
[Qemu-devel] Firewalling emulated hosts?

From: Thomas Munn
Subject: [Qemu-devel] Firewalling emulated hosts?
Date: Wed, 14 Jul 2004 15:24:34 -0400

Dear Sirs:

I have used the following setup:

qemu-host = NAT (on eth0:1)
tun0      = (gateway)

Iptables re-nats in and out for the qemu-host.  Everything works fine,
packets go in and out etc.

However, when I try to use iptables to stop just port 80 (as a test)
with the following (on the host, not the guest OS!):

iptables -A OUTPUT -o tun0 -p tcp -s --destination-port 80

Port 80 still works.  

I tried changing to input, and this didn't work either.  I tried
changing to the natted address, this didn't work.  I tried changing to
eth0:1 (iptables barfed).

So my question is this: how do I write iptables rules for guest OSes on
my computer using the tap0 interface and iptables NATting?  I even tried
doing this inside the qemu-ifup script.  For your viewing pleasure, here
is my qemu-ifup script:


# Setup an interface for the vm to use
ifconfig eth0:1 up $qemu_ip netmask $qemu_netmask

# Clear iptables
iptables -t nat -F PREROUTING
iptables -t nat -F POSTROUTING

# Setup NAT
iptables -t nat -A PREROUTING -d $qemu_ip \
        -j DNAT --to-destination
iptables -t nat -A POSTROUTING -s \
        -j SNAT --to-source $qemu_ip

## My iptables line is here
iptables -A OUTPUT -p tcp -s --destination-port 80 -j DROP

# Bring up the TUN interface
exec /sbin/ifconfig $1


Thomas Munn CISSP
Security Analyst
Shands Hospital
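The point the host-side rules in the post are missing, illustrated with an added example that is not code from the post or from QEMU: a guest attached through a tap device is a separate host from the Linux network stack's point of view, so the packets it sends enter the host on the tap interface and are forwarded (PREROUTING, FORWARD, POSTROUTING). The OUTPUT chain only carries packets the host itself generates, which is why an OUTPUT rule never matches guest traffic no matter which address it names. The script below therefore filters in FORWARD, keyed on the inbound tap interface. It assumes a hypothetical tap device named tap0 and a constructed guest address 10.0.2.15; with the default DRY_RUN=1 it only prints the iptables commands it would run, so it can be inspected without root.

```shell
#!/bin/sh
# Added example, not from the original post or from QEMU.
# Firewall a QEMU guest attached to the host through a tap interface.
# Assumptions (hypothetical): the guest's tap device is tap0 and the guest
# uses 10.0.2.15 (a constructed address). Override via the environment.
#
# Guest packets arrive on the tap device and are forwarded, so they cross
# PREROUTING -> FORWARD -> POSTROUTING. The OUTPUT chain sees only packets
# generated by the host itself, so a port-80 rule there never matches
# guest traffic; the block rule must live in FORWARD.

TAP_IF="${TAP_IF:-tap0}"           # assumed guest tap device
GUEST_IP="${GUEST_IP:-10.0.2.15}"  # assumed guest address (constructed)
DRY_RUN="${DRY_RUN:-1}"            # 1 = print the rules, 0 = apply them

# ipt: print one iptables command (dry run) or execute it (needs root).
ipt() {
    if [ "$DRY_RUN" = "1" ]; then
        printf 'iptables %s\n' "$*"
    else
        iptables "$@"
    fi
}

# http_block_rule: the single rule that stops HTTP originating in the guest.
# Matching on the inbound interface (-i tap0) plus the guest source address
# ties the rule to guest traffic only; host-originated HTTP is unaffected.
http_block_rule() {
    ipt -A FORWARD -i "$TAP_IF" -s "$GUEST_IP" -p tcp --dport 80 -j DROP
}

# guest_fw_rules: complete rule set for the guest, in evaluation order.
guest_fw_rules() {
    # Replies to flows the guest already opened come back through FORWARD
    # too (from the uplink towards tap0), so accept those first.
    ipt -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Drop new HTTP connections leaving the guest.
    http_block_rule
    # Let everything else the guest sends through.
    ipt -A FORWARD -i "$TAP_IF" -s "$GUEST_IP" -j ACCEPT
    # Rewrite the guest's source address on the way out. MASQUERADE picks the
    # outgoing interface's address itself; SNAT with an explicit --to-source
    # (as in the post's script) works the same way for a fixed address.
    ipt -t nat -A POSTROUTING -s "$GUEST_IP" -j MASQUERADE
    # Forwarding must be enabled for any of the above to see guest packets.
    if [ "$DRY_RUN" != "1" ]; then
        echo 1 > /proc/sys/net/ipv4/ip_forward
    fi
}

# Usage: ". ./guest-fw.sh; guest_fw_rules" prints the rules (DRY_RUN=1);
# "DRY_RUN=0 TAP_IF=tap0 GUEST_IP=10.0.2.15 . ./guest-fw.sh; guest_fw_rules"
# as root applies them. Append these rules *after* the tap device is up,
# i.e. from qemu-ifup, and flush FORWARD (iptables -F FORWARD) before
# re-running so rules are not duplicated on every guest start.
```

To confirm the rule is actually hit, start the guest, attempt an HTTP connection from it, and read the counters with `iptables -L FORWARD -v -n`: the packet count on the DROP line should climb while the OUTPUT chain stays untouched. Only the first packet of each connection reaches the DROP rule; the ESTABLISHED,RELATED rule ahead of it handles the rest of any flow that was allowed, which is why its position matters.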
