[ubuntu] Getting forwarding and iptables under control



flabdablet
August 25th, 2009, 05:14 AM
Hello all.

I'm setting up a new Jaunty server that I intend to use as a host for assorted VMs. It has four ethernet interfaces, and I need to set up some fairly specific iptables rules to manage traffic flows between those and eventually between those and assorted virtual interfaces.

Because my rules are probably *not* going to be uncomplicated, I'd rather use iptables directly than ufw. Also, I'd rather all the iptables rules were in place before forwarding gets enabled, and I'd rather there was *one* place in my system where *all* iptables rule definitions happened. So:

1. Where is the right place to define iptables rules in Jaunty Server? Do I need to write a script and hook it into /etc/rcS.d, or is there already one defined whose rule set I can just edit?

2. How can I find out which of the various initscripts is the one currently setting /proc/sys/net/ipv4/ip_forward to 1? *Something* is doing that, even though the net.ipv4.ip_forward=1 line in /etc/sysctl.conf is still commented out.

3. How can I find out which of the various initscripts is the one currently defining the existing iptables rules - these?

vmadmin@vmhost:/etc$ sudo iptables-save
# Generated by iptables-save v1.4.1.1 on Tue Aug 25 14:10:15 2009
*nat
:PREROUTING ACCEPT [3710:444274]
:POSTROUTING ACCEPT [490:35409]
:OUTPUT ACCEPT [490:35409]
-A POSTROUTING -s 192.168.122.0/24 -d ! 192.168.122.0/24 -j MASQUERADE
COMMIT
# Completed on Tue Aug 25 14:10:15 2009
# Generated by iptables-save v1.4.1.1 on Tue Aug 25 14:10:15 2009
*filter
:INPUT ACCEPT [19264:11283457]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [11519:1218374]
-A INPUT -i virbr0 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i virbr0 -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -i virbr0 -p udp -m udp --dport 67 -j ACCEPT
-A INPUT -i virbr0 -p tcp -m tcp --dport 67 -j ACCEPT
-A FORWARD -d 192.168.122.0/24 -o virbr0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 192.168.122.0/24 -i virbr0 -j ACCEPT
-A FORWARD -i virbr0 -o virbr0 -j ACCEPT
-A FORWARD -o virbr0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i virbr0 -j REJECT --reject-with icmp-port-unreachable
COMMIT
# Completed on Tue Aug 25 14:10:15 2009
vmadmin@vmhost:/etc$
I don't like the default ACCEPT policy that whatever it is is using, and I'd rather know what's doing this than try to fight an unseen enemy :)
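Added example, not from the original post or from Ubuntu's own scripts: a POSIX shell script that audits an iptables-save dump for built-in chains left at policy ACCEPT (the concern above), emits a filter table with DROP defaults that keeps the libvirt-style virbr0 rules shown, and loads the whole table before forwarding is switched on. The sample dump is constructed to match the post's output, the hardened table is a suggestion, and the rules-file path passed to apply_then_forward is assumed.

```shell
#!/bin/sh
# Added example: audit an iptables-save dump for chains at policy ACCEPT,
# emit a filter table with DROP defaults, and load rules before enabling
# forwarding. Only apply_then_forward needs root; the rest is plain awk.
# Constructed sample, same shape as the iptables-save output in the post.
SAMPLE_DUMP='*nat
:POSTROUTING ACCEPT [490:35409]
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [19264:11283457]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [11519:1218374]
-A FORWARD -i virbr0 -j REJECT --reject-with icmp-port-unreachable
COMMIT'

# Read a dump on stdin; print "table chain policy" for every built-in chain.
chain_policies() {
    awk '/^\*/ { table = substr($1, 2); next }
         /^:/  { printf "%s %s %s\n", table, substr($1, 2), $2 }'
}

# Same, but only the chains whose default policy is ACCEPT.
accept_policies() {
    chain_policies | awk '$3 == "ACCEPT"'
}

# Filter table in iptables-restore format: DROP by default for traffic the
# host receives or forwards, explicit ACCEPTs for what the VM network needs.
hardened_filter_table() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i virbr0 -p udp --dport 53 -j ACCEPT
-A INPUT -i virbr0 -p udp --dport 67 -j ACCEPT
-A FORWARD -d 192.168.122.0/24 -o virbr0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 192.168.122.0/24 -i virbr0 -j ACCEPT
COMMIT
EOF
}

# Load the table atomically, then enable forwarding: no window with
# forwarding on and FORWARD still at ACCEPT. $1: assumed rules-file path.
apply_then_forward() {
    iptables-restore < "$1" || return 1
    sysctl -w net.ipv4.ip_forward=1
}
```

Running `sudo iptables-save | accept_policies` on the live box lists exactly the chains whose policy is still ACCEPT, which is the first thing to check after whichever script sets these rules has been found.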