LinuxQuestions.org
Old 11-26-2013, 11:41 AM   #1
Danik
LQ Newbie
 
Registered: Jul 2005
Distribution: debian 7
Posts: 14

Rep: Reputation: 0
Question Leaking local IP addresses to the external interface through NAT on Linux KVM


I wanted to ask about a network setup using NAT and KVM with Proxmox.
I am using Hetzner as my service provider

and basically have the following configuration:

In sysctl.conf I am using
Code:
net.ipv4.ip_forward=1
and my network setup is

Code:
# Loopback device:
auto lo
iface lo inet loopback


# device: eth0
auto  eth0
iface eth0 inet static
  address   xx.xx.xx.42
  broadcast xx.xx.xx.63
  netmask   255.255.255.224
  gateway   xx.xx.xx.33
  # default route to access subnet
  up route add -net xx.xx.xx.32 netmask 255.255.255.224 gw xx.xx.xx.33 eth0


auto vmbr0
iface vmbr0 inet static
    address  10.0.0.254
    netmask  255.255.255.0
    bridge_ports none
    bridge_stp off
    bridge_fd 0
and I use NAT for my guest KVM machines

Code:
iptables -t nat -A POSTROUTING -s '10.0.0.0/24' -j SNAT --to-source xx.xx.xx.42
All was working great, but today I was banned by Hetzner
with the following message:

Quote:
Dear Sir or Madam
We have noticed that you have been using other IPs from the same subnet in addition to the main IP mentioned in the above subject line.
As this is not permitted, we regret to inform you that your server has been deactivated.
Guidelines regarding further course of action may be found in our wiki: http://wiki.hetzner.de/index.php/Lei...versperrung/en.
Yours faithfully
Your Hetzner Support Team
and a log with my local IP addresses, which I have checked are really visible on eth0 of my hardware node with tcpdump:
Code:
09:42:16.976198 a1:b2:c3:d4:e5:f6 > aa:bb:cc:dd:ee:ff, ethertype IPv4 (0x0800), length 60: 10.0.0.7.2312 > 192.198.93.78.80: Flags [F.], seq 3579355710, ack 2348566885, win 65101, length 0
09:42:17.076330 a1:b2:c3:d4:e5:f6 > aa:bb:cc:dd:ee:ff, ethertype IPv4 (0x0800), length 60: 10.0.0.7.2271 > 65.75.156.119.80: Flags [F.], seq 3329167346, ack 2138564996, win 65408, length 0
09:42:17.177311 a1:b2:c3:d4:e5:f6 > aa:bb:cc:dd:ee:ff, ethertype IPv4 (0x0800), length 60: 10.0.0.7.2096 > 149.47.143.131.80: Flags [F.], seq 833600034, ack 1463451994, win 65205, length 0
09:42:17.378092 a1:b2:c3:d4:e5:f6 > aa:bb:cc:dd:ee:ff, ethertype IPv4 (0x0800), length 60: 10.0.0.7.2160 > 193.234.222.240.80: Flags [F.], seq 380954537, ack 1918089133, win 65530, length 0
09:42:17.478724 a1:b2:c3:d4:e5:f6 > aa:bb:cc:dd:ee:ff, ethertype IPv4 (0x0800), length 60: 10.0.0.7.2522 > 199.231.188.243.80: Flags [F.], seq 2524482819, ack 2992113059, win 64726, length 0
09:42:17.482664 a1:b2:c3:d4:e5:f6 > aa:bb:cc:dd:ee:ff, ethertype IPv4 (0x0800), length 60: 10.0.0.7.2376 > 118.139.177.199.80: Flags [F.], seq 3912490494, ack 3173571000, win 65464, length 0
09:42:17.512824 a1:b2:c3:d4:e5:f6 > aa:bb:cc:dd:ee:ff, ethertype IPv4 (0x0800), length 60: 10.0.0.7.3493 > 192.126.137.25.8800: Flags [R], seq 714854646, win 0, length 0
09:42:17.512847 a1:b2:c3:d4:e5:f6 > aa:bb:cc:dd:ee:ff, ethertype IPv4 (0x0800), length 60: 10.0.0.7.3493 > 192.126.137.25.8800: Flags [R], seq 714854646, win 0, length 0
Is there any way I can hide my 10.0.0.0/24 IPs?

My software versions are:
Code:
cat /etc/debian_version
7.2

uname -a
Linux 1.server.com 2.6.32-25-pve #1 SMP Tue Oct 1 09:17:16 CEST 2013 x86_64 GNU/Linux

pveversion -v
proxmox-ve-2.6.32: 3.1-113 (running kernel: 2.6.32-25-pve)
pve-manager: 3.1-17 (running version: 3.1-17/eb90521d)
pve-kernel-2.6.32-25-pve: 2.6.32-113
lvm2: 2.02.98-pve4
clvm: 2.02.98-pve4
corosync-pve: 1.4.5-1
openais-pve: 1.1.4-3
libqb0: 0.11.1-2
redhat-cluster-pve: 3.2.0-2
resource-agents-pve: 3.9.2-4
fence-agents-pve: 4.0.0-2
pve-cluster: 3.0-7
qemu-server: 3.1-5
pve-firmware: 1.0-23
libpve-common-perl: 3.0-6
libpve-access-control: 3.0-6
libpve-storage-perl: 3.0-13
pve-libspice-server1: 0.12.4-2
vncterm: 1.1-4
vzctl: 4.0-1pve3
vzprocps: 2.0.11-2
vzquota: 3.1-2
pve-qemu-kvm: 1.4-17
ksm-control-daemon: 1.1-1
glusterfs-client: 3.4.0-2
 
Old 11-26-2013, 12:01 PM   #2
david1941
Member
 
Registered: May 2005
Location: St. Louis, MO
Distribution: CentOS6
Posts: 267

Rep: Reputation: 57
Try inserting an iptables drop rule for the 10/8 space to your output chain to the ISP interface; such as:
Code:
 iptables -I OUTPUT -o eth0 -d 10.0.0.0/8 -j DROP
 
Old 11-26-2013, 12:05 PM   #3
Danik
LQ Newbie
 
Registered: Jul 2005
Distribution: debian 7
Posts: 14

Original Poster
Rep: Reputation: 0
Why -d 10.0.0.0/8?

I just added the rule
Code:
iptables -I OUTPUT -o eth0 -d 10.0.0.0/8 -j ACCEPT
to check if any packet passes through it, and there are no packets on it:

Code:
Chain OUTPUT (policy ACCEPT 355 packets, 27458 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      eth0    0.0.0.0/0            10.0.0.0/8
At the same time some packets passed through eth0;
I captured them with tcpdump:

Code:
#tcpdump -i eth0 -n|grep "IP 10.0.0"

20:06:10.689724 IP 10.0.0.10.2465 > xxx.xxx.xxx.68.8800: Flags [R.], seq 2533987848, ack 2202607510, win 0, length 0
20:06:39.363818 IP 10.0.0.8.3162 > xxx.xxx.xxx.39.8800: Flags [R.], seq 3440356473, ack 4282942734, win 0, length 0
20:06:41.936374 IP 10.0.0.18.55314 > xxx.xxx.xxx.xxx.443: Flags [R.], seq 251317971, ack 1880007973, win 0, length 0
20:08:03.617463 IP 10.0.0.19.63792 > xx.xxx.xxx.136.80: Flags [R.], seq 2364731442, ack 720673028, win 0, length 0
20:08:22.463198 IP 10.0.0.19.64167 > xx.xx.xx.194.80: Flags [R.], seq 310726497, ack 3191408605, win 0, length 0
20:09:19.814823 IP 10.0.0.1.1921 > x.xxx.xxx.72.8800: Flags [F.], seq 0, ack 1, win 64940, length 0
20:09:20.120501 IP 10.0.0.1.1917 > x.xxx.xxx.72.8800: Flags [F.], seq 0, ack 1, win 65508, length 0

Last edited by Danik; 11-26-2013 at 12:09 PM.
 
Old 11-26-2013, 12:09 PM   #4
david1941
Member
 
Registered: May 2005
Location: St. Louis, MO
Distribution: CentOS6
Posts: 267

Rep: Reputation: 57
Or whatever you are leaking. Or maybe just the source they are complaining about -s XX/8

Last edited by david1941; 11-26-2013 at 12:11 PM.
 
Old 11-26-2013, 12:14 PM   #5
Danik
LQ Newbie
 
Registered: Jul 2005
Distribution: debian 7
Posts: 14

Original Poster
Rep: Reputation: 0
Actually, as I understand it, these packets never go through INPUT or OUTPUT; they go through FORWARD and POSTROUTING,
but I do not know how to filter packets on the POSTROUTING chain.


It should be something like

Code:
iptables -t nat -I POSTROUTING -o eth0 -s 10.0.0.0/8 -j DROP
but POSTROUTING does not accept DROP.
I got this response:

Code:
# iptables -t nat -I POSTROUTING -o eth0 -s 10.0.0.0/8 -j DROP
iptables v1.4.14:
The "nat" table is not intended for filtering, the use of DROP is therefore inhibited.


Try `iptables -h' or 'iptables --help' for more information.

Last edited by Danik; 11-26-2013 at 12:16 PM.
 
Old 11-26-2013, 12:23 PM   #6
david1941
Member
 
Registered: May 2005
Location: St. Louis, MO
Distribution: CentOS6
Posts: 267

Rep: Reputation: 57
You could try to drop it in the forward chain then (before it hits the postrouting chain). There is some traffic you need for the KVM, so select that which you don't want to send out through the ISP interface to drop.
 
Old 11-26-2013, 12:44 PM   #7
Danik
LQ Newbie
 
Registered: Jul 2005
Distribution: debian 7
Posts: 14

Original Poster
Rep: Reputation: 0
All the traffic which goes through NAT is useful for me.
The only packets I want to drop are those that go out after the NAT with local IP addresses (I have been banned because of them).

But there is no known way for me to do this.
I also found a similar question on Server Fault: http://serverfault.com/questions/523...ng-is-complete

For those datagrams the FORWARD filter rules are processed before POSTROUTING SNAT, so I could not just throw out 10.0.0.0/24 packets as they would then never reach the SNAT rules.

But maybe there is some workaround for how I can solve my problem?

Last edited by Danik; 11-26-2013 at 12:48 PM.
 
Old 11-26-2013, 12:47 PM   #8
david1941
Member
 
Registered: May 2005
Location: St. Louis, MO
Distribution: CentOS6
Posts: 267

Rep: Reputation: 57
I just checked my iptables rule and I only accepted my virtual kvm network (192.168.122.0/24) along with some other legal local networks and dropped all others in the FORWARD chain. Then what was left I just -j SNAT to my ISP assigned source address in the POSTROUTING rules.

Code:
$IPTABLES -A FORWARD -s 192.168.122.0/24 -j ACCEPT -m comment --comment " From our enabled virtual net"
$IPTABLES -A FORWARD -m limit -j LOG --log-prefix "Unknown FORWARD pkt. "
$IPTABLES -A FORWARD -j DROP -m comment --comment "nothing else will be forwarded."
 
Old 11-26-2013, 01:10 PM   #9
Danik
LQ Newbie
 
Registered: Jul 2005
Distribution: debian 7
Posts: 14

Original Poster
Rep: Reputation: 0
I have tried it like this:

Code:
#!/bin/bash

# Executable path
IPT="/sbin/iptables"

# External IP
SERVER_IP=`ifconfig eth0 | sed -n 's/.*inet addr:\([0-9.]\+\)\s.*/\1/p'`

$IPT -t nat -F
$IPT -F

$IPT -A FORWARD -s 10.0.0.0/24 -j ACCEPT -m comment --comment "From our enabled virtual net"
$IPT -A FORWARD -m limit -j LOG --log-prefix "Unknown FORWARD pkt. "
$IPT -A FORWARD -j DROP -m comment --comment "nothing else will be forwarded."

$IPT -t nat -A POSTROUTING -s '10.0.0.0/24' -j SNAT --to-source $SERVER_IP
and after that all packets from my virtual machine with IP 10.0.0.11 were dropped and the VM was left without internet.

Can you help with how it should be done?
 
Old 11-26-2013, 01:54 PM   #10
david1941
Member
 
Registered: May 2005
Location: St. Louis, MO
Distribution: CentOS6
Posts: 267

Rep: Reputation: 57
Danik; My setup is odd but does include a virtual kvm windows XP fully active using nat through my main computer. Although my office is 99% IPv6 using samba shares, our outside contacts are 97% IPv4 so nat was the natural thing to do. It is all described on a website, http://xen.maplepark.com/~drf/consults/ that requires special access for the nitty gritty stuff. If you want to see it and the iptables setup, send me an email to my personal account, drf @ maplepark.com and I'll send you access codes.
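As an added example, not code from the thread or from Proxmox: the ruleset below addresses both the leak (posts #1 and #5) and the reply traffic that the script in post #9 dropped. The reason private sources escape despite SNAT is that the nat table is consulted only for the first packet of a connection conntrack is tracking; packets conntrack cannot place in any connection (state INVALID), typically late RST/FIN segments for a connection it has already forgotten, skip SNAT and leave eth0 untranslated, which is consistent with the RST/FIN-only captures in this thread. It assumes the thread's layout (guests on vmbr0 in 10.0.0.0/24, eth0 public), a conntrack-capable kernel, and the public address passed as an argument; the function takes the iptables command as its first argument so the rules can be previewed with echo.

```shell
#!/bin/sh
# Added example, not from the thread: FORWARD/POSTROUTING rules for the setup in
# post #1 that stop private sources from leaving eth0 without breaking the NAT.
# Usage: sh nat-rules.sh echo 203.0.113.42            (dry run: prints the rules)
#        sh nat-rules.sh /sbin/iptables <public-ip>   (applies them)
apply_nat_rules() {
    IPT="$1"                 # iptables binary, or "echo" for a dry run
    SERVER_IP="$2"           # public address on eth0 (xx.xx.xx.42 in the thread)
    GUEST_NET="10.0.0.0/24"
    GUEST_IF="vmbr0"
    EXT_IF="eth0"

    "$IPT" -F FORWARD
    "$IPT" -t nat -F POSTROUTING

    # 1. packets conntrack cannot classify would bypass SNAT in POSTROUTING and
    #    leak their 10.0.0.x source: drop them here, before POSTROUTING is reached
    "$IPT" -A FORWARD -m conntrack --ctstate INVALID -j DROP
    # 2. replies come back with a 10.0.0.x destination; the script in post #9 had
    #    no rule for them, which is why the guests lost their internet access
    "$IPT" -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # 3. new outbound connections, only from the guest bridge to the public side
    "$IPT" -A FORWARD -i "$GUEST_IF" -o "$EXT_IF" -s "$GUEST_NET" \
        -m conntrack --ctstate NEW -j ACCEPT
    # 4. everything else: log (rate limited) and drop, as in post #8
    "$IPT" -A FORWARD -m limit --limit 5/minute -j LOG --log-prefix "Unknown FORWARD pkt. "
    "$IPT" -A FORWARD -j DROP
    # 5. whatever survived FORWARD leaves eth0 with the public address
    "$IPT" -t nat -A POSTROUTING -s "$GUEST_NET" -o "$EXT_IF" -j SNAT --to-source "$SERVER_IP"
}

if [ $# -ge 2 ]; then apply_nat_rules "$1" "$2"; fi
```

After applying the rules, the awk summary from earlier in the thread (or plainly "tcpdump -ni eth0 src net 10.0.0.0/8") run on eth0 should stay empty, and the rate-limited LOG lines show what was refused.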
 
  


Tags
iptables, kvm, linux, nat, proxmox

