Hi,
I am confused as to what to block from where when dealing with a virtual server. I hope someone can shine some light on this subject.
Ehm..
My setup. I have a LAN connected to the Big Bad World through a machine that acts as gateway/router/firewall. On this same machine I am running several services facing WAN. Not happy with the security risk involved, I decided to take a different approach. First off, my webserver.
I've built a dedicated webserver (Slack 12.2) running as a Virtual Machine, henceforth to be known as 'guest', on my router/gateway/server, known locally as 'host'.
On the host:
eth0 faces LAN
eth2 faces WAN
eth0 is bridged (but not through tun) to the guest. This works flawlessly. I've poked some holes in the firewall, so from the outside requests for port 80 and for the secret ssh-port get forwarded to the guest. The guest is able to accept http and ssh, both from LAN and from WAN.
But now it comes. In case the guest gets compromised, or in case I can't let go of this question because I have my mind set on it (whichever comes first), I want to refuse the guest all outbound connections. Whoever enters the guest enters the guest alone. I don't want the guest to be able to see the rest of my LAN. I always liked the word 'quarantine', and that's what I want.
Because the guest is just a small VM, it stores no content. It gets its content from the host through NFS(ro,root_squash,the_works). I poked enough holes in the firewall to allow for this and it works.
The guest can mount NFS, but it cannot ping the host, it cannot nmap the host (although nmap -PN does reveal the open ports used by NFS), so what is my question?
Well, the guest can see all other machines within range. And that is strange to me. All rules seem only to apply to the guest <-> host communication. Not the guest <-> LAN-client communications.
I could introduce the wonderful world of subnetting to this LAN to cope with this, but that is not solving the problem of iptables not functioning the way I expect.
It seems as though iptables on the host is not filtering the outbound traffic from the guest, except for when the host is the target. This may have to do with *well, anything really*, but right now I'm thinking it's because the guest and the LAN interface of the host are in fact the same physical device? Not sure if it works like that. I really have no idea how the kernel routes this traffic internally.
How or where should I block this?
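The asymmetry described in the post (guest-to-host traffic is filtered, guest-to-LAN traffic is not) is what a Linux bridge does by default: frames switched between two bridge ports stay at layer 2 and never enter the iptables FORWARD chain, while frames addressed to the host itself leave the bridge at its IP address and do pass INPUT. The script below is an added example, not code from the original post, showing one way to quarantine a bridged guest on the host: turn on bridge netfilter so bridged frames traverse FORWARD, then match on the guest's bridge port with the physdev module. It assumes the bridge is named `br0`, the guest's port on that bridge is `vnet0`, the LAN is `192.168.1.0/24` and the guest listens on port 80 and a hypothetical ssh port 2222; all of these are placeholders to be replaced with the real values. By default it only prints the commands it would run (`DRY_RUN=1`), so it can be read and checked before being applied as root with `DRY_RUN=0`.

```shell
#!/bin/sh
# Added example (not from the original post): quarantine a bridged guest on the host.
# Assumed names and addresses (placeholders): bridge br0, guest bridge port vnet0,
# LAN 192.168.1.0/24, guest services on tcp/80 and tcp/2222.
DRY_RUN="${DRY_RUN:-1}"
GUEST_PORT="${GUEST_PORT:-vnet0}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"
GUEST_PORTS="${GUEST_PORTS:-80,2222}"

# Either print the command (dry run) or execute it.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Step 1: make frames switched between bridge ports traverse iptables.
# Without this, only traffic addressed to the host itself is seen (in INPUT),
# which is exactly why guest -> host is filtered but guest -> LAN is not.
enable_bridge_netfilter() {
    run modprobe br_netfilter   # separate module on newer kernels; part of bridge on older ones
    run sysctl -w net.bridge.bridge-nf-call-iptables=1
}

# Step 2: FORWARD rules keyed on the physical bridge port the frame arrived on.
# Once bridge netfilter is on, LAN -> guest and WAN -> guest traffic crosses
# FORWARD too, so the inbound service ports are allowed explicitly.
quarantine_rules() {
    # replies to connections the LAN/WAN opened towards the guest
    run iptables -A FORWARD -m physdev --physdev-in "$GUEST_PORT" \
        -m state --state ESTABLISHED,RELATED -j ACCEPT
    # new connections from the guest port: log, then drop (no outbound at all)
    run iptables -A FORWARD -m physdev --physdev-in "$GUEST_PORT" \
        -m state --state NEW -j LOG --log-prefix "guest-quarantine: "
    run iptables -A FORWARD -m physdev --physdev-in "$GUEST_PORT" -j DROP
    # inbound to the guest's published services only
    run iptables -A FORWARD -m physdev --physdev-out "$GUEST_PORT" \
        -p tcp -m multiport --dports "$GUEST_PORTS" -m state --state NEW -j ACCEPT
    run iptables -A FORWARD -m physdev --physdev-out "$GUEST_PORT" \
        -m state --state ESTABLISHED,RELATED -j ACCEPT
    run iptables -A FORWARD -m physdev --physdev-out "$GUEST_PORT" -j DROP
}

# Step 3: a quick self-check that the rule set really pins the guest port.
# Returns 0 when every rule generated in dry-run mode references the guest port.
rules_reference_guest_port() {
    DRY_RUN=1 quarantine_rules | grep -v -- "--physdev-in $GUEST_PORT\|--physdev-out $GUEST_PORT" \
        | grep -q . && return 1
    return 0
}

apply_all() {
    enable_bridge_netfilter
    quarantine_rules
}

# Run stand-alone: print (or apply) the full sequence.
[ "${QUARANTINE_NO_MAIN:-0}" = 1 ] || apply_all
```

Guest-to-host traffic (the NFS mounts) is unaffected by these FORWARD rules because it still arrives in INPUT, where the existing holes apply; note that with bridge netfilter enabled the INPUT and OUTPUT rules also start seeing bridged frames, so an existing FORWARD policy of DROP will now apply to LAN clients talking to the guest as well, which is why the inbound service ports are allowed explicitly above. The `ebtables` tool offers the same port-based isolation at layer 2 if the bridge-nf sysctl is not available.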