LinuxQuestions.org
Old 07-03-2009, 01:49 PM   #1
/dev/me
Member
 
Registered: May 2008
Distribution: Slackware 13
Posts: 116

Rep: Reputation: 20
Filtering outbound traffic from a Virtual Machine, how?


Hi,

I am confused as to what to block from where when dealing with a virtual server. I hope someone can shed some light on this subject.

Ehm..
My setup. I have a LAN connected to the Big Bad World through a machine that acts as gateway/router/firewall. On this same machine I am running several services facing the WAN. Not happy with the security risk involved, I decided to take a different approach. First off, my webserver.


I've built a dedicated webserver (Slack 12.2) running as a Virtual Machine, henceforth to be known as 'guest', on my router/gateway/server, known locally as 'host'.

On the host:
eth0 faces LAN
eth2 faces WAN

eth0 is bridged (but not through tun) to the guest. This works flawlessly. I've poked some holes in the firewall, so from the outside requests for port 80 and for the secret ssh-port get forwarded to the guest. The guest is able to accept http and ssh, both from the LAN and from the WAN.

But here it comes. In case the guest gets compromised, or in case I can't let go of this question because I have my mind set on it (whichever comes first), I want to refuse the guest all outbound connections. Whoever enters the guest, enters the guest alone. I don't want the guest to be able to see the rest of my LAN. I always liked the word 'quarantine', and that's what I want.

Because the guest is just a small VM, it stores no content. It gets its content from the host through NFS(ro,root_squash,the_works). I poked enough holes in the firewall to allow for this and it works.

The guest can mount NFS, but it cannot ping the host, and it cannot nmap the host (although nmap -PN does reveal the open ports used by NFS), so what is my question?

Well, the guest can see all other machines within range. And that is strange to me. All rules seem only to apply to the guest <-> host communication, not to the guest <-> LAN-client communications.


I could introduce the wonderful world of subnetting to this LAN to cope with this, but that does not solve the problem of iptables not functioning the way I expect.


It seems as though iptables on the host is not filtering the outbound traffic from the guest, except for when the host is the target. This may have to do with *well, anything really*, but right now I'm thinking it's because the guest and the LAN interface of the host are in fact the same physical device? Not sure if it works like that. I really have no idea how the kernel routes this traffic internally.

How or where should I block this?
 
Old 07-03-2009, 02:58 PM   #2
internalkernel
LQ Newbie
 
Registered: Jun 2009
Location: /dev/null
Distribution: Jaunty 9.04
Posts: 15

Rep: Reputation: 0
Are the host and the guest on the same subnet? I know in VMware there are multiple options for setting up networking - bridged (in which case they would be on the same subnet), NAT'd, etc. I am - assuming - that you are using VMware, OpenBox, etc. to virtualize the guest... Hopefully this is correct...

It may be easiest to define an iptables rule for the broadcast range of the host and guest respectively (assuming that the broadcast ranges are different), and block all outgoing connections on the broadcast range of the guest. This would require that the host and guest are on different subnets...

VMware usually creates networking devices for the guests, vmnet0 for instance. I'm not sure how iptables would handle that, though, although *it should* treat it as a normal interface...

hope that helps
 
Old 07-03-2009, 04:26 PM   #3
/dev/me
Member
 
Registered: May 2008
Distribution: Slackware 13
Posts: 116

Original Poster
Rep: Reputation: 20
Oh fsck, I made a post so long I could have it published in volumes (leather bound copies available for an additional fee).

It included outputs of all sorts of tests, all pointing to unexpected behavior. But it turns out, in my last test, all outgoing connections of the guest get registered by iptables (as witnessed by careful scrutiny of the logs) as having the IP address of the host.

I failed to see this before, or didn't look into this, because on the receiving side of the contacted LAN-client I see the IP address of the guest. So I assumed... and that was my first mistake.

Think of it this way:
if the host has an IP of x.x.x.1
and the guest has x.x.x.2
and a LAN-client has x.x.x.3

Now, if I ssh from the guest to the LAN-client, the LAN-client registers an incoming connection from x.x.x.2.
But on the host, it registers as an outgoing connection from x.x.x.1.

Now this has me wondering if I could solve this with subnetting (which was my plan B).

Quote:
Originally Posted by internalkernel
Are the host and the guest on the same subnet? I know in VMware, there are multiple options for setting up networking - bridged (in which case they would be on the same subnet), NAT'd, etc. I am - assuming - that you are using Vmware, OpenBox, etc to virtualize the guest... Hopefully this is correct...
Thanks for your reply. I seem to have edited my OP too much for the sake of brevity. I use VirtualBox, in bridged mode. That's why I didn't expect to have this problem. This is the sort of thing I expect from NAT mode.


Quote:
Originally Posted by internalkernel
although *it should* treat it as a normal interface...
Yeah, you'd think that.


Hmmmm, I can of course build a TUN*)-bridge and tie the guest to that. I don't know if that would solve anything. Maybe I'll try that first.

In any case, I am trying to quarantine my guest and I do not want to rely on iptables running on the guest to solve any of these problems. The guest should not be able to do anything even if someone gets root on it.

*) TUN/TAP, whatchamacallit?

Last edited by /dev/me; 07-03-2009 at 04:31 PM.
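Added example, not from the thread or any of its posters: a POSIX shell script for the host that quarantines the guest once it is attached through a tap interface to a Linux kernel bridge, the TUN/TAP setup considered in the post above. VirtualBox's own bridged mode (the vboxnetflt driver) hands guest frames to the NIC beneath the host's IP stack, so the host's iptables only sees the guest's traffic that is addressed to the host itself, which is consistent with what is described in this thread. On a kernel bridge, the sysctl net.bridge.bridge-nf-call-iptables makes bridged IPv4 frames traverse the FORWARD chain, where the physdev match identifies the guest's bridge port. All names and addresses are hypothetical: bridge br0 made of eth0 and the guest's tap0, guest 192.168.1.2 with a constructed MAC 08:00:27:00:00:01, and 2222 standing in for the unnamed ssh port. The commands are printed by default and executed only with APPLY=1.

```shell
#!/bin/sh
# Added example, not from the thread. Quarantines a bridged VM from the host's
# FORWARD path. Assumed (hypothetical) topology: br0 = eth0 (LAN) + tap0 (guest
# NIC); the guest keeps one fixed IP and MAC and offers http plus one ssh port.
GUEST_IF=${GUEST_IF:-tap0}
GUEST_IP=${GUEST_IP:-192.168.1.2}
GUEST_MAC=${GUEST_MAC:-08:00:27:00:00:01}   # constructed sample MAC
SSH_PORT=${SSH_PORT:-2222}                  # stands in for the "secret" ssh port
CHAIN=GUEST_QUARANTINE

# APPLY=1 executes each command; otherwise it is only printed (dry run).
run() {
    if [ "${APPLY:-0}" = 1 ]; then "$@"; else printf '%s\n' "$*"; fi
}

quarantine_rules() {
    # 1. Make the kernel hand bridged IPv4 frames to iptables' FORWARD chain.
    #    Without this, frames switched between bridge ports never reach iptables.
    run sysctl -w net.bridge.bridge-nf-call-iptables=1

    # 2. Dedicated chain, evaluated before the host's existing FORWARD rules.
    #    (-N complains on a re-run and -D complains on the first run; both harmless.)
    run iptables -N "$CHAIN"
    run iptables -F "$CHAIN"
    run iptables -D FORWARD -j "$CHAIN"
    run iptables -I FORWARD 1 -j "$CHAIN"

    # 3. Frames arriving from the guest's bridge port: pin MAC and IP so root on
    #    the guest cannot sidestep the rules by changing its addresses, allow only
    #    replies to connections that were admitted inbound, then log and drop.
    run iptables -A "$CHAIN" -m physdev --physdev-in "$GUEST_IF" -m mac ! --mac-source "$GUEST_MAC" -j DROP
    run iptables -A "$CHAIN" -m physdev --physdev-in "$GUEST_IF" ! -s "$GUEST_IP" -j DROP
    run iptables -A "$CHAIN" -m physdev --physdev-in "$GUEST_IF" -m state --state ESTABLISHED,RELATED -j ACCEPT
    run iptables -A "$CHAIN" -m physdev --physdev-in "$GUEST_IF" -j LOG --log-prefix "guest-quarantine: "
    run iptables -A "$CHAIN" -m physdev --physdev-in "$GUEST_IF" -j DROP

    # 4. Traffic towards the guest, whether bridged from the LAN or routed in from
    #    the WAN. --physdev-out is not known for packets routed into a bridge, so
    #    match the destination address: only http and ssh may open connections.
    run iptables -A "$CHAIN" -d "$GUEST_IP" -p tcp --dport 80 -m state --state NEW -j ACCEPT
    run iptables -A "$CHAIN" -d "$GUEST_IP" -p tcp --dport "$SSH_PORT" -m state --state NEW -j ACCEPT
    run iptables -A "$CHAIN" -d "$GUEST_IP" -m state --state ESTABLISHED,RELATED -j ACCEPT
    run iptables -A "$CHAIN" -d "$GUEST_IP" -j DROP
    # Anything not involving the guest falls through to the host's own FORWARD rules.

    # 5. bridge-nf only covers IPv4. ebtables closes the layer-2 gaps: the guest
    #    port may only send from its own MAC, may only claim its own IP in ARP,
    #    and gets no IPv6 at all.
    run ebtables -A FORWARD -i "$GUEST_IF" -s ! "$GUEST_MAC" -j DROP
    run ebtables -A FORWARD -i "$GUEST_IF" -p ARP --arp-ip-src ! "$GUEST_IP" -j DROP
    run ebtables -A FORWARD -i "$GUEST_IF" -p IPv6 -j DROP
}

quarantine_rules
```

Guest-to-host traffic (the NFS mount) is delivered to the host's own stack and therefore passes through INPUT, not FORWARD, so the NFS holes already punched in the host firewall are untouched by this chain; only what the guest sends towards the LAN or the WAN is refused. The LOG rule gives a host-side record of every attempt the guest makes to reach out, which is the signal to watch for a compromised guest.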
 
Old 07-03-2009, 05:08 PM   #4
internalkernel
LQ Newbie
 
Registered: Jun 2009
Location: /dev/null
Distribution: Jaunty 9.04
Posts: 15

Rep: Reputation: 0
I'm guessing that a TUN would not be necessary; this should be easily accomplished through iptables. Unfortunately, I do not know the iptables commands that well. I rely on Shorewall... because, well, I'm lazy and totally OK with that.

Although, I know that you can define specific hosts via IPs in Shorewall... and Shorewall is a config utility for iptables - hence, I know it's possible...

So, might I suggest... give Webmin a try - you can configure Shorewall through that, and, well, any part of your server actually. If you've never used it before, you will love it for remote administration. (And yes, you can totally lock it down too.)
 
  

