kvm bridging and ubuntu

Dan Sheffner dsheffner at gmail.com
Fri Jul 30 12:42:38 UTC 2010


Here is the script I'm using on my server with br0 and eth0.  The three
services I have running are https, http, and ssh.  I also have it set up so
you can forward traffic through the KVM server.  So basically the route of
the virtual machines is the IP of the KVM server and that passes the traffic
on to the public network.  I am also in the same boat about having only
ssh access to the server.  What I do is schedule cron to reset iptables
every 30 min.  So when I do screw up ssh access and lock myself out I know
that every 30 min I can get back in.  Just don't forget that it does run
every 30 min and could run when you are testing :) Once you have iptables
correct, remove the cronjob to reset iptables.  Hope this helps some.  Let me
know what you are trying to accomplish with your iptables.  eth0 is on the
public side and br0 is on the private side.  I also have my DNS servers on
both the private and public network.  Not having DNS on the private side is
a nightmare.

#!/bin/bash

# First flush the current rules in the filter and nat tables
iptables -F
iptables -t nat -F

# Default policies for traffic no rule matches (everything is accepted;
# only the explicit REJECT rules below block anything)
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT

# Interface names: br0 is the private (VM) side, eth0 the public side
export LAN=br0
export WAN=eth0

# Accept everything from the LAN and loopback, then lock DHCP and DNS
# so they only answer from the LAN ("! -i" is the current negation
# syntax; the older "-i !" form is deprecated)
iptables -I INPUT 1 -i ${LAN} -j ACCEPT
iptables -I INPUT 1 -i lo -j ACCEPT
iptables -A INPUT -p UDP --dport bootps ! -i ${LAN} -j REJECT
iptables -A INPUT -p UDP --dport domain ! -i ${LAN} -j REJECT

# (Optional) Allow access to our ssh, http and https servers from the WAN
iptables -A INPUT -p TCP --dport ssh -i ${WAN} -j ACCEPT
iptables -A INPUT -p TCP --dport http -i ${WAN} -j ACCEPT
iptables -A INPUT -p TCP --dport https -i ${WAN} -j ACCEPT

# (Disabled) Drop TCP / UDP packets to privileged ports from anywhere but the LAN
#iptables -A INPUT -p TCP ! -i ${LAN} -d 0/0 --dport 0:1023 -j DROP
#iptables -A INPUT -p UDP ! -i ${LAN} -d 0/0 --dport 0:1023 -j DROP

# Finally add the rules for NAT: forward the private 192.168.0.0/16 range
# in both directions and masquerade it behind the WAN address
iptables -I FORWARD -i ${LAN} -d 192.168.0.0/255.255.0.0 -j ACCEPT
iptables -A FORWARD -i ${LAN} -s 192.168.0.0/255.255.0.0 -j ACCEPT
iptables -A FORWARD -i ${WAN} -d 192.168.0.0/255.255.0.0 -j ACCEPT
iptables -t nat -A POSTROUTING -o ${WAN} -j MASQUERADE

# Tell the kernel that IP forwarding is OK
echo 1 > /proc/sys/net/ipv4/ip_forward
# for f in /proc/sys/net/ipv4/conf/*/rp_filter ; do echo 1 > $f ; done


On Fri, Jul 30, 2010 at 4:28 AM, Henning Sprang <henning.sprang at gmail.com>wrote:

> Hi Jimmy,
> Can you be more specific and tell us exactly what rules you add, how, and to which
> interface, and what exactly happens then?
> Which packets stop going which way that they previously took, and how do you
> measure it?
>
> Henning
>
> On 30.07.2010 09:24 "Jimmy Stewpot" <mailers at oranged.to> wrote:
>
>
> Hello,
>
> I have a working environment where I have the following configuration. eth0
> is in the bridge br0. I then have a KVM virtual machine running perfectly. I
> now want to configure the host server (with br0) to have a set of iptables
> rules. Unfortunately every time I add any rules to the interface br0/eth0 I
> lose all connectivity despite having a permit/any/any rule for port 22. Can
> anyone provide any insight into why that would be the case?
>
> Regards,
>
> Jimmy.
>
> --
> ubuntu-server mailing list
> ubuntu-server at lists.ubuntu.com
> https://lists.ubuntu.com/mailman/listinfo/ubuntu-server
> More info: https://wiki.ubuntu.com/ServerTeam
>
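Added example, not part of Dan's script or either post: a small Python model of first-match evaluation for the INPUT chain in the script above, replaying the -I/-A order the script loads its rules in, so a rule set can be checked for the ssh lockout Jimmy describes before it is loaded over an ssh session. SERVICES is a constructed subset of /etc/services, and INPUT_RULES are Dan's INPUT lines transcribed with the current "! -i" negation syntax.

```python
# Constructed subset of /etc/services for the names the script uses
SERVICES = {"ssh": 22, "http": 80, "https": 443, "domain": 53, "bootps": 67}
def parse(cmd):
    # 'iptables -A|-I CHAIN [n] ...' -> (insert slot, or None for -A; rule dict)
    toks, rule, pos, negate = cmd.split()[1:], {"target": "ACCEPT"}, None, False
    while toks:
        t = toks.pop(0)
        if t == "!":
            negate = True                                 # applies to the next option
        elif t in ("-A", "-I"):
            toks.pop(0)                                   # chain name
            if t == "-I":
                pos = int(toks.pop(0)) if toks and toks[0].isdigit() else 1
        elif t == "-i":
            rule["iface"], rule["iface_neg"], negate = toks.pop(0), negate, False
        elif t in ("-p", "-j"):                           # protocol / target
            rule[{"-p": "proto", "-j": "target"}[t]] = toks.pop(0)
        elif t == "--dport":
            rule["dport"] = int(v) if (v := toks.pop(0)).isdigit() else SERVICES[v]
        else:
            raise ValueError("unsupported option: " + t)
    return pos, rule

def matches(r, iface, proto, dport):
    iface_ok = "iface" not in r or (iface == r["iface"]) != r["iface_neg"]
    return iface_ok and r.get("proto", proto).lower() == proto and r.get("dport", dport) == dport

def build_chain(cmds):
    chain = []                    # -A appends, -I inserts at its 1-based slot
    for pos, rule in map(parse, cmds):
        chain.append(rule) if pos is None else chain.insert(pos - 1, rule)
    return chain

def verdict(chain, iface, proto, dport, policy="ACCEPT"):
    # first matching rule decides; with no match the chain policy applies
    return next((r["target"] for r in chain if matches(r, iface, proto, dport)), policy)

INPUT_RULES = [  # the script's INPUT rules, in the order it runs them
    "iptables -I INPUT 1 -i br0 -j ACCEPT",
    "iptables -I INPUT 1 -i lo -j ACCEPT",
    "iptables -A INPUT -p UDP --dport bootps ! -i br0 -j REJECT",
    "iptables -A INPUT -p UDP --dport domain ! -i br0 -j REJECT",
    "iptables -A INPUT -p TCP --dport ssh -i eth0 -j ACCEPT",
    "iptables -A INPUT -p TCP --dport http -i eth0 -j ACCEPT",
    "iptables -A INPUT -p TCP --dport https -i eth0 -j ACCEPT",
]

def ssh_reachable(cmds, wan="eth0"):
    # lockout check: run it on a rule set before loading it over ssh
    return verdict(build_chain(cmds), wan, "tcp", 22) == "ACCEPT"
```

Because the script's INPUT policy is ACCEPT, anything from eth0 that no REJECT rule names (TCP 8080, say) is still accepted; conversely, a DROP inserted at position 1 lands ahead of the ssh ACCEPT and ssh_reachable() reports the lockout.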