KVM + Cloudmin + IpTables
- by Alex
I have a KVM virtualization on a machine. I use Ubuntu Server + Cloudmin (in order to manage virtual machine instances).
On a host system I have four network interfaces:
ebadmin@saturn:/var/log$ ifconfig
br0       Link encap:Ethernet  HWaddr 10:78:d2:ec:16:38
          inet addr:192.168.0.253  Bcast:192.168.0.255  Mask:255.255.255.0
          inet6 addr: fe80::1278:d2ff:feec:1638/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:589337 errors:0 dropped:0 overruns:0 frame:0
          TX packets:334357 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:753652448 (753.6 MB)  TX bytes:43385198 (43.3 MB)

br1       Link encap:Ethernet  HWaddr 6e:a4:06:39:26:60
          inet addr:192.168.10.1  Bcast:192.168.10.255  Mask:255.255.255.0
          inet6 addr: fe80::6ca4:6ff:fe39:2660/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:16995 errors:0 dropped:0 overruns:0 frame:0
          TX packets:13309 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:2059264 (2.0 MB)  TX bytes:1763980 (1.7 MB)

eth0      Link encap:Ethernet  HWaddr 10:78:d2:ec:16:38
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:610558 errors:0 dropped:0 overruns:0 frame:0
          TX packets:332382 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:769477564 (769.4 MB)  TX bytes:44360402 (44.3 MB)
          Interrupt:20 Memory:fe400000-fe420000

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:239632 errors:0 dropped:0 overruns:0 frame:0
          TX packets:239632 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:50738052 (50.7 MB)  TX bytes:50738052 (50.7 MB)

tap0      Link encap:Ethernet  HWaddr 6e:a4:06:39:26:60
          inet6 addr: fe80::6ca4:6ff:fe39:2660/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:17821 errors:0 dropped:0 overruns:0 frame:0
          TX packets:13703 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:500
          RX bytes:2370468 (2.3 MB)  TX bytes:1782356 (1.7 MB)
br0 is connected to a real network, br1 is used to create a private network shared between guest systems.
Now I need to configure iptables for network access.
First of all I allow ssh sessions on port 8022 on the host system, then I allow all connections in state RELATED, ESTABLISHED.
This is working ok.
I install another system as a guest; its IP address is 192.168.10.2, and now I have two problems:
I want to allow access from this host to the outside world, but I cannot accomplish this. I can ssh from the host.
I want to be able to ssh to the guest from the outside world using port 8023. I cannot accomplish this.
The full iptables configuration is as follows:
ebadmin@saturn:/var/log$ sudo iptables --list
[sudo] password for ebadmin:
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:8022
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
LOG        all  --  anywhere             anywhere             LOG level warning

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
LOG        all  --  anywhere             anywhere             LOG level warning

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
LOG        all  --  anywhere             anywhere             LOG level warning

ebadmin@saturn:/var/log$ sudo iptables -t nat --list
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
DNAT       tcp  --  anywhere             anywhere             tcp spt:8023 to:192.168.10.2:22

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
The worst of all is that I don't know how to interpret iptables logs. I don't see the final decision of the firewall.
Need help urgently.
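A ruleset that implements the setup described in the post (host SSH on 8022, guest egress through br0, SSH to the guest on 8023, and logging that shows which chain made the final drop decision), as an added example that is not part of the original post. The bridge names, guest address and ports are taken from the post; matching the DNAT on the destination port, the MASQUERADE rule, the explicit FORWARD rules and the log prefixes are this example's own choices.

```shell
#!/bin/sh
# Added example: emits an iptables ruleset for the host described in the post.
# Values below come from the post; the rule layout is this example's own.
WAN_IF=br0            # bridge on the real network
GUEST_IF=br1          # private bridge shared by the guests
GUEST_NET=192.168.10.0/24
GUEST_IP=192.168.10.2
HOST_SSH=8022         # ssh to the host
GUEST_SSH=8023        # public port forwarded to the guest's port 22

# Print the commands instead of running them, so the ruleset can be
# reviewed first and then applied with: sh rules.sh | sudo sh
gen_rules() {
  cat <<EOF
sysctl -w net.ipv4.ip_forward=1
iptables -F; iptables -t nat -F
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
# traffic to the host itself
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -i $WAN_IF -p tcp --dport $HOST_SSH -m state --state NEW -j ACCEPT
# guest -> outside world: forward from br1 to br0 and hide the guest behind br0
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i $GUEST_IF -o $WAN_IF -s $GUEST_NET -j ACCEPT
iptables -t nat -A POSTROUTING -s $GUEST_NET -o $WAN_IF -j MASQUERADE
# outside world -> guest ssh: DNAT matches the DESTINATION port of the
# incoming packet; the rewritten packet then has to pass FORWARD as well
iptables -t nat -A PREROUTING -i $WAN_IF -p tcp --dport $GUEST_SSH -j DNAT --to-destination $GUEST_IP:22
iptables -A FORWARD -i $WAN_IF -o $GUEST_IF -p tcp -d $GUEST_IP --dport 22 -m state --state NEW -j ACCEPT
# LOG is non-terminating: placed last, it records exactly what falls through
# to the DROP policy, and the prefix names the chain that dropped it
iptables -A INPUT -m limit --limit 5/min -j LOG --log-prefix "IN-DROP: "
iptables -A FORWARD -m limit --limit 5/min -j LOG --log-prefix "FWD-DROP: "
EOF
}

gen_rules
```

A dropped packet then shows up in the kernel log as `IN-DROP:` or `FWD-DROP:` followed by the usual `IN=... OUT=... SRC=... DST=... DPT=...` fields, which is the firewall's final decision for that packet.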