[Users] Network firewall doubts on allinone setup
Adrian Gibanel
adrian.gibanel at btactic.com
Wed Dec 19 09:31:32 EST 2012
First I describe my firewall setup:
Default firewall content (/etc/sysconfig/iptables)
----------------------------------
# Generated by ovirt-engine installer
#filtering rules
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [52:9697]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 5900 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 5901 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -p tcp --dport 81 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -p tcp --dport 444 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -p udp --dport 111 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -p tcp --dport 111 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -p udp --dport 892 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -p tcp --dport 892 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -p udp --dport 875 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -p tcp --dport 875 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -p udp --dport 662 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -p tcp --dport 662 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -p tcp --dport 2049 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -p tcp --dport 32803 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -p udp --dport 32769 -j ACCEPT
#drop all rule
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
/etc/libvirt/qemu/networks/honly0200.xml
-------------------------------------------------------
<!--
WARNING: THIS IS AN AUTO-GENERATED FILE. CHANGES TO IT ARE LIKELY TO BE
OVERWRITTEN AND LOST. Changes to this xml configuration should be made using:
virsh net-edit honly0200
or other application using the libvirt API.
-->
<network>
<name>honly0200</name>
<uuid>09697e5f-e834-8f26-c55e-5866cb1abafc</uuid>
<forward mode='nat'/>
<bridge name='honly0200' stp='on' delay='0' />
<mac address='52:54:00:41:16:38'/>
<ip address='192.168.2.1' netmask='255.255.255.248'>
</ip>
</network>
-----------------------------------------------
So if I run:
service iptables restart
then:
iptables -L -v --line-numbers
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
1 504 153K RH-Firewall-1-INPUT all -- any any anywhere anywhere
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
1 0 0 RH-Firewall-1-INPUT all -- any any anywhere anywhere
Chain OUTPUT (policy ACCEPT 478 packets, 159K bytes)
num pkts bytes target prot opt in out source destination
Chain RH-Firewall-1-INPUT (2 references)
num pkts bytes target prot opt in out source destination
1 374 132K ACCEPT all -- lo any anywhere anywhere
2 0 0 ACCEPT icmp -- any any anywhere anywhere icmp any
3 120 19824 ACCEPT all -- any any anywhere anywhere state RELATED,ESTABLISHED
4 0 0 ACCEPT tcp -- any any anywhere anywhere state NEW tcp dpt:ssh
5 0 0 ACCEPT tcp -- any any anywhere anywhere state NEW tcp dpt:rfb
6 0 0 ACCEPT tcp -- any any anywhere anywhere state NEW tcp dpt:5901
7 0 0 ACCEPT tcp -- any any anywhere anywhere state NEW tcp dpt:81
8 8 480 ACCEPT tcp -- any any anywhere anywhere state NEW tcp dpt:snpp
9 0 0 ACCEPT udp -- any any anywhere anywhere state NEW udp dpt:sunrpc
10 0 0 ACCEPT tcp -- any any anywhere anywhere state NEW tcp dpt:sunrpc
11 0 0 ACCEPT udp -- any any anywhere anywhere state NEW udp dpt:892
12 0 0 ACCEPT tcp -- any any anywhere anywhere state NEW tcp dpt:892
13 0 0 ACCEPT udp -- any any anywhere anywhere state NEW udp dpt:rquotad
14 0 0 ACCEPT tcp -- any any anywhere anywhere state NEW tcp dpt:rquotad
15 0 0 ACCEPT udp -- any any anywhere anywhere state NEW udp dpt:pftp
16 0 0 ACCEPT tcp -- any any anywhere anywhere state NEW tcp dpt:pftp
17 0 0 ACCEPT tcp -- any any anywhere anywhere state NEW tcp dpt:nfs
18 0 0 ACCEPT tcp -- any any anywhere anywhere state NEW tcp dpt:32803
19 0 0 ACCEPT udp -- any any anywhere anywhere state NEW udp dpt:filenet-rpc
20 2 80 REJECT all -- any any anywhere anywhere reject-with icmp-host-prohibited
And I also get:
iptables -L -v --line-numbers -t nat
Chain PREROUTING (policy ACCEPT 3021 packets, 300K bytes)
num pkts bytes target prot opt in out source destination
1 0 0 DNAT tcp -- eth0 any anywhere anywhere tcp dpt:50202 to:192.168.2.2:22
2 0 0 DNAT udp -- eth0 any anywhere anywhere udp dpt:50202 to:192.168.2.2:22
Chain INPUT (policy ACCEPT 1296 packets, 78884 bytes)
num pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 2833 packets, 442K bytes)
num pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 2833 packets, 442K bytes)
num pkts bytes target prot opt in out source destination
1 0 0 MASQUERADE tcp -- any any 192.168.2.0/29 !192.168.2.0/29 masq ports: 1024-65535
2 0 0 MASQUERADE udp -- any any 192.168.2.0/29 !192.168.2.0/29 masq ports: 1024-65535
3 0 0 MASQUERADE all -- any any 192.168.2.0/29 !192.168.2.0/29
So... as I want honly0200 to have access to the Internet via NAT, I restart the libvirtd service as suggested here:
http://wiki.libvirt.org/page/Guest_can_reach_host,_but_can%27t_reach_outside_network#1.29_The_iptables_rules_setup_on_the_host_has_been_disturbed.
service libvirtd restart
So if I run:
service iptables restart
after libvirtd has restarted, then:
iptables -L -v --line-numbers
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
1 0 0 ACCEPT udp -- honly0200 any anywhere anywhere udp dpt:domain
2 0 0 ACCEPT tcp -- honly0200 any anywhere anywhere tcp dpt:domain
3 0 0 ACCEPT udp -- honly0200 any anywhere anywhere udp dpt:bootps
4 0 0 ACCEPT tcp -- honly0200 any anywhere anywhere tcp dpt:bootps
5 29974 10M RH-Firewall-1-INPUT all -- any any anywhere anywhere
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
1 0 0 ACCEPT all -- any honly0200 anywhere 192.168.2.0/29 state RELATED,ESTABLISHED
2 0 0 ACCEPT all -- honly0200 any 192.168.2.0/29 anywhere
3 0 0 ACCEPT all -- honly0200 honly0200 anywhere anywhere
4 0 0 REJECT all -- any honly0200 anywhere anywhere reject-with icmp-port-unreachable
5 0 0 REJECT all -- honly0200 any anywhere anywhere reject-with icmp-port-unreachable
6 0 0 RH-Firewall-1-INPUT all -- any any anywhere anywhere
Chain OUTPUT (policy ACCEPT 22701 packets, 7628K bytes)
num pkts bytes target prot opt in out source destination
Chain RH-Firewall-1-INPUT (2 references)
num pkts bytes target prot opt in out source destination
1 25844 9124K ACCEPT all -- lo any anywhere anywhere
2 0 0 ACCEPT icmp -- any any anywhere anywhere icmp any
3 3364 921K ACCEPT all -- any any anywhere anywhere state RELATED,ESTABLISHED
4 0 0 ACCEPT tcp -- any any anywhere anywhere state NEW tcp dpt:ssh
5 0 0 ACCEPT tcp -- any any anywhere anywhere state NEW tcp dpt:rfb
6 0 0 ACCEPT tcp -- any any anywhere anywhere state NEW tcp dpt:5901
7 0 0 ACCEPT tcp -- any any anywhere anywhere state NEW tcp dpt:81
8 458 27480 ACCEPT tcp -- any any anywhere anywhere state NEW tcp dpt:snpp
9 0 0 ACCEPT udp -- any any anywhere anywhere state NEW udp dpt:sunrpc
10 0 0 ACCEPT tcp -- any any anywhere anywhere state NEW tcp dpt:sunrpc
11 0 0 ACCEPT udp -- any any anywhere anywhere state NEW udp dpt:892
12 0 0 ACCEPT tcp -- any any anywhere anywhere state NEW tcp dpt:892
13 0 0 ACCEPT udp -- any any anywhere anywhere state NEW udp dpt:rquotad
14 0 0 ACCEPT tcp -- any any anywhere anywhere state NEW tcp dpt:rquotad
15 0 0 ACCEPT udp -- any any anywhere anywhere state NEW udp dpt:pftp
16 0 0 ACCEPT tcp -- any any anywhere anywhere state NEW tcp dpt:pftp
17 0 0 ACCEPT tcp -- any any anywhere anywhere state NEW tcp dpt:nfs
18 0 0 ACCEPT tcp -- any any anywhere anywhere state NEW tcp dpt:32803
19 0 0 ACCEPT udp -- any any anywhere anywhere state NEW udp dpt:filenet-rpc
20 308 14264 REJECT all -- any any anywhere anywhere reject-with icmp-host-prohibited
And I also get:
iptables -L -v --line-numbers -t nat
Chain PREROUTING (policy ACCEPT 1116 packets, 118K bytes)
num pkts bytes target prot opt in out source destination
1 0 0 DNAT tcp -- eth0 any anywhere anywhere tcp dpt:50202 to:192.168.2.2:22
2 0 0 DNAT udp -- eth0 any anywhere anywhere udp dpt:50202 to:192.168.2.2:22
Chain INPUT (policy ACCEPT 399 packets, 23940 bytes)
num pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 637 packets, 56768 bytes)
num pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 637 packets, 56768 bytes)
num pkts bytes target prot opt in out source destination
1 0 0 MASQUERADE tcp -- any any 192.168.2.0/29 !192.168.2.0/29 masq ports: 1024-65535
2 0 0 MASQUERADE udp -- any any 192.168.2.0/29 !192.168.2.0/29 masq ports: 1024-65535
3 0 0 MASQUERADE all -- any any 192.168.2.0/29 !192.168.2.0/29
So... that's it. The last setup is the one I want to persist. Well, actually, I also need a script called from:
/etc/rc.d/rc.local
to modify the firewall rules later too. But let's focus on restarting the iptables and libvirtd services.
Now I reboot, and you can see that the firewall rules are not the expected ones:
iptables -L -v --line-numbers
Chain INPUT (policy ACCEPT 192K packets, 62M bytes)
num pkts bytes target prot opt in out source destination
1 0 0 ACCEPT udp -- honly0200 any anywhere anywhere udp dpt:domain
2 0 0 ACCEPT tcp -- honly0200 any anywhere anywhere tcp dpt:domain
3 0 0 ACCEPT udp -- honly0200 any anywhere anywhere udp dpt:bootps
4 0 0 ACCEPT tcp -- honly0200 any anywhere anywhere tcp dpt:bootps
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
1 0 0 ACCEPT all -- any honly0200 anywhere 192.168.2.0/29 state RELATED,ESTABLISHED
2 0 0 ACCEPT all -- honly0200 any 192.168.2.0/29 anywhere
3 0 0 ACCEPT all -- honly0200 honly0200 anywhere anywhere
4 0 0 REJECT all -- any honly0200 anywhere anywhere reject-with icmp-port-unreachable
5 0 0 REJECT all -- honly0200 any anywhere anywhere reject-with icmp-port-unreachable
6 0 0 ACCEPT tcp -- eth0 any anywhere 192.168.2.2 tcp dpt:ssh
7 0 0 ACCEPT udp -- eth0 any anywhere 192.168.2.2 udp dpt:ssh
Chain OUTPUT (policy ACCEPT 191K packets, 61M bytes)
num pkts bytes target prot opt in out source destination
and also:
iptables -L -v --line-numbers -t nat
Chain PREROUTING (policy ACCEPT 8683 packets, 933K bytes)
num pkts bytes target prot opt in out source destination
1 0 0 DNAT tcp -- eth0 any anywhere anywhere tcp dpt:50202 to:192.168.2.2:22
2 0 0 DNAT udp -- eth0 any anywhere anywhere udp dpt:50202 to:192.168.2.2:22
Chain INPUT (policy ACCEPT 2687 packets, 165K bytes)
num pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 7602 packets, 936K bytes)
num pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 7602 packets, 936K bytes)
num pkts bytes target prot opt in out source destination
1 0 0 MASQUERADE tcp -- any any 192.168.2.0/29 !192.168.2.0/29 masq ports: 1024-65535
2 0 0 MASQUERADE udp -- any any 192.168.2.0/29 !192.168.2.0/29 masq ports: 1024-65535
3 0 0 MASQUERADE all -- any any 192.168.2.0/29 !192.168.2.0/29
I suppose I will fix this issue by running the iptables and libvirtd service restarts from rc.d/rc.local, but...
I would like to understand a little better what's going on under the hood so that I don't have to implement workarounds.
So... is there any other service that might modify the iptables rules? Maybe one that is oVirt specific?
Thank you.
--
Adrián Gibanel
I.T. Manager
+34 675 683 301
www.btactic.com
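An added check, not part of the original post, for the post-reboot state shown above: the filter INPUT chain is left with policy ACCEPT and no jump to RH-Firewall-1-INPUT, so nothing rejects unsolicited traffic to the host. The script takes iptables -S style output and reports which of the oVirt-generated pieces are absent; the two sample rulesets are constructed here from the rules in the post (trimmed), and the chain name and REJECT rule are the ones the post shows.

```shell
#!/bin/sh
# Added example, not code from the original post: verify that the
# oVirt-generated filtering chain is still wired in after a reboot.
# Input is iptables -S style output, so saved snapshots can be checked too.

# Constructed sample: post-reboot state from the post, trimmed. libvirt's
# rules are there, but the RH-Firewall-1-INPUT chain is gone entirely.
SAMPLE_AFTER_REBOOT='-P INPUT ACCEPT
-P FORWARD ACCEPT
-A INPUT -i honly0200 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i honly0200 -p tcp -m tcp --dport 53 -j ACCEPT
-A FORWARD -d 192.168.2.0/29 -o honly0200 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 192.168.2.0/29 -i honly0200 -j ACCEPT'

# Constructed sample: the wanted state (iptables restarted after libvirtd), trimmed.
SAMPLE_EXPECTED='-P INPUT ACCEPT
-P FORWARD ACCEPT
-N RH-Firewall-1-INPUT
-A INPUT -i honly0200 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -s 192.168.2.0/29 -i honly0200 -j ACCEPT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited'

# check_ruleset RULESET: print each required rule that is absent and
# return non-zero if any is missing. Exact-line matching (-Fx) so that a
# similar rule on another chain or with extra matches does not count.
check_ruleset() {
    ruleset=$1
    missing=0
    for want in \
        '-A INPUT -j RH-Firewall-1-INPUT' \
        '-A FORWARD -j RH-Firewall-1-INPUT' \
        '-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited'
    do
        if ! printf '%s\n' "$ruleset" | grep -Fxq -- "$want"; then
            echo "MISSING: $want"
            missing=$((missing + 1))
        fi
    done
    [ "$missing" -eq 0 ]
}

# Live use (as root): check_ruleset "$(iptables -S)" || echo "host is unfiltered"
```

Run it from rc.local after the restarts, or from cron, to catch the case where something later flushes the chain again.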