[ale] VMWare and Firewall

Calvin Harrigan charriglists at bellsouth.net
Mon Jun 4 14:17:29 EDT 2007


Robert L. Harris wrote:
> 
>   I have a system running some test software.  We are trying to firewall it
> so that it can't connect to any of our internal hosts.  iptables -L -n -v
> gives this:
> 
> {0}:/etc/network>iptables -L -n -v
> Chain INPUT (policy ACCEPT 39 packets, 4165 bytes)
>  pkts bytes target     prot opt in     out     source               destination         
>     0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0           
> 
> Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
>  pkts bytes target     prot opt in     out     source               destination         
> 
> Chain OUTPUT (policy ACCEPT 40 packets, 5633 bytes)
>  pkts bytes target     prot opt in     out     source               destination         
>     0     0 REJECT     tcp  --  *      *       172.22.13.0/24       172.22.13.255       reject-with icmp-port-unreachable 
>     0     0 REJECT     udp  --  *      *       172.22.13.0/24       172.22.13.255       reject-with icmp-port-unreachable 
>     0     0 REJECT     tcp  --  *      *       172.22.13.0/24       172.20.0.0/14       reject-with icmp-port-unreachable 
>     0     0 REJECT     udp  --  *      *       172.22.13.0/24       172.20.0.0/14       reject-with icmp-port-unreachable 
> 
> the iptables rules are this:
> 
> {0}:/etc/network>cat iptables 
> *filter
> :INPUT ACCEPT [0:0]
> :FORWARD ACCEPT [0:0]
> :OUTPUT ACCEPT [0:0]
> -A INPUT -i lo -j ACCEPT
> -A OUTPUT -p tcp -s 172.22.13.0/24 -d 172.22.13.255 -j REJECT
> -A OUTPUT -p udp -s 172.22.13.0/24 -d 172.22.13.255 -j REJECT
> -A OUTPUT -p tcp -s 172.22.13.0/24 -d 172.20.0.0/14 -j REJECT
> -A OUTPUT -p udp -s 172.22.13.0/24 -d 172.20.0.0/14 -j REJECT
> COMMIT
> 
> 
> but if I go one host away I can see netbios traffic still going to 
> the 172.22.13.255 address.  The 172.22.13.0/24 is reserved for VMs
> running on the host itself and I want to block all traffic to 172.20/16
> as the final goal.
> 
> Thoughts?
>   Robert
> 
> 
> 
> 
> :wq!
> ---------------------------------------------------------------------------
> Robert L. Harris                     | GPG Key ID: E344DA3B
>                                          @ x-hkp://pgp.mit.edu
> DISCLAIMER:
>       These are MY OPINIONS             With Dreams To Be A King,
>        ALONE.  I speak for              First One Should Be A Man
>        no-one else.                       - Manowar


How is the NIC in the VM session?  If it's bridged, I think it bypasses 
iptables, etc.  You didn't mention where you had iptables set up; I'm 
assuming it's on the host OS.
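Calvin's point about where the traffic actually passes, as an added example that is not from the thread: the posted rules live only in OUTPUT, which matches packets the host itself generates; traffic the host routes on behalf of the VMs traverses FORWARD instead, and traffic bridged outside the host IP stack (VMware's own bridging, or a Linux bridge with bridge-nf-call-iptables disabled) traverses neither. The script below (function names gen_vm_filter_rules and bridge_nf_status are assumed) emits a ruleset that covers both chains for the subnets in the post and reports whether the Linux bridge hands frames to iptables at all.

```shell
#!/bin/sh
# Constructed example: build an iptables-restore ruleset that rejects VM-to-internal
# traffic in FORWARD (routed through the host) as well as OUTPUT (generated by the
# host). The subnets are the ones quoted in the original post.
VM_NET="172.22.13.0/24"                   # address space reserved for the VMs
PROTECTED="172.22.13.255 172.20.0.0/14"   # destinations the VMs must not reach

# gen_vm_filter_rules VM_SUBNET DEST... : print a complete *filter table.
gen_vm_filter_rules() {
    vm_net="$1"; shift
    printf '%s\n' '*filter'
    printf '%s\n' ':INPUT ACCEPT [0:0]' ':FORWARD ACCEPT [0:0]' ':OUTPUT ACCEPT [0:0]'
    printf '%s\n' '-A INPUT -i lo -j ACCEPT'
    for dst in "$@"; do
        for chain in OUTPUT FORWARD; do        # OUTPUT: host-originated; FORWARD: routed
            for proto in tcp udp; do
                printf '%s\n' "-A $chain -p $proto -s $vm_net -d $dst -j REJECT"
            done
        done
    done
    printf '%s\n' 'COMMIT'
}

# bridge_nf_status [SYSCTL_FILE]: 0 if bridged frames are passed to iptables,
# 1 if the knob is off, 2 if the knob is absent (no Linux bridge netfilter, or the
# VM product bridges below the host IP stack, as VMware's vmnet bridging does).
bridge_nf_status() {
    f="${1:-/proc/sys/net/bridge/bridge-nf-call-iptables}"
    [ -r "$f" ] || return 2
    [ "$(cat "$f")" = "1" ] && return 0
    return 1
}

# Usage (PROTECTED is deliberately unquoted so it splits into two arguments):
#   gen_vm_filter_rules "$VM_NET" $PROTECTED > /tmp/vm-filter.rules
#   iptables-restore < /tmp/vm-filter.rules
#   bridge_nf_status || echo "bridged VM traffic is not filtered by this host"
```

If bridge_nf_status returns 2, no ruleset on the host will see the VM's frames; the filtering has to be done by the VM product's own network configuration or upstream of the host.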




