Jump to content

Iptables Basics - Drop Packets To Local Network


ascorbic
 Share

Recommended Posts

I have a virtual machine on my network which I do not want to be able to access the local network. My router runs dd-wrt. The virtual machine is running within esxi. I looked into vlans, but that seems like it would segment the entire virtual server. I only want one specific virtual machine to be segmented so that it can only access the internet.

I am thinking that adding an IPTables rule to drop all local traffic from that ip/mac address would be the best solution, but I am more than open to other suggestions. I am not worried about ip/mac address spoofing.

Do you have any other suggestion? If not what would the IPTables rule look like?

Thanks!

Link to comment
Share on other sites

Honestly a deny all access list for it would probably work better, but I don't think DD-WRT has that type of functionality. Another way would be to use the deny feature using the Access Restrictions. But for adding for an IP table, the command would look something like this:

iptables -I FORWARD -d IP ADDRESS -j DROP

Or if you wanted it to generate a log to see if someones really trying to get into it, use:

iptables -I FORWARD -d IP ADDRESS -j logdrop

Link to comment
Share on other sites

Honestly a deny all access list for it would probably work better, but I don't think DD-WRT has that type of functionality. Another way would be to use the deny feature using the Access Restrictions. But for adding for an IP table, the command would look something like this:

iptables -I FORWARD -d IP ADDRESS -j DROP

Or if you wanted it to generate a log to see if someones really trying to get into it, use:

iptables -I FORWARD -d IP ADDRESS -j logdrop

Thanks for the reply. It looks like the access restriction features of dd-wrt only can deny outgoing (internet) traffic. I want to only allow internet traffic and deny all local traffic.

How does this iptables rules allow internet access but deny local intranet traffic?

Link to comment
Share on other sites

You want to treat it like it's on a DMZ?

Almost. I am going to forward a few ports to that machine but I am also going to open up RDP. I do not want the external RRP users to be able to access my local network. I have little doubt they will try so I want a basic level of security to protect against it.

Link to comment
Share on other sites

Well, your issue is this. iptables won't filter traffic on the same subnet. The only thing I can think of(others may have more input as I'm not to hot with DD-WRT) is to make a vlan, then apply an iptable to that vlan to allow/deny traffic. Let me tinker with something real quick.

Link to comment
Share on other sites

Well, your issue is this. iptables won't filter traffic on the same subnet. The only thing I can think of(others may have more input as I'm not to hot with DD-WRT) is to make a vlan, then apply an iptable to that vlan to allow/deny traffic. Let me tinker with something real quick.

Ahh interesting... Yes all the machines are on the same subnet. The problem with the VLAN, at least that it seems to me, is that it will filter out the entire virtual server. There is only one physical ethernet cable connected to the physical machine, but there are a few virtual machines.

I feel like this has to be possible. When you buy a virtual server from godaddy, you cannot access local traffic. I am basically trying to mimic the same setup.

Link to comment
Share on other sites

Virtual machines will still have their own IP addresses so you can filter by that as long as they're on another vlan.

This *might* work. But I don't have your type of setup so I really can't test it.

iptables -I FORWARD 1 -s 192.168.1.xx -d 192.168.2.xx -p tcp -m multiport --dports 21,80,443,3389 -j ACCEPT

iptables -I FORWARD 2 -m state --state ESTABLISHED,RELATED -j ACCEPT

iptables -I FORWARD 3 -s 192.168.1.xx -d 192.168.2.xx -p all -j DROP

Pretty much it says if your source is trying to get to this destination, only allow this protocol(TCP) and only allow it to access these ports. If it's anything else trying to get to this IP, drop the traffic.

And GoDaddy has quite a large infrastructure with some pretty crazy virtual switch and layer 3 switch setups. :P

Edited by ZazenSec
Link to comment
Share on other sites

That's a lot of headache when you can setup in your virtual machine software a local VM network.

Or in the router, maybe something like:

Filter Internet NAT Redirection. This feature uses port forwarding to block access to local servers from local networked computers. Select Enabled to filter Internet NAT redirection, or Disabled to disable this feature.

Link to comment
Share on other sites

That's a lot of headache when you can setup in your virtual machine software a local VM network.

Or in the router, maybe something like:

Filter Internet NAT Redirection. This feature uses port forwarding to block access to local servers from local networked computers. Select Enabled to filter Internet NAT redirection, or Disabled to disable this feature.

I tried messing around with the Virtual Networks in ESXi, but it seems like the best I can do is segment the VM from other VMs, not from the rest of the local network.

Link to comment
Share on other sites

It looks like ESXi does not support NAT mode. It seems like to solution here is to emulate a router (such as smoothwall) and run all other VMs through smoothwall.

No it doesn't, simply configure the VMs to use IP addresses in the desired range and add a virtual router which does the NAT or as your suggested a firewall like Smoothwall or Pfsense.

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

 Share

  • Recently Browsing   0 members

    No registered users viewing this page.

×
×
  • Create New...