Skip to content

Instantly share code, notes, and snippets.

@igalic

igalic/Host iptables

Last active December 30, 2015 00:39
Show Gist options
  • Save igalic/7751344 to your computer and use it in GitHub Desktop.
Save igalic/7751344 to your computer and use it in GitHub Desktop.
Download ZIP
VM cannot communicate with world
Raw
host IPs
igalic@bacon ~ % ip -4 a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
inet 127.0.0.1/8 scope host lo
11: virbr1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP
inet 176.9.39.38/27 brd 176.9.39.63 scope global virbr1
20: virbr0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP
inet 192.168.122.1/24 brd 192.168.122.255 scope global virbr0
igalic@bacon ~ % ip -6 a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
11: virbr1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500
inet6 2a01:4f8:150:5024::e4:1/112 scope global
valid_lft forever preferred_lft forever
inet6 2a01:4f8:150:5024::1/64 scope global
valid_lft forever preferred_lft forever
inet6 fe80::16da:e9ff:feb3:99b8/64 scope link
valid_lft forever preferred_lft forever
20: virbr0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500
inet6 2a01:4f8:150:5024::10:1/112 scope global
valid_lft forever preferred_lft forever
inet6 fe80::5054:ff:fe9b:f2ff/64 scope link
valid_lft forever preferred_lft forever
35: vnet0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qlen 500
inet6 fe80::fc54:ff:fe33:631d/64 scope link
valid_lft forever preferred_lft forever
igalic@bacon ~ %
Raw
Host iptables
igalic@bacon ~ % sudo iptables-save
# Generated by iptables-save v1.4.12 on Mon Dec 2 16:37:12 2013
*nat
:PREROUTING ACCEPT [15590:962380]
:INPUT ACCEPT [383:18942]
:OUTPUT ACCEPT [21641:1493556]
:POSTROUTING ACCEPT [23729:1615627]
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p tcp -j MASQUERADE --to-ports 1024-65535
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p udp -j MASQUERADE --to-ports 1024-65535
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -j MASQUERADE
COMMIT
# Completed on Mon Dec 2 16:37:12 2013
# Generated by iptables-save v1.4.12 on Mon Dec 2 16:37:12 2013
*mangle
:PREROUTING ACCEPT [204128:123778164]
:INPUT ACCEPT [185828:122662762]
:FORWARD ACCEPT [10861:711642]
:OUTPUT ACCEPT [196840:82667347]
:POSTROUTING ACCEPT [202586:82998938]
-A POSTROUTING -o virbr0 -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill
COMMIT
# Completed on Mon Dec 2 16:37:12 2013
# Generated by iptables-save v1.4.12 on Mon Dec 2 16:37:12 2013
*filter
:INPUT DROP [69:3876]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [71:5964]
:fail2ban-ssh - [0:0]
:ufw-after-forward - [0:0]
:ufw-after-input - [0:0]
:ufw-after-logging-forward - [0:0]
:ufw-after-logging-input - [0:0]
:ufw-after-logging-output - [0:0]
:ufw-after-output - [0:0]
:ufw-before-forward - [0:0]
:ufw-before-input - [0:0]
:ufw-before-logging-forward - [0:0]
:ufw-before-logging-input - [0:0]
:ufw-before-logging-output - [0:0]
:ufw-before-output - [0:0]
:ufw-logging-allow - [0:0]
:ufw-logging-deny - [0:0]
:ufw-not-local - [0:0]
:ufw-reject-forward - [0:0]
:ufw-reject-input - [0:0]
:ufw-reject-output - [0:0]
:ufw-skip-to-policy-forward - [0:0]
:ufw-skip-to-policy-input - [0:0]
:ufw-skip-to-policy-output - [0:0]
:ufw-track-input - [0:0]
:ufw-track-output - [0:0]
:ufw-user-forward - [0:0]
:ufw-user-input - [0:0]
