[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: iptables, virtualbox and port forwarding

Maybe something like this?


- Kernel config

# sysctl -p
net.ipv4.conf.default.rp_filter = 1
net.ipv4.ip_forward = 1
net.ipv4.tcp_syncookies = 1
net.ipv4.conf.all.log_martians = 1
net.ipv4.tcp_keepalive_time = 60
net.ipv4.tcp_keepalive_intvl = 20
net.ipv4.tcp_keepalive_probes = 9
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.all.accept_source_route = 0
net.bridge.bridge-nf-call-ip6tables = 0
net.bridge.bridge-nf-call-iptables = 0
net.bridge.bridge-nf-call-arptables = 0


- Network interfaces config

# This is the host interface
auto eth0
allow hot-plug eth0
iface eth0 inet static
  address 172.20.14.121
  netmask 255.255.255.0
  network 172.20.14.0
  broadcast 192.168.0.255
  gateway 172.20.14.1
  dns-nameservers 172.20.14.1 8.8.8.8
  search virtual.local

auto virbr1
iface virbr1 inet static
  address 192.168.100.1
  netmask 255.255.255.0
  bridge_ports eth0
  bridge_fd 0
  bridge_stp off
  bridge_maxwait 0


- Firewall simple config

# Set Default Policy to DROP
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP

# Allow loopback and localhost access
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A INPUT -s 127.0.0.1/32 -j ACCEPT

# Defense for SYN flood attacks
iptables -A INPUT -p tcp --syn -m limit --limit 5/s -i eth0 -j ACCEPT

# Set Default Connection States - accept all already established connections
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Open DHCP and DNS for virbr1
iptables -A INPUT -p udp -m multiport --dports 67:68 -i virbr1 -m state --state NEW -j ACCEPT
iptables -A INPUT -p tcp -m multiport --dports 67:68 -i virbr1 -m state --state NEW -j ACCEPT
iptables -A INPUT -p udp --dport 53 -i virbr1 -m state --state NEW -j ACCEPT
iptables -A INPUT -p tcp --dport 53 -i virbr1 -m state --state NEW -j ACCEPT

# Masquerade
iptables -t nat -A POSTROUTING -o eth0 -s 192.168.100.0/24 ! -d 192.168.100.0/24 -j MASQUERADE

# Forward chain
iptables -A FORWARD -i eth0 -o virbr1 -d 192.168.100.0/24 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i virbr1 -o eth0 -s 192.168.100.0/24 -j ACCEPT
iptables -A FORWARD -i virbr1 -o virbr1 -j ACCEPT


Now you can create VM's with their own virtual devices, ie vmdev0, vmdev1 etc, and simply add those devices to the virbr1. Then
each of the VM's would have static config of their eth0 interface with ip of 192.168.100.0/24 range and 192.168.100.1 as default
gateway.

If you want to have the VM's get their ip via DHCP then you can install dnsmasq and attach a process to virbr1. Something like
this:

/usr/sbin/dnsmasq -u dnsmasq --strict-order --bind-interfaces \
--pid-file=/var/run/dnsmasq/virbr1.pid --conf-file= \
--except-interface lo --listen-address 192.168.100.1 \
--dhcp-range 192.168.100.10,192.168.100.20 \
--dhcp-leasefile=/var/run/dnsmasq/virbr1.leases \
--dhcp-lease-max=11 --dhcp-no-override


The purpose of the VLAN you have created is not clear as they are usually used to extend a virtual network to more than one host. You will need 802.1Q kernel module enabled and 802.1Q VLAN enabled switch(s) in your network for this to work. Anyway, you can try adding the VLAN in the above configuration as an exercise, ie attach the vlan to eth0 and then include the vlan in the virbr1.

Cheers,
Igor



On Wed, May 28, 2014 at 2:24 AM, <berenger.morel@neutralite.org> wrote:
Hello list.

I am trying to build a virtual network exposing servers accessible from the LAN.
I have done a lot of searches on the web and it worked last week, but since then, I have restarted my computer and had the nice surprise to learn that the iptables command does not save it's configuration.
I tried to retrieve my configuration, but am failing ( I tried to understand what I did with the history command, but sadly I am always working with tons of terminals and so, I suspect that it is not the correct history... ), and same to find anew the articles which actually make things working.

I had some network knowledge in the past, but never really practiced it, so I have lost almost everything. I already have used some firewalls, but those were some Windows ones ( I was not a linux user at that time ) and so I have never played  with iptables.

So I ask for 2 things:
_ help on this particular problem
_ if someone knows about resources to learn and understand how exactly iptables work, this would help me a lot in the future

For my particular problem.

I have an eth0 interface, the real one, on ip 172.20.14.0/24.
I made a vlan in my /etc/network/interfaces, like this:
##############################
auto eth0.1
iface eth0.1 inet static
        address 10.10.10.1
        netmask 255.255.255.0
        vlan-raw-device eth0
##############################

On that network, I have some VMs with static IPs, and the one on which I try to make the configuration for testing and learning purpose have an apache2 server running and up ( I can query on it from my physical computer ). It is using 2 network interfaces, a NAT one and a bridge one, but for others I would like to remove the NAT one, since I need them to simulate the production servers ( which are VMs too, but my company does not control the system on which they are running. Otherwise it would have be far easier: I would have read how it does to understand things ) which only have one interface ( eth0 ).

Both LANs ( the physical one and the virtual one ) works perfectly, but now I would like to allow 2 things:
_ VMs to access the physical LAN, so that they could access the apt proxy I have installed there for installing softwares and updates
_ physical computers accessing VMs through some ports of my computer. For example, redirecting "172.20.14.XX:80" to "10.10.10.30:80". I will do that port forwarding for ssh ( port 22 ), http ( port 80 ) and postgresql ( port 5432 ) connections in a first time.

Thanks


--
To UNSUBSCRIBE, email to debian-user-REQUEST@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Archive: [🔎] fa67f2d6171898de5d691a72d177173e@neutralite.org" target="_blank">https://lists.debian.org/fa67f2d6171898de5d691a72d177173e@neutralite.org


Reply to: