All new Registrations are manually reviewed and approved, so a short delay after registration may occur before your account becomes active.
A bit of iptables help
Hey gals and guys,
I have a set of VMs on 10.0.0.0/27 and I give them access to the Internet with this rule:
iptables -t nat -A POSTROUTING -j MASQUERADE
which works fine.
The problem is that I want a specific one (say .4) (static IPs everywhere) to NOT have Internet access but still have LAN access and communicate with the host.
I found that an alternative invokation to the one I have been using would be:
iptables -t nat -A POSTROUTING -s 10.0.0.0/255.255.255.0 -j MASQUERADE
but is there a way to exclude this specific VM?
Or, as another alternative, is the a command to manually allow masquerading for specific IPs only (and thus excluding .4 by simply not adding a rule for it)?
Edit: Host is XenServer, if it makes any difference (e.g. in respect to the RH-Firewall-* rules it has by default).
Thank you!!!!
Comments
The above rule is correct, stick with it and add another rule to block access to .4
IPTables rules are evaluated top to bottom so the above rule will override those below.
Get me?
Sounds good! How do I block the masquerading for a single IP though?
This should work..
iptables -I FORWARD -s 10.0.0.4/32 -j DROP
Edit: it may work, it may not.. we'll see.
Thanks, will test and update!
The good news:
I can ping the VM from the host and SSH into it. And it does not have Internet access indeed.
The bad news:
Later on my script I have this:
iptables -I RH-Firewall-1-INPUT 3 -p tcp --dport 2500 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp --dport 2500 -j DNAT --to-destination 10.0.0.4:2500
iptables -t nat -A POSTROUTING -p tcp -d 10.0.0.4 --dport 2500 -j SNAT --to-source xxx.xxx.xxx.xxx
These rules were letting me SSH from my home to the VM by
ssh user@host -p2500
and also tunnel access to its services (ssh socks). Is there any way to allow this to keep happening?Edit: There is also another problem. I am running SoftEther in that VM as a "center" hub and with this rule, the "edge" hub fails to connect. I had tested without any masquerading and the L2 Lan-to-Lan was working. So this rule is overly restrictive for my use but I have no idea even where to begin to "punch holes" to it.
Can you put the rules before the 'iptables -I FORWARD -s 10.0.0.4/32 -j DROP'?
Same thing I use the usual
-F
,-t nat -F
,-X
at the top to reset so I don't think it's because of any artifact from the previous run.I just had an idea - create another tap interface on the host with 10.88.0.0, masquarade all of it and have all my other VMs there. Is it reasonable or am I talking utter nonsense (networking is not a skill I possess)?
No, it will work as your VMs with outside access will be isolated and have a masquerade rule, .4 won't.
Can you try putting this rule 'iptables -I FORWARD -p tcp --dport 2500 -s 10.0.0.4/32 -j ACCEPT' before 'iptables -I FORWARD -s 10.0.0.4/32 -j DROP'.
Flush all rule tables prior to testing though
Unfortunately, it didn't work.
Awesome! This is will solve my use case. Thank you very very very much for talking the time to help! If there is anything web programming related I can ever assist you with, just let me know!