Here is the script I'm using on my server with br0 and eth0. The three services I have running are https, http, and ssh. I also have it set up so you can forward traffic through the KVM server. So basically the route of the virtual machines is the IP of the KVM server and that passes the traffic on to the public network. I am also in the same boat about only having ssh access to the server. What I do is schedule cron to reset iptables every 30 min. So when I do screw up ssh access and lock myself out I know that every 30 min I can get back in. Just don't forget that it does run every 30 min and could run when you are testing.

Once you have iptables correct, remove the cronjob to reset iptables. Hope this helps some. Let me know what you are trying to accomplish with your iptables. eth0 is on the public side and br0 is on the private side. I also have my DNS servers on both the private and public network. Not having DNS on the private side is a nightmare.
#!/bin/bash
# First we flush our current rules (filter table and nat table)
iptables -F
iptables -t nat -F
# Setup default policies to handle unmatched traffic.
# Note: with ACCEPT as the default, anything not explicitly REJECTed or
# DROPped below is let in; the commented-out DROP rules further down are
# what would close the remaining privileged ports from the WAN.
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
# Copy and paste these examples ...
export LAN=br0
export WAN=eth0
# Then we lock our services so they only work from the LAN.
# Both -I INPUT 1 rules insert at the top, so lo ends up first, then ${LAN}.
# The negation goes in front of the option ("! -i"); the old "-i !" form
# is deprecated and warns or fails on newer iptables.
iptables -I INPUT 1 -i ${LAN} -j ACCEPT
iptables -I INPUT 1 -i lo -j ACCEPT
iptables -A INPUT -p UDP --dport bootps ! -i ${LAN} -j REJECT
iptables -A INPUT -p UDP --dport domain ! -i ${LAN} -j REJECT
# (Optional) Allow access to our ssh, http and https servers from the WAN
iptables -A INPUT -p TCP --dport ssh -i ${WAN} -j ACCEPT
iptables -A INPUT -p TCP --dport http -i ${WAN} -j ACCEPT
iptables -A INPUT -p TCP --dport https -i ${WAN} -j ACCEPT
# Drop TCP / UDP packets to privileged ports that did not arrive from the LAN
#iptables -A INPUT -p TCP ! -i ${LAN} -d 0/0 --dport 0:1023 -j DROP
#iptables -A INPUT -p UDP ! -i ${LAN} -d 0/0 --dport 0:1023 -j DROP
# Finally we add the rules for NAT (guests live in 192.168.0.0/16)
iptables -I FORWARD -i ${LAN} -d 192.168.0.0/255.255.0.0 -j ACCEPT
iptables -A FORWARD -i ${LAN} -s 192.168.0.0/255.255.0.0 -j ACCEPT
iptables -A FORWARD -i ${WAN} -d 192.168.0.0/255.255.0.0 -j ACCEPT
iptables -t nat -A POSTROUTING -o ${WAN} -j MASQUERADE
# Tell the kernel that ip forwarding is OK
echo 1 > /proc/sys/net/ipv4/ip_forward
# Optional: enable reverse-path filtering on all interfaces
# for f in /proc/sys/net/ipv4/conf/*/rp_filter ; do echo 1 > $f ; done
On Fri, Jul 30, 2010 at 4:28 AM, Henning Sprang <henning.sprang@gmail.com> wrote:
Hi Jimmy,
Can you be more specific and tell exactly which rules you add, how, to which interface, and what exactly happens then?
Which packets stop going which way that they previously took, and how do you measure it?
Henning
Am 30.07.2010 09:24 schrieb "Jimmy Stewpot" <mailers@oranged.to>:
Hello,
I have a working environment where I have the following configuration. eth0 is in the bridge br0. I then have a KVM virtual machine running perfectly. I now want to configure the host server (with br0) to have a set of iptables rules. Unfortunately every time I add any rules to the interface br0/eth0 I lose all connectivity despite having a permit/any/any rule for port 22. Can anyone provide any insight into why that would be the case?
Regards,
Jimmy.
--
ubuntu-server mailing list
ubuntu-server@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-server
More info: https://wiki.ubuntu.com/ServerTeam
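As an added example (not the poster's script, and not anything from the list), here is the same idea done with a safety net built into the apply step instead of a 30-minute cron reset: the ruleset is generated in iptables-restore format with DROP as the default on INPUT and FORWARD, loaded atomically, and a background watchdog puts the previous rules back after a timeout unless the admin confirms from the still-working ssh session. The interface names eth0 and br0, the guest network 192.168.0.0/16, the 120-second window and the /run path are assumptions for the example. The bridge-port check covers the situation in Jimmy's mail: when eth0 is enslaved to br0, the kernel hands incoming packets to the IP stack on br0, so an allow rule written with "-i eth0" never matches and a DROP that follows it wins.

```shell
#!/bin/sh
# Added example, not the list poster's script. Generates an iptables-restore
# ruleset for a KVM host (WAN NIC + guest bridge) and applies it with a
# rollback timer, so a mistaken rule undoes itself instead of locking the
# remote ssh session out until the next cron run.
# Assumed/constructed values: eth0 as WAN, br0 as the guest bridge,
# 192.168.0.0/16 as the guest network, 120 s rollback window.

WAN="${WAN:-eth0}"
LAN="${LAN:-br0}"
GUEST_NET="${GUEST_NET:-192.168.0.0/16}"
ROLLBACK_SECS="${ROLLBACK_SECS:-120}"
SAVED="${SAVED:-/run/iptables-rollback.save}"

# Emit the ruleset in iptables-save format: default DROP on INPUT/FORWARD,
# every permitted flow listed explicitly, NAT for the guests on the way out.
build_ruleset() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -i ${LAN} -j ACCEPT
-A INPUT -i ${WAN} -p tcp --dport 22 -j ACCEPT
-A INPUT -i ${WAN} -p tcp --dport 80 -j ACCEPT
-A INPUT -i ${WAN} -p tcp --dport 443 -j ACCEPT
-A INPUT -i ${WAN} -p icmp --icmp-type echo-request -j ACCEPT
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i ${LAN} -o ${WAN} -s ${GUEST_NET} -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s ${GUEST_NET} -o ${WAN} -j MASQUERADE
COMMIT
EOF
}

# A NIC enslaved to a bridge shows up as /sys/class/net/<nic>/brport; packets
# arriving through it reach the IP stack on the bridge device, so "-i <nic>"
# in INPUT never matches. Returns 0 (true) when the interface is a bridge port.
iface_is_bridge_port() {
    [ -d "/sys/class/net/$1/brport" ]
}

# Refuse to apply a ruleset whose WAN match can never fire.
check_ifaces() {
    if iface_is_bridge_port "$WAN"; then
        echo "$WAN is a port of a bridge: match on the bridge device instead" >&2
        return 1
    fi
    return 0
}

# Save the live rules, start a watchdog that restores them after ROLLBACK_SECS
# unless confirm_rules has removed the saved copy, then load the new ruleset
# atomically with iptables-restore (a syntax error leaves the old rules in place).
apply_with_rollback() {
    iptables-save > "$SAVED" || return 1
    ( sleep "$ROLLBACK_SECS"
      if [ -f "$SAVED" ]; then
          iptables-restore < "$SAVED" && rm -f "$SAVED"
      fi ) >/dev/null 2>&1 &
    echo "loading new rules; run '$0 confirm' within ${ROLLBACK_SECS}s to keep them" >&2
    # The guests' NAT path needs forwarding enabled, as in the poster's script.
    echo 1 > /proc/sys/net/ipv4/ip_forward
    build_ruleset | iptables-restore
}

# Called from the still-working ssh session to cancel the pending rollback.
confirm_rules() {
    rm -f "$SAVED"
}

case "${1:-}" in
    show)    build_ruleset ;;
    apply)   check_ifaces && apply_with_rollback ;;
    confirm) confirm_rules ;;
    *)       : ;;   # no argument: only define the functions
esac
```

Usage is "show" to print the ruleset for review, "apply" (as root) to load it with the rollback armed, and "confirm" from a fresh ssh login to keep it. If the login does not work, doing nothing for 120 seconds brings the old rules back.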