First of all, I am sorry for my English; it is not my native language.
I am not a qualified Linux administrator, so I do not have much experience with iptables and routing. The deadline is "yesterday". Googling did not get me any progress. It would be very good if someone could write me a guide along the lines of "use this command and everything should be fine".
So, I've got a hardware server with 1 NIC.
OS type: Debian + Proxmox. 1 dedicated IP address.
Inside:
2 CentOS containers with their own dedicated IPs AAA and BBB
Trouble:
All connections from outside to AAA and BBB proceed normally (ssh, http, mysql).
The result of all connections from a container is "connection refused" (ssh, wget, yum, curl).
All connections to the host server go normally.
History:
This started after I tried to install OpenVPN and did something in ISPmanager.
Config:
iptables
Code:
Chain INPUT (policy ACCEPT)
target            prot opt source               destination
ispmgr_deny_ip    all  --  anywhere             anywhere
ispmgr_allow_ip   all  --  anywhere             anywhere
ispmgr_allow_sub  all  --  anywhere             anywhere
ispmgr_deny_sub   all  --  anywhere             anywhere
DROP              all  --  anywhere             anywhere             match-set ispmgr_limit_req src
fail2ban-ssh      tcp  --  anywhere             anywhere             multiport dports ssh
ACCEPT            tcp  --  anywhere             anywhere             tcp dpt:222
fail2ban-ssh      tcp  --  anywhere             anywhere             multiport dports ssh

Chain FORWARD (policy ACCEPT)
target            prot opt source               destination
ACCEPT            all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target            prot opt source               destination

Chain fail2ban-ssh (2 references)
target            prot opt source               destination
REJECT            all  --  210.30.65.218.broad.xy.jx.dynamic.163data.com.cn  anywhere  reject-with icmp-port-unreachable
REJECT            all  --  183.94.193.154       anywhere             reject-with icmp-port-unreachable
REJECT            all  --  116.31.116.21        anywhere             reject-with icmp-port-unreachable
REJECT            all  --  59.63.188.30         anywhere             reject-with icmp-port-unreachable
RETURN            all  --  anywhere             anywhere

Chain ispmgr_allow_ip (1 references)
target            prot opt source               destination

Chain ispmgr_allow_sub (1 references)
target            prot opt source               destination

Chain ispmgr_deny_ip (1 references)
target            prot opt source               destination

Chain ispmgr_deny_sub (1 references)
target            prot opt source               destination

Chain ispmgr_limit_req (0 references)
target            prot opt source               destination
iptables-save
Code:
# Generated by iptables-save v1.4.21 on Fri Mar 17 13:13:16 2017
*mangle
:PREROUTING ACCEPT [26425:17749028]
:INPUT ACCEPT [3199:269429]
:FORWARD ACCEPT [22607:17455062]
:OUTPUT ACCEPT [3438:1632623]
:POSTROUTING ACCEPT [25647:19038078]
COMMIT
# Completed on Fri Mar 17 13:13:16 2017
# Generated by iptables-save v1.4.21 on Fri Mar 17 13:13:16 2017
*nat
:PREROUTING ACCEPT [1589:89647]
:INPUT ACCEPT [361:27018]
:OUTPUT ACCEPT [67:5275]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o vmbr0 -j MASQUERADE
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
# Completed on Fri Mar 17 13:13:16 2017
# Generated by iptables-save v1.4.21 on Fri Mar 17 13:13:16 2017
*filter
:INPUT ACCEPT [38:2610]
:FORWARD ACCEPT [33:3736]
:OUTPUT ACCEPT [65:13304]
:fail2ban-ssh - [0:0]
:ispmgr_allow_ip - [0:0]
:ispmgr_allow_sub - [0:0]
:ispmgr_deny_ip - [0:0]
:ispmgr_deny_sub - [0:0]
:ispmgr_limit_req - [0:0]
-A INPUT -j ispmgr_deny_ip
-A INPUT -j ispmgr_allow_ip
-A INPUT -j ispmgr_allow_sub
-A INPUT -j ispmgr_deny_sub
-A INPUT -m set --match-set ispmgr_limit_req src -j DROP
-A INPUT -p tcp -m multiport --dports 22 -j fail2ban-ssh
-A INPUT -p tcp -m tcp --dport 222 -j ACCEPT
-A INPUT -p tcp -m multiport --dports 22 -j fail2ban-ssh
-A FORWARD -i tap200i0 -j ACCEPT
-A FORWARD -i tap100i0 -j ACCEPT
-A fail2ban-ssh -s 91.197.232.109/32 -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-ssh -s 218.65.30.210/32 -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-ssh -s 116.31.116.21/32 -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-ssh -j RETURN
-A fail2ban-ssh -j RETURN
COMMIT
# Completed on Fri Mar 17 13:13:16 2017
ifconfig
Code:
eth0 Link encap:Ethernet HWaddr XX:XX:XX:XX:XX:XX
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:65536 Metric:1
tap100i0 Link encap:Ethernet HWaddr XX:XX:XX:XX:XX:XX
UP BROADCAST RUNNING PROMISC MULTICAST MTU:1500 Metric:1
tap200i0 Link encap:Ethernet HWaddr XX:XX:XX:XX:XX:XX
UP BROADCAST RUNNING PROMISC MULTICAST MTU:1500 Metric:1
vmbr0 Link encap:Ethernet HWaddr XX:XX:XX:XX:XX:XX
inet addr:XXX.XXX.XXX.XXX Bcast:XXX.XXX.XXX.XXX Mask:255.255.255.224
inet6 addr: XXXXXXXX Scope:Link
ip route list
Code:
default via XXX.XXX.XXX.XXX dev vmbr0
AAA.AAA.AAA.AAA dev vmbr0 scope link
BBB.BBB.BBB.BBB dev vmbr0 scope link
XXX.XXX.XXX.XXX/27 dev vmbr0 proto kernel scope link src XXX.XXX.XXX.XXX
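A small offline check over the iptables-save output, added here as an example and not code from the post above. The SAMPLE text is constructed to mirror the nat and filter tables the post shows. It flags two things a practitioner would look at first when bridged guests with their own public addresses cannot open outbound connections: a MASQUERADE rule whose out-interface is the bridge carrying those guests (vmbr0 here; the bridge name is a parameter, since other hosts differ), and rules that have been added twice. Whether the nat rule actually touches bridged frames depends on net.bridge.bridge-nf-call-iptables, which the post does not show, so the finding is phrased as a condition to verify, not a diagnosis.

```python
"""Offline audit of iptables-save output from a bridged Proxmox host.

Added example, not code from the original post. SAMPLE is constructed to
mirror the nat and filter tables the post shows; the checks are the first
things to look at when guests with their own public IPs cannot connect out.
"""
import re
from collections import Counter

# Constructed sample: the nat and filter tables as the post shows them.
SAMPLE = """\
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o vmbr0 -j MASQUERADE
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:fail2ban-ssh - [0:0]
-A INPUT -p tcp -m multiport --dports 22 -j fail2ban-ssh
-A INPUT -p tcp -m tcp --dport 222 -j ACCEPT
-A INPUT -p tcp -m multiport --dports 22 -j fail2ban-ssh
-A FORWARD -i tap200i0 -j ACCEPT
-A FORWARD -i tap100i0 -j ACCEPT
-A fail2ban-ssh -s 116.31.116.21/32 -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-ssh -j RETURN
-A fail2ban-ssh -j RETURN
COMMIT
"""


def parse_rules(text):
    """Return (table, rule) pairs for every '-A' line, tagged with its table."""
    table = None
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("*"):          # '*nat', '*filter': start of a table
            table = line[1:]
        elif line.startswith("-A "):      # an appended rule; ':' chain defs and COMMIT are skipped
            rules.append((table, line))
    return rules


def masquerade_interfaces(rules):
    """Out-interfaces of every MASQUERADE rule in the nat table ('*' if none given)."""
    found = []
    for table, rule in rules:
        if table == "nat" and rule.endswith("-j MASQUERADE"):
            m = re.search(r"-o (\S+)", rule)
            found.append(m.group(1) if m else "*")
    return found


def duplicate_rules(rules):
    """(table, rule) pairs that appear more than once, in first-seen order.
    Harmless on their own, but a sign that a tool keeps re-adding rules."""
    counts = Counter(rules)
    seen = []
    for r in rules:
        if counts[r] > 1 and r not in seen:
            seen.append(r)
    return seen


def audit(text, public_bridge="vmbr0"):
    """Return findings as strings. public_bridge is the bridge the guests with
    their own public addresses hang off (vmbr0 in the post; assumed elsewhere)."""
    rules = parse_rules(text)
    findings = []
    for iface in masquerade_interfaces(rules):
        if iface == public_bridge:
            findings.append(
                f"nat: MASQUERADE -o {iface}: guests bridged on {iface} with their own "
                "public addresses get their source rewritten to the host address "
                "if bridged traffic traverses iptables (net.bridge.bridge-nf-call-iptables=1)"
            )
    for table, rule in duplicate_rules(rules):
        findings.append(f"{table}: duplicate rule: {rule}")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

On the real host, `sysctl net.bridge.bridge-nf-call-iptables` tells you whether bridged frames hit the nat table at all; if it is 1 and the containers are meant to use their own addresses, `iptables -t nat -D POSTROUTING -o vmbr0 -j MASQUERADE` followed by an outbound test from a container is the cheapest experiment. Run against the constructed sample, the script reports the vmbr0 masquerade and the two rules that appear twice (the fail2ban-ssh jump in INPUT and the trailing RETURN).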