roland90 DD-WRT User Joined: 22 Oct 2015 Posts: 123
Posted: Mon May 20, 2019 23:00 Post subject: How can I block my VM from accessing my internal network
I am using a VMware VM with a bridged interface and a static IP address.
(VM IP address: 192.168.1.14/24
VM name: virtgep
internal network: 192.168.1.0/24)
I would like to block access to my network from the VM.
Later, allow only ports 80 and 443 for internet access.
Using the following rules:
Code:
# drop new and established traffic from the VM to the LAN (FORWARD only sees packets the router routes)
iptables -I FORWARD -s 192.168.1.14 -d 192.168.1.0/24 -m state --state NEW,ESTABLISHED,RELATED -j DROP
iptables -A INPUT -p tcp --dport 21429 -j logaccept
# VPN clients (10.20.30.0/24 on tun0) <-> LAN, NATed on the way out
iptables -A FORWARD -s 10.20.30.0/24 -j logaccept
iptables -A FORWARD -i br0 -o tun0 -j logaccept
iptables -A FORWARD -i tun0 -o br0 -j logaccept
iptables -t nat -A POSTROUTING -s 10.20.30.0/24 -j MASQUERADE
# -I inserts at position 1; -A takes no rule number, so the original "-A INPUT 1" lines were rejected
iptables -I INPUT 1 -i tun0 -p tcp --dport 80 -j logaccept
# virtual wireless interface ath1.1 may open new connections to 192.168.1.30 only
iptables -A FORWARD -i ath1.1 -o br0 -d 192.168.1.30 -m state --state NEW -j logaccept
iptables -I INPUT 1 -i tun0 -p tcp --dport 22 -j logaccept
iptables -L gives the following result:
Code: Chain INPUT (policy ACCEPT)
target prot opt source destination
logaccept 0 -- anywhere anywhere state RELATED,ESTABLISHED
logaccept tcp -- anywhere anywhere tcp dpt:21429
logaccept 0 -- anywhere anywhere
logdrop udp -- anywhere anywhere udp dpt:route
logdrop udp -- anywhere anywhere udp dpt:route
logaccept udp -- anywhere anywhere udp dpt:route
logaccept 0 -- anywhere anywhere
logdrop icmp -- anywhere anywhere
logdrop igmp -- anywhere anywhere
ACCEPT 0 -- anywhere anywhere state NEW
logaccept 0 -- anywhere anywhere state NEW
logaccept udp -- anywhere anywhere udp dpt:bootps
logaccept udp -- anywhere anywhere udp dpt:domain
logaccept tcp -- anywhere anywhere tcp dpt:domain
logdrop 0 -- anywhere anywhere state NEW
logaccept 0 -- anywhere anywhere
logdrop 0 -- anywhere anywhere
logaccept tcp -- anywhere anywhere tcp dpt:21429
Chain FORWARD (policy ACCEPT)
target prot opt source destination
DROP 0 -- virtgep 192.168.1.0/24 state NEW,RELATED,ESTABLISHED
logaccept 0 -- anywhere anywhere state RELATED,ESTABLISHED
logdrop 0 -- anywhere 192.168.1.0/24 state NEW
logaccept gre -- 192.168.1.0/24 anywhere
logaccept tcp -- 192.168.1.0/24 anywhere tcp dpt:1723
logaccept 0 -- anywhere anywhere
logaccept 0 -- anywhere anywhere
logaccept 0 -- anywhere anywhere
lan2wan 0 -- anywhere anywhere
logaccept 0 -- anywhere anywhere
logaccept 0 -- anywhere anywhere
logaccept tcp -- anywhere nas tcp dpt:45896
logaccept tcp -- anywhere nas tcp dpt:25000
logaccept tcp -- anywhere nas tcp dpt:www
logaccept tcp -- anywhere nas tcp dpt:6690
logaccept tcp -- anywhere nas tcp dpt:9000
TRIGGER 0 -- anywhere anywhere TRIGGER type:in match:0 relate:0
trigger_out 0 -- anywhere anywhere
logdrop 0 -- anywhere anywhere state NEW
logaccept 0 -- anywhere anywhere state NEW
logdrop 0 -- anywhere anywhere
logaccept 0 -- 10.20.30.0/24 anywhere
logaccept 0 -- anywhere anywhere
logaccept 0 -- anywhere anywhere
logaccept 0 -- anywhere nas state NEW
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
logaccept 0 -- anywhere anywhere
Chain advgrp_1 (0 references)
target prot opt source destination
Chain advgrp_10 (0 references)
target prot opt source destination
Chain advgrp_2 (0 references)
target prot opt source destination
Chain advgrp_3 (0 references)
target prot opt source destination
Chain advgrp_4 (0 references)
target prot opt source destination
Chain advgrp_5 (0 references)
target prot opt source destination
Chain advgrp_6 (0 references)
target prot opt source destination
Chain advgrp_7 (0 references)
target prot opt source destination
Chain advgrp_8 (0 references)
target prot opt source destination
Chain advgrp_9 (0 references)
target prot opt source destination
Chain grp_1 (0 references)
target prot opt source destination
Chain grp_10 (0 references)
target prot opt source destination
Chain grp_2 (0 references)
target prot opt source destination
Chain grp_3 (0 references)
target prot opt source destination
Chain grp_4 (0 references)
target prot opt source destination
Chain grp_5 (0 references)
target prot opt source destination
Chain grp_6 (0 references)
target prot opt source destination
Chain grp_7 (0 references)
target prot opt source destination
Chain grp_8 (0 references)
target prot opt source destination
Chain grp_9 (0 references)
target prot opt source destination
Chain lan2wan (1 references)
target prot opt source destination
Chain logaccept (30 references)
target prot opt source destination
LOG 0 -- anywhere anywhere state NEW LOG level warning tcp-sequence tcp-options ip-options prefix `ACCEPT '
ACCEPT 0 -- anywhere anywhere
Chain logdrop (9 references)
target prot opt source destination
LOG 0 -- anywhere anywhere state NEW LOG level warning tcp-sequence tcp-options ip-options prefix `DROP '
LOG 0 -- anywhere anywhere state INVALID LOG level warning tcp-sequence tcp-options ip-options prefix `DROP '
DROP 0 -- anywhere anywhere
Chain logreject (0 references)
target prot opt source destination
LOG 0 -- anywhere anywhere LOG level warning tcp-sequence tcp-options ip-options prefix `WEBDROP '
REJECT tcp -- anywhere anywhere reject-with tcp-reset
Chain trigger_out (1 references)
target prot opt source destination
Note that the first rule in the FORWARD chain is the block rule for the VM:
DROP 0 -- virtgep 192.168.1.0/24 state NEW,RELATED,ESTABLISHED
Despite the rules, I am able to ping and see all the resources of the computers on the LAN.
How can I solve this issue?
Any help is appreciated.
roland90 DD-WRT User Joined: 22 Oct 2015 Posts: 123
Posted: Tue May 21, 2019 17:34 Post subject:
Thanks for the reply.
I tried that, but it is not working.
I entered the IP details for the VM manually, but there is no internet connection, and when I tried to apply the iptables rule the console said:
Code: Warning: weird character in interface `br0:1' (No aliases, :, ! or *).
I don't know the reason.
roland90 DD-WRT User Joined: 22 Oct 2015 Posts: 123
Posted: Tue May 21, 2019 18:02 Post subject:
eibgrad wrote: Hmm, it should have worked; it works fine on my Tomato router, but after testing on a DD-WRT router I got the same error. Not sure why the difference.
Try the following instead:
Code: iptables -I FORWARD -s 192.168.2.0/24 -o br0 -m state --state NEW -j REJECT
(assuming you used that as your second network)
Yeah, that looks better now. Thanks.
But I don't know why the internet is not available on the VM. I did exactly what you wrote.
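Added example (editor's code, not from roland90, eibgrad or the DD-WRT project): the script below first shows why the FORWARD DROP rule against 192.168.1.14 in the opening post could never match, then builds the layout from eibgrad's quoted reply. A VM in VMware bridged mode shares the LAN's broadcast domain, so its packets to 192.168.1.x hosts are switched straight to them; the router's FORWARD chain only evaluates packets the router itself routes between networks, so a rule there never sees bridged VM-to-LAN traffic no matter where it sits in the chain. Moving the VM to its own subnet (192.168.2.0/24, the network eibgrad's rule assumes) behind a br0:1 alias forces that traffic through the router, where the REJECT rule applies. Assumptions not on the page: the alias gateway address 192.168.2.1, the chain name vm_guard, the 80/443-only outbound rule that the first post mentions as a later step, and the IPT/IFCONFIG variables, which default to printing the commands so the script runs on any POSIX sh without touching a firewall.

```shell
#!/bin/sh
# Added example for this thread, not code from the original posts.
#  1. path_for shows why "iptables -I FORWARD -s 192.168.1.14 -d 192.168.1.0/24 ... -j DROP"
#     never matched: a bridged VM with a 192.168.1.x address sits on the same L2
#     segment as the LAN hosts, its packets are switched directly to them, and the
#     router's FORWARD chain (routed packets only) is never consulted.
#  2. isolate_vm builds the layout eibgrad proposed: the VM on its own subnet behind
#     a br0:1 alias, so the router routes (and can filter) VM traffic, using the
#     REJECT rule quoted in the thread plus the 80/443-only restriction the OP wanted.
#
# Assumptions not stated on the page: VM subnet 192.168.2.0/24 with alias gateway
# 192.168.2.1, LAN bridge br0, chain name vm_guard, and the IPT/IFCONFIG variables.
# By default the commands are only printed (dry run); on the router run it with
# IPT=iptables IFCONFIG=ifconfig to apply them.

IPT="${IPT:-echo iptables}"
IFCONFIG="${IFCONFIG:-echo ifconfig}"

# ip2int A.B.C.D -> 32-bit integer, POSIX sh only (no external tools)
ip2int() {
    _oldifs=$IFS; IFS=.; set -- $1; IFS=$_oldifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_same_subnet SRC DST PREFIXLEN: succeeds when both addresses fall in the same
# /PREFIXLEN network, i.e. the packet is delivered by the bridge/switch and the
# router's FORWARD chain is never evaluated for it.
in_same_subnet() {
    _src=$(ip2int "$1"); _dst=$(ip2int "$2")
    _mask=$(( (4294967295 << (32 - $3)) & 4294967295 ))
    [ $(( _src & _mask )) -eq $(( _dst & _mask )) ]
}

# path_for SRC DST PREFIXLEN: prints "bridged" (FORWARD not consulted) or "routed"
path_for() {
    if in_same_subnet "$1" "$2" "$3"; then echo bridged; else echo routed; fi
}

# isolate_vm VM_NET GW_ALIAS LAN_IF: second subnet on an alias of the LAN bridge,
# plus a dedicated chain for everything the router forwards from that subnet.
isolate_vm() {
    _vm_net=$1; _gw=$2; _lan_if=$3
    # iptables cannot match "br0:1" by name ("weird character in interface"),
    # so every rule below matches the VM subnet instead of the alias.
    $IFCONFIG "$_lan_if:1" "$_gw" netmask 255.255.255.0 up

    # Dedicated chain: the VM policy stays in one place and reads top-down.
    $IPT -N vm_guard 2>/dev/null
    $IPT -F vm_guard
    # eibgrad's rule: no new connections from the VM subnet into the LAN bridge
    $IPT -A vm_guard -o "$_lan_if" -m state --state NEW -j REJECT
    # what the OP wanted next: only HTTP/HTTPS towards the internet
    $IPT -A vm_guard -p tcp -m multiport --dports 80,443 -j ACCEPT
    # anything else new from the VM is rejected; replies to VM-initiated flows are
    # destined to the VM, never enter this chain, and hit the existing
    # RELATED,ESTABLISHED rule in FORWARD. DNS to the router's own dnsmasq on
    # 192.168.2.1 is INPUT traffic, not FORWARD, so it is unaffected.
    $IPT -A vm_guard -m state --state NEW -j REJECT

    # Hook the chain at the top of FORWARD for VM-sourced packets only; delete a
    # stale jump first so re-running the firewall script does not duplicate it.
    $IPT -D FORWARD -s "$_vm_net" -j vm_guard 2>/dev/null
    $IPT -I FORWARD 1 -s "$_vm_net" -j vm_guard
    # NAT the VM subnet out to the internet (the POSTROUTING rule eibgrad corrected)
    $IPT -t nat -A POSTROUTING -s "$_vm_net" -j MASQUERADE
}

# Dry-run usage:
path_for 192.168.1.14 192.168.1.30 24   # bridged: the original DROP rule could not see this traffic
path_for 192.168.2.14 192.168.1.30 24   # routed: the router is now in the path and can filter
isolate_vm 192.168.2.0/24 192.168.2.1 br0
```

A quick check before changing anything is iptables -L FORWARD -v -n: the packet and byte counters on the DROP rule stay at zero while the VM reaches the LAN, which is the tell-tale of traffic that never passes through the router. Also be clear about what this layout does and does not give you: the VM is still bridged onto the physical LAN segment, so the router only filters what the guest chooses to send via 192.168.2.1, and a guest that reconfigures itself with a 192.168.1.x address is back on the LAN with no router in the path. That is fine for keeping a cooperative guest away from file shares; isolation that holds against a hostile guest needs a separate VLAN or port group, or VMware NAT/host-only networking with filtering on the host.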
roland90 DD-WRT User Joined: 22 Oct 2015 Posts: 123
Posted: Tue May 21, 2019 21:23 Post subject:
eibgrad wrote: See prior post (you posted just after I updated).
I also made a syntax error, leaving out the keyword POSTROUTING, which I just corrected.
I'm all thumbs today.
Thank you so much for the fast and informative help.
I love the magic of networking.
I did some tests; according to the firewall log all communications are DROPped, but despite that I can apparently ping the host machine from the VM, and when I try to access the resources in the \\hostname\c format it asks for credentials and then says connection error, but if I try \\ipAddress\c it immediately says connection refused.
roland90 DD-WRT User Joined: 22 Oct 2015 Posts: 123
Posted: Tue May 21, 2019 22:04 Post subject:
eibgrad wrote: roland90 wrote: eibgrad wrote: See prior post (you posted just after I updated).
I also made a syntax error, leaving out the keyword POSTROUTING, which I just corrected.
I'm all thumbs today.
Thank you so much for the fast and informative help.
I love the magic of networking.
I did some tests; according to the firewall log all communications are DROPped, but despite that I can apparently ping the host machine from the VM, and when I try to access the resources in the \\hostname\c format it asks for credentials and then says connection error, but if I try \\ipAddress\c it immediately says connection refused.
Uhhh, so it's working as you like?
Yes! Thank you for the co-operation and the help!
That's cooool.