12-28-2011, 01:30 AM
Tom Horsley

bridges, NAT, virtual machines, brain hurt :-).

I'd like to make a Windows virtual machine that has access to
the outside world but is completely blocked from access to my
local area network (other than whatever forwarding and routing
has to happen on my LAN).

The idea is to make a virtual windows box which can suffer
any ill effects of unsafe browsing practices, while preventing
any of those effects from escaping into my LAN. (Then if I
use a qcow2 image with a backing file, I can reset the machine
to its original undamaged state by simply regenerating a
new qcow2 image).

I keep thinking along the lines of setting up a new bridge
on a separate subnet and doing some sort of NAT routing,
but details escape me. I can write those words, but have no
idea how to actually accomplish what I want (especially how
to restrict the NAT to the outside world and prevent any
access to local LAN).

I keep thinking this should have been done by someone already
and there should be examples out there, anyone know of any?
--
users mailing list
users@lists.fedoraproject.org
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
Have a question? Ask away: http://ask.fedoraproject.org
 
12-28-2011, 01:56 AM
Craig White

bridges, NAT, virtual machines, brain hurt :-).

On Tue, 2011-12-27 at 21:30 -0500, Tom Horsley wrote:
> I'd like to make a Windows virtual machine that has access to
> the outside world but is completely blocked from access to my
> local area network (other than whatever forwarding and routing
> has to happen on my LAN).
>
> The idea is to make a virtual windows box which can suffer
> any ill effects of unsafe browsing practices, while preventing
> any of those effects from escaping into my LAN. (Then if I
> use a qcow2 image with a backing file, I can reset the machine
> to its original undamaged state by simply regenerating a
> new qcow2 image).
>
> I keep thinking along the lines of setting up a new bridge
> on a separate subnet and doing some sort of NAT routing,
> but details escape me. I can write those words, but have no
> idea how to actually accomplish what I want (especially how
> to restrict the NAT to the outside world and prevent any
> access to local LAN).
>
> I keep thinking this should have been done by someone already
> and there should be examples out there, anyone know of any?
----
decent routers have the option for a 'DMZ' host that will achieve what
you want without any effort.

Craig



 
12-28-2011, 02:05 AM
夜神 岩男

bridges, NAT, virtual machines, brain hurt :-).

On 12/28/2011 11:56 AM, Craig White wrote:
> On Tue, 2011-12-27 at 21:30 -0500, Tom Horsley wrote:
>> I keep thinking along the lines of setting up a new bridge
>> on a separate subnet and doing some sort of NAT routing,
>> but details escape me. I can write those words, but have no
>> idea how to actually accomplish what I want (especially how
>> to restrict the NAT to the outside world and prevent any
>> access to local LAN).
>>
>> I keep thinking this should have been done by someone already
>> and there should be examples out there, anyone know of any?
> ----
> decent routers have the option for a 'DMZ' host that will achieve what
> you want without any effort.


Searches for how to set up a DMZ or "iptables DMZ" or whatever are also
pretty fruitful -- and it's exactly what you're looking for. (Doing it
yourself is more fun, imho. But "fun" == "takes time" so...)

 
12-28-2011, 03:03 PM
Ian Pilcher

bridges, NAT, virtual machines, brain hurt :-).

What does your existing network look like?

--
========================================================================
Ian Pilcher arequipeno@gmail.com
"If you're going to shift my paradigm ... at least buy me dinner first."
========================================================================

 
12-28-2011, 03:35 PM
Tom Horsley

bridges, NAT, virtual machines, brain hurt :-).

On Wed, 28 Dec 2011 10:03:50 -0600
Ian Pilcher wrote:

> What does your existing network look like?

Here's some mail I just tried to send the netfilter mailing
list (you never know if it is going to get through though):

In my setup "br0" is the bridge that the physical interface
and all my "normal" KVMs are attached to. It uses the
192.168.100.0/24 address range.

The "bifrost" bridge is not connected to a physical interface.
I have assigned it address 10.10.10.1 and the KVM I want to
isolate uses it as a gateway and has static IP 10.10.10.2.

Here are the commands that do indeed seem to set up a working
NAT for the KVM.

echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -t nat -A POSTROUTING -o br0 -j MASQUERADE
iptables -A FORWARD -i br0 -o bifrost -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i bifrost -o br0 -j ACCEPT

Bearing in mind that I mostly cut & paste iptable rules and
can only partially understand the stuff I read in the iptables
man pages and wot-not, is anyone willing to tell me exactly
what to change/add to prevent the KVM connected to bifrost
from talking to my local LAN and vice versa? (I have a
feeling I could understand the rules if someone told
me what they should be, but absorbing everything
in the man page then deducing what I need to do is beyond
my poor brain :-).

Thanks in advance for any help.
 
12-29-2011, 03:44 PM
Ian Pilcher

bridges, NAT, virtual machines, brain hurt :-).

OK, I have a few comments and suggestions. Worth every cent you paid
for them.

On 12/28/2011 10:35 AM, Tom Horsley wrote:
> echo 1 > /proc/sys/net/ipv4/ip_forward

You'll want to make this persistent by setting net.ipv4.ip_forward = 1
in /etc/sysctl.conf.

> iptables -t nat -A POSTROUTING -o br0 -j MASQUERADE

This rule is catching everything going out br0, including local traffic.
I would do something like:

iptables -t nat -A POSTROUTING -s 10.10.10.0/24 -o br0 -j MASQUERADE

> iptables -A FORWARD -i br0 -o bifrost -m state --state RELATED,ESTABLISHED -j ACCEPT
> iptables -A FORWARD -i bifrost -o br0 -j ACCEPT

These two rules allow your "DMZ" machine to make connections to pretty
much anything. I would suggest the following.

First, allow the DMZ machine to make connections to hosts that are not
on your local network:

iptables -A FORWARD -i bifrost ! -d 192.168.100.0/24 -j ACCEPT

Then allow traffic on *all* established connections.

iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT

This combination will restrict the DMZ guest from initiating connections
to machines on your local network, but you'll still be able to make
inbound connections the other way, if you wish.

One very important note is that you also need to add appropriate rules
to the INPUT chain on your host. The rules in the FORWARD chain don't
affect traffic destined for the local host.

Personally, I find bifrost to be an extremely weird name for a network
interface. I would recommend using something that is more obviously an
interface; it makes reading the iptables stuff much easier.

HTH

--
========================================================================
Ian Pilcher arequipeno@gmail.com
"If you're going to shift my paradigm ... at least buy me dinner first."
========================================================================
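The rules Tom posted and the corrections Ian gives above, collected into one script as an added example (this is not code from the thread or from any Fedora package). The interface names and subnets are the ones from Tom's setup (br0, bifrost, 192.168.100.0/24, 10.10.10.0/24); the explicit DROP rules at the end of FORWARD and INPUT, the optional LAN-to-guest ACCEPT, and the IPT/preview switch are assumptions added here so the ruleset does not depend on the chains' default policies.

```shell
#!/bin/sh
# Added example: the corrected DMZ-guest isolation ruleset from the thread,
# with assumed DROP rules and a dry-run switch. Not code from the original posts.

LAN_BR="${LAN_BR:-br0}"                 # bridge with the physical NIC and the normal guests
DMZ_BR="${DMZ_BR:-bifrost}"             # host-only bridge for the isolated guest
LAN_NET="${LAN_NET:-192.168.100.0/24}"  # local LAN the guest must not reach
DMZ_NET="${DMZ_NET:-10.10.10.0/24}"     # subnet on the isolated bridge
IPT="${IPT:-iptables}"                  # set IPT=echo to preview instead of applying

# Print the rules, one iptables argument list per line, in the order they must be appended.
isolation_rules() {
    # NAT only the DMZ subnet on its way out, not every packet leaving br0
    echo "-t nat -A POSTROUTING -s $DMZ_NET -o $LAN_BR -j MASQUERADE"
    # replies on connections that already exist, whichever side opened them
    echo "-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT"
    # new connections from the guest only to destinations outside the LAN
    echo "-A FORWARD -i $DMZ_BR ! -d $LAN_NET -j ACCEPT"
    # assumption/optional: LAN hosts may open connections to the guest (delete for one-way)
    echo "-A FORWARD -i $LAN_BR -o $DMZ_BR -j ACCEPT"
    # assumption: anything else the guest tries to forward (new connections into the LAN) is dropped
    echo "-A FORWARD -i $DMZ_BR -j DROP"
    # FORWARD never sees packets addressed to the host itself, so INPUT needs its own rules
    echo "-A INPUT -i $DMZ_BR -m state --state RELATED,ESTABLISHED -j ACCEPT"
    echo "-A INPUT -i $DMZ_BR -j DROP"
}

# Feed every rule to $IPT; with IPT=echo this shows exactly what would be applied.
apply_isolation() {
    isolation_rules | while IFS= read -r rule; do
        # word splitting of $rule is intended: each word is one iptables argument
        "$IPT" $rule
    done
}

# Turn forwarding on now and keep it on across reboots (the sysctl.conf line Ian mentions).
enable_forwarding() {
    sysctl -w net.ipv4.ip_forward=1
    grep -q '^net.ipv4.ip_forward *= *1' /etc/sysctl.conf ||
        echo 'net.ipv4.ip_forward = 1' >> /etc/sysctl.conf
}

# Number of rules that would be applied; a cheap sanity check before running as root.
rule_count() {
    isolation_rules | wc -l | tr -d ' '
}

case "${1:-}" in
    preview) IPT=echo; apply_isolation ;;
    apply)   enable_forwarding; apply_isolation ;;
esac
```

Run it as `sh isolate.sh preview` to see the rules, then `sh isolate.sh apply` as root. Because every rule is appended with `-A`, it lands after whatever libvirt or the distribution firewall already put in FORWARD and INPUT; check the final order with `iptables -L FORWARD -v -n` before trusting the DROP lines, and if the host also serves DNS or DHCP to the guest, add an INPUT ACCEPT for those ports ahead of the INPUT DROP.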

 
12-29-2011, 05:02 PM
Tom Horsley

bridges, NAT, virtual machines, brain hurt :-).

On Thu, 29 Dec 2011 10:44:05 -0600
Ian Pilcher wrote:

> OK, I have a few comments and suggestions. Worth every cent you paid
> for them.

They seem more valuable than that! Thanks.

> You'll want to make this persistent by setting net.ipv4.ip_forward = 1
> in /etc/sysctl.conf.

Yea, I was going to worry about making everything permanent
after I got it to work.

> This combination will restrict the DMZ guest from initiating connections
> to machines on your local network, but you'll still be able to make
> inbound connections the other way, if you wish.

That's the most important bit. I want nothing evil downloaded in
the isolated machine to be able to escape :-).

> Personally, I find bifrost to be an extremely weird name for a network

Ah, but it is a bridge, and what bridge is more famous and bifrost? :-).

> interface. I would recommend using something that is more obviously an
> interface; it makes reading the iptables stuff much easier.

I'm not sure anything can help reading iptables rules.
 
12-29-2011, 05:13 PM
Tom Horsley

bridges, NAT, virtual machines, brain hurt :-).

On Thu, 29 Dec 2011 13:02:08 -0500
Tom Horsley wrote:

> Ah, but it is a bridge, and what bridge is more famous and bifrost? :-).

famous than (don't know how that became "famous and" on the way out of
my fingers :-).
 
12-29-2011, 05:25 PM
Joe Zeff

bridges, NAT, virtual machines, brain hurt :-).

On 12/29/2011 10:13 AM, Tom Horsley wrote:
> On Thu, 29 Dec 2011 13:02:08 -0500
> Tom Horsley wrote:
>
>> Ah, but it is a bridge, and what bridge is more famous and bifrost? :-).
>
> famous than (don't know how that became "famous and" on the way out of
> my fingers :-).


Mostly in Norse mythology, alas. Americans would probably understand
better if you named it TroubledWaters.

 
12-29-2011, 05:37 PM
Tom Horsley

bridges, NAT, virtual machines, brain hurt :-).

On Thu, 29 Dec 2011 10:25:23 -0800
Joe Zeff wrote:

> Americans would probably understand
> better if you named it TroubledWaters.

Nah! Americans read Marvel comics and watch
Marvel comic movie adaptations :-).