Iptables Basics - Drop Packets To Local Network


ascorbic

I have a virtual machine on my network which I do not want to be able to access the local network. My router runs dd-wrt. The virtual machine is running within esxi. I looked into vlans, but that seems like it would segment the entire virtual server. I only want one specific virtual machine to be segmented so that it can only access the internet.

I am thinking that adding an IPTables rule to drop all local traffic from that ip/mac address would be the best solution, but I am more than open to other suggestions. I am not worried about ip/mac address spoofing.

Do you have any other suggestion? If not what would the IPTables rule look like?

Thanks!

Honestly a deny all access list for it would probably work better, but I don't think DD-WRT has that type of functionality. Another way would be to use the deny feature using the Access Restrictions. But for adding for an IP table, the command would look something like this:

iptables -I FORWARD -d IP ADDRESS -j DROP

Or if you wanted it to generate a log to see if someone's really trying to get into it, use:

iptables -I FORWARD -d IP ADDRESS -j logdrop

Thanks for the reply. It looks like the access restriction features of dd-wrt only can deny outgoing (internet) traffic. I want to only allow internet traffic and deny all local traffic.

How do these iptables rules allow internet access but deny local intranet traffic?

You want to treat it like it's on a DMZ?

Almost. I am going to forward a few ports to that machine but I am also going to open up RDP. I do not want the external RDP users to be able to access my local network. I have little doubt they will try so I want a basic level of security to protect against it.

Well, your issue is this. iptables won't filter traffic on the same subnet. The only thing I can think of (others may have more input as I'm not too hot with DD-WRT) is to make a vlan, then apply an iptable to that vlan to allow/deny traffic. Let me tinker with something real quick.

Ahh interesting... Yes all the machines are on the same subnet. The problem with the VLAN, at least that it seems to me, is that it will filter out the entire virtual server. There is only one physical ethernet cable connected to the physical machine, but there are a few virtual machines.

I feel like this has to be possible. When you buy a virtual server from godaddy, you cannot access local traffic. I am basically trying to mimic the same setup.

Virtual machines will still have their own IP addresses so you can filter by that as long as they're on another vlan.

This *might* work. But I don't have your type of setup so I really can't test it.

iptables -I FORWARD 1 -s 192.168.1.xx -d 192.168.2.xx -p tcp -m multiport --dports 21,80,443,3389 -j ACCEPT

iptables -I FORWARD 2 -m state --state ESTABLISHED,RELATED -j ACCEPT

iptables -I FORWARD 3 -s 192.168.1.xx -d 192.168.2.xx -p all -j DROP

Pretty much it says if your source is trying to get to this destination, only allow this protocol (TCP) and only allow it to access these ports. If it's anything else trying to get to this IP, drop the traffic.

And GoDaddy has quite a large infrastructure with some pretty crazy virtual switch and layer 3 switch setups. :P

Edited by ZazenSec
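The rules above filter one VM against one specific destination host. The following is an added example, not code from this thread or from DD-WRT, that generalises the same FORWARD-chain idea to the original question: let the VM out to the internet, drop anything it sends toward any private (RFC 1918) address. The VM address `192.168.2.10`, the WAN interface name `vlan2` and the chain name `vm_isolate` are constructed placeholders. The caveat ZazenSec raised still applies: the router only forwards traffic that crosses subnets, so the VM must sit on its own VLAN/subnet (or behind a firewall VM) before any of these rules see its packets.

```shell
#!/bin/sh
# Added example (not from the thread or from DD-WRT's own scripts): build a FORWARD-chain
# policy that lets one VM reach the internet while dropping anything it sends toward
# private (RFC 1918) address space. VM address and interface name are assumed placeholders.

VM_IP="${VM_IP:-192.168.2.10}"   # assumed: isolated VM on its own subnet
WAN_IF="${WAN_IF:-vlan2}"        # assumed: DD-WRT WAN interface (differs per router model)

# Print the iptables commands instead of running them, so they can be reviewed first.
# $1 = VM address, $2 = WAN interface name.
isolate_vm_rules() {
    vm="$1"
    wan_if="$2"
    # A dedicated chain keeps the policy in one place and makes it easy to flush/re-apply.
    echo "iptables -N vm_isolate"
    echo "iptables -F vm_isolate"
    # Replies to connections the VM opened (e.g. to the internet) keep flowing.
    echo "iptables -A vm_isolate -m state --state ESTABLISHED,RELATED -j ACCEPT"
    # New connections from the VM to any private range are dropped.
    for net in 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16; do
        echo "iptables -A vm_isolate -d $net -j DROP"
    done
    # What is left is internet-bound: allow it only if it actually exits via the WAN side.
    echo "iptables -A vm_isolate -o $wan_if -j ACCEPT"
    echo "iptables -A vm_isolate -j DROP"
    # Hook the chain in ahead of DD-WRT's own FORWARD rules for packets from the VM.
    echo "iptables -I FORWARD 1 -s $vm -j vm_isolate"
}

# Number of DROP rules the generated policy contains (quick sanity check).
drop_rule_count() {
    isolate_vm_rules "$1" "$2" | grep -c -- '-j DROP'
}

# Apply for real (needs root on the router, e.g. from the DD-WRT firewall script hook).
apply_rules() {
    isolate_vm_rules "$VM_IP" "$WAN_IF" | while read -r cmd; do
        $cmd || echo "failed: $cmd" >&2
    done
}

# Default action when run directly: show the rules that would be applied.
isolate_vm_rules "$VM_IP" "$WAN_IF"
```

After applying, `iptables -L FORWARD -v -n --line-numbers` and `iptables -L vm_isolate -v -n` show the hook and the per-rule packet counters, which is the quickest way to confirm the VM's LAN-bound packets are actually hitting the DROP rules rather than bypassing the router at layer 2. This only covers traffic from the VM; blocking LAN hosts from opening connections to the VM would need a matching rule on `-d $vm`.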
That's a lot of headache when you can set up in your virtual machine software a local VM network.

Or in the router, maybe something like:

Filter Internet NAT Redirection. This feature uses port forwarding to block access to local servers from local networked computers. Select Enabled to filter Internet NAT redirection, or Disabled to disable this feature.

I tried messing around with the Virtual Networks in ESXi, but it seems like the best I can do is segment the VM from other VMs, not from the rest of the local network.

It looks like ESXi does not support NAT mode. It seems like the solution here is to emulate a router (such as smoothwall) and run all other VMs through smoothwall.

No it doesn't, simply configure the VMs to use IP addresses in the desired range and add a virtual router which does the NAT or, as you suggested, a firewall like Smoothwall or Pfsense.
