Hi folks,
Hope everyone is doing alright.
I am having trouble with my new IPTables firewall. In this case, the firewall houses some VMs which provide various services like DHCP, DNS, Web, etc. (I am on a big consolidation kick lately). Because of the VMs, I am using bridged networking on the internal interface for the firewall.
Here is the diagram:
(Teh Intarweb) --> eth0 (hardware) -> MASQ -> br0
br0 is comprised of:
eth2, vmnet0, vmnet1, vmnet2. Clearly the vmnetX's are the KVM boxes I am running. I cna confirm that before I did the MASQ, I could access the internet from any of these machines, but now I would like to make the host PC the firewall and not use the IPCop machine I have been using (reliably) for years.
br0 has an address of 172.27.20.1/24, while vmnet0's OS has 172.27.20.2, vmnet1 has 172.27.20.4, and vmnet2 is 172.27.20.7. A reminder that eth0 (external interface to my Rogers internet) has not been bridged. It gets an IP and the host OS can surf the web without issue.
Here is my firewall script for your reference. I pray an iptables guru may come upon this thread and provide guidance.
Thanks!
----------------------
Hope everyone is doing alright.
I am having trouble with my new IPTables firewall. In this case, the firewall houses some VMs which provide various services like DHCP, DNS, Web, etc. (I am on a big consolidation kick lately). Because of the VMs, I am using bridged networking on the internal interface for the firewall.
Here is the diagram:
(Teh Intarweb) --> eth0 (hardware) -> MASQ -> br0
br0 is comprised of:
eth2, vmnet0, vmnet1, vmnet2. Clearly the vmnetX's are the KVM boxes I am running. I cna confirm that before I did the MASQ, I could access the internet from any of these machines, but now I would like to make the host PC the firewall and not use the IPCop machine I have been using (reliably) for years.
br0 has an address of 172.27.20.1/24, while vmnet0's OS has 172.27.20.2, vmnet1 has 172.27.20.4, and vmnet2 is 172.27.20.7. A reminder that eth0 (external interface to my Rogers internet) has not been bridged. It gets an IP and the host OS can surf the web without issue.
Here is my firewall script for your reference. I pray an iptables guru may come upon this thread and provide guidance.
Thanks!
----------------------
Code:
#!/bin/bash
# Version 0.1 of the new firewall configuration... here goes nothing!!!
# Josh Burstyn, June 04, 2008.
# /etc/firewall_start.sh
clear
echo -e ""
echo -e ""
echo -e "\aStarting up the firewall..."
echo -e ""
echo -e "Disabling STP on the bridges... Performance++"
brctl stp br0 off
brctl stp br1 off
echo -e ""
echo -e "Flushing existing rules down the toilet..."
iptables -F
iptables -F -t nat
iptables -F -t mangle
echo -e ""
echo -e "Deleting any predefined chains..."
iptables -X
echo -e ""
echo -e "Setting up forwarding in the kernel..."
echo "1" > /proc/sys/net/ipv4/ip_forward
echo -e ""
echo -e "Making the default local POLICY secure..."
iptables -P INPUT DROP
echo -e ""
echo -e "Making 'lo' a trusted device..."
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
echo -e ""
echo -e "Allowing established connections back into our network..."
iptables -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
echo -e ""
echo -e "Allowing SSH connections to the local machine from outside..."
iptables -A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT
echo -e ""
echo -e "Allowing VPN traffic to enter the network via ppp interfaces..."
iptables -A INPUT -i ppp+ -j ACCEPT
echo -e ""
echo -e "Allowing traffic routed to the internal (InternetStylist) interface..."
iptables -A INPUT -i br0 -j ACCEPT
echo -e ""
echo -e "Allowing UDP traffic on the external interface (VPN ports)..."
iptables -A INPUT -m state --state NEW -m udp -p udp --dport 500 -j ACCEPT iptables -A INPUT -m state --state NEW -m udp -p udp --dport 4500 -j ACCEPT
echo -e ""
echo -e "Allowing TCP traffic on the external interface (VPN ports)..."
iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 4500 -j ACCEPT
echo -e ""
echo -e "Time to load the NAT modules if it hasn't already been inserted..."
modprobe iptable_nat
echo -e ""
echo -e "Setting FORWARD'ed packets to drop unless there's an ongoing conn..."
iptables -P FORWARD DROP
iptables -A FORWARD -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
echo -e ""
echo -e "Setup the NAT'ing (MASQ) from eth0 to br0..."
iptables -t nat -A POSTROUTING -o eth0 -s 172.27.20.0/24 -j MASQUERADE
echo -e ""
echo -e "Allowing traffic to freely flow on the br1 interface..."
iptables -A INPUT -i br1 -j ACCEPT
iptables -A OUTPUT -o br1 -j ACCEPT
echo -e ""
echo -e "Allowing traffic to freely flow on the br0 interface..."
iptables -A INPUT -i br0 -j ACCEPT
iptables -A OUTPUT -o br0 -j ACCEPT
echo -e ""
echo -e "Done the configuration... relax!"