[Solved] Configure iptables to block traffic on Host

parmando · Post by **parmando** » 23. Jul 2009, 20:59

Hello,

I have a Lenny Host running VirtualBox 3.0.2 and a guest running Lenny too.

At the host, I have this network interfaces:

ip link
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 100
link/ether 00:1c:c0:05:04:0e brd ff:ff:ff:ff:ff:ff
3: vboxnet0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN qlen 1000
link/ether 0a:00:27:00:00:00 brd ff:ff:ff:ff:ff:ff

I want to configure an iptables firewall on the host to protect the host server; and other firewall in the guest to protect the guest (if that is the correct way of protecting the guest)

When I put something like this on the host:

iptables -P FORWARD DROP
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT

iptables -A INPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

echo "Acceso SSH"
iptables -A INPUT -p tcp --dport 22 -j ACCEPT

nothing is bloqued at the host nor on the guest.

How should I configure iptables on the host to protect it?
Hoy should I configure iptables on the guest to protect it too?

Thanks in advance and sorry for my bad english.
Pablo.

Post by **baf** » 23. Jul 2009, 21:21

What is the output of iptables-save after those commands?

parmando · Post by **parmando** » 23. Jul 2009, 21:30

Here is the output:

# Generated by iptables-save v1.4.2 on Thu Jul 23 16:27:53 2009
*mangle
:PREROUTING ACCEPT [14794:1113662]
:INPUT ACCEPT [8947:580615]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [8331:5432967]
:POSTROUTING ACCEPT [8331:5432967]
COMMIT
# Completed on Thu Jul 23 16:27:53 2009
# Generated by iptables-save v1.4.2 on Thu Jul 23 16:27:53 2009
*nat
:PREROUTING ACCEPT [9082:714889]
:POSTROUTING ACCEPT [67:5420]
:OUTPUT ACCEPT [67:5420]
COMMIT
# Completed on Thu Jul 23 16:27:53 2009
# Generated by iptables-save v1.4.2 on Thu Jul 23 16:27:53 2009
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [5:716]
-A INPUT -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT
# Completed on Thu Jul 23 16:27:53 2009

Post by **baf** » 23. Jul 2009, 22:21

This rule in the filter chain:

Code: Select all

-A INPUT -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT

Means accept all new and previously established connections. So nothing should be dropped.
Try

Code: Select all

-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

instead.

parmando · Post by **parmando** » 24. Jul 2009, 21:05

Thank you very much. That was the problem. I have to see with more care next time:(.

virtualbox.org

[Solved] Configure iptables to block traffic on Host

[Solved] Configure iptables to block traffic on Host

Re: Configure iptables to block traffic on Host

Re: Configure iptables to block traffic on Host

Re: Configure iptables to block traffic on Host

Re: Configure iptables to block traffic on Host