Blocking access to the outside from cloud interfaces

Posted: Thu Aug 03, 2017 10:34 pm
by networkaddict
I would like to stop the devices in my Eve server from potentially being able to contact the outside world. I have two friends who use my server, and I don't want them to accidentally interact with the gear in my home network (managed Cisco router and switches.)

How can I prevent bridging to the server NIC, while still allowing HTTP access to management, and also allowing INTERNAL host communication through cloud objects (say for communicating between two separate labs?)

Thank you!

Re: Blocking access to the outside from cloud interfaces

Posted: Fri Aug 04, 2017 7:25 am
by ramindia
networkaddict wrote:
Thu Aug 03, 2017 10:34 pm
I would like to stop the devices in my Eve server from potentially being able to contact the outside world. I have two friends who use my server, and I don't want them to accidentally interact with the gear in my home network (managed Cisco router and switches.)

How can I prevent bridging to the server NIC, while still allowing HTTP access to management, and also allowing INTERNAL host communication through cloud objects (say for communicating between two separate labs?)

Thank you!

You can use iptables in Linux to block it, or you can have the FW at the edge block it.

R!

Re: Blocking access to the outside from cloud interfaces

Posted: Fri Aug 04, 2017 7:40 am
by Uldis (UD)
The best, of course, would be to dedicate a special subnet for EVE use, beside your home LAN.

How are these guys accessing your server? From the Internet?


UD

Re: Blocking access to the outside from cloud interfaces

Posted: Fri Aug 04, 2017 2:17 pm
by networkaddict
No, they're my roommates. They access it from the home LAN. I can carve a new subnet if I need to, but I was hoping there was a way to disable the bridging instead. Is the traffic only bridged out of the host over the pnet1 interface? pnet0 for management, pnet1 for bridging out to the real world, and the rest of the pnet interfaces for internal host communication?

Re: Blocking access to the outside from cloud interfaces

Posted: Fri Aug 04, 2017 4:12 pm
by Uldis (UD)
You can leave only the first (management) interface mapped for access to EVE.
At the same time, it can be disabled for internet or isolated from the home LAN.

UD

Re: Blocking access to the outside from cloud interfaces

Posted: Mon Aug 07, 2017 3:08 pm
by networkaddict
Uldis, thanks for the reply.

Forgive me for being a bit dense, but I'm not quite understanding what you mean. What I want is to make it so that pnet0 is completely inaccessible from inside labs. I don't want to be able to create a Cloud interface linked to pnet0 AT ALL. I tried digging through the various PHP files, but could not find the exact function that creates the cloud objects (I was just going to comment it out and see if that worked). Do you have any suggestions for me?

Thanks again for all the hard work you guys do, we all appreciate it!

Re: Blocking access to the outside from cloud interfaces

Posted: Mon Aug 07, 2017 4:26 pm
by ecze
Hack is possible ....

in /opt/unetlab/html/includes/functions.php line 614

replace pnet[0-9] with pnet[1-9]

Code:

/**
 * Function to list all available network types.
 *
 * @return      Array                                           The list of network types
 */
function listNetworkTypes() {
        $results = Array();
        $results['bridge'] = 'bridge';
        $results['ovs'] = 'ovs';

        // Listing pnet interfaces
        foreach (scandir('/sys/devices/virtual/net') as $interface) {
                if (preg_match('/^pnet[0-9]+$/', $interface)) {
                        $results[$interface] = $interface;
                }
        }

        return $results;
}

Each update will overwrite your hack.....

E.
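
An added example, not from the thread or from the EVE-NG code base: a variant of the listNetworkTypes() filter above that hides pnet0 by exact name, because the edited pattern pnet[1-9]+ also drops any interface whose number contains a zero, such as pnet10. The function name listNetworkTypesFiltered and its two parameters are hypothetical, and the sample directory is constructed so the script runs outside an EVE host.

```php
<?php
/**
 * Added example (not EVE-NG/UNetLab project code): list network types while
 * hiding selected pnet interfaces. $sysNetDir and $blocked are hypothetical
 * parameters introduced here for illustration.
 */
function listNetworkTypesFiltered(string $sysNetDir = '/sys/devices/virtual/net',
                                  array $blocked = ['pnet0']): array {
    $results = ['bridge' => 'bridge', 'ovs' => 'ovs'];

    $entries = @scandir($sysNetDir);
    if ($entries === false) {
        return $results;               // directory unreadable: no pnet entries
    }
    foreach ($entries as $interface) {
        // Same match as the original function: "pnet" followed by digits only.
        if (!preg_match('/^pnet[0-9]+$/', $interface)) {
            continue;
        }
        // Exact-name comparison, so blocking pnet0 never affects pnet10 or pnet20.
        if (in_array($interface, $blocked, true)) {
            continue;
        }
        $results[$interface] = $interface;
    }
    return $results;
}

// Constructed sample: a temp directory standing in for /sys/devices/virtual/net.
$dir = sys_get_temp_dir() . '/' . uniqid('pnet_demo_');
mkdir($dir);
foreach (['lo', 'pnet0', 'pnet1', 'pnet9', 'pnet10', 'pnet20', 'vnet0_1'] as $name) {
    mkdir("$dir/$name");
}

$filtered = array_keys(listNetworkTypesFiltered($dir));
// What the pattern /^pnet[1-9]+$/ keeps from the same constructed names:
$edited = array_values(preg_grep('/^pnet[1-9]+$/', scandir($dir)));

echo 'deny list : ', implode(' ', $filtered), PHP_EOL;
echo '[1-9]+    : ', implode(' ', $edited), PHP_EOL;

// Clean up the constructed directory.
foreach (array_diff(scandir($dir), ['.', '..']) as $name) {
    rmdir("$dir/$name");
}
rmdir($dir);
```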