VMware Cloud Community
VMbuseck
Contributor

Host only network problems when using IPTABLES firewall

I've created a firewall using a script posted under http://ubuntuforums.org/showthread.php?t=159661

#!/bin/bash

# No spoofing
if [ -e /proc/sys/net/ipv4/conf/all/rp_filter ]
then
    for filtre in /proc/sys/net/ipv4/conf/*/rp_filter
    do
        echo 1 > "$filtre"
    done
fi

# No icmp
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

# load some modules you may need
modprobe ip_tables
modprobe ip_nat_ftp
modprobe ip_nat_irc
modprobe iptable_filter
modprobe iptable_nat

# Remove all rules and chains
iptables -F
iptables -X

# first set the default behaviour => accept connections
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT

# Create 2 chains, it allows to write a clean script
iptables -N FIREWALL
iptables -N TRUSTED

# Allow ESTABLISHED and RELATED incoming connection
iptables -A FIREWALL -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FIREWALL -i eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allow loopback traffic
iptables -A FIREWALL -i lo -j ACCEPT

# Send all packets to the TRUSTED chain
iptables -A FIREWALL -j TRUSTED

# DROP all other packets
iptables -A FIREWALL -j DROP

# Send all INPUT packets to the FIREWALL chain
iptables -A INPUT -j FIREWALL

# DROP all forward packets, we don't share internet connection in this example
iptables -A FORWARD -j DROP

# Allow NETBIOS for samba (only eth0)
iptables -A TRUSTED -i eth0 -p udp -m udp --dport 137 -j ACCEPT
iptables -A TRUSTED -i eth0 -p udp -m udp --dport 138 -j ACCEPT
iptables -A TRUSTED -i eth0 -p tcp -m tcp --dport 139 -j ACCEPT

# Allow https
# Note: these rules match on the remote source port only, so any host that
# sends from port 443 is accepted; the ESTABLISHED,RELATED rules above
# already let HTTPS replies through.
iptables -A TRUSTED -i eth0 -p udp -m udp --sport 443 -j ACCEPT
iptables -A TRUSTED -i eth0 -p tcp -m tcp --sport 443 -j ACCEPT
iptables -A TRUSTED -i eth1 -p udp -m udp --sport 443 -j ACCEPT
iptables -A TRUSTED -i eth1 -p tcp -m tcp --sport 443 -j ACCEPT

# End message
echo " [End iptables rules setting]"

All works fine between host and Windows guests, but I can't access other machines via the NETBIOS protocols.

What do I have to add to the script (e.g. a virtual device) to make it work? If the firewall is disabled, everything is OK.

♲ 2 Intel Atom Home-Server with Debian Squeeze (Kernel 2.6) ♲ DELL D830 with Debian Squeeze ♲ Asus EEE with Ubuntu Lucid ♲ All system - except the EEE - with VMware server 1.0.10 ♲
oreeh
Immortal

open ports 135 and 445 too

VMbuseck
Contributor

There is NO connection established via eth0 or eth1. The only network that is available is the 'host only' one.

I think it must be something like

# Allow NETBIOS for samba (only vmnet)
iptables -A TRUSTED -i </dev/vmnet?> -p udp -m udp --dport 137 -j ACCEPT
iptables -A TRUSTED -i </dev/vmnet?> -p udp -m udp --dport 138 -j ACCEPT
iptables -A TRUSTED -i </dev/vmnet?> -p tcp -m tcp --dport 139 -j ACCEPT

but </dev/vmnet?> is not a physical network device.

If a cable is plugged in, the guest OS is using a bridge network and everything works fine (with that firewall script).

Ken_Cline
Champion

The host-only network is presented to the guest OS as an "eth#" device. The guest has no idea that it's talking on a host-only net...it's just another interface that it's talking Ethernet on.

Ken Cline VMware vExpert 2009 VMware Communities User Moderator Blogging at: http://KensVirtualReality.wordpress.com/
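On the Linux host side the picture is the mirror image of what Ken describes: each VMware virtual switch shows up as an ordinary network interface named vmnetN, and iptables `-i` takes that interface name, not the `/dev/vmnet*` device node. The following is an added example, not code from any poster in this thread; it assumes the default names vmnet1 (host-only) and vmnet8 (NAT), which you should confirm with `ip link` on your own host, and it includes the ports 135 and 445 that oreeh mentioned.

```shell
#!/bin/bash
# Added example, not from the thread: build TRUSTED-chain rules for VMware's
# virtual switch interfaces on the Linux host. Interface names are an
# assumption: vmnet1 = host-only and vmnet8 = NAT by default; verify with
# `ip link` before applying anything.

# list_vmnet_ifaces: print the vmnet* interface names that sysfs knows about.
list_vmnet_ifaces() {
    local path
    for path in /sys/class/net/vmnet*; do
        [ -e "$path" ] || continue
        basename "$path"
    done
}

# vmnet_rules IFACE...: print iptables commands that accept NetBIOS/SMB
# traffic from each given interface into the TRUSTED chain. iptables -i
# expects an interface name such as vmnet1, so a device node like
# /dev/vmnet1 is rejected with exit status 1 instead of producing a rule
# that iptables would refuse to load.
vmnet_rules() {
    local dev p
    for dev in "$@"; do
        case "$dev" in
            */*) echo "error: '$dev' is a device node; use the interface name '${dev##*/}'" >&2
                 return 1 ;;
        esac
        # UDP 137/138: NetBIOS name service and datagram service
        for p in 137 138; do
            echo "iptables -A TRUSTED -i $dev -p udp -m udp --dport $p -j ACCEPT"
        done
        # TCP 135 (RPC endpoint mapper), 139 (NetBIOS session), 445 (SMB over TCP)
        for p in 135 139 445; do
            echo "iptables -A TRUSTED -i $dev -p tcp -m tcp --dport $p -j ACCEPT"
        done
    done
}

# Review the generated rules first, then apply them as root:
#   vmnet_rules $(list_vmnet_ifaces) | sudo sh
```

Because the rules are keyed on the vmnet interface rather than on eth0/eth1, they keep working when no cable is plugged in and the guests fall back to the host-only network.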
VMbuseck
Contributor

The host-only network is presented to the guest OS as an "eth#" device.

This is right. For that reason I configured 2 Ethernet devices in the virtual Windows machines: one Ethernet device (bridged) and one Ethernet device (host only).

If an Ethernet connection is established, I use a hardware profile with the bridged network and the firewall.

If no Ethernet connection is established, I use a hardware profile with the host-only network to access the host, but the firewall must be deactivated.

oreeh
Immortal

Why don't you use NAT instead?

No need for dealing with different profiles and multiple NICs.

VMbuseck
Contributor

What happens with NAT in the case that NO network resource is available on the host system (e.g. no cable plugged in)? Does the 'internal network' between the various virtual machines work or not?

oreeh
Immortal

It works. Your VMs only can't connect to systems outside of the NAT network.

One of the reasons to use NAT is a host with changing networks (a laptop with WLAN and "normal" network access is a good example for this).

VMbuseck
Contributor

Until now I only had experience with bridged networks (servers with static IP addresses). For my kind of virtualisation NAT is the best solution.

Thanks a lot for that clue.
