KVM + Cloudmin + IpTables

Alex asked:

I have KVM virtualization on a machine. I use Ubuntu Server + Cloudmin (in order to manage virtual machine instances).

On a host system I have four network interfaces:

ebadmin@saturn:/var/log$ ifconfig
br0       Link encap:Ethernet  HWaddr 10:78:d2:ec:16:38
    inet addr:192.168.0.253  Bcast:192.168.0.255  Mask:255.255.255.0
    inet6 addr: fe80::1278:d2ff:feec:1638/64 Scope:Link
    UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
    RX packets:589337 errors:0 dropped:0 overruns:0 frame:0
    TX packets:334357 errors:0 dropped:0 overruns:0 carrier:0
    collisions:0 txqueuelen:0
    RX bytes:753652448 (753.6 MB)  TX bytes:43385198 (43.3 MB)

br1       Link encap:Ethernet  HWaddr 6e:a4:06:39:26:60
    inet addr:192.168.10.1  Bcast:192.168.10.255  Mask:255.255.255.0
    inet6 addr: fe80::6ca4:6ff:fe39:2660/64 Scope:Link
    UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
    RX packets:16995 errors:0 dropped:0 overruns:0 frame:0
    TX packets:13309 errors:0 dropped:0 overruns:0 carrier:0
    collisions:0 txqueuelen:0
    RX bytes:2059264 (2.0 MB)  TX bytes:1763980 (1.7 MB)

eth0      Link encap:Ethernet  HWaddr 10:78:d2:ec:16:38
    UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
    RX packets:610558 errors:0 dropped:0 overruns:0 frame:0
    TX packets:332382 errors:0 dropped:0 overruns:0 carrier:0
    collisions:0 txqueuelen:1000
    RX bytes:769477564 (769.4 MB)  TX bytes:44360402 (44.3 MB)
    Interrupt:20 Memory:fe400000-fe420000

lo        Link encap:Local Loopback
    inet addr:127.0.0.1  Mask:255.0.0.0
    inet6 addr: ::1/128 Scope:Host
    UP LOOPBACK RUNNING  MTU:16436  Metric:1
    RX packets:239632 errors:0 dropped:0 overruns:0 frame:0
    TX packets:239632 errors:0 dropped:0 overruns:0 carrier:0
    collisions:0 txqueuelen:0
    RX bytes:50738052 (50.7 MB)  TX bytes:50738052 (50.7 MB)

tap0      Link encap:Ethernet  HWaddr 6e:a4:06:39:26:60
    inet6 addr: fe80::6ca4:6ff:fe39:2660/64 Scope:Link
    UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
    RX packets:17821 errors:0 dropped:0 overruns:0 frame:0
    TX packets:13703 errors:0 dropped:0 overruns:0 carrier:0
    collisions:0 txqueuelen:500
    RX bytes:2370468 (2.3 MB)  TX bytes:1782356 (1.7 MB)

br0 is connected to a real network, br1 is used to create a private network shared between guest systems.

Now I need to configure iptables for network access.

First of all, I allow ssh sessions on port 8022 on the host system; then I allow all connections in state RELATED,ESTABLISHED.

This is working ok.

I install another system as a guest; its IP address is 192.168.10.2, and now I have two problems:

  1. I want to allow access from this host to the outside world, but I cannot accomplish this. I can ssh from the host.

  2. I want to be able to ssh to the guest from the outside world using port 8023. I cannot accomplish this.

The full iptables configuration is as follows:

ebadmin@saturn:/var/log$ sudo iptables --list
[sudo] password for ebadmin:
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:8022
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
LOG        all  --  anywhere             anywhere             LOG level warning

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
LOG        all  --  anywhere             anywhere             LOG level warning

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
LOG        all  --  anywhere             anywhere             LOG level warning
ebadmin@saturn:/var/log$ sudo iptables -t nat --list
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
DNAT       tcp  --  anywhere             anywhere             tcp spt:8023 to:192.168.10.2:22

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination

Worst of all, I don’t know how to interpret the iptables logs. I don’t see the final decision of the firewall.

I need help urgently.

My answer:
Set up a second virtual NIC for the guest which is bridged to br0 on the host.
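For readers who want to keep the NAT route the question attempts rather than bridge the guest to br0, here is that route written out as a complete rule set. This is an added example, not part of the original question or answer; it assumes the interfaces and addresses from the question (br0 as the real LAN, br1 carrying 192.168.10.0/24, the guest at 192.168.10.2, host port 8023 exposing the guest's ssh) and names like IPT/SYSCTL are its own.

```sh
#!/bin/sh
# Added example (not from the question or answer): the NAT route the
# question attempts, written out as a complete rule set.
# Assumed from the question: br0 is the real LAN, br1 carries the
# 192.168.10.0/24 guest network, the guest is 192.168.10.2, and ssh to
# the guest is exposed on host port 8023.
# Set IPT=echo SYSCTL=echo to print the commands instead of applying them.
IPT="${IPT:-iptables}"
SYSCTL="${SYSCTL:-sysctl}"
LAN_IF=br0
GUEST_IF=br1
GUEST_NET=192.168.10.0/24
GUEST_IP=192.168.10.2
GUEST_SSH_PORT=8023

guest_nat_rules() {
    # Without this the host never forwards packets between br1 and br0.
    $SYSCTL -w net.ipv4.ip_forward=1

    # Problem 2: rewrite host:8023 to guest:22. Match the destination
    # port; a source-port match only hits clients that happen to use 8023.
    $IPT -t nat -A PREROUTING -i "$LAN_IF" -p tcp --dport "$GUEST_SSH_PORT" \
         -j DNAT --to-destination "$GUEST_IP:22"

    # Problem 1: guest traffic leaving via br0 gets the host's address.
    $IPT -t nat -A POSTROUTING -s "$GUEST_NET" -o "$LAN_IF" -j MASQUERADE

    # FORWARD decides what crosses between the bridges. Default to DROP,
    # then allow only the two flows above. FORWARD sees the post-DNAT
    # destination, so the ssh rule matches 192.168.10.2:22, not port 8023.
    $IPT -P FORWARD DROP
    $IPT -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
    $IPT -A FORWARD -i "$GUEST_IF" -o "$LAN_IF" -s "$GUEST_NET" -j ACCEPT
    $IPT -A FORWARD -i "$LAN_IF" -o "$GUEST_IF" -d "$GUEST_IP" \
         -p tcp --dport 22 -m state --state NEW -j ACCEPT

    # Last rule: anything still here is about to hit the DROP policy, so
    # this log line is the firewall's final decision for that packet.
    $IPT -A FORWARD -j LOG --log-prefix "FORWARD-DROP: "
}

if [ "${1:-}" = "apply" ]; then
    guest_nat_rules
fi
```

Run the script with the argument `apply` as root to load the rules, or with `IPT=echo SYSCTL=echo` first to review them.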
View the full question and answer on Server Fault.

This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.