[ale] VMWare and Firewall
Robert L. Harris
Robert.L.Harris at rdlg.net
Mon Jun 4 15:01:43 EDT 2007
It is bridged. I'm running the firewall on the host OS. So I would need
to apply it to "vmnet1" or "vmnet8"? Running tcpdump on these interfaces
doesn't show any traffic.
Thus spake Calvin Harrigan (charriglists at bellsouth.net):
> Robert L. Harris wrote:
> >
> > I have a system running some test software. We are trying to firewall it
> > so that it can't connect to any of our internal hosts. iptables -L -n -v
> > gives this:
> >
> > {0}:/etc/network>iptables -L -n -v
> > Chain INPUT (policy ACCEPT 39 packets, 4165 bytes)
> > pkts bytes target prot opt in out source destination
> > 0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
> >
> > Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
> > pkts bytes target prot opt in out source destination
> >
> > Chain OUTPUT (policy ACCEPT 40 packets, 5633 bytes)
> > pkts bytes target prot opt in out source destination
> > 0 0 REJECT tcp -- * * 172.22.13.0/24 172.22.13.255 reject-with icmp-port-unreachable
> > 0 0 REJECT udp -- * * 172.22.13.0/24 172.22.13.255 reject-with icmp-port-unreachable
> > 0 0 REJECT tcp -- * * 172.22.13.0/24 172.20.0.0/14 reject-with icmp-port-unreachable
> > 0 0 REJECT udp -- * * 172.22.13.0/24 172.20.0.0/14 reject-with icmp-port-unreachable
> >
> > the iptables rules are this:
> >
> > {0}:/etc/network>cat iptables
> > *filter
> > :INPUT ACCEPT [0:0]
> > :FORWARD ACCEPT [0:0]
> > :OUTPUT ACCEPT [0:0]
> > -A INPUT -i lo -j ACCEPT
> > -A OUTPUT -p tcp -s 172.22.13.0/24 -d 172.22.13.255 -j REJECT
> > -A OUTPUT -p udp -s 172.22.13.0/24 -d 172.22.13.255 -j REJECT
> > -A OUTPUT -p tcp -s 172.22.13.0/24 -d 172.20.0.0/14 -j REJECT
> > -A OUTPUT -p udp -s 172.22.13.0/24 -d 172.20.0.0/14 -j REJECT
> > COMMIT
> >
> >
> > but if I go one host away I can see netbios traffic still going to
> > the 172.22.13.255 address. The 172.22.13.0/24 is reserved for VMs
> > running on the host itself, and I want to block all traffic to 172.20/16
> > as the final goal.
> >
> > Thoughts?
> > Robert
> >
> >
> >
> >
> > :wq!
> > ---------------------------------------------------------------------------
> > Robert L. Harris | GPG Key ID: E344DA3B @ x-hkp://pgp.mit.edu
> > DISCLAIMER: These are MY OPINIONS ALONE. I speak for no-one else.
> > "With Dreams To Be A King, First One Should Be A Man" - Manowar
> >
> >
> >
> > ------------------------------------------------------------------------
> >
> > _______________________________________________
> > Ale mailing list
> > Ale at ale.org
> > http://www.ale.org/mailman/listinfo/ale
>
>
> How is the NIC in the VM session? If it's bridged, I think it bypasses
> iptables, etc. You didn't mention where you had iptables setup, I'm
> assuming it's on the host OS.
>
>
:wq!
---------------------------------------------------------------------------
Robert L. Harris | GPG Key ID: E344DA3B @ x-hkp://pgp.mit.edu
DISCLAIMER: These are MY OPINIONS ALONE. I speak for no-one else.
"With Dreams To Be A King, First One Should Be A Man" - Manowar
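As an added example (not code from anyone in the thread), here is a small Python audit of the `iptables -L -n -v` listing quoted above. It parses the chain headers and rule rows and flags the symptom under discussion: every REJECT rule sitting at 0 packets under an ACCEPT policy, which means the chain is not on the path the traffic takes. The column layout and the sample input are the listing from the thread; the K/M/G counter handling and the `audit` heuristic are the editor's own.

```python
"""Audit `iptables -L -n -v` output for filter rules that never match.

Added example for this thread; not code from the posters. SAMPLE is the
listing quoted in the thread, re-aligned into iptables' normal columns.
"""
import re

CHAIN_BUILTIN = re.compile(r"^Chain (\S+) \(policy (\S+) (\S+) packets, (\S+) bytes\)")
CHAIN_USER = re.compile(r"^Chain (\S+) \((\d+) references\)")
FILTER_TARGETS = {"REJECT", "DROP"}

SAMPLE = """\
Chain INPUT (policy ACCEPT 39 packets, 4165 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 40 packets, 5633 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 REJECT     tcp  --  *      *       172.22.13.0/24       172.22.13.255       reject-with icmp-port-unreachable
    0     0 REJECT     udp  --  *      *       172.22.13.0/24       172.22.13.255       reject-with icmp-port-unreachable
    0     0 REJECT     tcp  --  *      *       172.22.13.0/24       172.20.0.0/14       reject-with icmp-port-unreachable
    0     0 REJECT     udp  --  *      *       172.22.13.0/24       172.20.0.0/14       reject-with icmp-port-unreachable
"""


def parse_count(text):
    """Without -x, iptables abbreviates large counters as 39K, 2M, 1G (factor 1000)."""
    scale = {"K": 10**3, "M": 10**6, "G": 10**9}
    if text[-1] in scale:
        return int(text[:-1]) * scale[text[-1]]
    return int(text)


def parse_iptables_verbose(text):
    """Return {chain_name: {"policy", "policy_pkts", "rules": [...]}}.

    Rule columns: pkts bytes target prot opt in out source destination,
    followed by free-form match/target options (e.g. 'reject-with ...').
    Rules without a -j target shift the columns and are skipped here.
    """
    chains = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = CHAIN_BUILTIN.match(line)
        if m:
            current = {"policy": m.group(2), "policy_pkts": parse_count(m.group(3)), "rules": []}
            chains[m.group(1)] = current
            continue
        m = CHAIN_USER.match(line)
        if m:
            current = {"policy": None, "policy_pkts": 0, "rules": []}
            chains[m.group(1)] = current
            continue
        if current is None or line.startswith("pkts "):
            continue  # column header line
        fields = line.split(None, 9)
        if len(fields) < 9:
            continue  # not a rule row
        current["rules"].append({
            "pkts": parse_count(fields[0]), "bytes": parse_count(fields[1]),
            "target": fields[2], "prot": fields[3],
            "in": fields[5], "out": fields[6],
            "src": fields[7], "dst": fields[8],
            "extra": fields[9] if len(fields) > 9 else "",
        })
    return chains


def audit(chains):
    """Flag REJECT/DROP rules that have matched nothing, and chains where that
    holds for every filtering rule while the policy is ACCEPT: such a chain
    blocks nothing, however correct the rules look on paper."""
    findings = []
    for name, chain in chains.items():
        filtering = [r for r in chain["rules"] if r["target"] in FILTER_TARGETS]
        dead = [r for r in filtering if r["pkts"] == 0]
        if filtering and len(dead) == len(filtering) and chain["policy"] == "ACCEPT":
            findings.append(f"{name}: policy ACCEPT and none of its {len(filtering)} "
                            f"REJECT/DROP rules has matched a packet; the chain blocks nothing")
        for r in dead:
            findings.append(f"{name}: 0 packets matched {r['target']} {r['prot']} "
                            f"{r['src']} -> {r['dst']}")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_iptables_verbose(SAMPLE)):
        print(finding)
```

The counters are the quickest check of whether a rule is on the path the traffic actually takes. OUTPUT matches only packets the host's own IP stack generates, and FORWARD only packets the host routes between interfaces; frames from a guest on a bridged vmnet are handed to the physical NIC by VMware's bridge module without entering the host's IP stack, so neither chain, nor tcpdump on vmnet1 (host-only) or vmnet8 (NAT), sees them. To make netfilter see the guest traffic, put the guest on a host-only or NAT vmnet and write the rules in FORWARD with -i vmnet1 or -i vmnet8 for the guest side; otherwise the filtering has to happen on the switch or upstream firewall.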