My goal is to make an NFS share from TrueNAS SCALE to a VM Guest only, and block LAN access to the NFS share. Basically I don't want the data to leave the TrueNAS device. What are my options (besides using encryption or Kerberos, which I think is overkill in this case)?
I've followed the Accessing NAS From a VM instructions to set up a bridge interface and can mount the NFS share on the guest. The bridge interface is attached to the VM Guest NIC and is assigned 192.168.1.19 via DHCP (I made a DHCP reservation for it in my router). When configuring the NFS share I can choose to add 192.168.1.19 to "Authorized Hosts and IP addresses". So far so good.
My problem with this setup is that any LAN device with the same IP address as my Guest VM could access the NFS Share. I verified this by running Kali Linux inside VirtualBox on my MacBook (with the same MAC address and IP address as my Guest VM).
Could I fix this by making a private bridge network interface, which isn't assigned a physical interface? If yes, please explain to me how to set it up :) I tried assigning an IP address to the private bridge interface via the TrueNAS GUI, but still didn't have an IP address on the VM Guest.
Given my current setup I was thinking I may block LAN access to the NFS share using iptables. This rule seems to block incoming requests from Kali. It can no longer ping the TrueNAS host and the VM Guest still can access the NFS share.
Code:
iptables -A INPUT -m physdev --physdev-in eno1 -s 192.168.1.19 -j DROP
Using this iptables rule doesn't feel very safe though. Any alternatives or suggestions?
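An added example, not part of the original post: a wrapper that applies the rule above idempotently and inserts it at the top of INPUT, so an earlier ACCEPT rule cannot shadow it the way it could with `-A`. The interface and address are the ones from the post; `IPT`, `BRNF`, the `--apply` switch and the function names are hypothetical, and the dependency on the bridge-nf sysctl is stated as an assumption in the comments.

```shell
#!/bin/sh
# Added example: idempotent anti-spoofing DROP for a bridged VM guest.
# IPT and BRNF are hypothetical overrides so the logic can run without root.
IPT="${IPT:-iptables}"
BRNF="${BRNF:-/proc/sys/net/bridge/bridge-nf-call-iptables}"

# Assumption: the physdev match only sees bridged frames when br_netfilter
# is loaded and this sysctl reads 1. If it reads 0 the rule matches nothing.
bridge_nf_enabled() {
  [ -r "$BRNF" ] && [ "$(cat "$BRNF")" = 1 ]
}

# Loose sanity check so stray shell metacharacters never reach iptables.
valid_args() {
  case $1 in ''|*[!A-Za-z0-9_.-]*) return 1 ;; esac
  case $2 in ''|*[!0-9.]*) return 1 ;; esac
  return 0
}

# $1 = physical bridge port (eno1 in the post), $2 = guest IP.
# Drops packets that entered through the physical port while claiming
# the guest's source address. Prints: present | inserted | invalid.
ensure_spoof_drop() {
  valid_args "$1" "$2" || { echo invalid; return 2; }
  set -- -m physdev --physdev-in "$1" -s "$2" -j DROP
  if "$IPT" -C INPUT "$@" 2>/dev/null; then
    echo present            # -C: identical rule already in the chain
  else
    "$IPT" -I INPUT 1 "$@" && echo inserted   # position 1: before any ACCEPT
  fi
}

# Only touches the firewall when asked to: sh script.sh --apply [port] [ip]
if [ "${1:-}" = "--apply" ]; then
  bridge_nf_enabled || echo "warning: $BRNF is not 1; physdev may not match" >&2
  ensure_spoof_drop "${2:-eno1}" "${3:-192.168.1.19}"
fi
```

The rule is not persistent on its own; re-running the script after a reboot reports `inserted` again if the rule was lost.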