:ufw-user-limit - [0:0]
:ufw-user-limit-accept - [0:0]
:ufw-user-logging-forward - [0:0]
:ufw-user-logging-input - [0:0]
:ufw-user-logging-output - [0:0]
:ufw-user-output - [0:0]
-A INPUT -i virbr1 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i virbr1 -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -i virbr1 -p udp -m udp --dport 67 -j ACCEPT
-A INPUT -i virbr1 -p tcp -m tcp --dport 67 -j ACCEPT
-A INPUT -i virbr0 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i virbr0 -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -i virbr0 -p udp -m udp --dport 67 -j ACCEPT
-A INPUT -i virbr0 -p tcp -m tcp --dport 67 -j ACCEPT
-A INPUT -p tcp -m multiport --dports 22 -j fail2ban-ssh
-A INPUT -j ufw-before-logging-input
-A INPUT -j ufw-before-input
-A INPUT -j ufw-after-input
-A INPUT -j ufw-after-logging-input
-A INPUT -j ufw-reject-input
-A INPUT -j ufw-track-input
-A FORWARD -i virbr1 -o virbr1 -j ACCEPT
-A FORWARD -o virbr1 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i virbr1 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -d 192.168.122.0/24 -o virbr0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 192.168.122.0/24 -i virbr0 -j ACCEPT
-A FORWARD -i virbr0 -o virbr0 -j ACCEPT
-A FORWARD -o virbr0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i virbr0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -j ufw-before-logging-forward
-A FORWARD -j ufw-before-forward
-A FORWARD -j ufw-after-forward
-A FORWARD -j ufw-after-logging-forward
-A FORWARD -j ufw-reject-forward
-A OUTPUT -j ufw-before-logging-output
-A OUTPUT -j ufw-before-output
-A OUTPUT -j ufw-after-output
-A OUTPUT -j ufw-after-logging-output
-A OUTPUT -j ufw-reject-output
-A OUTPUT -j ufw-track-output
-A fail2ban-ssh -j RETURN
-A ufw-after-input -p udp -m udp --dport 137 -j ufw-skip-to-policy-input
-A ufw-after-input -p udp -m udp --dport 138 -j ufw-skip-to-policy-input
-A ufw-after-input -p tcp -m tcp --dport 139 -j ufw-skip-to-policy-input
-A ufw-after-input -p tcp -m tcp --dport 445 -j ufw-skip-to-policy-input
-A ufw-after-input -p udp -m udp --dport 67 -j ufw-skip-to-policy-input
-A ufw-after-input -p udp -m udp --dport 68 -j ufw-skip-to-policy-input
-A ufw-after-input -m addrtype --dst-type BROADCAST -j ufw-skip-to-policy-input
-A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] "
-A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] "
-A ufw-after-logging-output -j LOG --log-prefix "[UFW ALLOW] "
-A ufw-before-forward -j ufw-user-forward
-A ufw-before-input -i lo -j ACCEPT
-A ufw-before-input -m state --state RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-input -m state --state INVALID -j ufw-logging-deny
-A ufw-before-input -m state --state INVALID -j DROP
-A ufw-before-input -p icmp -m icmp --icmp-type 3 -j ACCEPT
-A ufw-before-input -p icmp -m icmp --icmp-type 4 -j ACCEPT
-A ufw-before-input -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A ufw-before-input -p icmp -m icmp --icmp-type 12 -j ACCEPT
-A ufw-before-input -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A ufw-before-input -p udp -m udp --sport 67 --dport 68 -j ACCEPT
-A ufw-before-input -j ufw-not-local
-A ufw-before-input -d 224.0.0.251/32 -p udp -m udp --dport 5353 -j ACCEPT
-A ufw-before-input -d 239.255.255.250/32 -p udp -m udp --dport 1900 -j ACCEPT
-A ufw-before-input -j ufw-user-input
