I was perusing the interweb a few days ago and I stumbled across an interesting statement (I don't have the link anymore). The gist was that you could bridge a VMware guest NIC to a host adapter that has no IP address. The security implications are what caught my attention. So I started digging a little further, found it was true, and then managed to work a little bit of magic to make it happen!

Here is the scenario:

ServerLAN is an Ubuntu Server host running VMware Server, with two physical NICs bound to two bridged networks: NIC1 is attached to the private LAN and NIC2 is attached to the DMZ. The two networks are separated by a firewall.

ServerDMZ is an Ubuntu Server guest virtual machine with one virtual NIC, bridged onto NIC2 (the DMZ side of the host).

The idea is to isolate ServerDMZ from the private network and ServerLAN from the DMZ.

I had all of this working with a public IP on the ServerDMZ virtual NIC, a DMZ private IP on NIC2, and the LAN private IP on NIC1. The problem with this setup is that my host was accessible from the DMZ. With proper blocking, namely dropping all traffic to and from that interface, it wasn't much of a concern. But the IP was still there. So I did a little Ubuntu /etc/network/interfaces magic:
# bring these up at boot; eth0/eth1 are the physical names the mapping below resolves
auto lo eth0 eth1

# pin the logical names to hardware addresses so a kernel update cannot swap them
# (the MACs here are placeholders; substitute the real addresses, hex digits only)
mapping eth0 eth1
    script /etc/network/get-mac-address.sh
    map 01:23:45:67:89:01 NIC1
    map AB:CD:EF:GH:IJ:KL NIC2

iface lo inet loopback

# private LAN side: the only interface with an address and a default route
iface NIC1 inet static
    address 192.168.1.2
    broadcast 192.168.1.255
    netmask 255.255.255.0
    network 192.168.1.0
    gateway 192.168.1.1
    metric 100

# DMZ side: link up so VMware can bridge onto it, but no IP address on the host
iface NIC2 inet manual
    up ifconfig $IFACE up
    down ifconfig $IFACE down

To break this down:
mapping eth0 eth1
script /etc/network/get-mac-address.sh
map 01:23:45:67:89:01 NIC1
map AB:CD:EF:GH:IJ:KL NIC2

This section protects against a kernel update bringing the NICs up in a different order (eth0 and eth1 swapping). ifupdown runs get-mac-address.sh with the physical interface name as its argument and the map lines on its standard input; the script reads that interface's MAC address and prints the label (NIC1 or NIC2) whose MAC matches. That logical name then selects which iface stanza below gets applied to the interface.
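As an added illustration of what a mapping script has to do (this is not the get-mac-address.sh shipped in /usr/share/doc/ifupdown/examples, which parses ifconfig output; it is a small POSIX sh version written for this page), the script below reads the interface's MAC from sysfs, an assumption that the host has /sys/class/net, and matches it against the map lines ifupdown feeds on stdin. The MACs and labels used in the usage example are constructed, not taken from a real host.

```shell
#!/bin/sh
# Added example of an ifupdown "mapping" script (not the shipped get-mac-address.sh).
# ifupdown calls it as: script <physical-iface>, with every "map" line of the stanza
# ("<mac> <logical-name>") on stdin, and expects the chosen logical name on stdout.
# A non-zero exit tells ifupdown that no mapping applies.

# Hardware address of a physical interface, read from sysfs and lowercased.
# (Assumes sysfs is mounted; the ifupdown example script parses ifconfig instead.)
iface_mac() {
    tr 'A-F' 'a-f' < "/sys/class/net/$1/address"
}

# Compare a MAC against the "<mac> <label>" lines on stdin.
# Prints the label of the first case-insensitive match and returns 0;
# returns 1 if no line matches (blank lines and #-comments are skipped).
match_mac() {
    want=$(printf '%s' "$1" | tr 'A-F' 'a-f')
    while read -r testmac label; do
        case "$testmac" in ''|'#'*) continue ;; esac
        have=$(printf '%s' "$testmac" | tr 'A-F' 'a-f')
        if [ "$have" = "$want" ] && [ -n "$label" ]; then
            printf '%s\n' "$label"
            return 0
        fi
    done
    return 1
}

# When run by ifupdown (one argument naming a real interface), resolve it and
# exit with match_mac's status so a missing map line is reported as a failure.
if [ "$#" -eq 1 ] && [ -r "/sys/class/net/$1/address" ]; then
    match_mac "$(iface_mac "$1")"
    exit $?
fi

# Offline usage with constructed map lines (the same form as the stanza's map entries):
#   printf '01:23:45:67:89:01 NIC1\nab:cd:ef:01:23:45 NIC2\n' | match_mac 01:23:45:67:89:01
```

Because the match is done on the lowercased form on both sides, the map lines can be written in either case; ifupdown only cares that the script prints exactly one logical name.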
iface lo inet loopback
This brings up the loopback interface.
iface NIC1 inet static
address 192.168.1.2
broadcast 192.168.1.255
netmask 255.255.255.0
network 192.168.1.0
gateway 192.168.1.1
metric 100

This brings up the private-network NIC with a static address, netmask, broadcast address and default gateway. It is the only interface on the host that gets an IP.

Side note: if two interfaces both carry a gateway line, give them different metrics so that one default route takes priority. With the same metric, the kernel rejects the second default route (File exists), so which gateway you actually end up with depends on which interface happened to come up first.
iface NIC2 inet manual
up ifconfig $IFACE up
down ifconfig $IFACE down

This final section is how you bring the interface up without an IP address: inet manual tells ifupdown not to configure any addresses, so the up/down lines are needed just to toggle the link. The same stanza is also the place to set promiscuous mode and similar options. VMware can then bridge the guest onto NIC2 while the host itself has no layer-3 presence on the DMZ. One caveat: if IPv6 is enabled, the kernel still auto-assigns a link-local fe80:: address when the link comes up, so the host remains reachable on the DMZ segment over IPv6 link-local. Either disable IPv6 on that interface (for example an extra up sysctl -w net.ipv6.conf.$IFACE.disable_ipv6=1 line, on kernels that provide that sysctl) or drop IPv6 on it in the firewall, and check afterwards that the interface shows no inet or inet6 lines at all.
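A small check for that last point, added here and not part of the original post: feed it the output of ip addr show dev <iface> and it reports whether the link is up at layer 2 yet carries no IPv4 or IPv6 address. The two samples embedded below are constructed in ip(8) output format to show a clean interface and one that leaked an IPv6 link-local address; they are not captured from a real host.

```shell
#!/bin/sh
# Added check (not from the original post): confirm the DMZ-facing NIC is up at
# layer 2 but carries no IPv4 or IPv6 address. Input is `ip addr show dev <iface>`.

# Print every address line ("inet <addr>" / "inet6 <addr>") from ip(8) output on stdin.
# IPv6 link-local (fe80::/10) counts: the kernel adds one automatically on link-up.
l3_addresses() {
    awk '$1 == "inet" || $1 == "inet6" { print $1, $2 }'
}

# Exit 0 if the interface is UP and has no address at all,
# 1 if it has an address, 2 if the link is not even up.
is_bare_l2() {
    out=$(cat)
    # the flags field looks like <BROADCAST,MULTICAST,UP,LOWER_UP>; LOWER_UP alone is not UP
    printf '%s\n' "$out" | grep -Eq '<([A-Z_-]+,)*UP[,>]' || return 2
    [ -z "$(printf '%s\n' "$out" | l3_addresses)" ]
}

# Constructed samples in `ip addr show` format (not captured from a real host).
SAMPLE_BARE='3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP
    link/ether 00:11:22:33:44:55 brd ff:ff:ff:ff:ff:ff'
SAMPLE_LEAK='3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP
    link/ether 00:11:22:33:44:55 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::211:22ff:fe33:4455/64 scope link
       valid_lft forever preferred_lft forever'

# Live use on the host:
#   ip addr show dev eth1 | is_bare_l2 && echo "eth1 is up with no IP"
# With the constructed samples:
#   printf '%s\n' "$SAMPLE_BARE" | is_bare_l2   -> exit 0
#   printf '%s\n' "$SAMPLE_LEAK" | is_bare_l2   -> exit 1 (link-local IPv6 present)
```

Run it against NIC2 after ifup; a non-zero result means the host still has an address on the DMZ link and the isolation the post is after is not actually in place.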

Documentation for the interfaces file can be found under file:///usr/share/doc/ifupdown (see interfaces(5)), and the get-mac-address.sh script is in its examples sub-folder.
