Howdy, Stranger!

It looks like you're new here. If you want to get involved, click one of these buttons!


In this Discussion

A bit of iptables help
New on LowEndTalk? Please Register and read our Community Rules.

All new Registrations are manually reviewed and approved, so a short delay after registration may occur before your account becomes active.

A bit of iptables help

deadbeefdeadbeef Member
edited June 2016 in Help

Hey gals and guys,

I have a set of VMs on 10.0.0.0/27 and I give them access to the Internet with this rule:

iptables -t nat -A POSTROUTING -j MASQUERADE

which works fine.

The problem is that I want a specific one (say .4) (static IPs everywhere) to NOT have Internet access but still have LAN access and communicate with the host.

I found that an alternative invokation to the one I have been using would be:

iptables -t nat -A POSTROUTING -s 10.0.0.0/255.255.255.0 -j MASQUERADE

but is there a way to exclude this specific VM?

Or, as another alternative, is the a command to manually allow masquerading for specific IPs only (and thus excluding .4 by simply not adding a rule for it)?

Edit: Host is XenServer, if it makes any difference (e.g. in respect to the RH-Firewall-* rules it has by default).

Thank you!!!!

Comments

  • JacobJacob Member

    The above rule is correct, stick with it and add another rule to block access to .4

    IPTables rules are evaluated top to bottom so the above rule will override those below.

    Get me? :)

    @deadbeef said:

    Thanked by 1deadbeef
  • @Jacob said:

    Sounds good! How do I block the masquerading for a single IP though?

  • JacobJacob Member
    edited June 2016

    This should work..

    iptables -I FORWARD -s 10.0.0.4/32 -j DROP

    Edit: it may work, it may not.. we'll see.

    @deadbeef said:

    @Jacob said:

    Sounds good! How do I block the masquerading for a single IP though?

  • @Jacob said:
    This should work..

    iptables -I FORWARD -s 10.0.0.4/32 -j DROP

    Edit: it may work, it may not.. we'll see.

    Thanks, will test and update!

    Thanked by 1Jacob
  • deadbeefdeadbeef Member
    edited June 2016

    @Jacob said:

    The good news:

    I can ping the VM from the host and SSH into it. And it does not have Internet access indeed.

    The bad news:

    Later on my script I have this:
    iptables -I RH-Firewall-1-INPUT 3 -p tcp --dport 2500 -j ACCEPT
    iptables -t nat -A PREROUTING -p tcp --dport 2500 -j DNAT --to-destination 10.0.0.4:2500
    iptables -t nat -A POSTROUTING -p tcp -d 10.0.0.4 --dport 2500 -j SNAT --to-source xxx.xxx.xxx.xxx

    These rules were letting me SSH from my home to the VM by ssh user@host -p2500 and also tunnel access to its services (ssh socks). Is there any way to allow this to keep happening?

    Edit: There is also another problem. I am running SoftEther in that VM as a "center" hub and with this rule, the "edge" hub fails to connect. I had tested without any masquerading and the L2 Lan-to-Lan was working. So this rule is overly restrictive for my use but I have no idea even where to begin to "punch holes" to it.

    Thanked by 1Jacob
  • JacobJacob Member

    Can you put the rules before the 'iptables -I FORWARD -s 10.0.0.4/32 -j DROP'?

    @deadbeef said:

    Thanked by 1deadbeef
  • deadbeefdeadbeef Member
    edited June 2016

    @Jacob said:
    Can you put the rules before the 'iptables -I FORWARD -s 10.0.0.4/32 -j DROP'?

    Same thing :( I use the usual -F , -t nat -F, -X at the top to reset so I don't think it's because of any artifact from the previous run.

    I just had an idea - create another tap interface on the host with 10.88.0.0, masquarade all of it and have all my other VMs there. Is it reasonable or am I talking utter nonsense (networking is not a skill I possess)?

  • JacobJacob Member

    No, it will work as your VMs with outside access will be isolated and have a masquerade rule, .4 won't.

    Can you try putting this rule 'iptables -I FORWARD -p tcp --dport 2500 -s 10.0.0.4/32 -j ACCEPT' before 'iptables -I FORWARD -s 10.0.0.4/32 -j DROP'.

    Flush all rule tables prior to testing though :)

    @deadbeef said:

    @Jacob said:
    Can you put the rules before the 'iptables -I FORWARD -s 10.0.0.4/32 -j DROP'?

    Same thing :( I use the usual -F , -t nat -F, -X at the top to reset so I don't think it's because of any artifact from the previous run.

    I just had an idea - create another tap interface on the host with 10.88.0.0, masquarade all of it and have all my other VMs there. Is it reasonable or am I talking utter nonsense (networking is not a skill I possess)?

    Thanked by 1deadbeef
  • deadbeefdeadbeef Member
    edited June 2016

    @Jacob said:
    Can you try putting this rule 'iptables -I FORWARD -p tcp --dport 2500 -s 10.0.0.4/32 -j ACCEPT' before 'iptables -I FORWARD -s 10.0.0.4/32 -j DROP'.

    Unfortunately, it didn't work.

    No, it will work as your VMs with outside access will be isolated and have a masquerade rule, .4 won't.

    Awesome! This is will solve my use case. Thank you very very very much for talking the time to help! If there is anything web programming related I can ever assist you with, just let me know!

    Thanked by 1Jacob
Sign In or Register to comment.