[ale] VMWare and Firewall
Robert L. Harris
Robert.L.Harris at rdlg.net
Mon Jun 4 11:28:56 EDT 2007
I have a system running some test software. We are trying to firewall it
so that it can't connect to any of our internal hosts. iptables -L -n -v
gives this:
{0}:/etc/network>iptables -L -n -v
Chain INPUT (policy ACCEPT 39 packets, 4165 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 40 packets, 5633 bytes)
pkts bytes target prot opt in out source destination
0 0 REJECT tcp -- * * 172.22.13.0/24 172.22.13.255 reject-with icmp-port-unreachable
0 0 REJECT udp -- * * 172.22.13.0/24 172.22.13.255 reject-with icmp-port-unreachable
0 0 REJECT tcp -- * * 172.22.13.0/24 172.20.0.0/14 reject-with icmp-port-unreachable
0 0 REJECT udp -- * * 172.22.13.0/24 172.20.0.0/14 reject-with icmp-port-unreachable
The iptables rules are these:
{0}:/etc/network>cat iptables
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A OUTPUT -p tcp -s 172.22.13.0/24 -d 172.22.13.255 -j REJECT
-A OUTPUT -p udp -s 172.22.13.0/24 -d 172.22.13.255 -j REJECT
-A OUTPUT -p tcp -s 172.22.13.0/24 -d 172.20.0.0/14 -j REJECT
-A OUTPUT -p udp -s 172.22.13.0/24 -d 172.20.0.0/14 -j REJECT
COMMIT
but if I go one host away I can see netbios traffic still going to the
172.22.13.255 address. The 172.22.13.0/24 is reserved for VMs
running on the host itself and I want to block all traffic to 172.20/16
as the final goal.
Thoughts?
Robert
:wq!
---------------------------------------------------------------------------
Robert L. Harris | GPG Key ID: E344DA3B
@ x-hkp://pgp.mit.edu
DISCLAIMER: These are MY OPINIONS ALONE. I speak for no-one else.
With Dreams To Be A King, First One Should Be A Man - Manowar