Leaking local IP addresses to the external interface through NAT on Linux KVM
All was working great, but today I was banned by Hetzner
with this message:
Dear Sir or Madam
We have noticed that you have been using other IPs from the same subnet in addition to the main IP mentioned in the above subject line.
As this is not permitted, we regret to inform you that your server has been deactivated.
Guidelines regarding further course of action may be found in our wiki: http://wiki.hetzner.de/index.php/Lei...versperrung/en.
Your Hetzner Support Team
and a log with my local IP addresses, which I have checked are really visible on eth0 on my hardware node with tcpdump.
But POSTROUTING does not accept DROP. I got this response:
# iptables -t nat -I POSTROUTING -o eth0 -s 10.0.0.0/8 -j DROP
The "nat" table is not intended for filtering, the use of DROP is therefore inhibited.
Try `iptables -h' or 'iptables --help' for more information.
You could try to drop it in the FORWARD chain then (before it hits the POSTROUTING chain). There is some traffic you need for the KVM, so select what you don't want to send out through the ISP interface and drop that.
I just checked my iptables rules, and I only accepted my virtual KVM network (192.168.122.0/24), along with some other legal local networks, and dropped all others in the FORWARD chain. Then what was left I just -j SNAT to my ISP-assigned source address in the POSTROUTING rules.
$IPTABLES -A FORWARD -s 192.168.122.0/24 -j ACCEPT -m comment --comment " From our enabled virtual net"
$IPTABLES -A FORWARD -m limit -j LOG --log-prefix "Unknown FORWARD pkt. "
$IPTABLES -A FORWARD -j DROP -m comment --comment "nothing else will be forwarded."
Danik: My setup is odd, but it does include a virtual KVM Windows XP fully active using NAT through my main computer. Although my office is 99% IPv6 using Samba shares, our outside contacts are 97% IPv4, so NAT was the natural thing to do. It is all described on a website, http://xen.maplepark.com/~drf/consults/, that requires special access for the nitty-gritty stuff. If you want to see it and the iptables setup, send me an email at my personal account, drf @ maplepark.com, and I'll send you access codes.
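The advice in the replies above, filter in the filter table where DROP is allowed and SNAT only the approved guest network afterwards, written out as an added example. This is not code from the thread or from any of its posters. It assumes the ISP-facing interface is eth0, the libvirt NAT bridge is virbr0, and the placeholder 203.0.113.10 stands in for the single public address the provider assigned; all three are assumptions and can be overridden through the environment. The second function is a check for the OP's symptom: it scans `tcpdump -nn -i eth0 ip` output and lists every private source address that is still reaching the wire. The capture lines at the bottom are constructed for the demonstration, not a real trace.

```shell
#!/bin/sh
# Added example, not code from the thread. Keeps RFC1918 sources off the
# ISP-facing interface by dropping them in the filter table (FORWARD for
# forwarded guest traffic, OUTPUT for the host's own packets), then SNATs
# only the approved guest network in nat/POSTROUTING.
# Assumptions (not from the original post): eth0 is the ISP interface,
# virbr0 is the libvirt NAT bridge, 203.0.113.10 is a placeholder public IP.
WAN_IF="${WAN_IF:-eth0}"
VM_IF="${VM_IF:-virbr0}"
VM_NET="${VM_NET:-192.168.122.0/24}"
PUBLIC_IP="${PUBLIC_IP:-203.0.113.10}"

# Emit the ruleset in iptables-restore format on stdout. Nothing is applied
# here, so the output can be reviewed before `build_ruleset | iptables-restore`.
build_ruleset() {
    cat <<EOF
*filter
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:RFC1918_LEAK - [0:0]
# one chain handles every private source that is about to leave via $WAN_IF
-A RFC1918_LEAK -m limit --limit 5/min -j LOG --log-prefix "Private src leak: "
-A RFC1918_LEAK -j DROP
# return traffic for connections the guests opened
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# the one guest network allowed out; must sit BEFORE the 192.168.0.0/16 catch
-A FORWARD -i $VM_IF -o $WAN_IF -s $VM_NET -j ACCEPT
# forwarded packets from any other private range never reach nat/POSTROUTING
-A FORWARD -o $WAN_IF -s 10.0.0.0/8 -j RFC1918_LEAK
-A FORWARD -o $WAN_IF -s 172.16.0.0/12 -j RFC1918_LEAK
-A FORWARD -o $WAN_IF -s 192.168.0.0/16 -j RFC1918_LEAK
-A FORWARD -m limit --limit 5/min -j LOG --log-prefix "Unknown FORWARD pkt. "
-A FORWARD -j DROP
# packets the host itself generates traverse OUTPUT, not FORWARD
-A OUTPUT -o $WAN_IF -s 10.0.0.0/8 -j RFC1918_LEAK
-A OUTPUT -o $WAN_IF -s 172.16.0.0/12 -j RFC1918_LEAK
-A OUTPUT -o $WAN_IF -s 192.168.0.0/16 -j RFC1918_LEAK
COMMIT
*nat
:POSTROUTING ACCEPT [0:0]
# only what survived FORWARD gets here; rewrite it to the assigned address
-A POSTROUTING -o $WAN_IF -s $VM_NET -j SNAT --to-source $PUBLIC_IP
COMMIT
EOF
}

# Read `tcpdump -nn -i eth0 ip` lines on stdin (-nn: no name resolution) and
# print each RFC1918 source address seen, once. Silence means no leak.
find_private_leaks() {
    awk '$2 == "IP" {
        n = split($3, o, ".")
        # five components mean "a.b.c.d.port"; four mean a bare address (ICMP)
        src = (n == 5) ? (o[1] "." o[2] "." o[3] "." o[4]) : $3
        a = o[1] + 0; b = o[2] + 0
        if (a == 10 || (a == 172 && b >= 16 && b <= 31) || (a == 192 && b == 168))
            if (!seen[src]++) print src
    }'
}

# Constructed sample of tcpdump output for the demo (not a real capture).
SAMPLE_CAPTURE='12:00:01.000001 IP 10.0.0.5.51234 > 93.184.216.34.80: Flags [S], seq 1, win 64240, length 0
12:00:01.000002 IP 203.0.113.10.40000 > 93.184.216.34.80: Flags [S], seq 2, win 64240, length 0
12:00:01.000003 IP 192.168.122.10 > 8.8.8.8: ICMP echo request, id 1, seq 1, length 64
12:00:01.000004 IP 10.0.0.5.51235 > 93.184.216.34.443: Flags [S], seq 3, win 64240, length 0
12:00:01.000005 IP 172.20.1.9.123 > 129.6.15.28.123: NTPv4, Client, length 48
12:00:01.000006 IP 172.40.1.9.123 > 129.6.15.28.123: NTPv4, Client, length 48'

# Demo on the constructed capture; needs neither root nor a network.
# Prints 10.0.0.5, 192.168.122.10 and 172.20.1.9 (172.40.x is not RFC1918).
printf '%s\n' "$SAMPLE_CAPTURE" | find_private_leaks
```

`build_ruleset | iptables-restore` replaces the whole filter and nat tables, including the rules libvirt installs for its own network, so review the output first and merge rather than overwrite if other rules must survive. On the live host the quick confirmation is `tcpdump -nn -i eth0 'src net 10.0.0.0/8 or src net 172.16.0.0/12 or src net 192.168.0.0/16'`, which should stay quiet once the rules are in. One caveat: if a guest is bridged directly onto eth0 instead of routed through virbr0, its frames do not pass through FORWARD unless br_netfilter is loaded, and the filtering belongs in ebtables (or the nftables bridge family) instead.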