firewall config to allow traffic from/to a VirtualBox bridge

marozsas · 01-18-2008, 06:50 AM

Hi !

I am trying Innotek VirtualBox and I setup the network in bridge mode, following their tips.

The network for the guest system works only if I disable the host iptables (service iptables stop).

So, the question is How to setup FC8 iptables to allow traffic to/from this bridge ?

I am using the default firewall configuration provided by system-config-firewall. The FC8 host machine is not a server, so there is no services and open ports in this machine.

I try to mark br0 and eth0 as "Trusted interfaces", no luck.
I searched for a solution and no luck either.
I have no proficiency with iptables, and don't know how to create a rule to allow all traffic from/to this brigde.

I hope a network master over there can help me !

Code:

[root@babylon5 ~]# ifconfig -a
br0       Link encap:Ethernet  HWaddr 00:15:C5:33:28:33  
          inet addr:192.168.160.137  Bcast:192.168.160.255  Mask:255.255.255.0
          inet6 addr: fe80::215:c5ff:fe33:2833/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:50717 errors:0 dropped:0 overruns:0 frame:0
          TX packets:17373 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:8946304 (8.5 MiB)  TX bytes:2690735 (2.5 MiB)

eth0      Link encap:Ethernet  HWaddr 00:15:C5:33:28:33  
          inet6 addr: fe80::215:c5ff:fe33:2833/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:3860 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1890 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:827282 (807.8 KiB)  TX bytes:291602 (284.7 KiB)
          Interrupt:16 

vbox0     Link encap:Ethernet  HWaddr 00:FF:58:53:0B:9F  
          inet6 addr: fe80::2ff:58ff:fe53:b9f/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:683 errors:0 dropped:0 overruns:0 frame:0
          TX packets:12852 errors:0 dropped:19612 overruns:0 carrier:0
          collisions:0 txqueuelen:500 
          RX bytes:76306 (74.5 KiB)  TX bytes:846684 (826.8 KiB)

Micro420 · 01-19-2008, 05:54 PM

Not sure how you do it on the command line, but just run system-config-securitylevel-tui and make br0 a trusted device. Problem solved.

marozsas · 01-21-2008, 04:35 AM

I already did that, and this didn't worked !

Quote:

Originally Posted by marozsas

I try to mark br0 and eth0 as "Trusted interfaces", no luck.

And after doing that iptables-save returns

Code:

# iptables-save  | grep br0
-A RH-Firewall-1-INPUT -i br0 -j ACCEPT
#

But the virtual machine still not get through the host firewall....

If I stop the firewall with "service iptables stop" the virtual machine get immediate access.

dr_agon · 07-26-2008, 05:46 PM

I had exactly the same problem. The network was working, but the guest could not get access to other machines (neither on LAN nor on internet). It was indeed caused by firewall.
I use Mepis v. 7.0, and Virtualbox-OSE v. 1.6.2 with host networking.
I have guarddog installed as firewall managing GUI, but real filtering is done by iptables. I just followed guarddog help for setting up rules for router (Virtualbox host becomes a router for guests) to allow traffic between computers in my LAN (192.168.1.0/24). It generated following set of rules:

Code:

root@jl-desktop-mepis:/home/jlm# iptables -L
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     0    --  anywhere             anywhere
ACCEPT     udp  --  anywhere             anywhere            udp spt:bootps dpt:bootpc
ACCEPT     0    --  jl-desktop-mepis.local  192.168.1.255
logaborted  tcp  --  anywhere             anywhere            state RELATED,ESTABLISHED tcp flags:RST/RST
ACCEPT     0    --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere            icmp destination-unreachable
ACCEPT     icmp --  anywhere             anywhere            icmp time-exceeded
ACCEPT     icmp --  anywhere             anywhere            icmp parameter-problem
nicfilt    0    --  anywhere             anywhere
srcfilt    0    --  anywhere             anywhere

Chain FORWARD (policy DROP)
target     prot opt source               destination
ACCEPT     0    --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere            icmp destination-unreachable
ACCEPT     icmp --  anywhere             anywhere            icmp time-exceeded
ACCEPT     icmp --  anywhere             anywhere            icmp parameter-problem
srcfilt    0    --  anywhere             anywhere

Chain OUTPUT (policy DROP)
target     prot opt source               destination
ACCEPT     0    --  anywhere             anywhere
ACCEPT     udp  --  anywhere             anywhere            udp spt:bootpc dpt:bootps
ACCEPT     0    --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere            icmp destination-unreachable
ACCEPT     icmp --  anywhere             anywhere            icmp time-exceeded
ACCEPT     icmp --  anywhere             anywhere            icmp parameter-problem
s1         0    --  anywhere             anywhere

