LinuxQuestions.org


marozsas 01-18-2008 06:50 AM

firewall config to allow traffic from/to a VirtualBox bridge
 
Hi!

I am trying Innotek VirtualBox and I set up the network in bridge mode, following their tips.

The network for the guest system works only if I disable the host iptables (service iptables stop).

So, the question is: how to set up FC8 iptables to allow traffic to/from this bridge?

I am using the default firewall configuration provided by system-config-firewall. The FC8 host machine is not a server, so there are no services or open ports on this machine.

I tried to mark br0 and eth0 as "Trusted interfaces", no luck.
I searched for a solution and no luck either.
I have no proficiency with iptables, and don't know how to create a rule to allow all traffic from/to this bridge.

I hope a network master over there can help me!

Code:

[root@babylon5 ~]# ifconfig -a
br0      Link encap:Ethernet  HWaddr 00:15:C5:33:28:33 
          inet addr:192.168.160.137  Bcast:192.168.160.255  Mask:255.255.255.0
          inet6 addr: fe80::215:c5ff:fe33:2833/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:50717 errors:0 dropped:0 overruns:0 frame:0
          TX packets:17373 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:8946304 (8.5 MiB)  TX bytes:2690735 (2.5 MiB)

eth0      Link encap:Ethernet  HWaddr 00:15:C5:33:28:33 
          inet6 addr: fe80::215:c5ff:fe33:2833/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:3860 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1890 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:827282 (807.8 KiB)  TX bytes:291602 (284.7 KiB)
          Interrupt:16

vbox0    Link encap:Ethernet  HWaddr 00:FF:58:53:0B:9F 
          inet6 addr: fe80::2ff:58ff:fe53:b9f/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:683 errors:0 dropped:0 overruns:0 frame:0
          TX packets:12852 errors:0 dropped:19612 overruns:0 carrier:0
          collisions:0 txqueuelen:500
          RX bytes:76306 (74.5 KiB)  TX bytes:846684 (826.8 KiB)


Micro420 01-19-2008 05:54 PM

Not sure how you do it on the command line, but just run system-config-securitylevel-tui and make br0 a trusted device. Problem solved.

marozsas 01-21-2008 04:35 AM

I already did that, and it didn't work!
Quote:

Originally Posted by marozsas (Post 3027022)
I tried to mark br0 and eth0 as "Trusted interfaces", no luck.

And after doing that iptables-save returns
Code:

# iptables-save  | grep br0
-A RH-Firewall-1-INPUT -i br0 -j ACCEPT
#

But the virtual machine still does not get through the host firewall...

If I stop the firewall with "service iptables stop" the virtual machine gets immediate access.

dr_agon 07-26-2008 05:46 PM

I had exactly the same problem. The network was working, but the guest could not get access to other machines (neither on the LAN nor on the internet). It was indeed caused by the firewall.
I use Mepis v. 7.0, and VirtualBox-OSE v. 1.6.2 with host networking.
I have guarddog installed as the firewall-managing GUI, but the real filtering is done by iptables. I just followed the guarddog help for setting up rules for a router (the VirtualBox host becomes a router for its guests) to allow traffic between computers in my LAN (192.168.1.0/24). It generated the following set of rules:

Code:

root@jl-desktop-mepis:/home/jlm# iptables -L
Chain INPUT (policy DROP)
target    prot opt source              destination
ACCEPT    0    --  anywhere            anywhere
ACCEPT    udp  --  anywhere            anywhere            udp spt:bootps dpt:bootpc
ACCEPT    0    --  jl-desktop-mepis.local  192.168.1.255
logaborted  tcp  --  anywhere            anywhere            state RELATED,ESTABLISHED tcp flags:RST/RST
ACCEPT    0    --  anywhere            anywhere            state RELATED,ESTABLISHED
ACCEPT    icmp --  anywhere            anywhere            icmp destination-unreachable
ACCEPT    icmp --  anywhere            anywhere            icmp time-exceeded
ACCEPT    icmp --  anywhere            anywhere            icmp parameter-problem
nicfilt    0    --  anywhere            anywhere
srcfilt    0    --  anywhere            anywhere

Chain FORWARD (policy DROP)
target    prot opt source              destination
ACCEPT    0    --  anywhere            anywhere            state RELATED,ESTABLISHED
ACCEPT    icmp --  anywhere            anywhere            icmp destination-unreachable
ACCEPT    icmp --  anywhere            anywhere            icmp time-exceeded
ACCEPT    icmp --  anywhere            anywhere            icmp parameter-problem
srcfilt    0    --  anywhere            anywhere

Chain OUTPUT (policy DROP)
target    prot opt source              destination
ACCEPT    0    --  anywhere            anywhere
ACCEPT    udp  --  anywhere            anywhere            udp spt:bootpc dpt:bootps
ACCEPT    0    --  anywhere            anywhere            state RELATED,ESTABLISHED
ACCEPT    icmp --  anywhere            anywhere            icmp destination-unreachable
ACCEPT    icmp --  anywhere            anywhere            icmp time-exceeded
ACCEPT    icmp --  anywhere            anywhere            icmp parameter-problem
s1        0    --  anywhere            anywhere

Chain f0to1 (3 references)
target    prot opt source              destination
ACCEPT    udp  --  anywhere            anywhere            udp dpt:mdns
ACCEPT    icmp --  anywhere            anywhere            icmp source-quench
ACCEPT    tcp  --  anywhere            anywhere            tcp spts:1024:65535 dpt:ipp state NEW
(lots of other rules for different ports)
.
.
.
logdrop    0    --  anywhere            anywhere

Chain f0to2 (1 references)
target    prot opt source              destination
ACCEPT    udp  --  anywhere            anywhere            udp spt:netbios-ns dpts:1024:65535
ACCEPT    udp  --  anywhere            anywhere            udp spt:netbios-ns dpt:netbios-ns
(lots of other rules for different ports)
.
.
.
ACCEPT    icmp --  anywhere            anywhere            icmp redirect
ACCEPT    icmp --  anywhere            anywhere            icmp echo-reply
logdrop    0    --  anywhere            anywhere

Chain f1to0 (1 references)
target    prot opt source              destination
ACCEPT    udp  --  anywhere            anywhere            udp dpts:33434:33600
ACCEPT    tcp  --  anywhere            anywhere            tcp dpt:domain state NEW
ACCEPT    udp  --  anywhere            anywhere            udp dpt:domain
(lots of other rules for different ports)
.
.
.
logdrop    0    --  anywhere            anywhere

Chain f1to2 (1 references)
target    prot opt source              destination
ACCEPT    tcp  --  anywhere            anywhere            tcp dpt:domain state NEW
ACCEPT    udp  --  anywhere            anywhere            udp dpt:domain
(lots of other rules for different ports)
.
.
.
logdrop    0    --  anywhere            anywhere

Chain f2to0 (1 references)
target    prot opt source              destination
ACCEPT    tcp  --  anywhere            anywhere            tcp dpt:domain state NEW
ACCEPT    udp  --  anywhere            anywhere            udp dpt:domain
(lots of other rules for different ports)
.
.
.
logdrop    0    --  anywhere            anywhere

Chain f2to1 (3 references)
target    prot opt source              destination
ACCEPT    udp  --  anywhere            anywhere            udp spt:netbios-ns dpts:1024:5999
ACCEPT    udp  --  anywhere            anywhere            udp spt:netbios-ns dpt:netbios-ns
(lots of other rules for different ports)
.
.
.
logdrop    0    --  anywhere            anywhere

Chain logaborted (1 references)
target    prot opt source              destination
logaborted2  0    --  anywhere            anywhere            limit: avg 1/sec burst 10
LOG        0    --  anywhere            anywhere            limit: avg 2/min burst 1 LOG level warning prefix `LIMITED '

Chain logaborted2 (1 references)
target    prot opt source              destination
LOG        0    --  anywhere            anywhere            LOG level warning tcp-sequence tcp-options ip-options prefix `ABORTED '
ACCEPT    0    --  anywhere            anywhere            state RELATED,ESTABLISHED

Chain logdrop (8 references)
target    prot opt source              destination
logdrop2  0    --  anywhere            anywhere

Chain logdrop2 (1 references)
target    prot opt source              destination
DROP      0    --  anywhere            anywhere

Chain logreject (0 references)
target    prot opt source              destination
logreject2  0    --  anywhere            anywhere

Chain logreject2 (1 references)
target    prot opt source              destination
REJECT    tcp  --  anywhere            anywhere            reject-with tcp-reset
REJECT    udp  --  anywhere            anywhere            reject-with icmp-port-unreachable
DROP      0    --  anywhere            anywhere

Chain nicfilt (1 references)
target    prot opt source              destination
RETURN    0    --  anywhere            anywhere
RETURN    0    --  anywhere            anywhere
RETURN    0    --  anywhere            anywhere
logdrop    0    --  anywhere            anywhere

Chain s0 (1 references)
target    prot opt source              destination
f0to1      0    --  anywhere            jl-desktop-mepis.local
f0to1      0    --  anywhere            192.168.1.255
f0to1      0    --  anywhere            localhost
f0to2      0    --  anywhere            192.168.1.0/24
logdrop    0    --  anywhere            anywhere

Chain s1 (1 references)
target    prot opt source              destination
f1to2      0    --  anywhere            192.168.1.0/24
f1to0      0    --  anywhere            anywhere

Chain s2 (1 references)
target    prot opt source              destination
f2to1      0    --  anywhere            jl-desktop-mepis.local
f2to1      0    --  anywhere            192.168.1.255
f2to1      0    --  anywhere            localhost
f2to0      0    --  anywhere            anywhere

Chain srcfilt (2 references)
target    prot opt source              destination
s2        0    --  192.168.1.0/24      anywhere
s0        0    --  anywhere            anywhere

This is quite a long list, but check especially the srcfilt chain.

If someone uses VirtualBox NAT networking, there is a good guide at http://www.virtualbox.org/wiki/Advan...tworking_Linux
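Added example, written for this thread and not posted by anyone in it: a POSIX shell script that generates a reviewable set of iptables rules for bridged guest traffic and applies it. The point it illustrates is that frames bridged between a guest port and eth0 traverse the host's FORWARD chain (when bridge-nf-call-iptables is 1), so a trusted-interface ACCEPT in INPUT alone does not cover them; it assumes the bridge is br0, that guests get addresses from the LAN 192.168.1.0/24 as in dr_agon's setup, and the chain and function names (BRIDGE-FWD, forward_rules, apply_forward_rules) are my own choices.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes: bridge br0 with the guest TAP and
# eth0 as its ports, guests addressed from the LAN 192.168.1.0/24, and a host
# FORWARD chain that otherwise rejects. BRIDGE-FWD is an arbitrary chain name.

# 1 = the kernel hands bridged frames to iptables' FORWARD chain, so an ACCEPT
# in INPUT alone never matches guest<->LAN traffic; 0 = iptables never sees
# them and the firewall is not what blocks the guest; unknown = no br_netfilter.
bridge_nf_enabled() {
    f=/proc/sys/net/bridge/bridge-nf-call-iptables
    if [ -r "$f" ]; then cat "$f"; else echo unknown; fi
}

# Emit the rule set as iptables arguments, one rule per line, so it can be
# reviewed (and tested) before anything touches the running firewall.
# $1 = bridge device, $2 = LAN subnet (CIDR) allowed to open new connections.
forward_rules() {
    br="$1"; lan="$2"
    printf '%s\n' \
      "-N BRIDGE-FWD" \
      "-A BRIDGE-FWD -m state --state RELATED,ESTABLISHED -j ACCEPT" \
      "-A BRIDGE-FWD -p udp --sport 68 --dport 67 -j ACCEPT" \
      "-A BRIDGE-FWD -s $lan -m state --state NEW -j ACCEPT" \
      "-A BRIDGE-FWD -m limit --limit 2/min -j LOG --log-prefix BRIDGE-DROP:" \
      "-A BRIDGE-FWD -j DROP" \
      "-I FORWARD 1 -i $br -o $br -j BRIDGE-FWD"
    # The udp 68->67 rule: a guest's DHCP DISCOVER is sent from 0.0.0.0, which
    # is outside $lan, so it needs its own rule.  The LOG/DROP pair: anything
    # else crossing the bridge is logged (rate-limited) and dropped here instead
    # of falling through to the distro's generic REJECT, so a stray guest shows
    # up in dmesg.  The FORWARD jump: only frames that enter AND leave via the
    # bridge take this chain; routed traffic keeps the existing policy.
}

# Apply the generated rules in order (needs root). Re-runnable: a previous copy
# of the chain is removed first.
apply_forward_rules() {
    iptables -D FORWARD -i "$1" -o "$1" -j BRIDGE-FWD 2>/dev/null
    iptables -F BRIDGE-FWD 2>/dev/null && iptables -X BRIDGE-FWD 2>/dev/null
    tmp=$(mktemp) || return 1
    forward_rules "$1" "$2" > "$tmp"
    set -f   # rule lines are word-split on purpose; disable globbing meanwhile
    while read -r rule; do
        iptables $rule || { echo "failed: iptables $rule" >&2; rm -f "$tmp"; return 1; }
    done < "$tmp"
    set +f; rm -f "$tmp"
}
```

Run `forward_rules br0 192.168.1.0/24` first to read the rules, then `apply_forward_rules br0 192.168.1.0/24` as root; rules added this way are lost at reboot unless saved with the distribution's iptables-save mechanism.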

