How can I block my VM from accessing my internal network

DD-WRT Forum Index -> Advanced Networking
roland90
DD-WRT User


Joined: 22 Oct 2015
Posts: 123

PostPosted: Mon May 20, 2019 23:00    Post subject: How can I block my VM from accessing my internal network
I am using a VMware VM with a bridged interface and a static IP address.

(VM IP address: 192.168.1.14/24
VM name: virtgep
internal network: 192.168.1.0/24)

I would like to block access to my network from the VM.
Later, I would like to allow only ports 80 and 443 for internet access.

Using the following rules:
Code:
# intended to block the VM from reaching anything on the LAN
iptables -I FORWARD -s 192.168.1.14 -d 192.168.1.0/24 -m state --state NEW,ESTABLISHED,RELATED -j DROP
iptables -A INPUT -p tcp --dport 21429 -j logaccept
iptables -A FORWARD --source 10.20.30.0/24 -j logaccept
iptables -A FORWARD -i br0 -o tun0 -j logaccept
iptables -A FORWARD -i tun0 -o br0 -j logaccept
iptables -t nat -A POSTROUTING -s 10.20.30.0/24 -j MASQUERADE
# -A takes no position argument; -I INPUT 1 inserts at the top of the chain
iptables -I INPUT 1 -i tun0 -p tcp --dport 80 -j logaccept
iptables -A FORWARD -i ath1.1 -o br0 -d 192.168.1.30 -m state --state NEW -j logaccept
iptables -I INPUT 1 -i tun0 -p tcp --dport 22 -j logaccept


iptables -L gives the following result:
Code:
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
logaccept  0    --  anywhere             anywhere            state RELATED,ESTABLISHED
logaccept  tcp  --  anywhere             anywhere            tcp dpt:21429
logaccept  0    --  anywhere             anywhere           
logdrop    udp  --  anywhere             anywhere            udp dpt:route
logdrop    udp  --  anywhere             anywhere            udp dpt:route
logaccept  udp  --  anywhere             anywhere            udp dpt:route
logaccept  0    --  anywhere             anywhere           
logdrop    icmp --  anywhere             anywhere           
logdrop    igmp --  anywhere             anywhere           
ACCEPT     0    --  anywhere             anywhere            state NEW
logaccept  0    --  anywhere             anywhere            state NEW
logaccept  udp  --  anywhere             anywhere            udp dpt:bootps
logaccept  udp  --  anywhere             anywhere            udp dpt:domain
logaccept  tcp  --  anywhere             anywhere            tcp dpt:domain
logdrop    0    --  anywhere             anywhere            state NEW
logaccept  0    --  anywhere             anywhere           
logdrop    0    --  anywhere             anywhere           
logaccept  tcp  --  anywhere             anywhere            tcp dpt:21429
Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
DROP       0    --  virtgep              192.168.1.0/24      state NEW,RELATED,ESTABLISHED
logaccept  0    --  anywhere             anywhere            state RELATED,ESTABLISHED
logdrop    0    --  anywhere             192.168.1.0/24      state NEW
logaccept  gre  --  192.168.1.0/24       anywhere           
logaccept  tcp  --  192.168.1.0/24       anywhere            tcp dpt:1723
logaccept  0    --  anywhere             anywhere           
logaccept  0    --  anywhere             anywhere           
logaccept  0    --  anywhere             anywhere           
lan2wan    0    --  anywhere             anywhere           
logaccept  0    --  anywhere             anywhere           
logaccept  0    --  anywhere             anywhere           
logaccept  tcp  --  anywhere             nas                 tcp dpt:45896
logaccept  tcp  --  anywhere             nas                 tcp dpt:25000
logaccept  tcp  --  anywhere             nas                 tcp dpt:www
logaccept  tcp  --  anywhere             nas                 tcp dpt:6690
logaccept  tcp  --  anywhere             nas                 tcp dpt:9000
TRIGGER    0    --  anywhere             anywhere            TRIGGER type:in match:0 relate:0
trigger_out  0    --  anywhere             anywhere           
logdrop    0    --  anywhere             anywhere            state NEW
logaccept  0    --  anywhere             anywhere            state NEW
logdrop    0    --  anywhere             anywhere           
logaccept  0    --  10.20.30.0/24        anywhere           
logaccept  0    --  anywhere             anywhere           
logaccept  0    --  anywhere             anywhere           
logaccept  0    --  anywhere             nas                 state NEW
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
logaccept  0    --  anywhere             anywhere           
Chain advgrp_1 (0 references)
target     prot opt source               destination         
Chain advgrp_10 (0 references)
target     prot opt source               destination         
Chain advgrp_2 (0 references)
target     prot opt source               destination         
Chain advgrp_3 (0 references)
target     prot opt source               destination         
Chain advgrp_4 (0 references)
target     prot opt source               destination         
Chain advgrp_5 (0 references)
target     prot opt source               destination         
Chain advgrp_6 (0 references)
target     prot opt source               destination         
Chain advgrp_7 (0 references)
target     prot opt source               destination         
Chain advgrp_8 (0 references)
target     prot opt source               destination         
Chain advgrp_9 (0 references)
target     prot opt source               destination         
Chain grp_1 (0 references)
target     prot opt source               destination         
Chain grp_10 (0 references)
target     prot opt source               destination         
Chain grp_2 (0 references)
target     prot opt source               destination         
Chain grp_3 (0 references)
target     prot opt source               destination         
Chain grp_4 (0 references)
target     prot opt source               destination         
Chain grp_5 (0 references)
target     prot opt source               destination         
Chain grp_6 (0 references)
target     prot opt source               destination         
Chain grp_7 (0 references)
target     prot opt source               destination         
Chain grp_8 (0 references)
target     prot opt source               destination         
Chain grp_9 (0 references)
target     prot opt source               destination         
Chain lan2wan (1 references)
target     prot opt source               destination         
Chain logaccept (30 references)
target     prot opt source               destination         
LOG        0    --  anywhere             anywhere            state NEW LOG level warning tcp-sequence tcp-options ip-options prefix `ACCEPT '
ACCEPT     0    --  anywhere             anywhere           
Chain logdrop (9 references)
target     prot opt source               destination         
LOG        0    --  anywhere             anywhere            state NEW LOG level warning tcp-sequence tcp-options ip-options prefix `DROP '
LOG        0    --  anywhere             anywhere            state INVALID LOG level warning tcp-sequence tcp-options ip-options prefix `DROP '
DROP       0    --  anywhere             anywhere           
Chain logreject (0 references)
target     prot opt source               destination         
LOG        0    --  anywhere             anywhere            LOG level warning tcp-sequence tcp-options ip-options prefix `WEBDROP '
REJECT     tcp  --  anywhere             anywhere            reject-with tcp-reset
Chain trigger_out (1 references)
target     prot opt source               destination         


See that the first rule in the FORWARD chain is the block instruction for the VM:
DROP 0 -- virtgep 192.168.1.0/24 state NEW,RELATED,ESTABLISHED

Despite the rules, I'm able to ping and see all the resources of the computers on the LAN.

How can I solve this issue?
Any help is appreciated.
roland90
DD-WRT User


Joined: 22 Oct 2015
Posts: 123

PostPosted: Tue May 21, 2019 17:34    Post subject:
Thanks for the reply.

I tried that, but it is not working.
I gave the VM its IP details manually, but there is no internet connection, and when I tried to apply the iptables rule,
the console said
Code:
Warning: weird character in interface `br0:1' (No aliases, :, ! or *).


I don't know the reason.
roland90
DD-WRT User


Joined: 22 Oct 2015
Posts: 123

PostPosted: Tue May 21, 2019 18:02    Post subject:
eibgrad wrote:
Hmm, should have worked, it works fine on my tomato router, but after testing on a dd-wrt router, I got the same error. Not sure why the difference.

Try the following instead:

Code:
iptables -I FORWARD -s 192.168.2.0/24 -o br0 -m state --state NEW -j REJECT


(assuming you used that as your second network)


Yeah, that looks better now. Thanks.
But I don't know why the internet is not available on the VM. I did exactly the same as you wrote.
roland90
DD-WRT User


Joined: 22 Oct 2015
Posts: 123

PostPosted: Tue May 21, 2019 21:23    Post subject:
eibgrad wrote:
See prior post (you posted just after I updated).

I also made a syntax error, leaving out the keyword POSTROUTING, which I just corrected.

I'm all thumbs today.

Thank you so much for the fast and informative help.

I love the magic of networking.
I did some tests, and according to the firewall log all communications are DROPped. Despite that, from the VM I can apparently ping the host machine, and when I try to access the resources in the \\hostname\c format it asks for credentials and then says connection error, but if I try \\ipAddress\c it immediately says connection refused.
roland90
DD-WRT User


Joined: 22 Oct 2015
Posts: 123

PostPosted: Tue May 21, 2019 22:04    Post subject:
eibgrad wrote:
roland90 wrote:
eibgrad wrote:
See prior post (you posted just after I updated).

I also made a syntax error, leaving out the keyword POSTROUTING, which I just corrected.

I'm all thumbs today.

Thank you so much for the fast and informative help.

I love the magic of networking.
I did some tests, and according to the firewall log all communications are DROPped. Despite that, from the VM I can apparently ping the host machine, and when I try to access the resources in the \\hostname\c format it asks for credentials and then says connection error, but if I try \\ipAddress\c it immediately says connection refused.


Uhhh, so it's working as you like?


Yes! Thank you for the co-operation and the help!
That's cooool.
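The two points the thread turns on, as an added shell example (not code from the thread or from DD-WRT): first, why the original DROP rule never matched anything, and second, what the split-subnet rules eibgrad suggested look like once ports 80 and 443 are added. A bridged VM that sits on the LAN subnet (192.168.1.14/24) exchanges frames with LAN hosts over br0 at layer 2, so the router's FORWARD chain never sees that traffic; FORWARD only sees packets the router has to route between subnets. `crosses_forward` makes that distinction explicit. `vm_subnet_rules` then prints the FORWARD and NAT rules for a VM placed on its own subnet, matching on source subnet plus the br0 bridge rather than on the alias, because iptables cannot match an alias interface such as `br0:1` (the warning quoted earlier in the thread). The interface names `br0` and `vlan2`, the function names, and the 192.168.2.0/24 VM subnet are assumptions for the example.

```shell
#!/bin/sh
# Added example, not from the thread or from DD-WRT.

# ip_to_int: dotted-quad IPv4 address -> 32-bit integer
ip_to_int() {
    IFS=. read -r o1 o2 o3 o4 <<EOF
$1
EOF
    echo $(( (o1 << 24) | (o2 << 16) | (o3 << 8) | o4 ))
}

# prefix_mask: prefix length (e.g. 24) -> integer netmask
# 4294967295 is 0xFFFFFFFF, written in decimal for portability across shells
prefix_mask() {
    echo $(( (4294967295 << (32 - $1)) & 4294967295 ))
}

# same_subnet IP1 IP2 PREFIX: succeeds when both addresses share the /PREFIX
same_subnet() {
    mask=$(prefix_mask "$3")
    [ $(( $(ip_to_int "$1") & mask )) -eq $(( $(ip_to_int "$2") & mask )) ]
}

# crosses_forward SRC DST PREFIX: "switched" when the bridge delivers the
# frame directly (no FORWARD rule on the router can see it), "routed" when
# the router must forward it and FORWARD rules apply
crosses_forward() {
    if same_subnet "$1" "$2" "$3"; then
        echo switched
    else
        echo routed
    fi
}

# vm_subnet_rules VM_NET LAN_IF WAN_IF: print the rules for a routed VM subnet.
# Interface names are assumptions; on DD-WRT the WAN side is often vlan2 or ppp0.
# Every -I goes to the top of FORWARD, so the last line printed is matched
# first; the resulting order is REJECT-to-LAN, ACCEPT 80, ACCEPT 443, DROP the
# rest. Only NEW connections are matched, so the router's existing
# RELATED,ESTABLISHED accept still lets reply traffic back to the VM.
# Name resolution must come from the router's own forwarder (INPUT chain);
# add a udp 53 rule if the VM is to use an external resolver.
vm_subnet_rules() {
    vmnet=$1; lan=$2; wan=$3
    cat <<EOF
iptables -I FORWARD -s $vmnet -o $wan -m state --state NEW -j DROP
iptables -I FORWARD -s $vmnet -o $wan -p tcp --dport 443 -m state --state NEW -j ACCEPT
iptables -I FORWARD -s $vmnet -o $wan -p tcp --dport 80 -m state --state NEW -j ACCEPT
iptables -I FORWARD -s $vmnet -o $lan -m state --state NEW -j REJECT
iptables -t nat -A POSTROUTING -s $vmnet -o $wan -j MASQUERADE
EOF
}

# Usage with the thread's addresses (LAN 192.168.1.0/24, VM 192.168.1.14,
# LAN host 192.168.1.30 from the original rule list):
# crosses_forward 192.168.1.14 192.168.1.30 24   -> switched
# crosses_forward 192.168.2.14 192.168.1.30 24   -> routed
# vm_subnet_rules 192.168.2.0/24 br0 vlan2       -> five iptables commands
```

One caveat for anyone reusing this: an alias subnet on the same physical bridge gives the router something to route (and therefore something FORWARD can reject), but it is not layer-2 isolation. A separate VLAN or bridge interface for the VM, or filtering in the hypervisor itself, is what actually keeps the guest off the LAN segment.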