NFS Share to VM Guest but Block LAN Access

Jip-Hop

Contributor
Joined
Apr 13, 2021
Messages
118
My goal is to make an NFS share from TrueNAS SCALE to a VM Guest only, and block LAN access to the NFS share. Basically I don't want the data to leave the TrueNAS device. What are my options (besides using encryption or Kerberos, which I think is overkill in this case)?

I've followed the Accessing NAS From a VM instructions to set up a bridge interface and can mount the NFS share on the guest. The bridge interface is attached to the VM Guest NIC and is assigned 192.168.1.19 via DHCP (I made a DHCP reservation for it in my router). When configuring the NFS share I can choose to add 192.168.1.19 to "Authorized Hosts and IP addresses". So far so good.

My problem with this setup is that any LAN device with the same ip address as my Guest VM could access the NFS Share. I verified this by running Kali linux inside VirtualBox on my MacBook (with the same MAC address and IP address as my Guest VM).

Could I fix this by making a private bridge network interface, which isn't assigned a physical interface? If yes, please explain to me how to set it up :) I tried assigning an ip address to the private bridge interface via the TrueNAS GUI, but still didn't have an ip address on the VM Guest.

Given my current setup I was thinking I may block LAN access to the NFS share using iptables. This rule seems to block incoming requests from Kali. It can no longer ping the TrueNAS host and the VM Guest still can access the NFS share.

Code:
iptables -A INPUT -m physdev --physdev-in eno1 -s 192.168.1.19 -j DROP


Using this iptables rule doesn't feel very safe though. Any alternatives or suggestions?
 

ClassicGOD

Contributor
Joined
Jul 28, 2011
Messages
145
Create a new bridge without any members and with one ip alias (it has to be in a different subnet than your main connection - this will be the IP of your nas on this bridge).
Add the bridge as a new NIC to your VM
Manually set IP on that NIC in your VM to IP in the same subnet as the bridge IP of your nas.
You should now have communication between your NAS and VM over this bridge.
Bind NFS service to the bridge IP of your NAS so it's only accessible over the bridge connection.
 

Jip-Hop

Contributor
Joined
Apr 13, 2021
Messages
118
Thanks a lot for replying @ClassicGOD :)

I thought I tried that already without success, but because of your advice I tried again and got it working now! Except, binding the NFS service to the bridge IP of my NAS doesn't seem to be sufficient to make the share only accessible over the bridge connection.

In TrueNAS GUI I've set the NFS Bind IP Addresses value to 10.0.0.1.

"Help: Bind IP Addresses. Select IP addresses to listen to for NFS requests. Leave empty for NFS to listen to all available addresses."

On the NAS I have 3 network interfaces:

br0 192.168.1.18/24
eno1
br1 10.0.0.1/24

To the VM Guest I have attached 2 NIC interfaces, one with br0 (for LAN and internet access from the VM) and the other with br1, just to access NFS from the host.

Inside the VM Guest I ran `sudo ip addr add 10.0.0.2/24 dev ens4`. I can ping the host at 10.0.0.1 and mount the NFS share, great!

But from Kali Linux on my LAN, with IP 192.168.1.19, I can do the following:

┌──(kali㉿kali)-[~]
└─$ sudo route add -net 10.0.0.1 netmask 255.255.255.255 gw 192.168.1.18
┌──(kali㉿kali)-[~]
└─$ sudo mount 10.0.0.1:/mnt/Test/nfs/data /home/kali/nfs

Which now also mounts the NFS share (but it shouldn't)!

So I think it's important to configure the Authorized Hosts and IP addresses for the NFS share itself, instead of (or in addition to) binding the IP Addresses of the NFS service. After adding 10.0.0.2, trying to mount from Kali will result in `mount.nfs: access denied by server while mounting 0.0.0.1:/mnt/Test/nfs/data` while the VM Guest can still access the NFS share.

If anyone knows a better way to restrict the NFS share to just VM Guests, then I'd be happy to hear your suggestions :)
 

Jip-Hop

Contributor
Joined
Apr 13, 2021
Messages
118
I'm currently using an alternative setup to isolate NFS shares from the host to my VM. This approach could also be relevant in general for users who want to access TrueNAS from a VM.

The key to this approach is to add a second NIC to the VM, which is only for communication with the TrueNAS host system. The first NIC of the VM will be directly attached to your physical network interface. This will create a macvtap interface when the VM is running. It will have access to your LAN, but not to the TrueNAS host. To the second NIC you should attach a bridge interface.

Create this bridge interface first, in the TrueNAS Network settings. Don't attach any interface as Bridge Members when setting up this bridge. Do assign an ip address which is different from the subnet of your physical interface. So if for example your eno1 physical interface has ip address 192.168.1.2, then assign 192.168.200.1/24 to the br0 interface when creating it. As mentioned, assign this bridge to the second NIC of your VM.

You can assign the br0 bridge interface to all your VMs which need to access the TrueNAS host. Make sure to manually assign these VMs (from within the VM) an ip address within the subnet you assigned to the bridge interface (so for example 192.168.200.2). They won't automatically get one via DHCP.

Your VMs can now reach TrueNAS at 192.168.200.1 (so not via 192.168.1.2, the ip address all other LAN clients would reach it at). This makes it trivial to restrict services, such as NFS shares, to VM guests only, since they reside in a different subnet than the LAN clients.

[Five screenshots of the TrueNAS network and VM configuration, dated 2021-12-27, not reproduced here.]
 
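The two earlier posts showed that binding the NFS service to the bridge IP is not enough and that the share's own "Authorized Hosts and IP addresses" list is what actually keeps LAN clients out. The following added example (not code from the thread or from TrueNAS) audits an exports file against the VM-only bridge subnet and reports every client spec that is not pinned to that subnet; it assumes TrueNAS SCALE renders the authorized-hosts list into standard exports(5) client specs, and the sample file is constructed.

```python
import ipaddress

# Constructed sample in /etc/exports(5) syntax. Assumption: TrueNAS SCALE writes
# each share's "Authorized Hosts and IP addresses" into this file as client specs.
SAMPLE_EXPORTS = """\
# constructed sample, not taken from the forum thread
/mnt/Test/nfs/data  10.0.0.2(rw,sync,no_subtree_check)
/mnt/Test/nfs/media 10.0.0.0/24(ro,sync) 192.168.1.19(rw,sync)
/mnt/Test/nfs/open  *(rw,sync)
/mnt/Test/nfs/named kali.lan(rw,sync)
"""


def parse_exports(text):
    """Yield (path, client, options) for every client spec in an exports file."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        parts = line.split(None, 1)
        path, rest = parts[0], (parts[1] if len(parts) > 1 else "")
        specs = rest.split() or [""]  # a path with no client is exported to everyone
        for spec in specs:
            client, _, opts = spec.partition("(")
            yield path, client, opts.rstrip(")")


def classify_client(client, vm_net):
    """'ok' only when the client is an address or network inside the VM-only bridge subnet."""
    if client in ("", "*"):
        return "open to any host"
    if client.startswith("@"):
        return "netgroup, membership not verifiable here"
    if any(ch in client for ch in "*?[]"):
        return "hostname wildcard"
    try:
        net = ipaddress.ip_network(client, strict=False)
    except ValueError:
        return "hostname, depends on DNS rather than on the bridge subnet"
    if net.version != vm_net.version or not net.subnet_of(vm_net):
        return f"outside isolated bridge subnet {vm_net}"
    return "ok"


def audit_exports(text, vm_bridge_net="10.0.0.0/24"):
    """Return (path, client, reason) for each client spec a LAN host could still match."""
    vm_net = ipaddress.ip_network(vm_bridge_net)
    findings = []
    for path, client, _ in parse_exports(text):
        verdict = classify_client(client, vm_net)
        if verdict != "ok":
            findings.append((path, client, verdict))
    return findings
```

Pass `vm_bridge_net="192.168.200.0/24"` to audit the layout from the last post instead of the 10.0.0.0/24 bridge.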