From: Alberto <alberto@bersol.info>
To: netfilter@vger.kernel.org
Subject: Fwd: Security in Virtual machine with DNAT
Date: Thu, 23 May 2013 10:27:56 +0200 [thread overview]
Message-ID: <519DD30C.70500@bersol.info> (raw)
In-Reply-To: <519DCEDC.9030704@bersol.info>
I tried to send this in HTML format, with a graphic, but the list policy
did not permit it.
Sorry.
This is the plain text of the message.
-------- Original message --------
Subject: Security in Virtual machine with DNAT
Date: Thu, 23 May 2013 10:10:04 +0200
From: Alberto <alberto@bersol.info>
To: netfilter@vger.kernel.org
Hi Everybody,
I have a physical host (Server Fisico) connected to the Internet. It
has 2 network cards: the first one (eth0) is connected to the router
and the Internet, the other (eth1) is connected to the LAN.
eth1 is bridged to the virtual machines' network, and one of them
(virtual1) has an HTTP server. Everything is running correctly.
Scenario
I have an IPTABLES firewall running on the host, with DNAT forwarding HTTP
traffic to Virtual1. I have IPTABLES rules on the host to block some
IPs that give me problems, but these rules do not protect Virtual1.
All HTTP traffic is forwarded to Virtual1, even if the source IP is
blocked by the IPTABLES rules.
I had an attack, and I couldn't block the HTTP traffic to
Virtual1; the IPTABLES rules do not affect it.
What can I do to secure the virtual machines?
These are some rules:

Chain PREROUTING (policy ACCEPT 97192 packets, 8175K bytes)
 pkts bytes target prot opt in out source destination
  374 20884 DNAT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 to:Virtual1:80
    2   104 DNAT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:443 to:Virtual1:443
...

Chain INPUT (policy DROP 39407 packets, 5120K bytes)
 pkts bytes target prot opt in out source destination
    0     0 REJECT all -- * * 99.24.186.236 0.0.0.0/0 reject-with icmp-port-unreachable
    0     0 REJECT all -- * * 64.60.169.59 0.0.0.0/0 reject-with icmp-port-unreachable
...
Thanks a lot
Alberto
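The reason the INPUT rules above do not help: a packet that PREROUTING DNATs to the guest is routed onward, so it traverses the FORWARD chain and never the INPUT chain, which only sees packets addressed to the host itself. The audit script below is an added example, not from the post or from netfilter; it parses `iptables -L -v -n` style listings (constructed here from the rules shown above, with the guest named "Virtual1" as in the post) and lists the FORWARD rules that are still missing for every source that INPUT blocks.

```python
import re
# Constructed listings modelled on the post's `iptables -L -v -n` output;
# "Virtual1" is the guest's name exactly as the post shows it.
NAT_PREROUTING = """\
Chain PREROUTING (policy ACCEPT 97192 packets, 8175K bytes)
 pkts bytes target prot opt in out source destination
  374 20884 DNAT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 to:Virtual1:80
    2   104 DNAT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:443 to:Virtual1:443
"""
FILTER_INPUT = """\
Chain INPUT (policy DROP 39407 packets, 5120K bytes)
 pkts bytes target prot opt in out source destination
    0     0 REJECT all -- * * 99.24.186.236 0.0.0.0/0 reject-with icmp-port-unreachable
    0     0 REJECT all -- * * 64.60.169.59 0.0.0.0/0 reject-with icmp-port-unreachable
"""
# The post shows no FORWARD rules at all: an empty chain with an ACCEPT policy.
FILTER_FORWARD = """\
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target prot opt in out source destination
"""

def parse_rules(listing):
    """Parse `iptables -L <chain> -v -n` output into dicts of the columns we need."""
    rules = []
    for line in listing.splitlines()[2:]:  # skip the chain line and column header
        f = line.split()
        if len(f) >= 9:  # pkts bytes target prot opt in out source destination [extra]
            rules.append({"target": f[2], "src": f[7], "extra": " ".join(f[9:])})
    return rules

def blocked_sources(listing):
    """Source addresses that a chain DROPs or REJECTs outright."""
    return {r["src"] for r in parse_rules(listing)
            if r["target"] in ("DROP", "REJECT") and r["src"] != "0.0.0.0/0"}

def dnat_targets(listing):
    """Guest addresses that nat/PREROUTING hands traffic to via DNAT."""
    return [m.group(1) for r in parse_rules(listing)
            if r["target"] == "DNAT" and (m := re.search(r"to:(\S+)", r["extra"]))]

def audit(nat_prerouting, filter_input, filter_forward):
    """Return the FORWARD rules still needed so that every source blocked in
    INPUT is also blocked on the forwarded path to the DNAT'd guests."""
    if not dnat_targets(nat_prerouting):
        return []  # nothing is forwarded, so INPUT alone covers the host
    missing = blocked_sources(filter_input) - blocked_sources(filter_forward)
    return [f"iptables -I FORWARD -s {src} -j DROP" for src in sorted(missing)]

if __name__ == "__main__":
    print("\n".join(audit(NAT_PREROUTING, FILTER_INPUT, FILTER_FORWARD)))
```

Because every incoming packet passes the PREROUTING hook before the routing decision, a single block in the raw table's PREROUTING chain (`-t raw -I PREROUTING -s <addr> -j DROP`) covers both the host and the forwarded guest traffic without maintaining the rule twice.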