Host firewall -- SOLVED [message #3022]
Mon, 08 May 2006 15:44
ferp2
Messages: 29 Registered: May 2006
Junior Member
Hello,
I have a generic firewall script that normally runs fine, but it is giving me access problems between the host system and the vps. The firewall is set up for connection tracking using:
/sbin/modprobe ip_conntrack "ip_conntrack_enable_ve0=1"
With the host system firewall activated:
- I cannot ping a vps from the host system. The message I get is:
ping: sendmsg: Operation not permitted
- I cannot ping the host system from the vps either.
- I can successfully ping a separate machine on the same subnet from the host system.
- I can successfully ping the host system from a separate machine on the same subnet.
With the INPUT and OUTPUT policy set to ACCEPT, or the host system firewall deactivated:
- I can successfully ping a vps from the host system.
- I can successfully ping the host system from the vps.
How do I maintain the INPUT and OUTPUT policy set to DROP on the host system, and yet still be able to successfully ping the vps from the host system and vice versa?
Thank you.
[Updated on: Thu, 11 May 2006 12:45]
Re: Host firewall [message #3066 is a reply to message #3022]
Wed, 10 May 2006 13:03
ferp2
Messages: 29 Registered: May 2006
Junior Member
vps:
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Tried the following:
set host input policy to accept and output policy to deny = vps can ping host, host cannot ping vps.
set host output policy to accept and input policy to deny = vps cannot ping host, host can ping vps.
Here are the host iptables rules:
# Path to executable
IPT="/sbin/iptables"
# Enable OVZ kernel conntracks in host system
/sbin/modprobe ip_conntrack "ip_conntrack_enable_ve0=1"
# Enable FTP connection tracking
#/sbin/modprobe ip_conntrack_ftp
# Open ports for limited access
OPENPORTS="22"
# INTERFACES
INTERFACE="eth0" # Internet-connected interface
LOOPBACK_INTERFACE="lo" # Loopback interface
IPADDR="192.168.0.7"
# NETWORKS
LOOPBACK="127.0.0.0/8" # reserved loopback address range
CLASS_A="10.0.0.0/8" # class A private networks
CLASS_B="172.16.0.0/12" # class B private networks
CLASS_C="192.168.0.0/16" # class C private networks
CLASS_D_MULTICAST="224.0.0.0/4" # class D multicast addresses
CLASS_E_RESERVED_NET="240.0.0.0/5" # class E reserved addresses
BROADCAST_SRC="0.0.0.0" # broadcast source address
BROADCAST_DEST="255.255.255.255" # broadcast destination address
# SUBNET
LAN="192.168.0.0/24"
# PORTS
PRIVPORTS="0:1023" # privileged port range
UNPRIVPORTS="1024:65535" # unprivileged port range
# ==============================
# Reset chains and set policies
# ==============================
# Remove any existing rules from all chains
$IPT -t filter --flush
$IPT -t nat --flush
$IPT -t mangle --flush
# Set default policy for all chains
# filter
$IPT --policy INPUT DROP
$IPT --policy OUTPUT DROP
$IPT --policy FORWARD ACCEPT
# Don't set nat and mangle tables to DROP unless
# you know what you're doing
# nat
#$IPT -t nat --policy PREROUTING DROP
#$IPT -t nat --policy OUTPUT DROP
#$IPT -t nat --policy POSTROUTING DROP
# mangle
#$IPT -t mangle --policy PREROUTING DROP
#$IPT -t mangle --policy OUTPUT DROP
# Remove any pre-existing user-defined chains
$IPT -t filter --delete-chain
#$IPT -t nat --delete-chain
#$IPT -t mangle --delete-chain
# ================================================
# Using connection state to by-pass rule checking
# ================================================
# Using the state module alone, INVALID will break protocols that use
# bi-directional connections or multiple connections or exchanges,
# unless an ALG is provided for the protocol. At this time, FTP and
# IRC are the only protocols with ALG support.
$IPT -I INPUT 1 -p ALL -m state --state RELATED,ESTABLISHED -j ACCEPT
$IPT -I OUTPUT 1 -p ALL -m state --state RELATED,ESTABLISHED -j ACCEPT
#$IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
#$IPT -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# above 2 rules allow response to future rules using --state NEW
# Give this computer unrestricted access to the internet
$IPT -A OUTPUT -p ALL -o $INTERFACE -j ACCEPT
# Set traffic on the loopback interface to unrestricted
$IPT -A INPUT -i $LOOPBACK_INTERFACE -j ACCEPT
$IPT -A OUTPUT -o $LOOPBACK_INTERFACE -j ACCEPT
# ===================================
# Allow lan to ping host
#$IPT -A INPUT -i $INTERFACE -p icmp \
#--icmp-type echo-request -s $LAN \
#-d $IPADDR -m state --state NEW -j ACCEPT
# Allow LAN/PORTA to ping host
$IPT -A INPUT -i $INTERFACE -p icmp -s $LAN \
--icmp-type echo-request -d $IPADDR -j ACCEPT
$IPT -A OUTPUT -o $INTERFACE -p icmp -s $IPADDR \
--icmp-type echo-reply -d $LAN -j ACCEPT
# ===================================
# Allow limited access to host
for f in $OPENPORTS; do
$IPT -A INPUT -i $INTERFACE -p tcp \
-s $LAN -d $IPADDR --dport $f \
-m state --state NEW -j ACCEPT
done
Hope this helps.
Re: Host firewall [message #3086 is a reply to message #3075]
Thu, 11 May 2006 12:44
ferp2
Messages: 29 Registered: May 2006
Junior Member
Yes, that's the solution. I should have realized communication between the host and vps occurs on the venet0 interface.
Thanks for your help.
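The reply that carried the fix (message #3075) is not on this page, but the final post states the key fact: host-to-VPS traffic leaves through venet0, not eth0, so the script's `-o $INTERFACE` rule never matched it and the OUTPUT DROP policy produced the `sendmsg: Operation not permitted` error. As an added example, not part of the thread or of the poster's script, here are the two rules the host-side script was missing, written in the same style (the `$IPT` variable, ICMP echo-request only, replies left to the RELATED,ESTABLISHED rules the script already inserts at position 1 with `ip_conntrack_enable_ve0=1`), plus a small check that reads `iptables -S` output and reports whether venet0 rules are in place. Only the interface name venet0 comes from the thread; the function names, the `DRY_RUN` switch and the constructed rule dump used below are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): venet0 rules for an OpenVZ host whose
# INPUT and OUTPUT policies are DROP, plus a check for their presence.
# Assumed: venet0 is the host-side OpenVZ device (confirm with `ip link`).

IPT="${IPT:-/sbin/iptables}"
VENET_INTERFACE="${VENET_INTERFACE:-venet0}"

# Append the two rules the poster's script lacks.  With DRY_RUN=1 the
# commands are printed instead of executed so the change can be reviewed.
# Echo replies in both directions are covered by the script's existing
# "-m state --state RELATED,ESTABLISHED" rules, so only the requests need
# an explicit ACCEPT here (least privilege: no blanket "-i venet0 ACCEPT").
host_venet_rules() {
    run="$IPT"
    [ "${DRY_RUN:-0}" = "1" ] && run="echo $IPT"
    # Host -> VPS: echo-request leaving via venet0 (the path that was dropped).
    $run -A OUTPUT -o "$VENET_INTERFACE" -p icmp --icmp-type echo-request -j ACCEPT
    # VPS -> host: echo-request arriving on venet0.
    $run -A INPUT -i "$VENET_INTERFACE" -p icmp --icmp-type echo-request -j ACCEPT
    # Any further VPS -> host service should be opened per port, exactly as
    # the poster's OPENPORTS loop does for the LAN, e.g.
    #   $IPT -A INPUT -i venet0 -p tcp --dport 22 -m state --state NEW -j ACCEPT
}

# Read an `iptables -S` dump on stdin and succeed only if both an INPUT rule
# for traffic arriving on venet0 and an OUTPUT rule for traffic leaving via
# venet0 end in ACCEPT.  (iptables -S prints echo-request as "--icmp-type 8",
# so the match is on interface and target, not on the ICMP type spelling.)
venet_rules_present() {
    rules=$(cat)
    printf '%s\n' "$rules" | grep -q -- "^-A INPUT -i $VENET_INTERFACE .*-j ACCEPT" &&
    printf '%s\n' "$rules" | grep -q -- "^-A OUTPUT -o $VENET_INTERFACE .*-j ACCEPT"
}

# Stand-alone use: `sh venet-rules.sh apply` loads the rules and then checks
# the live rule set; `DRY_RUN=1 sh venet-rules.sh apply` only prints them.
if [ "${1:-}" = "apply" ]; then
    host_venet_rules
    if [ "${DRY_RUN:-0}" != "1" ]; then
        "$IPT" -S | venet_rules_present && echo "venet0 rules present"
    fi
fi
```

Placing the rules after the RELATED,ESTABLISHED entries keeps the script's ordering: conntrack passes the replies, and the two new lines admit only the requests, so the host still drops everything else a VPS might send it unless a port rule like the script's OPENPORTS loop opens it.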