[Top][All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Qemu-devel] Firewalling emulated hosts?
|
From: |
Thomas Munn |
|
Subject: |
[Qemu-devel] Firewalling emulated hosts? |
|
Date: |
Wed, 14 Jul 2004 15:24:34 -0400 |
Dear Sirs:
I have used the following setup:
qemu-host=192.168.1.1 NAT 178.155.1.1 (on eth0:1)
tun0=192.168.1.254 (gateway)
Iptables re-nats in and out for the qemu-host. Everything works fine,
packets go in and out etc.
However, when I try to use iptables to stop just port 80 (as a test)
with: (on the host, not guest os!)
iptables -A OUTPUT -o tun0 -p tcp -s 192.168.1.1 --destination-port 80
-j DROP
Port 80 still works.
I tried changing to input, and this didn't work either. I tried
changing to the natted address, this didn't work. I tried changing to
eth0:1 (iptables barfed).
So my question is this: How do I write iptables rules for guest oses on
my computer using the tap0 interface & iptables natting? I even tried
doing this inside the qemu-ifup script. For your viewing pleasure here
is my qemu-ifup script:
qemu_ip="178.155.1.1"
qemu_netmask="255.255.255.0"
# Setup an interface for the vm to use
ifconfig eth0:1 up $qemu_ip netmask $qemu_netmask
# Clear iptables
iptables -t nat -F PREROUTING
iptables -t nat -F POSTROUTING
# Setup NAT
iptables -t nat -A PREROUTING -d $qemu_ip \
-j DNAT --to-destination 192.168.1.1
iptables -t nat -A POSTROUTING -s 192.168.1.1 \
-j SNAT --to-source $qemu_ip
## My iptables line is here
iptables -A OUTPUT -p tcp -s 192.168.1.1 --destination-port 80 -j DROP
# Bring up the TUN interface
exec /sbin/ifconfig $1 192.168.1.254
Thomas
---------------------------
Thomas Munn CISSP
Security Analyst
Shands Hospital
address@hidden
| [Prev in Thread] |
Current Thread |
[Next in Thread] |
- [Qemu-devel] Firewalling emulated hosts?,
Thomas Munn <=