LinuxQuestions.org
Old 01-18-2008, 06:50 AM   #1
marozsas
Senior Member
 
Registered: Dec 2005
Location: Campinas/SP - Brazil
Distribution: SuSE, RHEL, Fedora, Ubuntu
Posts: 1,393
Blog Entries: 1

Rep: Reputation: 63
firewall config to allow traffic from/to a VirtualBox bridge


Hi !

I am trying Innotek VirtualBox and I setup the network in bridge mode, following their tips.

The network for the guest system works only if I disable the host iptables (service iptables stop).

So the question is: how do I set up FC8 iptables to allow traffic to/from this bridge?

I am using the default firewall configuration provided by system-config-firewall. The FC8 host machine is not a server, so there are no services or open ports on this machine.

I tried to mark br0 and eth0 as "Trusted interfaces", no luck.
I searched for a solution and no luck either.
I have no proficiency with iptables, and don't know how to create a rule to allow all traffic from/to this bridge.

I hope a network master over there can help me!

Code:
[root@babylon5 ~]# ifconfig -a
br0       Link encap:Ethernet  HWaddr 00:15:C5:33:28:33  
          inet addr:192.168.160.137  Bcast:192.168.160.255  Mask:255.255.255.0
          inet6 addr: fe80::215:c5ff:fe33:2833/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:50717 errors:0 dropped:0 overruns:0 frame:0
          TX packets:17373 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:8946304 (8.5 MiB)  TX bytes:2690735 (2.5 MiB)

eth0      Link encap:Ethernet  HWaddr 00:15:C5:33:28:33  
          inet6 addr: fe80::215:c5ff:fe33:2833/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:3860 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1890 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:827282 (807.8 KiB)  TX bytes:291602 (284.7 KiB)
          Interrupt:16 

vbox0     Link encap:Ethernet  HWaddr 00:FF:58:53:0B:9F  
          inet6 addr: fe80::2ff:58ff:fe53:b9f/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:683 errors:0 dropped:0 overruns:0 frame:0
          TX packets:12852 errors:0 dropped:19612 overruns:0 carrier:0
          collisions:0 txqueuelen:500 
          RX bytes:76306 (74.5 KiB)  TX bytes:846684 (826.8 KiB)
 
Old 01-19-2008, 05:54 PM   #2
Micro420
Senior Member
 
Registered: Aug 2003
Location: Berkeley, CA
Distribution: Mac OS X Leopard 10.6.2, Windows 2003 Server/Vista/7/XP/2000/NT/98, Ubuntux64, CentOS4.8/5.4
Posts: 2,986

Rep: Reputation: 45
Not sure how you do it on the command line, but just run system-config-securitylevel-tui and make br0 a trusted device. Problem solved.
 
Old 01-21-2008, 04:35 AM   #3
marozsas
Senior Member
 
Registered: Dec 2005
Location: Campinas/SP - Brazil
Distribution: SuSE, RHEL, Fedora, Ubuntu
Posts: 1,393
Blog Entries: 1

Original Poster
Rep: Reputation: 63
I already did that, and it didn't work!
Quote:
Originally Posted by marozsas
I tried to mark br0 and eth0 as "Trusted interfaces", no luck.
And after doing that iptables-save returns
Code:
# iptables-save  | grep br0
-A RH-Firewall-1-INPUT -i br0 -j ACCEPT
#
But the virtual machine still does not get through the host firewall....

If I stop the firewall with "service iptables stop" the virtual machine gets immediate access.
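A check for the situation in this post, where `iptables-save` shows the `-i br0 -j ACCEPT` rule yet the guest is still blocked: the added Python example below (not code from the thread) parses `iptables-save` output and walks INPUT and FORWARD for a new packet arriving on a given interface, stopping at the first unconditional ACCEPT/DROP/REJECT. It assumes that rules carrying protocol, state, address or port matches give no guarantee for an arbitrary new flow and skips them; the sample rule sets, and the `parse`/`fate`/`check` names, are constructed here to resemble Fedora's RH-Firewall-1-INPUT layout and show one ordering mistake such a check would reveal (an ACCEPT appended after the catch-all REJECT).

```python
# Added example, not the thread's own code: sample rules are constructed to
# resemble Fedora's RH-Firewall-1-INPUT layout, not copied from any host.
REJECT_RULE = "-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited"
BR0_RULE = "-A RH-Firewall-1-INPUT -i br0 -j ACCEPT"
# Trusted-interface rule appended AFTER the catch-all REJECT: post #3's symptom.
BROKEN = f"""\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
{REJECT_RULE}
{BR0_RULE}
COMMIT
"""
# Same rules with the br0 ACCEPT placed ahead of the REJECT (what "iptables -I" gives).
FIXED = BROKEN.replace(f"{REJECT_RULE}\n{BR0_RULE}", f"{BR0_RULE}\n{REJECT_RULE}")
# Options that restrict a rule to some packets; such rules are skipped below.
CONDITIONAL = {"-p", "-m", "-s", "-d", "-o", "--dport", "--sport"}

def parse(text):
    """Return (policies, chains) for the filter table, rules kept in save order."""
    policies, chains = {}, {}
    for line in text.splitlines():
        if line.startswith(":"):                     # ":INPUT ACCEPT [0:0]"
            policies[line[1:].split()[0]] = line.split()[1]
        elif line.startswith("-A "):
            p = line.split()
            iface = p[p.index("-i") + 1] if "-i" in p else None
            target = p[p.index("-j") + 1] if "-j" in p else None
            chains.setdefault(p[1], []).append((iface, target, bool(CONDITIONAL & set(p))))
    return policies, chains

def fate(chains, chain, iface):
    """First terminal verdict for a new packet from IFACE; None if the chain gives none."""
    for rule_iface, target, conditional in chains.get(chain, []):
        if conditional or (rule_iface and rule_iface != iface):
            continue                                 # rule may not match this packet
        if target in ("ACCEPT", "DROP", "REJECT", "RETURN"):
            return None if target == "RETURN" else target
        verdict = fate(chains, target, iface) if target in chains else None
        if verdict:                                  # user chain decided the packet
            return verdict
    return None                                      # fell off the end: policy applies

def check(text, iface):
    policies, chains = parse(text)
    return {c: fate(chains, c, iface) or policies.get(c) for c in ("INPUT", "FORWARD")}
```

Run `check(open("/path/to/iptables-save-output").read(), "br0")` against the real dump: bridged guest traffic has to get ACCEPT in both chains, and a REJECT here with the br0 rule present points at rule order rather than a missing rule.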
 
Old 07-26-2008, 05:46 PM   #4
dr_agon
Member
 
Registered: Sep 2007
Location: Poland
Distribution: Ubuntu 8.04
Posts: 76
Blog Entries: 12

Rep: Reputation: 24
I had exactly the same problem. The network was working, but the guest could not get access to other machines (neither on the LAN nor on the internet). It was indeed caused by the firewall.
I use Mepis v. 7.0, and Virtualbox-OSE v. 1.6.2 with host networking.
I have guarddog installed as the firewall management GUI, but the real filtering is done by iptables. I just followed the guarddog help for setting up rules for a router (the Virtualbox host becomes a router for the guests) to allow traffic between computers in my LAN (192.168.1.0/24). It generated the following set of rules:

Code:
root@jl-desktop-mepis:/home/jlm# iptables -L
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     0    --  anywhere             anywhere
ACCEPT     udp  --  anywhere             anywhere            udp spt:bootps dpt:bootpc
ACCEPT     0    --  jl-desktop-mepis.local  192.168.1.255
logaborted  tcp  --  anywhere             anywhere            state RELATED,ESTABLISHED tcp flags:RST/RST
ACCEPT     0    --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere            icmp destination-unreachable
ACCEPT     icmp --  anywhere             anywhere            icmp time-exceeded
ACCEPT     icmp --  anywhere             anywhere            icmp parameter-problem
nicfilt    0    --  anywhere             anywhere
srcfilt    0    --  anywhere             anywhere

Chain FORWARD (policy DROP)
target     prot opt source               destination
ACCEPT     0    --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere            icmp destination-unreachable
ACCEPT     icmp --  anywhere             anywhere            icmp time-exceeded
ACCEPT     icmp --  anywhere             anywhere            icmp parameter-problem
srcfilt    0    --  anywhere             anywhere

Chain OUTPUT (policy DROP)
target     prot opt source               destination
ACCEPT     0    --  anywhere             anywhere
ACCEPT     udp  --  anywhere             anywhere            udp spt:bootpc dpt:bootps
ACCEPT     0    --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere            icmp destination-unreachable
ACCEPT     icmp --  anywhere             anywhere            icmp time-exceeded
ACCEPT     icmp --  anywhere             anywhere            icmp parameter-problem
s1         0    --  anywhere             anywhere

Chain f0to1 (3 references)
target     prot opt source               destination
ACCEPT     udp  --  anywhere             anywhere            udp dpt:mdns
ACCEPT     icmp --  anywhere             anywhere            icmp source-quench
ACCEPT     tcp  --  anywhere             anywhere            tcp spts:1024:65535 dpt:ipp state NEW
(lots of other rules for different ports)
.
.
.
logdrop    0    --  anywhere             anywhere

Chain f0to2 (1 references)
target     prot opt source               destination
ACCEPT     udp  --  anywhere             anywhere            udp spt:netbios-ns dpts:1024:65535
ACCEPT     udp  --  anywhere             anywhere            udp spt:netbios-ns dpt:netbios-ns
(lots of other rules for different ports)
.
.
.
ACCEPT     icmp --  anywhere             anywhere            icmp redirect
ACCEPT     icmp --  anywhere             anywhere            icmp echo-reply
logdrop    0    --  anywhere             anywhere

Chain f1to0 (1 references)
target     prot opt source               destination
ACCEPT     udp  --  anywhere             anywhere            udp dpts:33434:33600
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:domain state NEW
ACCEPT     udp  --  anywhere             anywhere            udp dpt:domain
(lots of other rules for different ports)
.
.
.
logdrop    0    --  anywhere             anywhere

Chain f1to2 (1 references)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:domain state NEW
ACCEPT     udp  --  anywhere             anywhere            udp dpt:domain
(lots of other rules for different ports)
.
.
.
logdrop    0    --  anywhere             anywhere

Chain f2to0 (1 references)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:domain state NEW
ACCEPT     udp  --  anywhere             anywhere            udp dpt:domain
(lots of other rules for different ports)
.
.
.
logdrop    0    --  anywhere             anywhere

Chain f2to1 (3 references)
target     prot opt source               destination
ACCEPT     udp  --  anywhere             anywhere            udp spt:netbios-ns dpts:1024:5999
ACCEPT     udp  --  anywhere             anywhere            udp spt:netbios-ns dpt:netbios-ns
(lots of other rules for different ports)
.
.
.
logdrop    0    --  anywhere             anywhere

Chain logaborted (1 references)
target     prot opt source               destination
logaborted2  0    --  anywhere             anywhere            limit: avg 1/sec burst 10
LOG        0    --  anywhere             anywhere            limit: avg 2/min burst 1 LOG level warning prefix `LIMITED '

Chain logaborted2 (1 references)
target     prot opt source               destination
LOG        0    --  anywhere             anywhere            LOG level warning tcp-sequence tcp-options ip-options prefix `ABORTED '
ACCEPT     0    --  anywhere             anywhere            state RELATED,ESTABLISHED

Chain logdrop (8 references)
target     prot opt source               destination
logdrop2   0    --  anywhere             anywhere

Chain logdrop2 (1 references)
target     prot opt source               destination
DROP       0    --  anywhere             anywhere

Chain logreject (0 references)
target     prot opt source               destination
logreject2  0    --  anywhere             anywhere

Chain logreject2 (1 references)
target     prot opt source               destination
REJECT     tcp  --  anywhere             anywhere            reject-with tcp-reset
REJECT     udp  --  anywhere             anywhere            reject-with icmp-port-unreachable
DROP       0    --  anywhere             anywhere

Chain nicfilt (1 references)
target     prot opt source               destination
RETURN     0    --  anywhere             anywhere
RETURN     0    --  anywhere             anywhere
RETURN     0    --  anywhere             anywhere
logdrop    0    --  anywhere             anywhere

Chain s0 (1 references)
target     prot opt source               destination
f0to1      0    --  anywhere             jl-desktop-mepis.local
f0to1      0    --  anywhere             192.168.1.255
f0to1      0    --  anywhere             localhost
f0to2      0    --  anywhere             192.168.1.0/24
logdrop    0    --  anywhere             anywhere

Chain s1 (1 references)
target     prot opt source               destination
f1to2      0    --  anywhere             192.168.1.0/24
f1to0      0    --  anywhere             anywhere

Chain s2 (1 references)
target     prot opt source               destination
f2to1      0    --  anywhere             jl-desktop-mepis.local
f2to1      0    --  anywhere             192.168.1.255
f2to1      0    --  anywhere             localhost
f2to0      0    --  anywhere             anywhere

Chain srcfilt (2 references)
target     prot opt source               destination
s2         0    --  192.168.1.0/24       anywhere
s0         0    --  anywhere             anywhere
This is quite a long list, but check especially the srcfilt chain.

If someone uses Virtualbox NAT networking, there is a good guide at http://www.virtualbox.org/wiki/Advan...tworking_Linux

Last edited by dr_agon; 07-26-2008 at 06:21 PM. Reason: to include DHCP capability