Leaking local IP addresses to the external interface through NAT on Linux KVM
Linux - Virtualization and CloudThis forum is for the discussion of all topics relating to Linux Virtualization and Linux Cloud platforms. Xen, KVM, OpenVZ, VirtualBox, VMware, Linux-VServer and all other Linux Virtualization platforms are welcome. OpenStack, CloudStack, ownCloud, Cloud Foundry, Eucalyptus, Nimbus, OpenNebula and all other Linux Cloud platforms are welcome. Note that questions relating solely to non-Linux OS's should be asked in the General forum.
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
all is working great but today I was banned by Hetzner
with such message
Dear Sir or Madam
We have noticed that you have been using other IPs from the same subnet in addition to the main IP mentioned in the above subject line.
As this is not permitted, we regret to inform you that your server has been deactivated.
Guidelines regarding further course of action may be found in our wiki: http://wiki.hetzner.de/index.php/Lei...versperrung/en.
Your Hetzner Support Team
and a log with my local ip addresses which I have checked are really visible from my eth0 on my hardware node with tcpdump
but POSTROUTING does not accept DROP
I got response:
# iptables -t nat -I POSTROUTING -o eth0 -s 10.0.0.0/8 -j DROP
The "nat" table is not intended for filtering, the use of DROP is therefore inhibited.
Try `iptables -h' or 'iptables --help' for more information.
You could try to drop it in the forward chain then (before it hits the postrouting chain. There is some traffic you need for the kvm so select that which you don't want to send out through ISP interface to drop.
I just checked my iptables rule and I only accepted my virtual kvm network (192.168.122.0/24) along with some other legal local networks and dropped all others in the FORWARD chain. Then what was left I just -j SNAT to my ISP assigned source address in the POSTROUTING rules.
$IPTABLES -A FORWARD -s 192.168.122.0/24 -j ACCEPT -m comment --comment " From our enabled virtual net"
$IPTABLES -A FORWARD -m limit -j LOG --log-prefix "Unknown FORWARD pkt. "
$IPTABLES -A FORWARD -j DROP -m comment --comment "nothing else will be forwarded."
Danik; My setup is odd but does include a virtual kvm windows XP fully active using nat through my main computer. Although my office is 99% IPv6 using samba shares, our outside contacts are 97% IPv4 so nat was the natural thing to do. It is all described on a website, http://xen.maplepark.com/~drf/consults/ that requires special access for the nitty gritty stuff. If you want to see it and the iptables setup, send me an email to my personal account, drf @ maplepark.com and I'll send you access codes.