
Is it possible on Linux to have a whitelist of IPs that are allowed to reach a specific VM on the internal NAT? e.g. (public IP (Proxmox) --> my VM for whitelisted IPs (192.168.0.1)), and if the traffic is not on the whitelist, just route it to 192.168.0.2?

The problem is that a certain service is suffering from attacks, so I want users to register on a website before they can connect to the real deal (and if anyone tries, they will connect to a dummy server on 192.168.0.2 which will catch all the attacks and display a message telling users they need to register before connecting).

(If anyone needs a visualization to make it easier, because maybe my storywriting skills aren't that good, here is a link: http://i.imgur.com/BCCkhmm.png)

Additional question: Is it somehow possible for packets with a certain signature (for example QUERY packets) to always be allowed for any IP, even non-whitelisted ones (redirecting this traffic to where whitelisted traffic goes)?

Gizmo

1 Answer

You can selectively DNAT based on source IP address.

For example:

ipset destroy whitelist   # this may error the first time, when the set does not exist yet
ipset create whitelist hash:ip hashsize 32768
ipset -A whitelist <ip_address1>
ipset -A whitelist <ip_address2>
# "src" tells the set match which address to look up (the source address);
# without it iptables complains that --match-set requires two arguments.
iptables -t nat -A PREROUTING -p tcp --dport 80 -m set --match-set whitelist src -j DNAT --to 192.168.0.1
iptables -t nat -A PREROUTING -p tcp --dport 80 -m set ! --match-set whitelist src -j DNAT --to 192.168.0.2

You may still need other rules in `-t filter -A FORWARD` to allow the connections across, and ip_forward needs to be enabled, which it should already be on Proxmox.

Andrew Domaszek
  • Whoa, sounds nice :D What does the hash:ip 32768 do? As far as I'm concerned one IP == 4 bytes max, or 32768 bytes here? Also, is it possible to do FROM port 7777 TO 192.168.0.1:7777 for whitelisted and FROM 7777 TO 192.168.0.1:7778 for non-whitelisted? – Gizmo Nov 20 '14 at 09:41
  • Also, I'm not a Linux expert, but is the command compatible when I open ports like this (got it from the internet): `iptables -t nat -A PREROUTING -i vmbr0 -p udp --dport 7777 -j DNAT --to 192.168.0.1:7777` – Gizmo Nov 20 '14 at 09:49
  • That would work. Just add the -m set --match-set stuff. – Andrew Domaszek Nov 20 '14 at 09:50
  • Nice :) Also, I updated the question if you don't mind :$ one more small thing (at the bottom), or at least I hope it's small. – Gizmo Nov 20 '14 at 09:53
  • If redirecting certain packets is not possible I'll just accept the answer :) – Gizmo Nov 20 '14 at 11:28
  • I'm getting an error: --match-set requires two args? – Gizmo Nov 21 '14 at 02:52
  • Okay, kinda fixed it myself, but there are still problems. The commands which I used: `iptables -t nat -A PREROUTING -i vmbr0 -p udp --dport 7777 -m set --match-set whitelist src -j DNAT --to 192.168.0.1:7777` and `iptables -t nat -A PREROUTING -i vmbr0 -p udp --dport 7777 -m set ! --match-set whitelist src -j DNAT --to 192.168.0.1:7778` – Gizmo Nov 21 '14 at 03:03
  • The problem is that when I do `ipset -A whitelist 82.162.65.65` I still can't reach port 7777; I'm always being redirected to port 7778 – Gizmo Nov 21 '14 at 03:03
  • Ah okay, it eventually does get redirected, but it takes a long time to apply. Is there some setting to apply it immediately? – Gizmo Nov 21 '14 at 03:10
  • Probably not, you could flush the connection out of conntrack, but you'd have to do it manually. – Andrew Domaszek Nov 21 '14 at 04:13
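A fuller, re-runnable version of the answer's approach, as an added example (not the answer's or the commenters' own commands): it uses the UDP/7777 setup from the comments, puts the split into a dedicated nat chain, adds the FORWARD and ip_forward pieces the answer mentions, and, when registering a client, flushes that client's conntrack entries so the switch from dummy to real server is immediate (the manual step from the last comment). The chain name VM_SPLIT and the DRY_RUN switch are assumptions for this script; all addresses and ports are taken from the thread and can be overridden through the environment.

```shell
#!/bin/sh
# Selective DNAT by source address, added example (not the answer's own script).
# Assumed values: bridge vmbr0, UDP/7777, real server 192.168.0.1, dummy 192.168.0.2.
# The nat chain name VM_SPLIT is a hypothetical choice for this script.
# DRY_RUN=1 prints every command instead of running it (review before applying).
IFACE="${IFACE:-vmbr0}"; PROTO="${PROTO:-udp}"; PORT="${PORT:-7777}"
REAL="${REAL:-192.168.0.1}"; DUMMY="${DUMMY:-192.168.0.2}"
SET="${SET:-whitelist}"; CHAIN="${CHAIN:-VM_SPLIT}"

run() { if [ "${DRY_RUN:-0}" = "1" ]; then echo "$*"; else "$@"; fi; }

setup_rules() {
    # hashsize is the initial number of hash buckets (a power of two), not a
    # byte limit; -exist makes re-running the script harmless.
    run ipset create "$SET" hash:ip hashsize 32768 -exist
    # Keep the split in its own nat chain so it can be rebuilt without
    # touching the rest of PREROUTING.
    run iptables -t nat -N "$CHAIN" 2>/dev/null || true
    run iptables -t nat -F "$CHAIN"
    # Whitelisted sources reach the real server, everyone else the dummy.
    run iptables -t nat -A "$CHAIN" -m set --match-set "$SET" src \
        -j DNAT --to-destination "$REAL:$PORT"
    run iptables -t nat -A "$CHAIN" -j DNAT --to-destination "$DUMMY:$PORT"
    # Hook the chain into PREROUTING exactly once (remove a stale copy first).
    run iptables -t nat -D PREROUTING -i "$IFACE" -p "$PROTO" --dport "$PORT" -j "$CHAIN" 2>/dev/null || true
    run iptables -t nat -A PREROUTING -i "$IFACE" -p "$PROTO" --dport "$PORT" -j "$CHAIN"
    # The answer's caveat: DNATed packets must still pass FORWARD, and
    # forwarding must be enabled.
    run iptables -D FORWARD -i "$IFACE" -p "$PROTO" -m conntrack --ctstate DNAT -j ACCEPT 2>/dev/null || true
    run iptables -A FORWARD -i "$IFACE" -p "$PROTO" -m conntrack --ctstate DNAT -j ACCEPT
    run sysctl -w net.ipv4.ip_forward=1
}

# Register a client, then drop its existing conntrack entries so the flow that
# is already pinned to the dummy is re-evaluated by PREROUTING immediately
# rather than when the UDP entry times out (the delay noted in the comments).
allow_client() {
    run ipset add "$SET" "$1" -exist
    run conntrack -D -s "$1" -p "$PROTO" --dport "$PORT" || true
}

case "${1:-}" in
    setup) setup_rules ;;
    allow) [ -n "${2:-}" ] && allow_client "$2" ;;
esac
```

Run `DRY_RUN=1 sh split-nat.sh setup` to see the rules it would install, then `sh split-nat.sh allow <client_ip>` from the registration hook.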