From: Stefano M. <ste...@op...> - 2006-06-08 14:55:46
On Thu, Jun 08, 2006 at 03:22:08PM +0100, robl wrote:
>
> I'm looking for some help/advice on setting up a firewall for my uml host
> machine. Specifically, I'm using tuntap and have eth0 listening promisc with
> br0 having the public internet facing ip. I then have tap (0,1,2) interfaces
> for each uml guest. I'd like to firewall the host machine so only
> ssh,smtp,http are accessible on the host but not affect the traffic going to
> the UML host machines. Is this possible and does anybody have any example
> iptables scripts/hints ?
>

Dear Rob,
if you put the UML machines in another subnet, different from the LAN, you
don't have direct access to them: you need a gateway that provides the bridge
between the LAN and the UML network. So if you access from inside the network,
let's suppose you are working at home, you don't affect your relevant
(ssh,smtp,http) traffic. If you, from outside your LAN, would like to access
only the UML network, you need your host to be a gateway for you.
I designed my system (host/gateway) in order to switch the relevant traffic
on UML: UML instances perform the services and whatever other activity, let's
say I would like to write my own doc on a system, in this case I created
another UML-home system. If I need to work on an ordinary machine, I just
access the host, then via ssh to them, but they are in another subnet: just
the opposite of what you need, but it is an example as well.
Here you can have an example:

#!/bin/sh
#
EXTIF="ppp0"
INTIF="eth0"
WINTIF="eth1"
LAN="10.0.0.0/24"
WLAN="10.0.1.0/24"
IPTABLES=/sbin/iptables
TABLES="filter nat"

start_gw () {
    if [ -f /proc/sys/net/ipv4/ip_forward ]; then
        echo "Activating IPv4 packet forwarding."
        echo 1 > /proc/sys/net/ipv4/ip_forward
    fi
    if [ -f /proc/sys/net/ipv4/ip_dynaddr ]; then
        echo "Activating IPv4 dynamic address..."
        echo 1 > /proc/sys/net/ipv4/ip_dynaddr
    fi

    # iptables modules
    modprobe iptable_nat
    modprobe ipt_MASQUERADE

    echo "Clearing any existing rules and setting default policy.."
    $IPTABLES -P INPUT ACCEPT
    $IPTABLES -F INPUT
    $IPTABLES -P OUTPUT ACCEPT
    $IPTABLES -F OUTPUT
    $IPTABLES -P FORWARD DROP
    $IPTABLES -F FORWARD
    $IPTABLES -t nat -F

    echo "Setting up NAT (Network Address Translation)..."
    $IPTABLES -t nat -P PREROUTING ACCEPT
    $IPTABLES -t nat -P POSTROUTING ACCEPT
    $IPTABLES -t nat -P OUTPUT ACCEPT

    # default policies for the main (filter) table
    echo "Setting up FILTER ..."
    #$IPTABLES -t filter -P INPUT DROP
    #$IPTABLES -t filter -P INPUT ACCEPT
    $IPTABLES -t filter -P OUTPUT ACCEPT
    #$IPTABLES -t filter -P FORWARD DROP
    #$IPTABLES -t filter -P FORWARD ACCEPT

    # allow all traffic for existing connections
    $IPTABLES -t filter -A FORWARD -m state --state ESTABLISHED,RELATED \
        -j ACCEPT
    $IPTABLES -t filter -A INPUT -m state --state ESTABLISHED,RELATED \
        -j ACCEPT

    # allow local interface traffic
    $IPTABLES -t filter -A INPUT -i lo -j ACCEPT

    # allow connections from hard-wired interface
    #$IPTABLES -t filter -A INPUT -m physdev --physdev-in eth0 \
    #    -m state --state NEW -j ACCEPT
    $IPTABLES -t filter -A INPUT -p tcp --dport 22 -i ppp0 \
        -m state --state NEW -j ACCEPT

    # That is what to do if your UML perform the services task
    # redirection of http/https/smtp requests to the proper UML destination
    # Port 25
    #$IPTABLES -t nat -A PREROUTING -p tcp -i ppp0 --dport 25 -j \
    #    DNAT --to 10.0.0.10:25
    # Port 80
    #$IPTABLES -t nat -A PREROUTING -p tcp -i ppp0 --dport 80 -j \
    #    DNAT --to 10.0.0.20:80
    # Port 443
    #$IPTABLES -t nat -A PREROUTING -p tcp -i ppp0 --dport 443 -j \
    #    DNAT --to 10.0.0.20:443

    # That is what to do if your UML DO NOT perform the services task
    # allow connections to httpd and ssh
    $IPTABLES -t filter -A INPUT -p tcp --dport 80:443 \
        -m state --state NEW -j ACCEPT
    # allow connections to ssh
    $IPTABLES -t filter -A INPUT -p tcp --dport 22 \
        -m state --state NEW -j ACCEPT

    # allow connections from local LAN/WLAN
    # $IPTABLES -t filter -A INPUT -m physdev --physdev-in eth0 \
    #    -m state --state NEW -j ACCEPT
    $IPTABLES -t filter -A INPUT -m physdev --physdev-in eth1 \
        -m state --state NEW -j ACCEPT

    # allow connections to smtp/pop3
    $IPTABLES -t filter -A INPUT -p tcp --dport pop3 \
        -m state --state NEW -j ACCEPT

    # allow DNS to pass through
    $IPTABLES -t filter -A FORWARD -p tcp --dport domain -j ACCEPT
    $IPTABLES -t filter -A FORWARD -p udp --dport domain -j ACCEPT

    # allow DHCP to pass through
    # $IPTABLES -t filter -A FORWARD -p udp --dport 67:68 -j ACCEPT

    # allow LAN requests to pass through
    $IPTABLES -t filter -A FORWARD -i $INTIF -s $LAN -j ACCEPT
    $IPTABLES -t filter -A FORWARD -i $WINTIF -s $WLAN -j ACCEPT
    $IPTABLES -t filter -A FORWARD -i $WINTIF -s $LAN -j ACCEPT

    # Open323 on PB with 10.0.0.2
    # $IPTABLES -t nat -A PREROUTING -p TCP -i $INTIF $EXTIF --dport 1720
    #    -j DNAT --to-destination 10.0.0.2
    # $IPTABLES -t nat -A PREROUTING -p TCP -i $INTIF $EXTIF --dport 522 -j
    #    DNAT --to-destination 10.0.0.2
    # $IPTABLES -t nat -A PREROUTING -p TCP -i $INTIF $EXTIF --dport 1503
    #    -j DNAT --to-destination 10.0.0.2
    # $IPTABLES -t nat -A PREROUTING -p TCP -i $INTIF $EXTIF --dport 1731
    #    -j DNAT --to-destination 10.0.0.2
    # forward the corresponding ports
    #iptables -A FORWARD -p tcp -i $INET_IFACE -o $LAN_IFACE --dport 1720 -j ACCEPT
    #iptables -A FORWARD -p tcp -i $INET_IFACE -o $LAN_IFACE --dport 552 -j ACCEPT
    #iptables -A FORWARD -p tcp -i $INET_IFACE -o $LAN_IFACE --dport 1503 -j ACCEPT
    #iptables -A FORWARD -p tcp -i $INET_IFACE -o $LAN_IFACE --dport 1731 -j ACCEPT

    # allow proxy
    # $IPTABLES -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j
    #    REDIRECT --to-port 3128

    echo "FWD: Allow connections OUT and only existing and related ones IN"
    $IPTABLES -A FORWARD -i $EXTIF -o $INTIF -m state --state \
        ESTABLISHED,RELATED -j ACCEPT
    $IPTABLES -A FORWARD -i $EXTIF -o $INTIF -m state --state NEW -j ACCEPT
    $IPTABLES -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT
    $IPTABLES -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE
    $IPTABLES -t nat -A POSTROUTING -o $INTIF -j MASQUERADE

    echo "Connection from/to wireless: "
    $IPTABLES -A FORWARD -i $EXTIF -o $WINTIF -m state \
        --state ESTABLISHED,RELATED -j ACCEPT
    $IPTABLES -A FORWARD -i $EXTIF -o $WINTIF -m state \
        --state NEW -j ACCEPT
    $IPTABLES -A FORWARD -i $WINTIF -o $EXTIF -j ACCEPT
    $IPTABLES -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE
    $IPTABLES -t nat -A POSTROUTING -o $WINTIF -j MASQUERADE

    # log and drop other incoming traffic
    $IPTABLES -t filter -A INPUT -j LOG -m state --state NEW \
        --log-level info --log-prefix "Input New: "
    $IPTABLES -A FORWARD -j LOG --log-prefix "Forwarding: " \
        --log-level info
    $IPTABLES -t nat -A POSTROUTING -j LOG --log-prefix "IPTABLES NAT:" \
        --log-level info
}

stop_gw () {
    echo -e "\nFlushing firewall and setting default policies to DROP\n"
    #$IPTABLES -P INPUT DROP
    $IPTABLES -F INPUT
    #$IPTABLES -P OUTPUT DROP
    $IPTABLES -F OUTPUT
    #$IPTABLES -P FORWARD DROP
    $IPTABLES -F FORWARD

    # flush everything
    for table in $TABLES
    do
        $IPTABLES -t $table -F
        $IPTABLES -t $table -X
    done

    # Delete all User-specified chains
    $IPTABLES -X
    #
    # Reset all IPTABLES counters
    $IPTABLES -Z
}

case "$1" in
    start)
        start_gw
        ;;
    stop)
        stop_gw
        ;;
    restart)
        $0 stop
        $0 start
        ;;
    status)
        $IPTABLES -L
        ;;
    mlist)
        cat /proc/net/ip_conntrack
        ;;
    *)
        echo "Usage: gw.sh {start|stop|restart|status|mlist}"
        exit 1
        ;;
esac
exit 0

-- 
Stefano Melchior, GPG key = D52DF829 - <ste...@op...>
http://etinarcadiaego.dyndns.org -- http://www.stex.name
Skype ID "stefanomelchior"
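Stefano's script is a routed gateway (separate subnet, MASQUERADE), and as posted it keeps the INPUT policy at ACCEPT with the DROP line commented out, so its final LOG rule logs but nothing is dropped. The script below is an added example, not from the thread, for the bridged layout Rob actually has: INPUT defaults to DROP and admits only ssh/smtp/http on the public bridge interface, while frames bridged between the tap ports and br0 are let through FORWARD with the physdev match; interface names br0/tap0..2 and the dry-run helper are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): host-only filter for a UML
# host whose public IP sits on br0 with tap0..tap2 as bridge ports for the
# guests. Interface names are hypothetical; IPTABLES=dry_run only prints.
IPTABLES="${IPTABLES:-/sbin/iptables}"
PUBIF="br0"
HOST_TCP_PORTS="22 25 80"      # services the host itself offers

dry_run () { printf 'iptables %s\n' "$*"; }

host_rules () {
    # Host-bound traffic: default deny, then loopback, replies and the three
    # listed services. Frames bridged between tap0..2 and br0 are switched by
    # the bridge and never reach INPUT, so guest traffic is not affected.
    $IPTABLES -P INPUT DROP
    $IPTABLES -F INPUT
    $IPTABLES -A INPUT -i lo -j ACCEPT
    $IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    for p in $HOST_TCP_PORTS; do
        $IPTABLES -A INPUT -i "$PUBIF" -p tcp --dport "$p" \
            -m state --state NEW -j ACCEPT
    done
    # anything else aimed at the host is logged, then falls to the DROP policy
    $IPTABLES -A INPUT -m state --state NEW -j LOG --log-prefix "Input New: "
}

bridge_rules () {
    # With bridge-nf enabled (net.bridge.bridge-nf-call-iptables=1) bridged IP
    # packets also traverse FORWARD; pass them untouched and drop everything
    # routed (the host is a bridge here, not a gateway, so no NAT is needed).
    $IPTABLES -P FORWARD DROP
    $IPTABLES -F FORWARD
    $IPTABLES -A FORWARD -m physdev --physdev-is-bridged -j ACCEPT
}

# number of ACCEPT rules the host policy would add to INPUT (dry run)
count_input_accepts () {
    (IPTABLES=dry_run; host_rules) | grep -c -- '-A INPUT .* -j ACCEPT'
}

case "$1" in
    start) host_rules; bridge_rules ;;
    show)  (IPTABLES=dry_run; host_rules; bridge_rules) ;;
esac
```

Run it as `sh fw.sh show` to review the rule set before applying it with `start`; with no argument it installs nothing.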