-A ufw-before-logging-forward -j LOG --log-prefix "[UFW AUDIT] "
-A ufw-before-logging-input -j LOG --log-prefix "[UFW AUDIT] "
-A ufw-before-logging-output -j LOG --log-prefix "[UFW AUDIT] "
-A ufw-before-output -o lo -j ACCEPT
-A ufw-before-output -m state --state RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-output -j ufw-user-output
-A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] "
-A ufw-logging-deny -m state --state INVALID -j LOG --log-prefix "[UFW AUDIT INVALID] "
-A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] "
-A ufw-not-local -m addrtype --dst-type LOCAL -j RETURN
-A ufw-not-local -m addrtype --dst-type MULTICAST -j RETURN
-A ufw-not-local -m addrtype --dst-type BROADCAST -j RETURN
-A ufw-not-local -m limit --limit 3/min --limit-burst 10 -j ufw-logging-deny
-A ufw-not-local -j DROP
-A ufw-skip-to-policy-forward -j DROP
-A ufw-skip-to-policy-input -j DROP
-A ufw-skip-to-policy-output -j ACCEPT
-A ufw-track-output -p tcp -m state --state NEW -j ACCEPT
-A ufw-track-output -p udp -m state --state NEW -j ACCEPT
-A ufw-user-input -s 192.168.122.0/24 -p tcp -j ACCEPT
-A ufw-user-input -p tcp -m tcp --dport 22 -j ACCEPT
-A ufw-user-limit -m limit --limit 3/min -j LOG --log-prefix "[UFW LIMIT BLOCK] "
-A ufw-user-limit -j REJECT --reject-with icmp-port-unreachable
-A ufw-user-limit-accept -j ACCEPT
COMMIT
# Completed on Mon Dec 2 16:37:12 2013
igalic@bacon ~ %
Raw
host routes
igalic@bacon ~ % ip -4 r
default via 176.9.39.33 dev virbr1 metric 100
176.9.39.32/27 via 176.9.39.33 dev virbr1
192.168.122.0/24 dev virbr0 proto kernel scope link src 192.168.122.1
igalic@bacon ~ % ip -6 r
2a01:4f8:150:5024::10:0/112 dev virbr0 proto kernel metric 256
2a01:4f8:150:5024::e4:0/112 dev virbr1 proto kernel metric 256
2a01:4f8:150:5024::/64 dev virbr1 proto kernel metric 256
fe80::/64 dev virbr1 proto kernel metric 256
fe80::/64 dev virbr0 proto kernel metric 256
fe80::/64 dev vnet0 proto kernel metric 256
default via fe80::1 dev virbr1 metric 1024
igalic@bacon ~ %
Raw
network interfaces
### Hetzner's default network, modified to fit a bridge
# Loopback device:
auto lo
iface lo inet loopback
# device: eth0
auto virbr1
iface virbr1 inet static
address 176.9.39.38
broadcast 176.9.39.63
netmask 255.255.255.224
gateway 176.9.39.33
bridge_ports eth0
bridge_stp on
bridge_maxwait 0
# Set-up IPv6 and Hetzner routes
# guarantee idempotency:
pre-up ip addr del 2a01:4f8:150:5024::1/64 dev virbr1 || true
pre-up ip addr del 2a01:4f8:150:5024::e4:1/112 dev virbr1 || true
# add IPv6 address, e4 == "external" IPv6 network
up ip addr add 2a01:4f8:150:5024::1/64 dev virbr1
up ip addr add 2a01:4f8:150:5024::e4:1/112 dev virbr1
# default route to access subnet
# idempotency here is easier, because we have 'replace'
up ip route replace to 176.9.39.32/255.255.255.224 via 176.9.39.33 dev virbr1
# add Hetzner IPv6 route
up ip route replace default via fe80::1 dev virbr1
Raw
ping fails
root@pgdb01:~# # ping the host
root@pgdb01:~# ping -c1 192.168.122.1
PING 192.168.122.1 (192.168.122.1) 56(84) bytes of data.
64 bytes from 192.168.122.1: icmp_req=1 ttl=64 time=0.172 ms
--- 192.168.122.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.172/0.172/0.172/0.000 ms
root@pgdb01:~# # ping the external interface of the host
root@pgdb01:~# ping -c1 176.9.39.38
PING 176.9.39.38 (176.9.39.38) 56(84) bytes of data.
