
        }
    }
    return $results;
}
E.
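A check for the edit described in the post above, as an added example that is not part of the thread or of EVE-NG's code: it shows which interface names each pattern lets through and reports whether an update has put the stock filter back. `STRICT_RE`, the function names and the sample interface list are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example, not EVE-NG code. ORIG_RE and HACK_RE are the two patterns
# quoted in the thread; STRICT_RE is an assumption added here.
ORIG_RE='^pnet[0-9]+$'        # stock listNetworkTypes() filter
HACK_RE='^pnet[1-9]+$'        # edit suggested in the thread
STRICT_RE='^pnet[1-9][0-9]*$' # added alternative: hides only pnet0

# offered_networks RE NAME...
# Print, space-separated, the interface names that would be offered as
# cloud networks if the preg_match() in listNetworkTypes() used RE.
offered_networks() {
    re=$1; shift
    out=
    for name in "$@"; do
        if printf '%s\n' "$name" | grep -Eq -- "$re"; then
            out="${out:+$out }$name"
        fi
    done
    printf '%s\n' "$out"
}

# pnet_filter_state FILE
# Print "hardened" if FILE carries the edited filter, "stock" if the
# original filter is present (e.g. after an update), otherwise
# "missing" (file unreadable) or "unknown" (neither pattern found).
pnet_filter_state() {
    if [ ! -r "$1" ]; then echo missing; return 0; fi
    if grep -Fq -- "preg_match('/$HACK_RE/'" "$1"; then echo hardened
    elif grep -Fq -- "preg_match('/$ORIG_RE/'" "$1"; then echo stock
    else echo unknown
    fi
}

# Constructed interface list; pnet10 is not from the thread and is there
# to show that HACK_RE also drops any name containing the digit 0.
SAMPLE='pnet0 pnet1 pnet9 pnet10 eth0 lo'
for re in "$ORIG_RE" "$HACK_RE" "$STRICT_RE"; do
    # Word splitting of $SAMPLE is intended here.
    printf '%-20s -> %s\n' "$re" "$(offered_networks "$re" $SAMPLE)"
done
printf 'functions.php: %s\n' \
    "$(pnet_filter_state /opt/unetlab/html/includes/functions.php)"
```

Running `pnet_filter_state` after each upgrade shows whether the edit has to be reapplied.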