How can I block my VM to access my internal network

roland90
DD-WRT User


Joined: 22 Oct 2015
Posts: 73

PostPosted: Mon May 20, 2019 23:00    Post subject: How can I block my VM to access my internal network
I am using a VMware VM with a bridged interface and a static IP address.

(VM IP address: 192.168.1.14/24
VM name: virtgep
internal network: 192.168.1.0/24)

I would like to block the VM's access to my network.
Later, I want to allow only ports 80 and 443 for internet access.

Using the following rules:
Code:
iptables -I FORWARD -s 192.168.1.14 -d 192.168.1.0/24 -m state --state NEW,ESTABLISHED,RELATED -j DROP
iptables -A INPUT -p tcp --dport 21429 -j logaccept
iptables -A FORWARD --source 10.20.30.0/24 -j logaccept
iptables -A FORWARD -i br0 -o tun0 -j logaccept
iptables -A FORWARD -i tun0 -o br0 -j logaccept
iptables -t nat -A POSTROUTING -s 10.20.30.0/24 -j MASQUERADE
# -A takes no position argument; inserting at rule number 1 needs -I
iptables -I INPUT 1 -i tun0 -p tcp --dport 80 -j logaccept
iptables -A FORWARD -i ath1.1 -o br0 -d 192.168.1.30 -m state --state NEW -j logaccept
iptables -I INPUT 1 -i tun0 -p tcp --dport 22 -j logaccept


iptables -L gives the following result:
Code:
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
logaccept  0    --  anywhere             anywhere            state RELATED,ESTABLISHED
logaccept  tcp  --  anywhere             anywhere            tcp dpt:21429
logaccept  0    --  anywhere             anywhere           
logdrop    udp  --  anywhere             anywhere            udp dpt:route
logdrop    udp  --  anywhere             anywhere            udp dpt:route
logaccept  udp  --  anywhere             anywhere            udp dpt:route
logaccept  0    --  anywhere             anywhere           
logdrop    icmp --  anywhere             anywhere           
logdrop    igmp --  anywhere             anywhere           
ACCEPT     0    --  anywhere             anywhere            state NEW
logaccept  0    --  anywhere             anywhere            state NEW
logaccept  udp  --  anywhere             anywhere            udp dpt:bootps
logaccept  udp  --  anywhere             anywhere            udp dpt:domain
logaccept  tcp  --  anywhere             anywhere            tcp dpt:domain
logdrop    0    --  anywhere             anywhere            state NEW
logaccept  0    --  anywhere             anywhere           
logdrop    0    --  anywhere             anywhere           
logaccept  tcp  --  anywhere             anywhere            tcp dpt:21429
Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
DROP       0    --  virtgep              192.168.1.0/24      state NEW,RELATED,ESTABLISHED
logaccept  0    --  anywhere             anywhere            state RELATED,ESTABLISHED
logdrop    0    --  anywhere             192.168.1.0/24      state NEW
logaccept  gre  --  192.168.1.0/24       anywhere           
logaccept  tcp  --  192.168.1.0/24       anywhere            tcp dpt:1723
logaccept  0    --  anywhere             anywhere           
logaccept  0    --  anywhere             anywhere           
logaccept  0    --  anywhere             anywhere           
lan2wan    0    --  anywhere             anywhere           
logaccept  0    --  anywhere             anywhere           
logaccept  0    --  anywhere             anywhere           
logaccept  tcp  --  anywhere             nas                 tcp dpt:45896
logaccept  tcp  --  anywhere             nas                 tcp dpt:25000
logaccept  tcp  --  anywhere             nas                 tcp dpt:www
logaccept  tcp  --  anywhere             nas                 tcp dpt:6690
logaccept  tcp  --  anywhere             nas                 tcp dpt:9000
TRIGGER    0    --  anywhere             anywhere            TRIGGER type:in match:0 relate:0
trigger_out  0    --  anywhere             anywhere           
logdrop    0    --  anywhere             anywhere            state NEW
logaccept  0    --  anywhere             anywhere            state NEW
logdrop    0    --  anywhere             anywhere           
logaccept  0    --  10.20.30.0/24        anywhere           
logaccept  0    --  anywhere             anywhere           
logaccept  0    --  anywhere             anywhere           
logaccept  0    --  anywhere             nas                 state NEW
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
logaccept  0    --  anywhere             anywhere           
Chain advgrp_1 (0 references)
target     prot opt source               destination         
Chain advgrp_10 (0 references)
target     prot opt source               destination         
Chain advgrp_2 (0 references)
target     prot opt source               destination         
Chain advgrp_3 (0 references)
target     prot opt source               destination         
Chain advgrp_4 (0 references)
target     prot opt source               destination         
Chain advgrp_5 (0 references)
target     prot opt source               destination         
Chain advgrp_6 (0 references)
target     prot opt source               destination         
Chain advgrp_7 (0 references)
target     prot opt source               destination         
Chain advgrp_8 (0 references)
target     prot opt source               destination         
Chain advgrp_9 (0 references)
target     prot opt source               destination         
Chain grp_1 (0 references)
target     prot opt source               destination         
Chain grp_10 (0 references)
target     prot opt source               destination         
Chain grp_2 (0 references)
target     prot opt source               destination         
Chain grp_3 (0 references)
target     prot opt source               destination         
Chain grp_4 (0 references)
target     prot opt source               destination         
Chain grp_5 (0 references)
target     prot opt source               destination         
Chain grp_6 (0 references)
target     prot opt source               destination         
Chain grp_7 (0 references)
target     prot opt source               destination         
Chain grp_8 (0 references)
target     prot opt source               destination         
Chain grp_9 (0 references)
target     prot opt source               destination         
Chain lan2wan (1 references)
target     prot opt source               destination         
Chain logaccept (30 references)
target     prot opt source               destination         
LOG        0    --  anywhere             anywhere            state NEW LOG level warning tcp-sequence tcp-options ip-options prefix `ACCEPT '
ACCEPT     0    --  anywhere             anywhere           
Chain logdrop (9 references)
target     prot opt source               destination         
LOG        0    --  anywhere             anywhere            state NEW LOG level warning tcp-sequence tcp-options ip-options prefix `DROP '
LOG        0    --  anywhere             anywhere            state INVALID LOG level warning tcp-sequence tcp-options ip-options prefix `DROP '
DROP       0    --  anywhere             anywhere           
Chain logreject (0 references)
target     prot opt source               destination         
LOG        0    --  anywhere             anywhere            LOG level warning tcp-sequence tcp-options ip-options prefix `WEBDROP '
REJECT     tcp  --  anywhere             anywhere            reject-with tcp-reset
Chain trigger_out (1 references)
target     prot opt source               destination         


Note that the first rule in the FORWARD chain is the blocking rule for the VM:
DROP 0 -- virtgep 192.168.1.0/24 state NEW,RELATED,ESTABLISHED

Despite the rules, I'm able to ping and see all the resources of the computers on the LAN.

How can I solve this issue?
Any help is appreciated :)
eibgrad
DD-WRT Guru


Joined: 18 Sep 2010
Posts: 8034

PostPosted: Tue May 21, 2019 3:59
You can't use the router's *IP* firewall to manage access between bridged devices, only routed devices (i.e., something that's moving between different networks, such as the local network and the network beyond the WAN). Bridged devices communicate directly with each other over ethernet, and never become involved w/ the router's *IP* firewall.
_________________
DD-WRT: DNS Leak Detection w/ VPNs (updated 6/5/19)
NEW SCRIPT!: ddwrt-mount-usb-drives.sh
NEW SCRIPT!: ddwrt-blacklist-domains.sh
NEW SCRIPT!: ddwrt-ovpn-remote-access.sh
NEW SCRIPT!: ddwrt-pptp-policy-based-routing.sh
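The point above, that frames between two hosts on the same bridge never enter the router's IP firewall, can be verified from rule counters rather than taken on faith. The following diagnostic is an added example, not code from the thread or from DD-WRT: it parses the output of `iptables -vnL FORWARD` and reports the packet count of a given rule. The sample listing embedded in it is constructed (the thread's `iptables -L` output carries no counters); a DROP rule whose counter stays at zero while the VM is busy on the LAN is the sign that the traffic is being switched by br0 at layer 2, not routed.

```shell
#!/bin/sh
# Added diagnostic (not code from the thread or from DD-WRT): check whether a
# FORWARD rule ever sees traffic. Frames between two hosts on the same bridge
# (br0) are switched at layer 2 and never enter the IP FORWARD chain, so the
# packet counter of the first post's DROP rule stays at zero no matter how busy
# the VM is on the LAN. A non-zero counter means the traffic is being routed.

# Constructed sample of `iptables -vnL FORWARD` (the thread's `iptables -L`
# output has no counters; the VM's DROP rule is shown with 0 packets).
SAMPLE_FORWARD='Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       0    --  *      *       192.168.1.14         192.168.1.0/24       state NEW,RELATED,ESTABLISHED
 8412  612K logaccept  0    --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
   37  2220 logdrop    0    --  *      *       0.0.0.0/0            192.168.1.0/24       state NEW'

# rule_packets TARGET SOURCE [LISTING]
# Prints the packet count of the first FORWARD rule whose target and source
# columns match. With no LISTING argument it reads the live chain (needs root).
rule_packets() {
    target="$1"; src="$2"
    listing="${3:-$(iptables -vnL FORWARD)}"
    printf '%s\n' "$listing" |
        awk -v t="$target" -v s="$src" '$3 == t && $8 == s { print $1; exit }'
}

# classify_path TARGET SOURCE [LISTING]
# "bridged": the rule exists but has never matched, i.e. the IP firewall is not
# on the VM-to-LAN path; "routed": packets are hitting it; "unknown": no such rule.
classify_path() {
    n="$(rule_packets "$@")"
    if [ -z "$n" ]; then
        echo unknown
    elif [ "$n" -eq 0 ]; then
        echo bridged
    else
        echo routed
    fi
}

# Stand-alone run against the constructed sample (no router needed).
classify_path DROP 192.168.1.14 "$SAMPLE_FORWARD"   # prints "bridged"
```

On the router itself, run `classify_path DROP 192.168.1.14` without the third argument while the VM is pinging a LAN host; if the answer stays "bridged", no amount of FORWARD rules will change what the VM can reach on that segment.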
eibgrad
DD-WRT Guru


Joined: 18 Sep 2010
Posts: 8034

PostPosted: Tue May 21, 2019 4:13
One trick you can do is bind the router and the VM to their own private network on the same physical LAN.

You add a second network address to the router using the following in the startup script.

Code:
ifconfig br0:1 192.168.2.1 netmask 255.255.255.0 broadcast 192.168.2.255


And place the VM on 192.168.2.2/24, give it a gateway IP of 192.168.2.1, and DNS of 192.168.2.1.

Now the only thing the VM sees and can communicate with is the router and the internet. Of course, if you think that somehow your VM, perhaps via malware, could change its network back to the primary network (e.g., 192.168.1.x), then this isn't the best solution. But for most cases where you just want a level of invisibility, it will suffice.

P.S. Oh, and of course, you'll want to block the VM from accessing the primary network. Now that you have two different networks, the router's IP firewall finally comes into play.

Code:
iptables -I FORWARD -i br0:1 -o br0 -m state --state NEW -j REJECT


Note, devices on the primary network will still be able to initiate connections w/ the VM, and the VM can respond. It's just that the VM itself can't initiate connections to the primary network.

roland90
DD-WRT User


Joined: 22 Oct 2015
Posts: 73

PostPosted: Tue May 21, 2019 17:34
Thanks for the reply.

I tried that, but it is not working :(
I set the IP details for the VM manually, but there is no internet connection, and when I tried to apply the iptables rule
the console said:
Code:
Warning: weird character in interface `br0:1' (No aliases, :, ! or *).


I don't know the reason.
eibgrad
DD-WRT Guru


Joined: 18 Sep 2010
Posts: 8034

PostPosted: Tue May 21, 2019 17:55
Hmm, it should have worked; it works fine on my Tomato router, but after testing on a DD-WRT router I got the same error. Not sure why the difference.

Try the following instead:

Code:
iptables -I FORWARD -s 192.168.2.0/24 -o br0 -m state --state NEW -j REJECT


(assuming you used that as your second network)

eibgrad
DD-WRT Guru


Joined: 18 Sep 2010
Posts: 8034

PostPosted: Tue May 21, 2019 18:02
Oh, one other thing. You'll also need to NAT that new network over the WAN before the VM will have internet access.

Code:
WAN_IF="$(ip route | awk '/^default/{print $NF}')"
iptables -t nat -I POSTROUTING -s 192.168.2.0/24 -o $WAN_IF -j MASQUERADE



Last edited by eibgrad on Tue May 21, 2019 18:12; edited 1 time in total
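The three steps from the replies above (the br0:1 alias, the subnet-based REJECT, and the MASQUERADE over the WAN) assembled into one script, as an added example rather than code from the thread or from the DD-WRT project. It assumes the LAN bridge is br0, the constructed second subnet 192.168.2.0/24 with the router at 192.168.2.1, and uses the name vlan2 only as a dry-run placeholder for the WAN interface. The REJECT rule matches on the source subnet because an ifconfig alias such as br0:1 is not an interface name netfilter accepts, which is the error hit earlier in the thread. The optional last function goes beyond the replies and implements the first post's stated goal of allowing only TCP 80 and 443 out to the internet; it assumes the multiport match is built into the firmware.

```shell
#!/bin/sh
# Added example (not from the thread or DD-WRT): isolate a VM on its own subnet
# that shares the physical LAN with the router, then police it with iptables.
# Assumptions: LAN bridge br0; constructed guest subnet 192.168.2.0/24 with the
# router at 192.168.2.1. DRY_RUN=1 prints the commands instead of running them.

LAN_IF="${LAN_IF:-br0}"
GUEST_NET="${GUEST_NET:-192.168.2.0/24}"
GUEST_GW="${GUEST_GW:-192.168.2.1}"
GUEST_BCAST="${GUEST_BCAST:-192.168.2.255}"
DRY_RUN="${DRY_RUN:-0}"

# Execute a command, or echo it when dry-running (no root, no iptables needed).
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Outgoing WAN interface from the default route; "vlan2" is a placeholder
# used only in dry-run mode so the script can be exercised off the router.
wan_interface() {
    if [ "$DRY_RUN" = "1" ]; then
        echo vlan2
    else
        ip route | awk '/^default/ { print $NF }'
    fi
}

# Step 1: second address on the bridge, the "br0:1" alias from the thread.
add_guest_alias() {
    run ifconfig "${LAN_IF}:1" "$GUEST_GW" netmask 255.255.255.0 broadcast "$GUEST_BCAST"
}

# Step 2: the VM may not open connections to the primary LAN. Match the source
# subnet, not "-i br0:1": the alias is not an interface, so iptables rejects it.
# LAN hosts can still initiate connections to the VM, as the thread notes.
block_guest_to_lan() {
    run iptables -I FORWARD -s "$GUEST_NET" -o "$LAN_IF" -m state --state NEW -j REJECT
}

# Step 3: NAT the guest subnet over the WAN, otherwise the VM has no internet.
nat_guest_net() {
    run iptables -t nat -I POSTROUTING -s "$GUEST_NET" -o "$(wan_interface)" -j MASQUERADE
}

# Optional step (first post's goal): only TCP 80/443 out to the internet.
# Both rules are inserted at position 1, so the ACCEPT ends up above the REJECT;
# the REJECT is limited to NEW, so replies on existing connections still pass.
# DNS is served by the router itself (192.168.2.1) and never enters FORWARD.
restrict_guest_internet() {
    wan="$(wan_interface)"
    run iptables -I FORWARD -s "$GUEST_NET" -o "$wan" -m state --state NEW -j REJECT
    run iptables -I FORWARD -s "$GUEST_NET" -o "$wan" -p tcp -m multiport --dports 80,443 \
        -m state --state NEW -j ACCEPT
}

apply_all() {
    add_guest_alias
    block_guest_to_lan
    nat_guest_net
    if [ "${RESTRICT_PORTS:-0}" = "1" ]; then
        restrict_guest_internet
    fi
}

# Only touch the router when explicitly asked; otherwise just define functions.
if [ "${APPLY:-0}" = "1" ]; then
    apply_all
fi
```

Preview the rule set with `DRY_RUN=1 APPLY=1 sh isolate-vm.sh`, then install it with `APPLY=1` (and `RESTRICT_PORTS=1` for the 80/443-only variant) from the router's startup or firewall script so it survives a reboot. The VM itself keeps the settings from the thread: 192.168.2.2/24, gateway and DNS 192.168.2.1.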
roland90
DD-WRT User


Joined: 22 Oct 2015
Posts: 73

PostPosted: Tue May 21, 2019 18:02
eibgrad wrote:
Hmm, it should have worked; it works fine on my Tomato router, but after testing on a DD-WRT router I got the same error. Not sure why the difference.

Try the following instead:

Code:
iptables -I FORWARD -s 192.168.2.0/24 -o br0 -m state --state NEW -j REJECT


(assuming you used that as your second network)


Yeah, that looks better now. Thanks.
But I don't know why the internet is not available on the VM. I did exactly the same as you wrote. :o
eibgrad
DD-WRT Guru


Joined: 18 Sep 2010
Posts: 8034

PostPosted: Tue May 21, 2019 18:03
See prior post (you posted just after I updated).

I also made a syntax error, leaving out the keyword POSTROUTING, which I just corrected.

I'm all thumbs today.

roland90
DD-WRT User


Joined: 22 Oct 2015
Posts: 73

PostPosted: Tue May 21, 2019 21:23
eibgrad wrote:
See prior post (you posted just after I updated).

I also made a syntax error, leaving out the keyword POSTROUTING, which I just corrected.

I'm all thumbs today.

Thank you so much for the fast and informative help :)

I love the magic of networking :D
I did some tests, and according to the firewall log all communications are DROPped. Despite that, from the VM I can apparently ping the host machine, and when I try to access the resources in \\hostname\c format it asks for credentials and then says connection error, but if I try \\ipAddress\c it immediately says connection refused.
eibgrad
DD-WRT Guru


Joined: 18 Sep 2010
Posts: 8034

PostPosted: Tue May 21, 2019 21:59
roland90 wrote:
eibgrad wrote:
See prior post (you posted just after I updated).

I also made a syntax error, leaving out the keyword POSTROUTING, which I just corrected.

I'm all thumbs today.

Thank you so much for the fast and informative help :)

I love the magic of networking :D
I did some tests, and according to the firewall log all communications are DROPped. Despite that, from the VM I can apparently ping the host machine, and when I try to access the resources in \\hostname\c format it asks for credentials and then says connection error, but if I try \\ipAddress\c it immediately says connection refused.


Uhhh, so it's working as you like?

roland90
DD-WRT User


Joined: 22 Oct 2015
Posts: 73

PostPosted: Tue May 21, 2019 22:04
eibgrad wrote:
roland90 wrote:
eibgrad wrote:
See prior post (you posted just after I updated).

I also made a syntax error, leaving out the keyword POSTROUTING, which I just corrected.

I'm all thumbs today.

Thank you so much for the fast and informative help :)

I love the magic of networking :D
I did some tests, and according to the firewall log all communications are DROPped. Despite that, from the VM I can apparently ping the host machine, and when I try to access the resources in \\hostname\c format it asks for credentials and then says connection error, but if I try \\ipAddress\c it immediately says connection refused.


Uhhh, so it's working as you like?


Yes! Thank you for the co-operation and the help!
That's cooool.