DaggyStyle (Watchman, joined 22 Mar 2006, 5941 posts)
Posted: Sun May 02, 2021 4:16 pm    Post subject: restrict traffic to local network only for a server on a lan
Greetings,
I have a home server with 5 NICs, all of them passed into a VM which acts as a router.
The system also has a virtual switch which connects the system and another system VM to the router VM.
For security reasons I want to restrict the home server's traffic to the local LAN.
All of this is running using qemu + libvirt.
Here is the home server's kernel config:
```
CONFIG_NETFILTER=y
CONFIG_NETFILTER_ADVANCED=y
CONFIG_BRIDGE_NETFILTER=m
# Core Netfilter Configuration
CONFIG_NETFILTER_INGRESS=y
CONFIG_NETFILTER_NETLINK=y
CONFIG_NETFILTER_FAMILY_BRIDGE=y
# CONFIG_NETFILTER_NETLINK_ACCT is not set
# CONFIG_NETFILTER_NETLINK_QUEUE is not set
CONFIG_NETFILTER_NETLINK_LOG=y
# CONFIG_NETFILTER_NETLINK_OSF is not set
# CONFIG_NETFILTER_NETLINK_GLUE_CT is not set
CONFIG_NETFILTER_XTABLES=y
CONFIG_NETFILTER_XT_MARK=m
CONFIG_NETFILTER_XT_CONNMARK=m
# CONFIG_NETFILTER_XT_TARGET_AUDIT is not set
CONFIG_NETFILTER_XT_TARGET_CHECKSUM=m
# CONFIG_NETFILTER_XT_TARGET_CLASSIFY is not set
# CONFIG_NETFILTER_XT_TARGET_CONNMARK is not set
CONFIG_NETFILTER_XT_TARGET_CONNSECMARK=y
# CONFIG_NETFILTER_XT_TARGET_DSCP is not set
# CONFIG_NETFILTER_XT_TARGET_HL is not set
# CONFIG_NETFILTER_XT_TARGET_HMARK is not set
# CONFIG_NETFILTER_XT_TARGET_IDLETIMER is not set
# CONFIG_NETFILTER_XT_TARGET_LED is not set
CONFIG_NETFILTER_XT_TARGET_LOG=m
# CONFIG_NETFILTER_XT_TARGET_MARK is not set
CONFIG_NETFILTER_XT_NAT=m
# CONFIG_NETFILTER_XT_TARGET_NETMAP is not set
CONFIG_NETFILTER_XT_TARGET_NFLOG=y
# CONFIG_NETFILTER_XT_TARGET_NFQUEUE is not set
# CONFIG_NETFILTER_XT_TARGET_RATEEST is not set
# CONFIG_NETFILTER_XT_TARGET_REDIRECT is not set
CONFIG_NETFILTER_XT_TARGET_MASQUERADE=m
# CONFIG_NETFILTER_XT_TARGET_TEE is not set
# CONFIG_NETFILTER_XT_TARGET_TPROXY is not set
CONFIG_NETFILTER_XT_TARGET_SECMARK=y
CONFIG_NETFILTER_XT_TARGET_TCPMSS=y
# CONFIG_NETFILTER_XT_TARGET_TCPOPTSTRIP is not set
CONFIG_NETFILTER_XT_MATCH_ADDRTYPE=m
# CONFIG_NETFILTER_XT_MATCH_BPF is not set
# CONFIG_NETFILTER_XT_MATCH_CGROUP is not set
# CONFIG_NETFILTER_XT_MATCH_CLUSTER is not set
# CONFIG_NETFILTER_XT_MATCH_COMMENT is not set
# CONFIG_NETFILTER_XT_MATCH_CONNBYTES is not set
# CONFIG_NETFILTER_XT_MATCH_CONNLABEL is not set
# CONFIG_NETFILTER_XT_MATCH_CONNLIMIT is not set
# CONFIG_NETFILTER_XT_MATCH_CONNMARK is not set
CONFIG_NETFILTER_XT_MATCH_CONNTRACK=y
# CONFIG_NETFILTER_XT_MATCH_CPU is not set
# CONFIG_NETFILTER_XT_MATCH_DCCP is not set
# CONFIG_NETFILTER_XT_MATCH_DEVGROUP is not set
# CONFIG_NETFILTER_XT_MATCH_DSCP is not set
# CONFIG_NETFILTER_XT_MATCH_ECN is not set
# CONFIG_NETFILTER_XT_MATCH_ESP is not set
# CONFIG_NETFILTER_XT_MATCH_HASHLIMIT is not set
# CONFIG_NETFILTER_XT_MATCH_HELPER is not set
# CONFIG_NETFILTER_XT_MATCH_HL is not set
# CONFIG_NETFILTER_XT_MATCH_IPCOMP is not set
# CONFIG_NETFILTER_XT_MATCH_IPRANGE is not set
# CONFIG_NETFILTER_XT_MATCH_L2TP is not set
# CONFIG_NETFILTER_XT_MATCH_LENGTH is not set
# CONFIG_NETFILTER_XT_MATCH_LIMIT is not set
# CONFIG_NETFILTER_XT_MATCH_MAC is not set
# CONFIG_NETFILTER_XT_MATCH_MARK is not set
# CONFIG_NETFILTER_XT_MATCH_MULTIPORT is not set
# CONFIG_NETFILTER_XT_MATCH_NFACCT is not set
# CONFIG_NETFILTER_XT_MATCH_OSF is not set
# CONFIG_NETFILTER_XT_MATCH_OWNER is not set
CONFIG_NETFILTER_XT_MATCH_POLICY=y
# CONFIG_NETFILTER_XT_MATCH_PHYSDEV is not set
# CONFIG_NETFILTER_XT_MATCH_PKTTYPE is not set
# CONFIG_NETFILTER_XT_MATCH_QUOTA is not set
# CONFIG_NETFILTER_XT_MATCH_RATEEST is not set
# CONFIG_NETFILTER_XT_MATCH_REALM is not set
# CONFIG_NETFILTER_XT_MATCH_RECENT is not set
# CONFIG_NETFILTER_XT_MATCH_SCTP is not set
# CONFIG_NETFILTER_XT_MATCH_SOCKET is not set
CONFIG_NETFILTER_XT_MATCH_STATE=y
# CONFIG_NETFILTER_XT_MATCH_STATISTIC is not set
# CONFIG_NETFILTER_XT_MATCH_STRING is not set
# CONFIG_NETFILTER_XT_MATCH_TCPMSS is not set
# CONFIG_NETFILTER_XT_MATCH_TIME is not set
# CONFIG_NETFILTER_XT_MATCH_U32 is not set
# end of Core Netfilter Configuration
# IP: Netfilter Configuration
# end of IP: Netfilter Configuration
# IPv6: Netfilter Configuration
# end of IPv6: Netfilter Configuration
# iptables trigger is under Netfilter config (LED target)
```
ip a:
```
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 brd 127.255.255.255 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: sit0@NONE: <NOARP> mtu 1480 qdisc noop state DOWN group default qlen 1000
    link/sit 0.0.0.0 brd 0.0.0.0
3: virtsw: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 52:54:00:6b:1b:92 brd ff:ff:ff:ff:ff:ff
4: virtsw-streamer: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master virtsw state UNKNOWN group default qlen 1000
    link/ether fe:54:00:5a:4c:8c brd ff:ff:ff:ff:ff:ff
    inet6 fe80::fc54:ff:fe5a:4c8c/64 scope link
       valid_lft forever preferred_lft forever
5: veth: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN group default qlen 1000
    link/ether fe:54:00:a7:79:6b brd ff:ff:ff:ff:ff:ff
    inet 10.0.0.3/24 brd 10.0.0.255 scope global dynamic noprefixroute veth
       valid_lft 26733sec preferred_lft 19482sec
    inet6 fdab:9802:eb52:0:fc54:ff:fea7:796b/64 scope global dynamic mngtmpaddr
       valid_lft forever preferred_lft forever
    inet6 fe80::fc54:ff:fea7:796b/64 scope link
       valid_lft forever preferred_lft forever
6: veth-test0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN group default qlen 1000
    link/ether fe:54:00:73:3c:37 brd ff:ff:ff:ff:ff:ff
    inet6 fdab:9802:eb52:0:fc54:ff:fe73:3c37/64 scope global dynamic mngtmpaddr
       valid_lft forever preferred_lft forever
    inet6 fe80::fc54:ff:fe73:3c37/64 scope link
       valid_lft forever preferred_lft forever
7: virtsw-router: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master virtsw state UNKNOWN group default qlen 1000
    link/ether fe:54:00:53:1c:6b brd ff:ff:ff:ff:ff:ff
    inet6 fe80::fc54:ff:fe53:1c6b/64 scope link
       valid_lft forever preferred_lft forever
```
iptables -L -v -n:
```
Chain INPUT (policy ACCEPT 606K packets, 399M bytes)
 pkts bytes target      prot opt in     out    source       destination
 606K  399M LIBVIRT_INP all  --  *      *      0.0.0.0/0    0.0.0.0/0

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target      prot opt in     out    source       destination
    0     0 LIBVIRT_FWX all  --  *      *      0.0.0.0/0    0.0.0.0/0
    0     0 LIBVIRT_FWI all  --  *      *      0.0.0.0/0    0.0.0.0/0
    0     0 LIBVIRT_FWO all  --  *      *      0.0.0.0/0    0.0.0.0/0

Chain OUTPUT (policy ACCEPT 507K packets, 2129M bytes)
 pkts bytes target      prot opt in     out    source       destination
 507K 2129M LIBVIRT_OUT all  --  *      *      0.0.0.0/0    0.0.0.0/0

Chain LIBVIRT_FWI (1 references)
 pkts bytes target      prot opt in     out    source       destination
    0     0 REJECT      all  --  *      virtsw 0.0.0.0/0    0.0.0.0/0    reject-with icmp-port-unreachable

Chain LIBVIRT_FWO (1 references)
 pkts bytes target      prot opt in     out    source       destination
    0     0 REJECT      all  --  virtsw *      0.0.0.0/0    0.0.0.0/0    reject-with icmp-port-unreachable

Chain LIBVIRT_FWX (1 references)
 pkts bytes target      prot opt in     out    source       destination
    0     0 ACCEPT      all  --  virtsw virtsw 0.0.0.0/0    0.0.0.0/0

Chain LIBVIRT_INP (1 references)
 pkts bytes target      prot opt in     out    source       destination
    0     0 ACCEPT      udp  --  virtsw *      0.0.0.0/0    0.0.0.0/0    udp dpt:53
    0     0 ACCEPT      tcp  --  virtsw *      0.0.0.0/0    0.0.0.0/0    tcp dpt:53
   48 17529 ACCEPT      udp  --  virtsw *      0.0.0.0/0    0.0.0.0/0    udp dpt:67
    0     0 ACCEPT      tcp  --  virtsw *      0.0.0.0/0    0.0.0.0/0    tcp dpt:67

Chain LIBVIRT_OUT (1 references)
 pkts bytes target      prot opt in     out    source       destination
    0     0 ACCEPT      udp  --  *      virtsw 0.0.0.0/0    0.0.0.0/0    udp dpt:53
    0     0 ACCEPT      tcp  --  *      virtsw 0.0.0.0/0    0.0.0.0/0    tcp dpt:53
    0     0 ACCEPT      udp  --  *      virtsw 0.0.0.0/0    0.0.0.0/0    udp dpt:68
    0     0 ACCEPT      tcp  --  *      virtsw 0.0.0.0/0    0.0.0.0/0    tcp dpt:68
```
net-dumpxml default:
```xml
<network connections='2'>
  <name>default</name>
  <uuid>61bc1a72-bd02-408a-b88e-dec696742c20</uuid>
  <bridge name='virtsw' stp='off' delay='0'/>
  <mac address='52:54:00:6b:1b:92'/>
</network>
```
I thought of following the client https://wiki.gentoo.org/wiki/Iptables and adding the following rules to limit the traffic:
```
iptables -A LIBVIRT_INP -i veth -j DROP
iptables -A LIBVIRT_OUT -o veth -j DROP
iptables -A LIBVIRT_INP -i veth -j ACCEPT -s 10.0.0.0/24
iptables -A LIBVIRT_OUT -o veth -j ACCEPT -s 10.0.0.0/24
```
will it work?
jamapii (l33t, joined 16 Sep 2004, 637 posts)
Posted: Sat May 08, 2021 12:58 pm
Gotcha! Of course not, the (conditional) ACCEPT lines must come first, the DROP lines last.
Alternatively (maybe more secure), you can use "iptables -I" instead of "-A", then the DROP lines come first. But then you must consider your existing rules. They refer to virtsw, but you don't have an IP address there. Weird. (Use ip6tables to deal with ipv6)
Your use of "-s" vs "-d" seems random. It seems to say "what comes in, must come from a local IP address, what goes out, must come from a local IP address". This restricts only incoming traffic. It also blocks multicast. If you have any "ACCEPT ESTABLISHED,RELATED" line, the home server will communicate outside.
I would simply write "-s 10.0.0.0/24 -d 10.0.0.0/24" on both lines. Only local communications allowed.
Hu (Administrator, joined 06 Mar 2007, 23093 posts)
Posted: Sat May 08, 2021 5:10 pm
jamapii wrote:
> They refer to virtsw, but you don't have an IP address there. Weird.

That is fine. The kernel will use the address of the connection to pick an interface. It will then test the interface against the rule. Omitting the IP address is a convenient way to cover every address that is routed through the named interface, without needing to list or even know what those addresses are or will be.
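The two replies above make three separate points about the posted rules: rule order in a chain (first match wins, so an unconditional DROP appended before the ACCEPT swallows everything), `-s` alone on the OUTPUT side not restricting where traffic goes, and an address-less rule such as libvirt's `-i virtsw` REJECT matching whatever crosses that interface. The following is an added example, not code from the thread, libvirt or the Gentoo wiki: a small first-match simulator for an iptables chain that evaluates the posted ordering, jamapii's `-s`/`-d` version and the interface-only libvirt rule against constructed packets. It models only `-i`/`-o`, `-s`/`-d` and the target; the `Rule`/`Packet` classes, the LAN peer 10.0.0.5, the internet host 198.51.100.10 and the host 10.10.10.10 behind virtsw are assumptions, while 10.0.0.3, veth and virtsw come from the `ip a` and `iptables` listings in the question.

```python
# Added example (not from the thread): a minimal first-match simulator for an
# iptables chain. Only -i/-o, -s/-d and the target are modelled; everything
# else iptables can match on is ignored.
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Rule:
    target: str                      # ACCEPT, DROP or REJECT
    in_if: Optional[str] = None      # -i; None means "any interface"
    out_if: Optional[str] = None     # -o
    src: Optional[str] = None        # -s CIDR; None means any address
    dst: Optional[str] = None        # -d CIDR


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    in_if: Optional[str] = None
    out_if: Optional[str] = None


def _in_net(addr: str, cidr: Optional[str]) -> bool:
    return cidr is None or ipaddress.ip_address(addr) in ipaddress.ip_network(cidr)


def matches(rule: Rule, pkt: Packet) -> bool:
    return ((rule.in_if is None or rule.in_if == pkt.in_if)
            and (rule.out_if is None or rule.out_if == pkt.out_if)
            and _in_net(pkt.src, rule.src)
            and _in_net(pkt.dst, rule.dst))


def verdict(chain: List[Rule], pkt: Packet, policy: str = "ACCEPT") -> str:
    """Walk the chain top to bottom: the first matching rule decides,
    otherwise the chain policy applies (ACCEPT in the posted listing)."""
    for rule in chain:
        if matches(rule, pkt):
            return rule.target
    return policy


LAN = "10.0.0.0/24"

# The rules as posted (-A appends, so the DROP lands above the ACCEPT).
POSTED_INP = [Rule("DROP", in_if="veth"), Rule("ACCEPT", in_if="veth", src=LAN)]
POSTED_OUT = [Rule("DROP", out_if="veth"), Rule("ACCEPT", out_if="veth", src=LAN)]

# Order fixed, but still only -s on the OUTPUT line.
REORDERED_OUT = [Rule("ACCEPT", out_if="veth", src=LAN), Rule("DROP", out_if="veth")]

# jamapii's version: ACCEPT first, -s and -d on both lines.
FIXED_INP = [Rule("ACCEPT", in_if="veth", src=LAN, dst=LAN), Rule("DROP", in_if="veth")]
FIXED_OUT = [Rule("ACCEPT", out_if="veth", src=LAN, dst=LAN), Rule("DROP", out_if="veth")]

# libvirt's LIBVIRT_FWO rule from the listing: interface only, no addresses.
LIBVIRT_FWO = [Rule("REJECT", in_if="virtsw")]

# Constructed packets. 10.0.0.3 is the server's veth address from `ip a`;
# 10.0.0.5, 198.51.100.10 and 10.10.10.10 are assumed peers.
FROM_LAN = Packet(src="10.0.0.5", dst="10.0.0.3", in_if="veth")
TO_LAN = Packet(src="10.0.0.3", dst="10.0.0.5", out_if="veth")
TO_INTERNET = Packet(src="10.0.0.3", dst="198.51.100.10", out_if="veth")
DHCP_DISCOVER = Packet(src="0.0.0.0", dst="255.255.255.255", out_if="veth")
VIA_VIRTSW = Packet(src="10.10.10.10", dst="198.51.100.10", in_if="virtsw")


def compare() -> Dict[str, str]:
    """Verdicts that show the points made in the replies."""
    return {
        # posted order: the unconditional DROP is hit first, LAN traffic dies too
        "posted_from_lan": verdict(POSTED_INP, FROM_LAN),
        "posted_to_lan": verdict(POSTED_OUT, TO_LAN),
        # -s alone on OUTPUT: any destination passes as long as the source is local
        "reordered_to_internet": verdict(REORDERED_OUT, TO_INTERNET),
        # -s and -d together: only LAN-to-LAN survives
        "fixed_from_lan": verdict(FIXED_INP, FROM_LAN),
        "fixed_to_lan": verdict(FIXED_OUT, TO_LAN),
        "fixed_to_internet": verdict(FIXED_OUT, TO_INTERNET),
        # the broadcast/multicast caveat: a DHCP discover to 255.255.255.255 is
        # dropped as well, which matters because veth gets its address by DHCP
        "fixed_dhcp_discover": verdict(FIXED_OUT, DHCP_DISCOVER),
        # Hu's point: an address-less rule matches whatever traverses the interface
        "virtsw_interface_only": verdict(LIBVIRT_FWO, VIA_VIRTSW),
    }


if __name__ == "__main__":
    for name, result in compare().items():
        print(f"{name:24} {result}")
```

Running it prints DROP for both posted chains, ACCEPT for the reordered `-s`-only OUTPUT rule against an internet destination, ACCEPT/ACCEPT/DROP for the `-s -d` version, DROP for the DHCP broadcast, and REJECT for the interface-only rule. The last two rows are the practical checks to keep in mind before loading the `-s -d` rules on a host whose veth address is a DHCP lease: either allow the DHCP exchange explicitly or accept that the lease cannot be renewed by broadcast.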