3

I have a dedicated server (which I only use as a lab/testing environment). On the server CentOS 5.6 is running and it is functioning as a KVM host.

To secure things a little I want to do the following: use 'iptables' to only allow traffic from certain IP addresses (my own addresses).

My current iptables configuration looks as follows:

[kvm]# iptables -L -v
Chain INPUT (policy ACCEPT 4927K packets, 6424M bytes)
 pkts bytes target     prot opt in     out     source               destination         
   41  2744 ACCEPT     udp  --  virbr0 any     anywhere             anywhere            udp dpt:domain 
    0     0 ACCEPT     tcp  --  virbr0 any     anywhere             anywhere            tcp dpt:domain 
   66 21810 ACCEPT     udp  --  virbr0 any     anywhere             anywhere            udp dpt:bootps 
    0     0 ACCEPT     tcp  --  virbr0 any     anywhere             anywhere            tcp dpt:bootps 
3573K 3515M fail2ban-SSH  tcp  --  any    any     anywhere             anywhere            tcp dpt:ssh 

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
 470K  700M ACCEPT     all  --  any    virbr0  anywhere             192.168.122.0/24    state RELATED,ESTABLISHED 
 171K 9558K ACCEPT     all  --  virbr0 any     192.168.122.0/24     anywhere            
    0     0 ACCEPT     all  --  virbr0 virbr0  anywhere             anywhere            
    0     0 REJECT     all  --  any    virbr0  anywhere             anywhere            reject-with icmp-port-unreachable 
    0     0 REJECT     all  --  virbr0 any     anywhere             anywhere            reject-with icmp-port-unreachable 

Chain OUTPUT (policy ACCEPT 3115K packets, 5798M bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain fail2ban-SSH (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DROP       all  --  any    any     somehost1.net        anywhere            
   19  2176 DROP       all  --  any    any     somehost2.net        anywhere            
   21  1668 DROP       all  --  any    any     somehost3.net        anywhere            
3573K 3515M RETURN     all  --  any    any     anywhere             anywhere

I did not make any changes myself to the iptables configuration, although I think that KVM (virt-manager or the like) and fail2ban made some changes to it.

Could somebody help me to create the iptables script that ensures that KVM is still working but only traffic from certain IP addresses is allowed? ALL the rest can be dropped. There should not be any restriction from the server itself to the Internet.

Update: as requested output above is now with -v.

Caleb
St. Even
  • can you run iptables -L -v so the output contains the interface details – Phil Apr 20 '11 at 10:36
  • On which network the VMs are? Is it the 192.168.122.0/24 private network? Is the KVM host connected directly to the internet? Please post the output of `route -n`. – Eduardo Ivanec Apr 20 '11 at 11:52
  • You are correct, the VMs are on 192.168.122.0/24. The KVM host is connected directly to the Internet with a public IP address. Output of `route -n`:

    [kvm]# route -n
    Kernel IP routing table
    Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
    xxx.yyy.zzz.www 0.0.0.0         255.255.255.0   U     0      0        0 eth0
    192.168.122.0   0.0.0.0         255.255.255.0   U     0      0        0 virbr0
    169.254.0.0     0.0.0.0         255.255.0.0     U     0      0        0 eth0
    0.0.0.0         xxx.yyy.zzz.www 0.0.0.0         UG    0      0        0 eth0

    – St. Even Apr 20 '11 at 13:35
  • Related: http://unix.stackexchange.com/questions/11851/iptables-allow-certain-ips-and-block-all-other-connection – kolypto Mar 13 '14 at 22:15

2 Answers

5
# Set the default action to DROP anything not explicitly allowed
iptables -P INPUT DROP
# Allow any incoming connection from 192.168.0.1
# (-I puts the rule at the top of INPUT, ahead of the fail2ban-SSH jump)
iptables -I INPUT -s 192.168.0.1 -j ACCEPT
# Allow incoming packets that belong to a connection the host itself initiated to "outside"
iptables -I INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

This should work. Replace 192.168.0.1 with the IP address that you want to have access.
Be careful: all other connections will be dropped (including your own, if you are connected via SSH or telnet).

GitaarLAB
Casper
    After the 1st command is entered, the current SSH connection is immediately blocked, careful! – kolypto Mar 13 '14 at 21:17
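The order of the three commands in the answer above is what locks the current session out: once the policy is DROP and no ESTABLISHED,RELATED rule exists yet, the packets of the SSH session you are typing in hit the policy. The script below is an added example (not part of the answer or the original post) that applies the same whitelist idea in a safe order on this CentOS 5.6 host, leaves libvirt's virbr0 rules, the FORWARD chain and the nat table alone, and arms a timed rollback so a typo cannot cost you the box. The admin addresses 203.0.113.10 and 203.0.113.11 are constructed placeholders (RFC 5737 documentation range); eth0 and virbr0 are taken from the route -n output in the question; `-m state` is used because that is the match available on the iptables shipped with CentOS 5.

```shell
#!/bin/sh
# Whitelist-only INPUT chain for a CentOS 5.6 KVM host (added example).
# Assumptions, not from the original post: the admin addresses below are
# RFC 5737 placeholders, the public interface is eth0 and the libvirt bridge
# is virbr0 (both from the question's route -n output).
ADMIN_IPS="${ADMIN_IPS:-203.0.113.10 203.0.113.11}"   # replace with your own addresses
WAN_IF="${WAN_IF:-eth0}"
GUARD_SECONDS=120

pos=0
# ins: print an insert at the NEXT position of INPUT, so our rules end up at
# the top of the chain in exactly the order listed in build_rules, above the
# virbr0 DNS/DHCP rules libvirt added and the fail2ban-SSH jump. Those stay
# untouched, as do the FORWARD chain and the nat-table MASQUERADE for guests.
ins() {
  pos=$((pos + 1))
  printf 'iptables -I INPUT %d %s\n' "$pos" "$*"
}

# build_rules: print the commands, one per line, in the order they must run.
# The policy flip is deliberately LAST: with the ESTABLISHED,RELATED rule in
# place first, an SSH session that is already open survives the change.
build_rules() {
  pos=0
  ins -i lo -j ACCEPT
  ins -m state --state RELATED,ESTABLISHED -j ACCEPT
  for ip in $ADMIN_IPS; do
    ins -i "$WAN_IF" -s "$ip" -j ACCEPT
  done
  # Host -> Internet stays unrestricted, as the question asks.
  printf 'iptables -P OUTPUT ACCEPT\n'
  # Everything not matched above (new connections from any other address,
  # including SSH) is dropped by the policy.
  printf 'iptables -P INPUT DROP\n'
}

# apply_rules: run the commands with a dead man's switch. The current rule set
# is saved and restored after GUARD_SECONDS unless the admin, having confirmed
# that a NEW ssh login from a whitelisted address works, kills the guard.
apply_rules() {
  backup=$(mktemp /tmp/iptables.XXXXXX) || exit 1
  iptables-save > "$backup"
  ( sleep "$GUARD_SECONDS" && iptables-restore < "$backup" ) &
  guard=$!
  build_rules | sh -e
  echo "Applied. Open a new SSH session from a whitelisted address, then run:"
  echo "  kill $guard   # within ${GUARD_SECONDS}s, or the old rules come back"
  echo "Previous rule set saved in $backup"
}

case "${1:-}" in
  --apply) apply_rules ;;   # needs root
  *)       build_rules ;;   # dry run: only print what would be executed
esac
```

Run it without arguments first and read the generated commands; run `./whitelist.sh --apply` as root only when they look right, then confirm a fresh login and kill the guard. Once you are satisfied, `service iptables save` writes the live rules to /etc/sysconfig/iptables so they survive a reboot; libvirt re-adds its own virbr0 rules on start regardless.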
0

Keeping the VM on a NAT-ed link will seriously hit its performance; using bridged networking is much faster and more efficient. The simpler setup would be to set up a bridge and configure the VM's own firewall to drop whatever is unwanted.

dyasny