Debian
Alexander, 2015-04-21 16:05:05

Why does iptables cut all external requests through NAT with this configuration?

There is a virtual machine (the router) that has an external IP and faces the Internet.
All other virtual machines on the hypervisor reach the Internet through the router VM, which plays the role of a NAT.
I used the following rules to make NAT work on the router VM:

*nat
-A POSTROUTING -s 192.168.0.0/16 -o eth0 -j SNAT --to-source $ipaddr
COMMIT

Everything worked great: the internal virtual machines can access the Internet, and nginx on the router VM proxies requests to the internal virtual machines.
After that I wanted security, and in one place: on the router VM. I used the default config suggested by the Debian documentation, but after I apply it, the internal VMs can no longer surf the Internet.
I would like to know what I need to allow so that outgoing requests from the virtual machines are allowed outside (to anywhere), but incoming ones are cut, with the exception of the ports specified in the exceptions.
Tell me what to read and where to dig on this.
P.S. Here is the filter table of my iptables config:
*filter

# Allows all loopback (lo0) traffic and drop all traffic to 127/8 that doesn't use lo0
-A INPUT -i lo -j ACCEPT
-A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT

# Accepts all established inbound connections
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allows all outbound traffic
# You could modify this to only allow certain traffic
-A OUTPUT -j ACCEPT

# Allows HTTP and HTTPS connections from anywhere (the normal ports for websites)
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT

# Allows SSH connections 
# The --dport number is the same as in /etc/ssh/sshd_config
-A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT

# Now you should read up on iptables rules and consider whether ssh access 
# for everyone is really desired. Most likely you will only allow access from certain IPs.

# Allow ping
#  note that blocking other types of icmp packets is considered a bad idea by some
#  remove -m icmp --icmp-type 8 from this line to allow all kinds of icmp:
#  https://security.stackexchange.com/questions/22711
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT

# log iptables denied calls (access via 'dmesg' command)
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7

# Reject all other inbound - default deny unless explicitly allowed policy:
-A INPUT -j REJECT
-A FORWARD -j REJECT

COMMIT

2 answers

Dmitry Filimonov, 2015-04-21
@tru3

-A FORWARD -j REJECT
With this rule, you cut all FORWARD traffic. You need to allow FORWARD for the 192.168.0.0/16 network in both directions.
For example, like this:

-A FORWARD -s 192.168.0.0/16 -i ИНТЕРФЕЙС_В_192.168.0.0/16 -j ACCEPT
-A FORWARD -d 192.168.0.0/16 -o ИНТЕРФЕЙС_В_192.168.0.0/16 -j ACCEPT
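
As an added example (not code from either answer), here is a FORWARD chain in the same iptables-restore style as the question that lets the internal VMs open connections to the Internet but only admits conntrack-known replies back in, instead of an unconditional ACCEPT toward 192.168.0.0/16. It assumes eth1 is the router VM's internal interface (the question names only eth0) and that the INPUT rules shown in the question stay as they are.

```iptables
*nat
# Rewrite the source of outgoing VM traffic to the router's external address (as in the question).
-A POSTROUTING -s 192.168.0.0/16 -o eth0 -j SNAT --to-source $ipaddr
COMMIT

*filter
# INPUT rules from the question go here, unchanged.

# FORWARD handles packets routed between the internal network and the Internet.
# 1. Replies to connections the VMs opened; conntrack already knows them.
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# 2. New connections from the internal network (assumed interface eth1) out via eth0.
-A FORWARD -i eth1 -o eth0 -s 192.168.0.0/16 -m state --state NEW -j ACCEPT
# 3. Everything else, including unsolicited inbound toward the VMs, is logged and rejected.
-A FORWARD -m limit --limit 5/min -j LOG --log-prefix "iptables fwd denied: " --log-level 7
-A FORWARD -j REJECT
COMMIT
```

The kernel must also have net.ipv4.ip_forward=1, or no packets traverse FORWARD at all regardless of these rules.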

Vladimir, 2015-04-21
@rostel

The problem is in

-A FORWARD -j REJECT
