Gentoo Forums
iptables rules for VM host to access internet?
Forum: Networking & Security
Wizumwalt (Guru; joined 20 Aug 2006; 547 posts)
Posted: Fri Dec 08, 2023 1:55 am    Post subject: iptables rules for VM host to access internet?

If I try to do an 'emerge-webrsync' from a guest VM, I can't get out, but when I shut down iptables on my host, the guest VM is able to update. I'm guessing the fetching of packages uses another port as it then hangs again.

Anyone know what rules I need to add to iptables on my host to allow the VMs access to the internet?
Hu (Moderator; joined 06 Mar 2007; 21635 posts)
Posted: Fri Dec 08, 2023 3:34 pm

webrsync implies to me that this would be done over http or https. However, the definitive test would be to enable logging of denied traffic, run the attempt, and check what the logs show the guest actually needed. What are your current rules?
Wizumwalt (Guru; joined 20 Aug 2006; 547 posts)
Posted: Fri Dec 08, 2023 8:16 pm

My current rules, after enabling logs, are ...

Code:
$ sudo iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
LOG        all  --  anywhere             anywhere             LOG level warn

Chain FORWARD (policy DROP)
target     prot opt source               destination
DOCKER-USER  all  --  anywhere             anywhere
DOCKER-ISOLATION-STAGE-1  all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
DOCKER     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain DOCKER (1 references)
target     prot opt source               destination

Chain DOCKER-ISOLATION-STAGE-1 (1 references)
target     prot opt source               destination
DOCKER-ISOLATION-STAGE-2  all  --  anywhere             anywhere
RETURN     all  --  anywhere             anywhere

Chain DOCKER-ISOLATION-STAGE-2 (1 references)
target     prot opt source               destination
DROP       all  --  anywhere             anywhere
RETURN     all  --  anywhere             anywhere

Chain DOCKER-USER (1 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere


Although I'm only guessing the rule is correct, as it's INPUT. I tailed /var/log/kern.log and reran my emerge -uDN @world from the VM and get a bunch of recurring output like this in the logs ...

Code:
Dec  8 14:09:52 Romans kernel: IN=br0 OUT= PHYSIN=eno1 MAC=0e:de:ce:26:77:06:60:38:e0:c0:b5:90:08:00 SRC=192.0.73.2 DST=192.168.120.10 LEN=1366 TOS=0x00 PREC=0x00 TTL=63 ID=41435 DF PROTO=TCP SPT=443 DPT=39316 WINDOW=251 RES=0x00 ACK URGP=0
Dec  8 14:09:52 Romans kernel: IN=br0 OUT= PHYSIN=eno1 MAC=0e:de:ce:26:77:06:60:38:e0:c0:b5:90:08:00 SRC=192.0.73.2 DST=192.168.120.10 LEN=1366 TOS=0x00 PREC=0x00 TTL=63 ID=41436 DF PROTO=TCP SPT=443 DPT=39316 WINDOW=251 RES=0x00 ACK URGP=0
Dec  8 14:09:52 Romans kernel: IN=br0 OUT= PHYSIN=eno1 MAC=0e:de:ce:26:77:06:60:38:e0:c0:b5:90:08:00 SRC=192.0.73.2 DST=192.168.120.10 LEN=1221 TOS=0x00 PREC=0x00 TTL=63 ID=41437 DF PROTO=TCP SPT=443 DPT=39316 WINDOW=251 RES=0x00 ACK URGP=0
Dec  8 14:09:52 Romans kernel: IN=br0 OUT= PHYSIN=eno1 MAC=0e:de:ce:26:77:06:60:38:e0:c0:b5:90:08:00 SRC=192.0.73.2 DST=192.168.120.10 LEN=1366 TOS=0x00 PREC=0x00 TTL=63 ID=41438 DF PROTO=TCP SPT=443 DPT=39316 WINDOW=251 RES=0x00 ACK URGP=0
Dec  8 14:09:52 Romans kernel: IN=br0 OUT= PHYSIN=eno1 MAC=0e:de:ce:26:77:06:60:38:e0:c0:b5:90:08:00 SRC=192.0.73.2 DST=192.168.120.10 LEN=1366 TOS=0x00 PREC=0x00 TTL=63 ID=41439 DF PROTO=TCP SPT=443 DPT=39316 WINDOW=251 RES=0x00 ACK PSH URGP=0


I see 443; does this mean HTTPS is being blocked? I haven't found a good reference for reading these correctly.
Hu (Moderator; joined 06 Mar 2007; 21635 posts)
Posted: Fri Dec 08, 2023 8:40 pm

Please use iptables-save -c for showing rules, because iptables -L omits many details that can be relevant.

Forwarding traffic from the VM to the Internet would go through FORWARD, not INPUT, so the default policy of DROP on FORWARD is probably why this fails. It's possible one of those ACCEPT rules could apply, but since your output does not show interface names (the way iptables-save would), we cannot tell.

Yes, those logs indicate something is trying to connect from eno1 to your machine over HTTPS. eno1 is usually one of the udev Predictable Network Interface Names for your Ethernet card, so that is probably a machine on your LAN, not the VM. Since you have no rules to LOG traffic traversing the FORWARD chain, we cannot see what the VM is trying.
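Decoding those LOG lines, as an added example that is not part of the thread: each KEY=value field is a header of the packet as netfilter saw it. IN and OUT are the interfaces iptables matched with -i and -o; an empty OUT means the packet was addressed to the host and was logged from INPUT, while IN and OUT both set means FORWARD. When both are the same bridge (br0), the frame was bridged between two ports of br0 and only reached iptables because br_netfilter (net.bridge.bridge-nf-call-iptables) is on; PHYSIN then names the actual bridge port the frame came in on, which is what -m physdev matches. Note also that LOG is non-terminating: with INPUT policy ACCEPT, the first sample (SPT=443 replies to the host's own port 39316) was logged and then accepted, not blocked. The shell below parses the lines, works out the chain, and summarises what a guest behind a given bridge port tried to reach; the three sample lines are constructed to match the shape of the ones posted.

```shell
#!/bin/sh
# Added example (not from the thread): decode netfilter LOG lines and
# summarise what a bridged guest tried to reach. Assumes the lines come
# from the filter table's INPUT/FORWARD chains, as in the posts above.

# Print the value of the KEY=value field $1 in LOG line $2 (empty if absent).
# The first match wins, so the IP-header LEN= is returned, not the UDP LEN=.
nf_field() {
    printf '%s\n' "$2" | tr ' ' '\n' | sed -n "s/^$1=//p" | head -n 1
}

# Classify one LOG line: which chain logged it and whether it was bridged.
#   IN set, OUT empty      -> INPUT   (packet addressed to the host itself)
#   IN empty, OUT set      -> OUTPUT  (packet generated by the host)
#   IN and OUT both set    -> FORWARD (packet passing through the host)
#   IN == OUT == a bridge  -> bridged frame seen via br_netfilter; PHYSIN
#                             names the real bridge port (tap0, eno1, ...)
nf_classify() {
    line=$1
    ifin=$(nf_field IN "$line")
    ifout=$(nf_field OUT "$line")
    physin=$(nf_field PHYSIN "$line")
    if [ -n "$ifin" ] && [ -n "$ifout" ]; then
        chain=FORWARD
        if [ "$ifin" = "$ifout" ]; then kind=bridged; else kind=routed; fi
    elif [ -n "$ifin" ]; then
        chain=INPUT; kind=host-bound
    else
        chain=OUTPUT; kind=host-originated
    fi
    printf 'chain=%s kind=%s physin=%s src=%s dst=%s proto=%s dport=%s\n' \
        "$chain" "$kind" "$physin" \
        "$(nf_field SRC "$line")" "$(nf_field DST "$line")" \
        "$(nf_field PROTO "$line")" "$(nf_field DPT "$line")"
}

# Read LOG lines on stdin and list the unique proto/port -> destination pairs
# that the guest behind bridge port $1 (PHYSIN) tried to open through FORWARD.
nf_guest_needs() {
    port=$1
    while IFS= read -r line; do
        case $line in
            *" PHYSIN=$port "*) nf_classify "$line" ;;
        esac
    done | sed -n 's/^chain=FORWARD .* dst=\([^ ]*\) proto=\([^ ]*\) dport=\([^ ]*\)$/\2\/\3 to \1/p' | sort -u
}

# Constructed sample lines, same shape as the ones posted in the thread.
SAMPLE_HOST='Dec  8 14:09:52 Romans kernel: IN=br0 OUT= PHYSIN=eno1 MAC=0e:de:ce:26:77:06:60:38:e0:c0:b5:90:08:00 SRC=192.0.73.2 DST=192.168.120.10 LEN=1366 TOS=0x00 PREC=0x00 TTL=63 ID=41435 DF PROTO=TCP SPT=443 DPT=39316 WINDOW=251 RES=0x00 ACK URGP=0'
SAMPLE_GUEST_1='Dec  8 14:59:15 Romans kernel: IN=br0 OUT=br0 PHYSIN=tap0 MAC=0e:de:ce:26:77:06:52:54:00:12:34:60:08:00 SRC=192.168.120.20 DST=8.8.4.4 LEN=68 TOS=0x00 PREC=0x00 TTL=63 ID=75 DF PROTO=UDP SPT=45128 DPT=53 LEN=48'
SAMPLE_GUEST_2='Dec  8 14:59:18 Romans kernel: IN=br0 OUT=br0 PHYSIN=tap0 MAC=0e:de:ce:26:77:06:52:54:00:12:34:60:08:00 SRC=192.168.120.20 DST=8.8.8.8 LEN=68 TOS=0x00 PREC=0x00 TTL=63 ID=18078 DF PROTO=UDP SPT=41741 DPT=53 LEN=48'

nf_classify "$SAMPLE_HOST"
nf_classify "$SAMPLE_GUEST_1"
printf '%s\n%s\n%s\n' "$SAMPLE_HOST" "$SAMPLE_GUEST_1" "$SAMPLE_GUEST_2" | nf_guest_needs tap0
```

Against the real log, after sourcing the file: `nf_guest_needs tap0 < /var/log/kern.log` prints one line per protocol/port/destination the guest attempted, which is the list Hu asked for before writing any ACCEPT rule.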
Wizumwalt (Guru; joined 20 Aug 2006; 547 posts)
Posted: Fri Dec 08, 2023 9:01 pm

Here's the new listing ...

Code:
$ sudo iptables-save -c
# Generated by iptables-save v1.8.9 on Fri Dec  8 14:58:49 2023
*filter
:INPUT ACCEPT [1399:377863]
:FORWARD DROP [6:372]
:OUTPUT ACCEPT [1494:300614]
:DOCKER - [0:0]
:DOCKER-ISOLATION-STAGE-1 - [0:0]
:DOCKER-ISOLATION-STAGE-2 - [0:0]
:DOCKER-USER - [0:0]
[308:19616] -A FORWARD -j DOCKER-USER
[308:19616] -A FORWARD -j DOCKER-ISOLATION-STAGE-1
[0:0] -A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
[0:0] -A FORWARD -o docker0 -j DOCKER
[0:0] -A FORWARD -i docker0 ! -o docker0 -j ACCEPT
[0:0] -A FORWARD -i docker0 -o docker0 -j ACCEPT
[0:0] -A FORWARD -o tap0 -m state --state RELATED,ESTABLISHED -j ACCEPT
[0:0] -A FORWARD -i tap0 -j ACCEPT
[6:372] -A FORWARD -j LOG
[0:0] -A DOCKER-ISOLATION-STAGE-1 -i docker0 ! -o docker0 -j DOCKER-ISOLATION-STAGE-2
[308:19616] -A DOCKER-ISOLATION-STAGE-1 -j RETURN
[0:0] -A DOCKER-ISOLATION-STAGE-2 -o docker0 -j DROP
[0:0] -A DOCKER-ISOLATION-STAGE-2 -j RETURN
[368657:342851908] -A DOCKER-USER -j RETURN
COMMIT
# Completed on Fri Dec  8 14:58:49 2023
# Generated by iptables-save v1.8.9 on Fri Dec  8 14:58:49 2023
*nat
:PREROUTING ACCEPT [111:6788]
:INPUT ACCEPT [21:1280]
:OUTPUT ACCEPT [4040:1143187]
:POSTROUTING ACCEPT [4040:1143187]
:DOCKER - [0:0]
[216:42914] -A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
[71:19544] -A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
[0:0] -A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
[0:0] -A DOCKER -i docker0 -j RETURN
COMMIT
# Completed on Fri Dec  8 14:58:49 2023
# Generated by iptables-save v1.8.9 on Fri Dec  8 14:58:49 2023
*mangle
:PREROUTING ACCEPT [583950:658286465]
:INPUT ACCEPT [583860:658280957]
:FORWARD ACCEPT [90:5508]
:OUTPUT ACCEPT [323718:34849022]
:POSTROUTING ACCEPT [323708:34848115]
COMMIT
# Completed on Fri Dec  8 14:58:49 2023


And here's the attempt ...

Code:
Dec  8 14:59:15 Romans kernel: IN=br0 OUT=br0 PHYSIN=tap0 MAC=0e:de:ce:26:77:06:52:54:00:12:34:60:08:00 SRC=192.168.120.20 DST=8.8.4.4 LEN=68 TOS=0x00 PREC=0x00 TTL=63 ID=75 DF PROTO=UDP SPT=45128 DPT=53 LEN=48
Dec  8 14:59:15 Romans kernel: IN=br0 OUT=br0 PHYSIN=tap0 MAC=0e:de:ce:26:77:06:52:54:00:12:34:60:08:00 SRC=192.168.120.20 DST=8.8.4.4 LEN=68 TOS=0x00 PREC=0x00 TTL=63 ID=76 DF PROTO=UDP SPT=45128 DPT=53 LEN=48
Dec  8 14:59:18 Romans kernel: IN=br0 OUT=br0 PHYSIN=tap0 MAC=0e:de:ce:26:77:06:52:54:00:12:34:60:08:00 SRC=192.168.120.20 DST=8.8.8.8 LEN=68 TOS=0x00 PREC=0x00 TTL=63 ID=18078 DF PROTO=UDP SPT=41741 DPT=53 LEN=48
Dec  8 14:59:18 Romans kernel: IN=br0 OUT=br0 PHYSIN=tap0 MAC=0e:de:ce:26:77:06:52:54:00:12:34:60:08:00 SRC=192.168.120.20 DST=8.8.8.8 LEN=68 TOS=0x00 PREC=0x00 TTL=63 ID=18079 DF PROTO=UDP SPT=41741 DPT=53 LEN=48
Hu (Moderator; joined 06 Mar 2007; 21635 posts)
Posted: Fri Dec 08, 2023 9:25 pm

Your guest is attempting to use DNS, but you have no rules to permit it. I also see nothing to permit https for the guest.
Scorf (n00b; joined 09 Dec 2023; 2 posts; Location: Netherlands)
Posted: Sat Dec 09, 2023 3:13 pm

Your VM has 192.168.120.10 while you are masquerading 172.17.0.0/16.
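Putting the thread's findings together, as an added example that is not from any of the posters: the guest's packets reach iptables as IN=br0 OUT=br0 PHYSIN=tap0, so the two existing FORWARD rules that match -i tap0 and -o tap0 never fire (their counters are [0:0]) and everything falls through to the LOG rule and the DROP policy. Bridged traffic has to be matched on the bridge port with -m physdev. Because the frames are bridged rather than routed, the guest keeps its own LAN address (192.168.120.20) and the upstream router does the NAT; the MASQUERADE rule for 172.17.0.0/16 is Docker's and is not on this path, so no host-side NAT rule is needed. The script below assumes the interface names from the posts (br0, tap0), restricts the guest to DNS and HTTP/HTTPS (enough for emerge-webrsync and distfile fetches from http(s) mirrors; an rsync mirror would additionally need tcp/873), and keeps a rate-limited, prefixed LOG for whatever is still denied. IPT is a variable so the commands can be previewed without root.

```shell
#!/bin/sh
# Added example (not from the thread): FORWARD rules that let a bridged guest
# out for DNS and HTTP(S) only, matched on its bridge port with -m physdev.
# Assumptions: bridge br0 and guest port tap0 as in the posts; xt_physdev and
# br_netfilter available (they must be, since the guest's frames already show
# up in the FORWARD LOG lines with IN=br0 OUT=br0 PHYSIN=tap0).
# IPT is overridable so the rules can be previewed without root.
IPT=${IPT:-iptables}

vm_forward_rules() {
    bridge=$1   # e.g. br0
    vmport=$2   # e.g. tap0

    # 1. Replies to connections the guest opened. Inserted at the top so they
    #    are accepted before Docker's chains and before the final LOG rule.
    $IPT -I FORWARD 1 -i "$bridge" -o "$bridge" \
        -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

    # 2. New connections from the guest, matched on the bridge *port* rather
    #    than with -i tap0, which never matches bridged frames (counters [0:0]).
    $IPT -I FORWARD 2 -i "$bridge" -o "$bridge" -m physdev --physdev-in "$vmport" \
        -m conntrack --ctstate NEW -p udp --dport 53 -j ACCEPT
    $IPT -I FORWARD 3 -i "$bridge" -o "$bridge" -m physdev --physdev-in "$vmport" \
        -m conntrack --ctstate NEW -p tcp --dport 53 -j ACCEPT
    $IPT -I FORWARD 4 -i "$bridge" -o "$bridge" -m physdev --physdev-in "$vmport" \
        -m conntrack --ctstate NEW -p tcp -m multiport --dports 80,443 -j ACCEPT

    # 3. Anything else the guest tries still hits LOG and the DROP policy;
    #    a prefix and a rate limit keep kern.log readable and greppable.
    $IPT -A FORWARD -m physdev --physdev-in "$vmport" \
        -m limit --limit 5/min -j LOG --log-prefix "FWD-DROP $vmport: "
}

# Dry run by default: print the commands. Run as "sh thisfile apply" (as root)
# to install them.
case ${1:-dry-run} in
    apply)   vm_forward_rules br0 tap0 ;;
    dry-run) IPT="echo iptables"; vm_forward_rules br0 tap0 ;;
esac
```

Saved as, say, vm-forward.sh (name assumed), `sh vm-forward.sh` prints the five commands and `sh vm-forward.sh apply` installs them. The old unprefixed `-A FORWARD -j LOG` rule can then be dropped with `iptables -D FORWARD -j LOG`, and on Gentoo `rc-service iptables save` persists the result. Docker re-inserts its FORWARD jumps at position 1 when it restarts, which pushes these rules below DOCKER-USER and DOCKER-ISOLATION-STAGE-1; both chains RETURN for non-docker0 traffic, so the guest rules still apply. The other option is net.bridge.bridge-nf-call-iptables=0, which stops bridged frames from reaching iptables at all, but then the host cannot filter the guest either.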