
I have three VirtualBox VMs.

1) Virtual machine VM-A that works as a router with two interfaces:

eth0 - 10.160.10.254

eth1 - 172.10.0.254

2) Virtual machine VM-B that works as an internal network with one interface:

eth0 - 10.160.10.1 (and with gw to 10.160.10.254)

3) Virtual machine VM-C that works as an external network with one interface:

eth0 172.10.0.1 (and with gw to 172.10.0.254)

I want to allow ssh connections to the router (VM-1) when originated from a server in the internal network, using iptables.

So in the router vbox I'm using these two commands below:

iptables -A INPUT -s 10.160.10.4 -d 10.160.10.254 -p udp --dport 22 -j ACCEPT

iptables -A INPUT -s 10.160.10.4 -d 10.160.10.254 -p tcp --dport 22 -j ACCEPT

To test if this is working I'm trying to use netcat.

In the internal network machine I'm using the nc -lu 22 command and in the external network machine I'm using the nc -u 193.160.10.4 22 command, but nothing is appearing.

Do you know what needs to appear and how to use netcat correctly to test the iptables rules?

codin

2 Answers


SSH uses TCP, not UDP. You use nc -u so you send UDP packets. Just try

nc -vz <ip> <port>

If you want to test your iptables rules that way, you should set the policy for the INPUT chain to DROP or REJECT. Take care that you allow tcp packets to port 22 from your source before. You can allow it from the IP of the specific machine, the whole subnet or the interface.

Example source ip:

iptables -A INPUT -s <source ip> -p tcp --dport 22 -j ACCEPT

Example source subnet (Accepts everything from 192.168.xxx.xxx):

iptables -A INPUT -s 192.168.0.0/16 -p tcp --dport 22 -j ACCEPT

Example source interface (accepts every packet coming through interface eth0):

iptables -A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT

Set policy for INPUT to DROP (the default action if none of the rules applies):

iptables -P INPUT DROP

Best regards

EDIT: And of course what David said, but I'm presuming some typos in the question, otherwise there won't be any working connection.

user350306
  • Thanks for your answer. That command nc -vz 192.160.10.4 22 is for the external machine, right? It shows nc: connect to 192.160.10.4 port 22 failed: No route to host – codin Apr 24 '16 at 12:35
  • Your whole setup seems messed up. Take a look at David's post. Your setup should have two subnets, each connected to the router and with one machine in it. If you need further help on the setup, I'll edit my post. – user350306 Apr 24 '16 at 12:38
  • I fixed the configuration typos, but the issue continues. The configuration as I have it in the question now seems OK, so I don't understand! – codin Apr 24 '16 at 12:42
  • @codin First of all, you should definitely use IP ranges that are reserved for private nets. See David's post. Also, setting IP addresses on interfaces in VMs isn't enough, you have to configure the virtual network. See [Virtualbox man](https://www.virtualbox.org/manual/ch06.html). If you have trouble with that pls open another question. – user350306 Apr 24 '16 at 12:53
  • Thanks. I changed now to private nets. And I have communications: I can ping the router from both networks, and in each network I can ping the router. So the communication must be working, right? – codin Apr 24 '16 at 13:51
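As an added example (not part of the answer above), the following script writes the router's INPUT ruleset in the order the answer recommends, ACCEPT rules first and the DROP policy last, and probes the result with netcat over TCP, since SSH is TCP. It assumes the question's topology (internal subnet 10.160.10.0/24 on the router's eth0). The loopback, conntrack and ICMP echo rules are additions a practitioner would want so that replies to the router's own outbound connections and the asker's ping tests keep working once the policy is DROP; nothing is applied unless the script is run as root with --apply.

```shell
#!/bin/sh
# Added example, not the answer's own code.  Assumed topology from the
# question: trusted internal subnet 10.160.10.0/24 on the router's eth0.

# Print the iptables commands in a safe order.  Nothing is executed here,
# so the output can be inspected first.  Usage: build_ruleset <cidr> <iface>
build_ruleset() {
  trusted_net=$1
  trusted_if=$2
  cat <<EOF
iptables -P INPUT ACCEPT
iptables -F INPUT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
iptables -A INPUT -i $trusted_if -s $trusted_net -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
iptables -P INPUT DROP
EOF
}
# Notes on the order above: the policy is reset to ACCEPT before flushing, so a
# flush over an existing SSH session cannot lock you out; the ACCEPT for port
# 22 is installed before the policy becomes DROP, as the answer says.

# Install the ruleset.  Refuses to run unless root, since iptables needs it.
apply_ruleset() {
  [ "$(id -u)" -eq 0 ] || { echo "apply_ruleset: must run as root" >&2; return 1; }
  build_ruleset "$@" | sh -e
}

# Probe a TCP port from the client side, as the answer suggests.  Exit 0 means
# nc completed the TCP handshake.  Behind a DROP policy the probe times out
# after -w seconds; behind REJECT it fails immediately.
probe_tcp() {
  nc -vz -w 3 "$1" "$2"
}

# Line number of the first generated command matching a pattern, used to
# check that the port-22 ACCEPT precedes the DROP policy.
# Usage: rule_line <pattern> <cidr> <iface>
rule_line() {
  build_ruleset "$2" "$3" | grep -n -- "$1" | head -n 1 | cut -d: -f1
}

# Print the ruleset by default; pass --apply to install it (root only).
if [ "${1:-}" = "--apply" ]; then
  apply_ruleset 10.160.10.0/24 eth0
else
  build_ruleset 10.160.10.0/24 eth0
fi
```

Run it on the router without arguments to review the commands, then with --apply as root. From VM-B, probe_tcp 10.160.10.254 22 should succeed; from VM-C the same probe should time out, which is what a DROP policy looks like from the client side. Running the probe with -u (UDP) proves nothing about SSH, because nc cannot tell an open UDP port from a filtered one.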

There are 2 parts to your problem:

Part 1 - Networking Configuration

The first thing is that you are using 3 subnets. I am presuming you are using them all as /24's: 10.160.10.0/24, 172.10.0.0/24, and 192.168.10.0/24

VM-A is configured for 10.160.10.0/24 and 172.10.0.0/24.

VM-B is configured for 192.168.10.0/24

VM-C is configured for 172.10.0.0/24.

With this IP address configuration, there is no way VM-B can see VM-A or VM-B. You either need to add the 192.168.10.0/24 subnet to VM-A (your router) or change the subnet on VM-B to your 10.160.10.0/24 or 172.10.0.0/24 subnets. That is to say, you cannot have your gateway set to an entirely different subnet from the one you have set the IP address to on a host. The host's IP address and the gateway IP address must be within the same subnet.

You should also know that 172.10.0.0/24 is not a private subnet. The private 172 range is 172.16.0.0/12, which covers the IP addresses 172.16.0.0 -- 172.31.255.255 [1]

  1. https://www.arin.net/knowledge/address_filters.html

Part 2 - Firewall configuration

iptables -A INPUT -s 10.160.10.4 -d 10.160.10.254 -p udp --dport 22 -j ACCEPT

Source IP should be 10.160.10.1. Where did the 10.160.10.4 host come from? Otherwise @Knorke has a good handle on the iptables config.

David
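As an added example that is not part of David's answer, here is a POSIX sh checker for the two conditions the answer states: each host must share a subnet with its gateway, and the addresses should come from RFC 1918 private space. The sample addresses are constructed from the question, plus the pre-edit 192.168.10.1 address for VM-B that the answer refers to; the /24 prefix length is the answer's assumption.

```shell
#!/bin/sh
# Added example, not David's code.  Checks an address plan the way the answer
# does by hand: host and gateway in one subnet, addresses in RFC 1918 space.

# Dotted quad -> 32-bit integer (pure shell arithmetic).
ip2int() {
  oldifs=$IFS
  IFS=.
  set -- $1
  IFS=$oldifs
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Netmask for a prefix length, as a 32-bit integer.
prefix2mask() {
  echo $(( (0xFFFFFFFF << (32 - $1)) & 0xFFFFFFFF ))
}

# same_subnet <ip> <other-ip> <prefixlen>: exit 0 when both lie in one network.
same_subnet() {
  mask=$(prefix2mask "$3")
  [ $(( $(ip2int "$1") & mask )) -eq $(( $(ip2int "$2") & mask )) ]
}

# is_private <ip>: exit 0 for 10/8, 172.16/12 or 192.168/16 (RFC 1918).
is_private() {
  same_subnet "$1" 10.0.0.0 8 ||
    same_subnet "$1" 172.16.0.0 12 ||
    same_subnet "$1" 192.168.0.0 16
}

# check_host <name> <ip> <gateway> <prefixlen>: prints one verdict per check,
# exit 0 only if the gateway is reachable and the address is private space.
check_host() {
  name=$1
  ip=$2
  gw=$3
  plen=$4
  rc=0
  if same_subnet "$ip" "$gw" "$plen"; then
    echo "$name: $ip and gateway $gw share /$plen: OK"
  else
    echo "$name: gateway $gw is not in the same /$plen as $ip: unreachable"
    rc=1
  fi
  if is_private "$ip"; then
    echo "$name: $ip is RFC 1918 private space: OK"
  else
    echo "$name: $ip is not private address space"
    rc=1
  fi
  return $rc
}

# Constructed sample plan: the question's current addresses plus the pre-edit
# VM-B address David's answer is talking about.
main() {
  check_host VM-B 10.160.10.1 10.160.10.254 24 || :
  check_host VM-C 172.10.0.1 172.10.0.254 24 || :
  check_host "VM-B (pre-edit)" 192.168.10.1 10.160.10.254 24 || :
}
main
```

VM-B passes both checks, VM-C fails only the private-space check (172.10.0.0/24 is public address space, as the answer says), and the pre-edit VM-B address fails the gateway check because 192.168.10.1 and 10.160.10.254 are in different /24 networks.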