iptables – libvirt with qemu/kvm guest, guest can ssh to host and vice versa, but failed to samba or ftp to host

I am running libvirt/qemu-kvm on Fedora32, guest OS is CentOS7.

I use 'nat' mode virtual networking.

[root@fedora ~]# virsh net-dumpxml default
<network connections='1'>
  <name>default</name>
  <uuid>36ca4070-160a-47bf-b35e-aa7bee028ec1</uuid>
  <forward mode='nat'>
    <nat>
      <port start='1024' end='65535'/>
    </nat>
  </forward>
  <bridge name='virbr0' stp='on' delay='0'/>
  <mac address='52:54:00:e1:1e:c3'/>
  <ip address='192.168.122.1' netmask='255.255.255.0'>
    <dhcp>
      <range start='192.168.122.2' end='192.168.122.254'/>
    </dhcp>
  </ip>
</network>

On host I can ssh to guest by its ip (192.168.122.230).

On guest, I can access internet, also can ssh to my host,
but failed to access samba and ftp on my host.

For example, I type 'smbclient -L 192.168.122.1' on guest,
host 'tcpdump -i vnet0' shows:

10:03:00.267931 IP 192.168.122.230.57754 > 192.168.122.1.microsoft-ds: Flags [S], seq 1417555984, win 29200, options [mss 1460,sackOK,TS val 4294755489 ecr 0,nop,wscale 7], length 0
10:03:00.267977 IP 192.168.122.1 > 192.168.122.230: ICMP 192.168.122.1 tcp port microsoft-ds unreachable, length 68
10:03:00.273271 IP 192.168.122.230.39152 > 192.168.122.1.netbios-ssn: Flags [S], seq 2454440184, win 29200, options [mss 1460,sackOK,TS val 4294755494 ecr 0,nop,wscale 7], length 0
10:03:00.273290 IP 192.168.122.1 > 192.168.122.230: ICMP 192.168.122.1 tcp port netbios-ssn unreachable, length 68

And 'smbclient' eventually reports 'do_connect: Connection to 192.168.122.1 failed (Error NT_STATUS_CONNECTION_REFUSED)'.

In the case of 'ftp', it is similar to 'samba':

10:06:11.030486 IP 192.168.122.230.44748 > 192.168.122.1.ftp: Flags [S], seq 4205484033, win 29200, options [mss 1460,sackOK,TS val 4294946254 ecr 0,nop,wscale 7], length 0
10:06:11.030539 IP 192.168.122.1 > 192.168.122.230: ICMP 192.168.122.1 tcp port ftp unreachable, length 68

I am sure the firewall on the guest is turned off, and I can reach samba on the host from other machines in the LAN.

I checked host 'iptables -L -nv' and 'iptables -L -nv -t nat'; no packet got REJECTed or DROPed.

They look like this:

# iptables -L -nv 
Chain INPUT (policy ACCEPT 56760 packets, 31M bytes)
 pkts bytes target     prot opt in     out     source               destination         
68394   45M LIBVIRT_INP  all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
19326   23M LIBVIRT_FWX  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
19326   23M LIBVIRT_FWI  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
 9344 1092K LIBVIRT_FWO  all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain OUTPUT (policy ACCEPT 19706 packets, 2824K bytes)
 pkts bytes target     prot opt in     out     source               destination         
28243 3880K LIBVIRT_OUT  all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain LIBVIRT_FWI (1 references)
 pkts bytes target     prot opt in     out     source               destination         
 9982   22M ACCEPT     all  --  *      virbr0  0.0.0.0/0            192.168.122.0/24     ctstate RELATED,ESTABLISHED
    0     0 REJECT     all  --  *      virbr0  0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable

Chain LIBVIRT_FWO (1 references)
 pkts bytes target     prot opt in     out     source               destination         
 9344 1092K ACCEPT     all  --  virbr0 *       192.168.122.0/24     0.0.0.0/0           
    0     0 REJECT     all  --  virbr0 *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable

Chain LIBVIRT_FWX (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     all  --  virbr0 virbr0  0.0.0.0/0            0.0.0.0/0           

Chain LIBVIRT_INP (1 references)
 pkts bytes target     prot opt in     out     source               destination         
  102  6959 ACCEPT     udp  --  virbr0 *       0.0.0.0/0            0.0.0.0/0            udp dpt:53
    0     0 ACCEPT     tcp  --  virbr0 *       0.0.0.0/0            0.0.0.0/0            tcp dpt:53
    9  3028 ACCEPT     udp  --  virbr0 *       0.0.0.0/0            0.0.0.0/0            udp dpt:67
    0     0 ACCEPT     tcp  --  virbr0 *       0.0.0.0/0            0.0.0.0/0            tcp dpt:67

Chain LIBVIRT_OUT (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     udp  --  *      virbr0  0.0.0.0/0            0.0.0.0/0            udp dpt:53
    0     0 ACCEPT     tcp  --  *      virbr0  0.0.0.0/0            0.0.0.0/0            tcp dpt:53
    9  3004 ACCEPT     udp  --  *      virbr0  0.0.0.0/0            0.0.0.0/0            udp dpt:68
    0     0 ACCEPT     tcp  --  *      virbr0  0.0.0.0/0            0.0.0.0/0            tcp dpt:68

and

# iptables -L -nv -t nat
Chain PREROUTING (policy ACCEPT 6314 packets, 5976K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain INPUT (policy ACCEPT 4463 packets, 5827K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 546 packets, 73524 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 526 packets, 69524 bytes)
 pkts bytes target     prot opt in     out     source               destination
 1910  218K LIBVIRT_PRT  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain LIBVIRT_PRT (1 references)
 pkts bytes target     prot opt in     out     source               destination
   13  1359 RETURN     all  --  *      *       192.168.122.0/24     224.0.0.0/24
    0     0 RETURN     all  --  *      *       192.168.122.0/24     255.255.255.255
   87  4628 MASQUERADE  tcp  --  *      *       192.168.122.0/24    !192.168.122.0/24     masq ports: 1024-65535
  192 19180 MASQUERADE  udp  --  *      *       192.168.122.0/24    !192.168.122.0/24     masq ports: 1024-65535
    0     0 MASQUERADE  all  --  *      *       192.168.122.0/24    !192.168.122.0/24

Am I missing something? What could be the cause?
Thanks.

Prevent ddos with iptables get 502 [closed]

I added these rules to prevent DDoS, but sometimes the nginx proxy gets a 502.

iptables – KPN IPTV Routing via Ubuntu 18.04 – Or how to route VLANs

I have KPN FibreOptic internet, a Dutch ISP that also delivers TV over that optic cable. It is set up in such a way that VLAN6 delivers Internet and VLAN4 delivers IPTV. Internet is set up via PPPoE and IPTV via DHCP.

The IPTV is routed, so the STB should be on the same LAN as the rest of my network. This is my setup:

https://i.stack.imgur.com/06Sp3.png

There is a fibre box that has a UTP cable running to a physical NIC in the Ubuntu box. That box uses PPPoE to establish a ppp0 interface via eth0.6, vlan6. That gets me a public IPv4 address and I can serve my whole LAN internet via NAT masquerading on the second physical NIC enp5s0. IGMP Snooping is enabled on the switches.

I also have a vlan4 interface, that works via DHCP, with these settings:

option rfc3442-classless-static-routes code 121 = array of unsigned integer 8;
interface "vlan4" {
  request subnet-mask, broadcast-address, routers, rfc3442-classless-static-routes;
  send vendor-class-identifier "IPTV_RG";
}

That gets me a route and address on vlan4 as well:

# ip route | grep vlan4
10.128.252.0/22 dev vlan4 proto kernel scope link src 10.128.254.46
213.75.112.0/21 via 10.128.252.1 dev vlan4

Now the set-top box needs to get an IP in the LAN; that works. It also needs one in vlan4, and that seems to work if I look at the snooping bit on the DSG-1100 units: the TV is plugged into port 8, and eth1 is the link to the other DSG-1100.

https://i.stack.imgur.com/qfy1D.png

I also have igmpproxy running on the Ubuntu box itself with this config:

quickleave

phyint vlan4 upstream  ratelimit 0  threshold 1
        altnet 192.168.40.0/24
        altnet 213.75.0.0/16
        altnet 217.166.0.0/16

My iptables look like this:

Filter

# iptables -L -n
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Raw

# iptables -L -t raw
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
ACCEPT     udp  --  anywhere             base-address.mcast.net/4  TTL match TTL < 7

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Nat

# iptables -L -t nat
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
MASQUERADE  all  --  anywhere             213.75.112.0/21
MASQUERADE  all  --  anywhere             anywhere

And with all that, I was expecting it to work. But while the internet connection works on all devices, the IPTV STB does not work. And I am kind of out of luck in trying to figure out what went wrong.

In summary: I need to receive VLAN4 and VLAN6 on the router, which should then correctly route all IPTV traffic to vlan4 and internet traffic to ppp0. Right now, it doesn't. Where should I look for the fix?

Dropping UPnP requests from one source address using iptables and DD-WRT

I’m attempting to block one particular client on my LAN from creating a UPnP port in my DD-WRT router. (It’s a MacBook Pro which is old enough to have “Back to My Mac” on it, but seemingly no way to disable it, if you are curious. Also, I’m aware of the risks of UPnP, but need it for other applications.) This should be, in my opinion, a trivial exercise in iptables, but I’ve not succeeded yet. DD-WRT version is v3.0-r40559 std.

The following works in that it blocks everything from the client from making its way up the protocol stack:

iptables -A INPUT -s 192.168.1.94 -j DROP

But the moment I do something seemingly appropriate to the task, the client succeeds in mapping ports using UPnP. This, for example, does not work:

iptables -A INPUT -s 192.168.1.94 -m multiport --dports 1900,5351,5353 -j DROP

I’ve tried other combinations which include looking for the broadcast address as a destination, but that doesn’t work, either.

Anybody got any ideas?

Thanks!

ubuntu 20.04 – how to filter dns requests with iptables

I am trying to filter the DNS requests from my local network: authorize requests only to specific DNS servers and deny the rest. It has not worked for me. This is my rule (with Google DNS as the example):

dns="8.8.8.8 8.8.4.4"
for ip in $dns; do
   iptables -A INPUT -s $ip -p udp --sport 53 -m state --state RELATED,ESTABLISHED -j ACCEPT
   iptables -A OUTPUT -d $ip -p udp --dport 53 -m state --state RELATED,ESTABLISHED -j ACCEPT
   iptables -A FORWARD -d $ip -p udp --dport 53 -m state --state RELATED,ESTABLISHED -j ACCEPT
   iptables -A INPUT -s $ip -p tcp --sport 53 -m state --state RELATED,ESTABLISHED -j ACCEPT
   iptables -A OUTPUT -d $ip -p tcp --dport 53 -m state --state RELATED,ESTABLISHED -j ACCEPT
   iptables -A FORWARD -d $ip -p tcp --dport 53 -m state --state RELATED,ESTABLISHED -j ACCEPT
done
iptables -A FORWARD -p udp --dport 53 -j REJECT
iptables -A FORWARD -p tcp --dport 53 -j REJECT

For example, if I put the cloudflare dns on a computer on the local network (1.1.1.1 1.0.0.1) the PC has internet access

PS:

  1. The rule "-m state --state RELATED,ESTABLISHED" is in this question selected as correct
  2. The blocking rule is in this question selected as correct
  3. I have tried the same blocking rule on all chains (INPUT, Mangle, OUTPUT, FORWARD) and changed REJECT to DROP, and it does not block

thanks
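For comparison, here is an added example (not the poster's script) of an egress DNS allowlist for a Linux router. It prints the iptables commands instead of running them so the rule order can be reviewed first; apply with `dns_rules | sh`. The resolver addresses are the post's Google example; the LAN interface name `eth1` and the rule placement in FORWARD (routed client traffic) and OUTPUT (the router's own queries) are assumptions. The one point the poster's version misses is that the first packet of a query is in state NEW, so a rule matching only RELATED,ESTABLISHED never admits a query.

```shell
#!/bin/sh
# Added example: egress DNS allowlist for a Linux router (not the poster's script).
# Assumptions (not from the post): LAN-facing interface is LAN_IF, the resolvers in
# ALLOWED_DNS are the only ones clients may use, rules go to FORWARD (routed client
# traffic) and OUTPUT (the router's own queries).
set -eu

ALLOWED_DNS="${ALLOWED_DNS:-8.8.8.8 8.8.4.4}"   # resolver allowlist (post's Google example)
LAN_IF="${LAN_IF:-eth1}"                        # hypothetical LAN interface name

# Print the rules instead of running them so they can be reviewed first.
# Apply with:  dns_rules | sh
dns_rules() {
    for ip in $ALLOWED_DNS; do
        for proto in udp tcp; do
            # The first query packet of a flow is NEW; RELATED,ESTABLISHED alone
            # never lets a query through, so NEW must be accepted as well.
            echo "iptables -A FORWARD -i $LAN_IF -d $ip -p $proto --dport 53 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT"
            echo "iptables -A OUTPUT -d $ip -p $proto --dport 53 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT"
        done
    done
    # Replies come back as ESTABLISHED; one generic rule per chain covers them.
    echo "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    # Everything else on port 53 is rejected. These must sit AFTER the accepts above;
    # note that -A appends, so a pre-existing blanket ACCEPT earlier in the chain
    # would match first and these rules would never see a packet.
    for proto in udp tcp; do
        echo "iptables -A FORWARD -i $LAN_IF -p $proto --dport 53 -j REJECT"
        echo "iptables -A OUTPUT -p $proto --dport 53 -j REJECT"
    done
}

# Returns 0 when the resolver address in $1 is on the allowlist, i.e. a query to
# it would reach an ACCEPT before the final REJECT.
check_resolver() {
    for ip in $ALLOWED_DNS; do
        [ "$ip" = "$1" ] && return 0
    done
    return 1
}

# When run directly, show the rules that would be applied.
dns_rules
```

Two practical caveats: if the resolvers in the list are themselves reached through the router (rather than by the router), the OUTPUT rules are irrelevant and only FORWARD matters; and a port-53 filter says nothing about DNS over TLS (853/tcp) or DNS over HTTPS (443/tcp), which a client can use to bypass it entirely.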

How can I restart iptables without losing the limit tables?

I want to restart iptables but don't want the limit tables to be purged. How can I do this?

/proc/net/xt_recent/*
/proc/net/ipt_hashlimit/*
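An added example, not from the post, of the part that can be preserved: an xt_recent list is freed when the last rule referencing it is deleted, so a flush-and-reload loses it, but the proc file accepts writes (`+addr` adds an entry, `-addr` removes one, `/` clears the list). The script below extracts the addresses from a snapshot of `/proc/net/xt_recent/<list>` and emits the commands that re-add them after the reload. The list name and the sample proc-file content are constructed; the entry timestamps cannot be restored, so the addresses are re-added as "seen now".

```shell
#!/bin/sh
# Added example (not from the post): snapshot the addresses in an xt_recent list
# before reloading the ruleset and re-add them afterwards.
# Assumptions: list name passed as $1; SAMPLE is a constructed stand-in for the
# real /proc/net/xt_recent/<list> content.
set -eu

# Constructed sample of /proc/net/xt_recent/<list> content (one entry per line)
SAMPLE='src=203.0.113.7 ttl: 64 last_seen: 4295005 oldest_pkt: 1 4295005
src=198.51.100.22 ttl: 58 last_seen: 4295102 oldest_pkt: 3 4294900 4295000 4295102'

# Read proc-file lines on stdin, print just the addresses, one per line.
recent_addrs() {
    sed -n 's/^src=\([^ ]*\).*/\1/p'
}

# Emit the commands that re-populate list $1 from a snapshot on stdin.
# Typical use:
#   cat /proc/net/xt_recent/banlist > /tmp/banlist.snap   # before the reload
#   iptables-restore < /etc/iptables/rules.v4               # the reload itself
#   restore_cmds banlist < /tmp/banlist.snap | sh           # after the reload
restore_cmds() {
    list="$1"
    recent_addrs | while read -r a; do
        echo "echo +$a > /proc/net/xt_recent/$list"
    done
}

# Demonstration on the constructed sample.
printf '%s\n' "$SAMPLE" | restore_cmds banlist
```

The hashlimit side has no equivalent: the files under `/proc/net/ipt_hashlimit/` are read-only views of the token buckets, so those cannot be re-seeded this way.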

iptables – Redirecting torrent traffic to another gateway

I need to redirect all of torrent traffic in my entire network to one specific gateway.

Network address: 192.168.8.0/24
Main gateway is: 192.168.4.1
Torrent gateway is: 172.16.4.1

What I’ve already tried:

# Add a route to new table
ip route add default via 172.16.4.1 table 121
ip route add 192.168.8.0/24 via 192.168.8.1 table 121

# Rule for marked packets
ip rule add fwmark 0x121 lookup 121

# Mark torrent-related packets
iptables -t mangle -A PREROUTING -m string --algo bm --string "BitTorrent protocol" -j MARK --set-mark 0x121
iptables -t mangle -A PREROUTING -m string --algo bm --string "peer_id=" -j MARK --set-mark 0x121
iptables -t mangle -A PREROUTING -m string --algo bm --string ".torrent" -j MARK --set-mark 0x121
iptables -t mangle -A PREROUTING -m string --algo bm --string "announce.php?passkey=" -j MARK --set-mark 0x121
iptables -t mangle -A PREROUTING -m string --algo bm --string "torrent" -j MARK --set-mark 0x121
iptables -t mangle -A PREROUTING -m string --algo bm --string "announce" -j MARK --set-mark 0x121
iptables -t mangle -A PREROUTING -m string --algo bm --string "info_hash" -j MARK --set-mark 0x121
iptables -t mangle -A PREROUTING -m string --string "get_peers" --algo bm -j MARK --set-mark 0x121
iptables -t mangle -A PREROUTING -m string --string "announce_peer" --algo bm -j MARK --set-mark 0x121
iptables -t mangle -A PREROUTING -m string --string "find_node" --algo bm -j MARK --set-mark 0x121

And iptables -vnL -t mangle shows that there are hits for those rules, but the traffic still goes through the main gateway. So how do I redirect properly?
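An added example, not the poster's script, of the mark-based policy routing pattern with the mark persisted in conntrack (CONNMARK), so that every packet of a classified flow uses the alternate table rather than only the individual packets that happened to contain a matched string. The addresses and the mark/table numbers are the post's; the uplink interface `eth2` facing 172.16.4.1 and the LAN interface `eth1` are assumptions. The script prints the commands for review; apply with `policy_rules | sh`.

```shell
#!/bin/sh
# Added example: fwmark policy routing with the mark saved in conntrack, so the
# whole flow follows the alternate table. Not the poster's script. Addresses,
# table 121 and mark 0x121 come from the post; TOR_IF and LAN_IF are assumptions.
set -eu

LAN_NET="192.168.8.0/24"
TOR_GW="172.16.4.1"          # gateway that should carry the marked traffic
TOR_IF="${TOR_IF:-eth2}"     # hypothetical interface facing 172.16.4.1
LAN_IF="${LAN_IF:-eth1}"     # hypothetical interface facing 192.168.8.0/24
TABLE=121
MARK=0x121

# Print the commands instead of running them.  Apply with:  policy_rules | sh
policy_rules() {
    # 1. Alternate table: default via the torrent gateway, LAN stays directly
    #    connected (a "dev" route, not "via" the router's own address).
    echo "ip route replace default via $TOR_GW dev $TOR_IF table $TABLE"
    echo "ip route replace $LAN_NET dev $LAN_IF table $TABLE"
    echo "ip rule add fwmark $MARK lookup $TABLE"
    # 2. Restore a previously saved connection mark onto every packet first ...
    echo "iptables -t mangle -A PREROUTING -j CONNMARK --restore-mark"
    # 3. ... and stop classifying if the flow is already marked.
    echo "iptables -t mangle -A PREROUTING -m mark ! --mark 0 -j ACCEPT"
    # 4. Classify unmarked flows from the LAN; each pattern sets the packet mark.
    for pattern in "BitTorrent protocol" "info_hash" "announce_peer" "get_peers" "find_node"; do
        echo "iptables -t mangle -A PREROUTING -s $LAN_NET -m string --algo bm --string \"$pattern\" -j MARK --set-mark $MARK"
    done
    # 5. Persist the packet mark into conntrack so later packets get it back in step 2.
    echo "iptables -t mangle -A PREROUTING -m mark --mark $MARK -j CONNMARK --save-mark"
    # Replies for LAN sources now arrive on TOR_IF; strict reverse-path filtering
    # would drop them, so use loose mode on that interface.
    echo "sysctl -w net.ipv4.conf.$TOR_IF.rp_filter=2"
}

# When run directly, show the commands that would be applied.
policy_rules
```

Two limits worth knowing before relying on this: a string match only fires on a payload packet, so the handshake of a flow is routed by the main table and the flow switches path mid-stream, which is fragile when each uplink NATs differently; and encrypted peer traffic carries none of these strings, so classification by payload is coarse at best.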

firewall – How can I use iptables to drop packages for an invalid ether-type?

19:27:47.782291 98:9b:cb:: > ff:ff:ff:ff:ff:ff, ethertype Unknown (0x88e1), length 60:
        0x0000:  0000 a000 b052 38e5 d57f 0000 0000 0000  .....R8.........
        0x0010:  0000 0000 0000 0000 0000 0000 0000 0000  ................
        0x0020:  0000 0000 0000 0000 0000 0000 0000       ..............
19:27:47.782293 98:9b:cb:: > ff:ff:ff:ff:ff:ff, ethertype Unknown (0x8912), length 60:
        0x0000:  0170 a000 0000 1f84 e5a3 97a2 5553 bef1  .p..........US..
        0x0010:  fcf9 796b 5214 13e9 e200 0000 0000 0000  ..ykR...........
        0x0020:  0000 0000 0000 0000 0000 0000 0000       ..............

My router is sending this garbage into my network and I’d like to block it, as one cannot disable it. Doing so via iptables has proven to be more challenging than I thought it would be:

root@fw:~ # iptables -A INPUT -m mac --mac-source 98:9b:cb:: -p 0x88e1 -j DROP
iptables v1.8.2 (nf_tables): unknown protocol "0x88e1" specified
Try `iptables -h' or 'iptables --help' for more information.

Is there any way to block an invalid ether-type?
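An added example, not from the post, of dropping these frames where they can actually be seen. iptables only hooks the IPv4 stack, so a frame whose EtherType is not IPv4 never reaches it, which is why `-p 0x88e1` is rejected. The nftables netdev family with an ingress hook is evaluated per device before any IP processing and can match on `ether type` and `ether saddr`. The interface name `eth0` is an assumption, and the source MAC is a placeholder because the post shows it truncated; 0x88e1 is the HomePlug AV (powerline) EtherType. The script prints the nft commands for review; apply with `nft_rules | sh`.

```shell
#!/bin/sh
# Added example (not from the post): drop frames with selected EtherTypes at the
# link layer using nftables' netdev family.
# Assumptions: the frames arrive on WAN_IF; SRC_MAC is a PLACEHOLDER for the
# router's full MAC address (the post shows it truncated).
set -eu

WAN_IF="${WAN_IF:-eth0}"
SRC_MAC="${SRC_MAC:-98:9b:cb:00:00:00}"    # PLACEHOLDER: replace with the real source MAC
ETHERTYPES="${ETHERTYPES:-0x88e1 0x8912}"  # the two types seen in the capture

# Print the commands instead of running them.  Apply with:  nft_rules | sh
nft_rules() {
    echo "nft add table netdev l2filter"
    # A netdev/ingress chain is bound to one device and runs before IP processing.
    echo "nft 'add chain netdev l2filter ingress { type filter hook ingress device $WAN_IF; priority 0; }'"
    for t in $ETHERTYPES; do
        # 'counter' makes the hit count visible in 'nft list ruleset', which is
        # the quickest way to confirm the rule is matching the frames.
        echo "nft add rule netdev l2filter ingress ether saddr $SRC_MAC ether type $t counter drop"
    done
}

# When run directly, show the commands that would be applied.
nft_rules
```

Dropping only from one source MAC keeps the rule narrow; omit the `ether saddr` match if the frames should be dropped regardless of sender.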

debian – Interactions between iptables and ip route configurations

I started learning routing under Linux and I am confused about the configuration that is done with iptables versus ip route. I saw a diagram here and here about the stages at which iptables chains and rules are activated and used. In these diagrams, routing is mentioned in multiple places; I thought that is where ip route's routes get involved.

Q: I need to know which routes / which part of routing (the routes displayed by the command ip route) are activated/used, and at what stages?

iptables – How to redirect port 80 to 8080 while keeping 8080 closed to the Internet?

I have a VM running CentOS with a web server I use for hosting random services I deploy over there, so in order to make it reachable from the Internet I opened port 80 using iptables. Since the web server itself is running as a service under a dedicated user that is not root, it is not able to use port 80 directly. Thus, after giving the docs a read, I added a redirection from port 80 to 8080 so the web server could be bound to that port (I do plan to add support for HTTPS later, maybe I will buy a proper domain and then use Let’s Encrypt or something).

So far it has been working fine, but more recently I have noticed that port 8080 was left wide open as well, so any request targeting either port 80 or 8080 would get the same response. The thing is, I need only port 80 to be reachable from outside, because somehow my provider considers leaving port 8080 open some sort of potential abuse? Either way, I don't want external requests directed to port 8080 to get a response; only those that target port 80 should get any.

So far, this is what my config file for iptables looks like:

*nat
:PREROUTING ACCEPT (89:7936)
:INPUT ACCEPT (70:3812)
:OUTPUT ACCEPT (41:2756)
:POSTROUTING ACCEPT (41:2756)
-A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
COMMIT
*filter
:INPUT ACCEPT (916:134290)
:FORWARD ACCEPT (0:0)
:OUTPUT ACCEPT (819:117300)
:f2b-sshd - (0:0)
-A INPUT -p tcp -m multiport --dports 22 -j f2b-sshd
-A INPUT -p tcp -m tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8080 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT

I tried removing the rule that opens the port 8080, but after reloading iptables the server would not respond to requests from port 80 either. More recently I have been thinking of maybe adding another redirection rule that would change the source IP to something specific to accept in port 8080, but I am not sure if that will work. I need guidance here.

Note: I’m not too experienced with this tool, that is the main source of my doubts. Also, perhaps I’m missing some rules that could be useful, so any suggestions for new rules in the comments below will be appreciated.
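An added example, not the poster's configuration, of the filter rules that keep the 80-to-8080 redirect while closing direct access to 8080. The reason removing the 8080 rule also broke port 80 is that the nat PREROUTING REDIRECT runs before the filter INPUT chain, so a redirected connection arrives in INPUT with destination port 8080 and the `--dport 80` rule never matches it. The conntrack match still knows the original destination port, so INPUT can accept 8080 only for connections whose original port was 80. The script prints the commands for review (apply with `redirect_rules | sh`); it assumes the conntrack match's `--ctorigdstport` option, which is available in current iptables, and models only the rules relevant to the question.

```shell
#!/bin/sh
# Added example (not the poster's configuration): keep the 80->8080 REDIRECT but
# accept port 8080 only for connections whose ORIGINAL destination port was 80,
# i.e. those that went through the redirect. Direct connections to 8080 fall
# through to the final REJECT. Assumes xt_conntrack's --ctorigdstport option.
set -eu

# Print the commands instead of running them.  Apply with:  redirect_rules | sh
redirect_rules() {
    echo "iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 8080"
    echo "iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT"
    echo "iptables -A INPUT -i lo -j ACCEPT"
    echo "iptables -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT"
    # Redirected connections only: the packet now says 8080 but conntrack still
    # records 80 as the original destination port. A direct SYN to 8080 has
    # original port 8080 and does not match.
    echo "iptables -A INPUT -p tcp --dport 8080 -m conntrack --ctstate NEW --ctproto tcp --ctorigdstport 80 -j ACCEPT"
    # No '--dport 80' INPUT rule is needed: after the REDIRECT no packet reaches
    # INPUT with port 80 any more.
    echo "iptables -A INPUT -j REJECT --reject-with icmp-host-prohibited"
}

# Models the decision the rules above make for a new TCP connection, given the
# destination port the client originally connected to ($1). Returns 0 if the
# connection is accepted on the web server's port 8080.
accepts_new_web_conn() {
    # port 80 is rewritten to 8080 by the REDIRECT and matches ctorigdstport 80;
    # a direct connection to 8080 keeps original port 8080 and is rejected.
    [ "$1" = "80" ]
}

# When run directly, show the rules that would be applied.
redirect_rules
```

A coarser alternative is `-m conntrack --ctstate DNAT`, which accepts any connection that went through a destination NAT; with a single REDIRECT rule it is equivalent, but the original-port match stays correct if more redirects are added later.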