Originally Posted by Doug S
In the end, I suspect you will want to achieve your objective via the Ubuntu server IP address rather than MAC addresses, i.e., drop packets to or from the Ubuntu server IP address and allow packets to or from the bridged IP address for "WAN".
If I can, my objective is to block internet access for the Ubuntu server on interface enp1s0 no matter what method is used (MAC, IP, etc.).
Originally Posted by SeijiSensei
Can you even see the VM from the Internet? It has no public addresses. Are you forwarding traffic from outside the Internet back to the VM on specific ports?
Yes, I see the VM from the internet. It has the public address 46.xxx.xxx.xxx. I do not use forwarding.
Originally Posted by SeijiSensei
Install the program nmap on a machine outside your home. Perhaps you have a laptop you can take to some external location. Use nmap to scan the Internet-facing address of your router. What does it see?
My router/firewall is IPFire running as a VM on the Ubuntu server. As I expected, I see port 222 open (opened by myself):
Code:
Starting Nmap 7.60 ( https://nmap.org ) at 2017-12-08 11:55
NSE: Loaded 146 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 11:55
Completed NSE at 11:55, 0.00s elapsed
Initiating NSE at 11:55
Completed NSE at 11:55, 0.00s elapsed
Initiating Ping Scan at 11:55
Scanning 46.xxx.xxx.xxx [4 ports]
Completed Ping Scan at 11:56, 3.92s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 11:56
Completed Parallel DNS resolution of 1 host. at 11:56, 6.08s elapsed
Initiating SYN Stealth Scan at 11:56
Scanning host-46-xxx-xxx-xxx.aaabbbccc.net (46.xxx.xxx.xxx) [1000 ports]
SYN Stealth Scan Timing: About 13.50% done; ETC: 12:00 (0:03:19 remaining)
Discovered open port 222/tcp on 46.xxx.xxx.xxx
SYN Stealth Scan Timing: About 28.55% done; ETC: 11:59 (0:02:33 remaining)
Completed SYN Stealth Scan at 11:57, 72.98s elapsed (1000 total ports)
Initiating Service scan at 11:57
Scanning 1 service on host-46-xxx-xxx-xxx.aaabbbccc.net (46.xxx.xxx.xxx)
Completed Service scan at 11:57, 0.19s elapsed (1 service on 1 host)
Initiating OS detection (try #1) against host-46-xxx-xxx-xxx.aaabbbccc.net (46.xxx.xxx.xxx)
Retrying OS detection (try #2) against host-46-xxx-xxx-xxx.aaabbbccc.net (46.xxx.xxx.xxx)
Initiating Traceroute at 11:57
Completed Traceroute at 11:57, 3.04s elapsed
Initiating Parallel DNS resolution of 9 hosts. at 11:57
Completed Parallel DNS resolution of 9 hosts. at 11:57, 5.63s elapsed
NSE: Script scanning 46.xxx.xxx.xxx.
Initiating NSE at 11:57
Completed NSE at 11:57, 4.73s elapsed
Initiating NSE at 11:57
Completed NSE at 11:57, 0.00s elapsed
Nmap scan report for host-46-xxx-xxx-xxx.aaabbbccc.net (46.xxx.xxx.xxx)
Host is up (0.090s latency).
Not shown: 999 filtered ports
PORT STATE SERVICE VERSION
222/tcp open ssh OpenSSH 7.4 (protocol 2.0)
| ssh-hostkey:
| 2048 3d:47:de:xx:dc:8c:3b:3a:08:3f:63:xx:ad:bf:0a:94 (RSA)
| 256 5f:25:05:xx:c9:6e:4e:e1:e6:62:35:4f:9a:11:cf:fd (ECDSA)
|_ 256 2d:4e:21:51:31:7e:xx:11:c9:c4:28:xx:6c:74:64:50 (EdDSA)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
OS fingerprint not ideal because: Missing a closed TCP port so results incomplete
No OS matches for host
Uptime guess: 0.003 days (since Fri Dec 08 11:53:06 2017)
Network Distance: 10 hops
TCP Sequence Prediction: Difficulty=248 (Good luck!)
IP ID Sequence Generation: All zeros
TRACEROUTE (using port 222/tcp)
HOP RTT ADDRESS
1 0.00 ms 192.168.42.129
.
.
.
.
.
.
.
.
10 156.00 ms host-46-xxx-xxx-xxx.aaabbbccc.net (46.xxx.xxx.xxx)
NSE: Script Post-scanning.
Initiating NSE at 11:57
Completed NSE at 11:57, 0.02s elapsed
Initiating NSE at 11:57
Completed NSE at 11:57, 0.00s elapsed
Read data files from: C:\Program Files (x86)\Nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 125.24 seconds
Raw packets sent: 2086 (95.276KB) | Rcvd: 83 (4.824KB)
Originally Posted by SeijiSensei
Do you understand that traffic for 192.168.0.0/16 is not routed over the Internet but reserved for private networks?
Originally Posted by SeijiSensei
Most routers block all inbound traffic. Where do you see the risk?
My ISP does not provide network protection, so I have to protect my network myself. To do that I installed the IPFire firewall/router. For me, connecting Ubuntu directly to the internet is dangerous. I would like Ubuntu to be a LAN host (behind the firewall and NAT) and serve other hosts.
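SeijiSensei's advice above is to scan the router's public address from outside and look at what is actually exposed. The check below is an added example (not code from the thread or from IPFire): it parses nmap's normal, human-readable output, compares the open ports against the set you intended to expose, and reads the "Not shown: N filtered ports" line, which is the evidence that something in front of the host is dropping packets rather than the host answering for itself. The sample scan embedded in it is constructed from the lines of the scan posted above (address masked as in the post); the allowed-port set is an assumption for this example.

```python
"""Check an external nmap scan against the ports you meant to expose.

Added example for this thread, not the poster's or IPFire's own code.
Input is nmap's normal output (what `nmap ... -oN scan.txt` writes),
which is the format pasted in the post above.
"""
import re
from dataclasses import dataclass

# Constructed sample: the relevant lines of the scan posted in the thread.
SAMPLE_SCAN = """\
Nmap scan report for host-46-xxx-xxx-xxx.aaabbbccc.net (46.xxx.xxx.xxx)
Host is up (0.090s latency).
Not shown: 999 filtered ports
PORT    STATE SERVICE VERSION
222/tcp open  ssh     OpenSSH 7.4 (protocol 2.0)
| ssh-hostkey:
|   2048 3d:47:de:xx:dc:8c:3b:3a:08:3f:63:xx:ad:bf:0a:94 (RSA)
|_  256 2d:4e:21:51:31:7e:xx:11:c9:c4:28:xx:6c:74:64:50 (EdDSA)
Nmap done: 1 IP address (1 host up) scanned in 125.24 seconds
"""

# One row of nmap's port table: "<port>/<proto> <state> <service> [version]".
PORT_LINE = re.compile(
    r"^(\d+)/(tcp|udp)\s+"
    r"(open\|filtered|closed\|filtered|open|closed|filtered|unfiltered)\s+"
    r"(\S+)(?:\s+(.*))?$"
)
# Summary of the ports nmap did not list individually.
NOT_SHOWN = re.compile(r"^Not shown: (\d+) (\w+) ports")


@dataclass(frozen=True)
class PortEntry:
    port: int
    proto: str
    state: str
    service: str
    version: str


def parse_nmap_normal(text):
    """Return (list of PortEntry, (count, state) from 'Not shown' or None)."""
    entries = []
    not_shown = None
    for raw in text.splitlines():
        line = raw.strip()
        m = PORT_LINE.match(line)
        if m:
            entries.append(PortEntry(int(m.group(1)), m.group(2), m.group(3),
                                     m.group(4), (m.group(5) or "").strip()))
            continue
        m = NOT_SHOWN.match(line)
        if m:
            not_shown = (int(m.group(1)), m.group(2))
    return entries, not_shown


def unexpected_exposure(text, allowed):
    """(port, proto) pairs nmap reports open that are not in `allowed`."""
    entries, _ = parse_nmap_normal(text)
    return sorted((e.port, e.proto) for e in entries
                  if e.state.startswith("open") and (e.port, e.proto) not in allowed)


def default_posture(text):
    """State of the unlisted ports: 'filtered' means probes were dropped
    (a firewall in front of the host); 'closed' means the host itself
    answered with RST, i.e. it is reachable directly and only its own
    listeners decide what is exposed."""
    _, not_shown = parse_nmap_normal(text)
    return not_shown[1] if not_shown else "unknown"


if __name__ == "__main__":
    # Assumed intent for this example: only the SSH forward on 222/tcp is meant to be open.
    ALLOWED = {(222, "tcp")}
    print("default posture:", default_posture(SAMPLE_SCAN))
    print("unexpected open ports:", unexpected_exposure(SAMPLE_SCAN, ALLOWED))
```

To use it on a real scan, run something like `nmap -sV 46.xxx.xxx.xxx -oN scan.txt` from a machine outside your network and pass the file contents to `unexpected_exposure`. If the "Not shown" line ever reads `closed` instead of `filtered`, the scanner is reaching the host's TCP stack directly, which is exactly the exposure the thread is trying to avoid.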