
I have a virtual machine that works as a gateway for other virtual machines.

The configuration of the interfaces is the following:

UBUNTU:

  eth0:
    ip: 10.0.2.2
    netmask: 255.255.255.255
    gateway: 10.0.2.2

  eth1:
    ip: 192.168.1.1
    bcast: 192.168.1.255
    netmask: 255.255.255.0

I would like to close all the ports and to surf the internet only through the gateway.

Without rules it works perfectly, but with the current firewall configuration iptables blocks the connection.

iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP

echo 1 > /proc/sys/net/ipv4/ip_forward

iptables -A OUTPUT -o eth0 -p tcp --dport 80 -m state -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --sport 80 -m state -j ACCEPT

iptables -A FORWARD -i eth1 -j ACCEPT
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

# ..... other rules for the other connected VMs

Danilo

1 Answer


Is there a rule that allows ESTABLISHED,RELATED connections to pass through?

See this example:


Allowing Established Sessions

We can allow established sessions to receive traffic:

sudo iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

The above rule has no spaces either side of the comma in ESTABLISHED,RELATED 

If the line above doesn't work, you may be on a castrated VPS whose provider has not made available the extension, in which case an inferior version can be used as last resort:

sudo iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

Source: Ubuntu Wiki

EDIT:

I see that you forgot to allow DNS in your ruleset?

Andrius
  • I tried both commands but it still doesn't work. I don't think it could be the DNS ruleset, because when I use an external IP instead of the domain name the result is the same. – Danilo Feb 20 '14 at 14:18
  • What do you get when you do cat /var/log/messages | grep iptables? And why is the gateway of eth0 the same as its IP? – Andrius Feb 20 '14 at 14:38
  • It returns an empty string. If I launch netstat -tcp while a browser tries to open a website (e.g. google), I get the following result: tcp 0 1 10.0.2.2:50356 74.125.232.159:http SYN_SENT – Danilo Feb 20 '14 at 15:01
  • Maybe a very dumb question from my side, but: can you ping an external server from the gateway? And is the gateway on the outgoing interface (eth0?) set properly? Because the gateway and netmask are on the same IP. – Andrius Feb 20 '14 at 15:14
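Pulling the answer's point together, here is an added example (my own script, not code from the question, the answer or the Ubuntu wiki) of a complete stateful ruleset for the layout in the question. It assumes the WAN side is eth0, the LAN is 192.168.1.0/24 on eth1, the gateway itself only needs DNS and HTTP/HTTPS outbound, and LAN hosts may open any outbound connection; all four are variables so they can be changed. It goes beyond the single rule in the answer: the ESTABLISHED,RELATED match is applied on INPUT, OUTPUT and FORWARD, new forwarding is allowed only from LAN to WAN, and drops are logged so the "grep iptables" check from the comments has something to show. Two details worth knowing: the question's own OUTPUT and INPUT rules pass -m state with no --state argument, which iptables rejects, so those two rules are never installed; and without an INPUT rule for return traffic the server's SYN-ACK is dropped, which is exactly the SYN_SENT state seen in the netstat output above.

```shell
#!/bin/sh
# Added example, not from the question or the answer: a stateful iptables gateway.
# Assumptions: WAN on eth0, LAN 192.168.1.0/24 on eth1 (both from the question);
# the gateway itself only opens DNS and HTTP/HTTPS; LAN hosts may open anything.
# DRY=echo prints every command instead of running it, so the ruleset can be
# reviewed without root:  DRY=echo sh gateway.sh apply
DRY="${DRY:-}"
WAN="${WAN:-eth0}"
LAN="${LAN:-eth1}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"

run() { $DRY "$@"; }

gateway_rules() {
    # Start from a clean, default-deny table set.
    run iptables -F
    run iptables -t nat -F
    run iptables -P INPUT DROP
    run iptables -P FORWARD DROP
    run iptables -P OUTPUT DROP

    # Loopback is needed by local resolvers and most daemons.
    run iptables -A INPUT -i lo -j ACCEPT
    run iptables -A OUTPUT -o lo -j ACCEPT

    # Stateful core: replies to connections the gateway or a LAN host opened are
    # accepted on every chain. Without the INPUT rule the SYN-ACK from a web
    # server is dropped and the client sits in SYN_SENT.
    run iptables -A INPUT   -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    run iptables -A OUTPUT  -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    run iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    run iptables -A INPUT   -m conntrack --ctstate INVALID -j DROP

    # New connections the gateway itself may open: DNS (UDP and TCP) and web.
    run iptables -A OUTPUT -o "$WAN" -p udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
    run iptables -A OUTPUT -o "$WAN" -p tcp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
    run iptables -A OUTPUT -o "$WAN" -p tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW -j ACCEPT

    # LAN hosts may open new connections towards the WAN. Nothing is forwarded
    # from the WAN into the LAN unless it belongs to one of those connections.
    run iptables -A FORWARD -i "$LAN" -o "$WAN" -s "$LAN_NET" -m conntrack --ctstate NEW -j ACCEPT
    run iptables -t nat -A POSTROUTING -o "$WAN" -s "$LAN_NET" -j MASQUERADE

    # Log (rate limited) what the default DROP policies are about to discard,
    # so "grep iptables" in the system log shows the blocked packet, not nothing.
    run iptables -A INPUT   -m limit --limit 5/min -j LOG --log-prefix "iptables INPUT drop: "
    run iptables -A FORWARD -m limit --limit 5/min -j LOG --log-prefix "iptables FORWARD drop: "
}

apply_gateway() {
    # Routing between eth1 and eth0 only happens with forwarding enabled.
    run sysctl -w net.ipv4.ip_forward=1
    gateway_rules
}

# Usage: "sh gateway.sh apply" as root installs the rules.
if [ "${1:-}" = apply ]; then
    apply_gateway
fi
```

Run it once with DRY=echo and read the printed rules before applying them for real; the order matters, because the ESTABLISHED,RELATED rules must come before the per-port NEW rules and before the LOG rules at the end of each chain.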