Chain f0to1 (3 references)
target     prot opt source               destination
ACCEPT     udp  --  anywhere             anywhere            udp dpt:mdns
ACCEPT     icmp --  anywhere             anywhere            icmp source-quench
ACCEPT     tcp  --  anywhere             anywhere            tcp spts:1024:65535 dpt:ipp state NEW
(lots of other rules for different ports)
.
.
.
logdrop    0    --  anywhere             anywhere

Chain f0to2 (1 references)
target     prot opt source               destination
ACCEPT     udp  --  anywhere             anywhere            udp spt:netbios-ns dpts:1024:65535
ACCEPT     udp  --  anywhere             anywhere            udp spt:netbios-ns dpt:netbios-ns
(lots of other rules for different ports)
.
.
.
ACCEPT     icmp --  anywhere             anywhere            icmp redirect
ACCEPT     icmp --  anywhere             anywhere            icmp echo-reply
logdrop    0    --  anywhere             anywhere

Chain f1to0 (1 references)
target     prot opt source               destination
ACCEPT     udp  --  anywhere             anywhere            udp dpts:33434:33600
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:domain state NEW
ACCEPT     udp  --  anywhere             anywhere            udp dpt:domain
(lots of other rules for different ports)
.
.
.
logdrop    0    --  anywhere             anywhere

Chain f1to2 (1 references)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:domain state NEW
ACCEPT     udp  --  anywhere             anywhere            udp dpt:domain
(lots of other rules for different ports)
.
.
.
logdrop    0    --  anywhere             anywhere

Chain f2to0 (1 references)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:domain state NEW
ACCEPT     udp  --  anywhere             anywhere            udp dpt:domain
(lots of other rules for different ports)
.
.
.
logdrop    0    --  anywhere             anywhere

Chain f2to1 (3 references)
target     prot opt source               destination
ACCEPT     udp  --  anywhere             anywhere            udp spt:netbios-ns dpts:1024:5999
ACCEPT     udp  --  anywhere             anywhere            udp spt:netbios-ns dpt:netbios-ns
(lots of other rules for different ports)
.
.
.
logdrop    0    --  anywhere             anywhere

Chain logaborted (1 references)
target     prot opt source               destination
logaborted2  0    --  anywhere             anywhere            limit: avg 1/sec burst 10
LOG        0    --  anywhere             anywhere            limit: avg 2/min burst 1 LOG level warning prefix `LIMITED '

Chain logaborted2 (1 references)
target     prot opt source               destination
LOG        0    --  anywhere             anywhere            LOG level warning tcp-sequence tcp-options ip-options prefix `ABORTED '
ACCEPT     0    --  anywhere             anywhere            state RELATED,ESTABLISHED

Chain logdrop (8 references)
target     prot opt source               destination
logdrop2   0    --  anywhere             anywhere

Chain logdrop2 (1 references)
target     prot opt source               destination
DROP       0    --  anywhere             anywhere

Chain logreject (0 references)
target     prot opt source               destination
logreject2  0    --  anywhere             anywhere

Chain logreject2 (1 references)
target     prot opt source               destination
REJECT     tcp  --  anywhere             anywhere            reject-with tcp-reset
REJECT     udp  --  anywhere             anywhere            reject-with icmp-port-unreachable
DROP       0    --  anywhere             anywhere

Chain nicfilt (1 references)
target     prot opt source               destination
RETURN     0    --  anywhere             anywhere
RETURN     0    --  anywhere             anywhere
RETURN     0    --  anywhere             anywhere
logdrop    0    --  anywhere             anywhere

Chain s0 (1 references)
target     prot opt source               destination
f0to1      0    --  anywhere             jl-desktop-mepis.local
f0to1      0    --  anywhere             192.168.1.255
f0to1      0    --  anywhere             localhost
f0to2      0    --  anywhere             192.168.1.0/24
logdrop    0    --  anywhere             anywhere

Chain s1 (1 references)
target     prot opt source               destination
f1to2      0    --  anywhere             192.168.1.0/24
f1to0      0    --  anywhere             anywhere

Chain s2 (1 references)
target     prot opt source               destination
f2to1      0    --  anywhere             jl-desktop-mepis.local
f2to1      0    --  anywhere             192.168.1.255
f2to1      0    --  anywhere             localhost
f2to0      0    --  anywhere             anywhere

Chain srcfilt (2 references)
target     prot opt source               destination
s2         0    --  192.168.1.0/24       anywhere
s0         0    --  anywhere             anywhere

This is quite long list, but check especially srcfilt chain.

If someone uses Virtualbox NAT networking, there is good guide at http://www.virtualbox.org/wiki/Advan...tworking_Linux