64 bytes from 176.9.39.38: icmp_req=1 ttl=64 time=0.163 ms
--- 176.9.39.38 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.163/0.163/0.163/0.000 ms
root@pgdb01:~# # ping the host's router
root@pgdb01:~# ping 176.9.39.33
PING 176.9.39.33 (176.9.39.33) 56(84) bytes of data.
From 192.168.122.1 icmp_seq=1 Destination Port Unreachable
From 192.168.122.1 icmp_seq=2 Destination Port Unreachable
From 192.168.122.1 icmp_seq=3 Destination Port Unreachable
^C
--- 176.9.39.33 ping statistics ---
3 packets transmitted, 0 received, +3 errors, 100% packet loss, time 1999ms
root@pgdb01:~#
Raw
vm IPs
root@pgdb01:~# ip -4 a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
inet 192.168.122.11/24 brd 192.168.122.255 scope global eth0
valid_lft forever preferred_lft forever
root@pgdb01:~# ip -6 a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qlen 1000
inet6 2a01:4f8:150:5024::10:11/112 scope global
valid_lft forever preferred_lft forever
inet6 fe80::5054:ff:fe33:631d/64 scope link
valid_lft forever preferred_lft forever
root@pgdb01:~#
Raw
vms iptables
root@pgdb01:~# sudo iptables-save
# Generated by iptables-save v1.4.12 on Mon Dec 2 15:38:35 2013
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [403:33852]
:fail2ban-ssh - [0:0]
:ufw-after-forward - [0:0]
:ufw-after-input - [0:0]
:ufw-after-logging-forward - [0:0]
:ufw-after-logging-input - [0:0]
:ufw-after-logging-output - [0:0]
:ufw-after-output - [0:0]
:ufw-before-forward - [0:0]
:ufw-before-input - [0:0]
:ufw-before-logging-forward - [0:0]
:ufw-before-logging-input - [0:0]
:ufw-before-logging-output - [0:0]
:ufw-before-output - [0:0]
:ufw-logging-allow - [0:0]
:ufw-logging-deny - [0:0]
:ufw-not-local - [0:0]
:ufw-reject-forward - [0:0]
:ufw-reject-input - [0:0]
:ufw-reject-output - [0:0]
:ufw-skip-to-policy-forward - [0:0]
:ufw-skip-to-policy-input - [0:0]
:ufw-skip-to-policy-output - [0:0]
:ufw-track-input - [0:0]
:ufw-track-output - [0:0]
:ufw-user-forward - [0:0]
:ufw-user-input - [0:0]
:ufw-user-limit - [0:0]
:ufw-user-limit-accept - [0:0]
:ufw-user-logging-forward - [0:0]
:ufw-user-logging-input - [0:0]
:ufw-user-logging-output - [0:0]
:ufw-user-output - [0:0]
-A INPUT -p tcp -m multiport --dports 22 -j fail2ban-ssh
-A INPUT -j ufw-before-logging-input
-A INPUT -j ufw-before-input
-A INPUT -j ufw-after-input
-A INPUT -j ufw-after-logging-input
-A INPUT -j ufw-reject-input
-A INPUT -j ufw-track-input
-A FORWARD -j ufw-before-logging-forward
-A FORWARD -j ufw-before-forward
-A FORWARD -j ufw-after-forward
-A FORWARD -j ufw-after-logging-forward
-A FORWARD -j ufw-reject-forward
-A OUTPUT -j ufw-before-logging-output
-A OUTPUT -j ufw-before-output
-A OUTPUT -j ufw-after-output
-A OUTPUT -j ufw-after-logging-output
-A OUTPUT -j ufw-reject-output
-A OUTPUT -j ufw-track-output
-A fail2ban-ssh -j RETURN
-A ufw-after-input -p udp -m udp --dport 137 -j ufw-skip-to-policy-input
-A ufw-after-input -p udp -m udp --dport 138 -j ufw-skip-to-policy-input
-A ufw-after-input -p tcp -m tcp --dport 139 -j ufw-skip-to-policy-input
-A ufw-after-input -p tcp -m tcp --dport 445 -j ufw-skip-to-policy-input
-A ufw-after-input -p udp -m udp --dport 67 -j ufw-skip-to-policy-input
