Be careful in a host having "ip_forwarding" (routing) kernel option enabled. Consider aways set iptables "filter" (firewall) rules. Setting up just iptables "masquarade" (nat) may allow access from outside.
$ sudo su -
# vi /etc/iptables_FW_rules
*filter
#
# Allows all loopback (lo0) traffic and drop all traffic to 127/8 that doesn't use lo0
-A INPUT -i lo -j ACCEPT
-A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT
#
# Accepts all established inbound connections
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Accepts all established routed connections
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
#
# VIRTUALBOX VIRTUAL NETWORKS PROTECTION
# vboxnetX is created by type "host-only network" on VBox Manager
-A FORWARD -i eth+ -o vboxnet+ -j REJECT
-A FORWARD -i wlan+ -o vboxnet+ -j REJECT
# allow VMs access outside
-A FORWARD -i vboxnet+ -o eth+ -j ACCEPT
-A FORWARD -i vboxnet+ -o wlan+ -j ACCEPT
#
# Allows all outbound traffic
# You may want to modify this to only allow certain traffic
-A OUTPUT -j ACCEPT
#
# Allow ping request to host
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
#
# log host denied calls (access via 'dmesg' command)
#-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
#
# Reject all other inbound - default deny unless explicitly allowed policy:
-A INPUT -j REJECT
-A FORWARD -j REJECT
COMMIT
# vi /etc/init.d/iptables-on-boot.sh
#!/bin/sh
/sbin/iptables-restore < /etc/iptables_FW_rules
# chmod ug+x /etc/init.d/iptables-on-boot.sh
# runlevel
# ln -s /etc/init.d/iptables-on-boot.sh /etc/rc2.d/S30iptables-on-boot
---- useful commands ---
Flush (clear) rules to test:
# iptables -F (flush default type filter/FW rules)
# iptables -t nat -F (flush masquerade/NAT rules)
For a complete report on iptables rules:
# iptables -L -v -n
# iptables -t nat -L -v -n
No comments:
Post a Comment
deixe sua opinião