[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[ale] VMWare and Firewall

Subject: [ale] VMWare and Firewall
From: Robert.L.Harris at rdlg.net (Robert L. Harris)
Date: Mon, 4 Jun 2007 11:28:56 -0400


  I have a system running some test software.  We are trying to firewall it
so that it can't connect to any of our internal hosts.  iptables -L -n -v
gives this:

{0}:/etc/network>iptables -L -n -v
Chain INPUT (policy ACCEPT 39 packets, 4165 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0           

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 40 packets, 5633 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 REJECT     tcp  --  *      *       172.22.13.0/24       172.22.13.255       reject-with icmp-port-unreachable 
    0     0 REJECT     udp  --  *      *       172.22.13.0/24       172.22.13.255       reject-with icmp-port-unreachable 
    0     0 REJECT     tcp  --  *      *       172.22.13.0/24       172.20.0.0/14       reject-with icmp-port-unreachable 
    0     0 REJECT     udp  --  *      *       172.22.13.0/24       172.20.0.0/14       reject-with icmp-port-unreachable 

the iptables rules are this:

{0}:/etc/network>cat iptables 
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A OUTPUT -p tcp -s 172.22.13.0/24 -d 172.22.13.255 -j REJECT
-A OUTPUT -p udp -s 172.22.13.0/24 -d 172.22.13.255 -j REJECT
-A OUTPUT -p tcp -s 172.22.13.0/24 -d 172.20.0.0/14 -j REJECT
-A OUTPUT -p udp -s 172.22.13.0/24 -d 172.20.0.0/14 -j REJECT
COMMIT


but if I go one host away I can see netbios traffic still going to my 
to the 172.22.13.255 address.  The 172.22.13.0/24 is reserved for VM's
running on the host itself and I want to block all traffic to 172.20/16
as the final goal.

Thoughts?
  Robert




:wq!
---------------------------------------------------------------------------
Robert L. Harris                     | GPG Key ID: E344DA3B
                                         @ x-hkp://pgp.mit.edu
DISCLAIMER:
      These are MY OPINIONS             With Dreams To Be A King,
       ALONE.  I speak for              First One Should Be A Man
       no-one else.                       - Manowar

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: Digital signature

Follow-Ups:
- [ale] VMWare and Firewall
  - From: charriglists at bellsouth.net (Calvin Harrigan)

Prev by Date: [ale] Clock problems with two SuSE setups
Next by Date: [ale] Good bang-for-buck mobo/cpu?
Previous by thread: [ale] Clock problems with two SuSE setups
Next by thread: [ale] VMWare and Firewall
Index(es):
- Date
- Thread