Internet IP Firewalling for Kloudust - TekMonksGitHub/kloudust GitHub Wiki

🔒 How to Firewall a VM Routed via a Linux Bridge


These commands must be run on the host which is hosting the Virtual Machine.

Step 1: Load the Kernel Module for Bridge Filtering

Enable br_netfilter to let nftables inspect bridged traffic.

sudo modprobe br_netfilter

Make this persistent across reboots:

echo "br_netfilter" | sudo tee /etc/modules-load.d/br_netfilter.conf

Step 2: Create a New nftables Table

Create a bridge table for bridge-level firewall rules.

sudo nft add table bridge filter

Step 3: Create a Forwarding Chain in the Table

Add a forward chain to manage traffic across the bridge.

sudo nft add chain bridge filter forward { type filter hook forward priority -200\; policy accept\; }

Step 4: Add a Default Counter Rule

Count all forwarded traffic (for monitoring).

sudo nft add rule bridge filter forward counter

Step 5: Add a Rule to Drop Traffic to the VM

Replace <ip_to_firewall> with the VM’s IP address. The <port_to_allow> could also be a list of ports separated by commas.

sudo nft add rule bridge filter forward ip daddr <ip_to_firewall> tcp dport != { <port_to_allow> } drop

Step 6: Add a Rule to Drop Traffic from the VM

Allow traffic from the VM to <ip_to_allow_traffic_to> and drop all other outbound traffic. <ip_to_allow_traffic_to> can also be a comma-separated list of IPs. Replace <ip_to_firewall> with the VM’s IP address.

sudo nft add rule bridge filter forward ip saddr <ip_to_firewall> ip daddr != { <ip_to_allow_traffic_to> } drop

Alternatively, match on the VM's interface instead of its source IP. The interface vm_b below is the host-side peer of the VM's Ethernet interface, plugged into the bridge.

sudo nft add rule bridge filter forward iif "vm_b" ip daddr != { <ip_to_allow_traffic_to> } drop
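
The steps above combined into one declarative ruleset, as an added example that is not part of the Kloudust wiki: the script builds the table, chain, counter and both drop rules from a VM IP, a list of allowed inbound TCP ports and a list of allowed destination IPs, so the rules can be syntax-checked and loaded atomically with nft -f and saved for reboot persistence (the argument names, the validation helper and the vm_bridge_* function names are assumptions).

```shell
#!/bin/sh
# Added example, not from the Kloudust wiki: turns Steps 2-6 into one
# declarative nftables ruleset that `nft -f` loads atomically. Save the output
# under /etc/nftables.d/ (path is an assumption) for reboot persistence.
# Arguments (assumed names): VM IP, comma-separated inbound TCP ports to allow,
# comma-separated destination IPs the VM may reach.

# Validate a non-empty comma-separated list against a regex; 1 on any bad item.
check_list() {
  list="$1"; pattern="$2"
  [ -n "$list" ] || return 1
  for item in $(printf '%s' "$list" | tr ',' ' '); do
    printf '%s' "$item" | grep -Eq "$pattern" || return 1
  done
}

vm_bridge_ruleset() {
  vm_ip="$1"; in_ports="$2"; out_ips="$3"
  ipv4='^([0-9]{1,3}\.){3}[0-9]{1,3}$'
  check_list "$vm_ip" "$ipv4"           || { echo "bad VM IP: $vm_ip" >&2; return 1; }
  check_list "$in_ports" '^[0-9]{1,5}$' || { echo "bad port list: $in_ports" >&2; return 1; }
  check_list "$out_ips" "$ipv4"         || { echo "bad IP list: $out_ips" >&2; return 1; }
  cat <<EOF
# Declare-then-delete makes the load idempotent without flushing other tables.
table bridge filter
delete table bridge filter
table bridge filter {
    chain forward {
        type filter hook forward priority -200; policy accept;
        counter comment "all bridged traffic (Step 4)"
        # Step 5: only TCP is matched here; UDP and ICMP to the VM still pass.
        ip daddr ${vm_ip} tcp dport != { ${in_ports} } counter drop comment "inbound to VM"
        # Step 6: the VM may only originate traffic to the listed destinations.
        ip saddr ${vm_ip} ip daddr != { ${out_ips} } counter drop comment "outbound from VM"
    }
}
EOF
}

# Dry-run the ruleset with nft's syntax check, then load it; needs root and nft.
vm_bridge_apply() {
  vm_bridge_ruleset "$@" | nft -c -f - && vm_bridge_ruleset "$@" | nft -f -
}
```

Because the Step 5 rule carries a tcp match, only TCP to the VM is filtered and UDP or ICMP still pass under the accept policy. Running nft list chain bridge filter forward shows the per-rule counters, which is the quickest way to confirm a rule is actually matching.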

✅ Recap:

  • Loaded kernel module for bridge traffic filtering.
  • Created a bridge-level nftables table and chain.
  • Added a drop rule for inbound traffic to the VM’s IP address.
  • Added a drop rule for outbound traffic from the VM’s IP address.

Reference: https://serverfault.com/questions/858556/transparent-firewall-with-nftables-and-vlans