-A ufw-after-input -p udp -m udp --dport 68 -j ufw-skip-to-policy-input
-A ufw-after-input -m addrtype --dst-type BROADCAST -j ufw-skip-to-policy-input
-A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] "
-A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] "
-A ufw-after-logging-output -j LOG --log-prefix "[UFW ALLOW] "
-A ufw-before-forward -j ufw-user-forward
-A ufw-before-input -i lo -j ACCEPT
-A ufw-before-input -m state --state RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-input -m state --state INVALID -j ufw-logging-deny
-A ufw-before-input -m state --state INVALID -j DROP
-A ufw-before-input -p icmp -m icmp --icmp-type 3 -j ACCEPT
-A ufw-before-input -p icmp -m icmp --icmp-type 4 -j ACCEPT
-A ufw-before-input -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A ufw-before-input -p icmp -m icmp --icmp-type 12 -j ACCEPT
-A ufw-before-input -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A ufw-before-input -p udp -m udp --sport 67 --dport 68 -j ACCEPT
-A ufw-before-input -j ufw-not-local
-A ufw-before-input -d 224.0.0.251/32 -p udp -m udp --dport 5353 -j ACCEPT
-A ufw-before-input -d 239.255.255.250/32 -p udp -m udp --dport 1900 -j ACCEPT
-A ufw-before-input -j ufw-user-input
-A ufw-before-logging-forward -j LOG --log-prefix "[UFW AUDIT] "
-A ufw-before-logging-input -j LOG --log-prefix "[UFW AUDIT] "
-A ufw-before-logging-output -j LOG --log-prefix "[UFW AUDIT] "
-A ufw-before-output -o lo -j ACCEPT
-A ufw-before-output -m state --state RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-output -j ufw-user-output
-A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] "
-A ufw-logging-deny -m state --state INVALID -j LOG --log-prefix "[UFW AUDIT INVALID] "
-A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] "
-A ufw-not-local -m addrtype --dst-type LOCAL -j RETURN
-A ufw-not-local -m addrtype --dst-type MULTICAST -j RETURN
-A ufw-not-local -m addrtype --dst-type BROADCAST -j RETURN
-A ufw-not-local -m limit --limit 3/min --limit-burst 10 -j ufw-logging-deny
-A ufw-not-local -j DROP
-A ufw-skip-to-policy-forward -j DROP
-A ufw-skip-to-policy-input -j DROP
-A ufw-skip-to-policy-output -j ACCEPT
-A ufw-track-output -p tcp -m state --state NEW -j ACCEPT
-A ufw-track-output -p udp -m state --state NEW -j ACCEPT
-A ufw-user-input -p tcp -m tcp --dport 22 -j ACCEPT
-A ufw-user-input -p udp -m udp --dport 22 -j ACCEPT
-A ufw-user-limit -m limit --limit 3/min -j LOG --log-prefix "[UFW LIMIT BLOCK] "
-A ufw-user-limit -j REJECT --reject-with icmp-port-unreachable
-A ufw-user-limit-accept -j ACCEPT
COMMIT
# Completed on Mon Dec 2 15:38:35 2013
root@pgdb01:~#
Raw
vms route
root@pgdb01:~# ip -4 r
default via 192.168.122.1 dev eth0 metric 100
192.168.122.0/24 dev eth0 proto kernel scope link src 192.168.122.11
root@pgdb01:~# ip -6 r
2a01:4f8:150:5024::10:0/112 dev eth0 proto kernel metric 256
fe80::/64 dev eth0 proto kernel metric 256
default via 2a01:4f8:150:5024::10:1 dev eth0 metric 1024
default via fe80::5054:ff:fe9b:f2ff dev eth0 proto ra metric 1024 expires 1750sec
root@pgdb01:~#
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment