Previously on "More IPTables lunacy"
-
Actually the hook script was down to me.
First problem is you need to make the script executable
Code:
chmod +x /etc/libvirt/hooks/qemu
The script runs from the command line, and has command line arguments which specify the machine name, and machine status.
So if your machine name is WIN_7_GUEST then the script should look like
Code:
#!/bin/sh
GUEST_NAME=WIN_7_GUEST
GUEST_PORT=5902

# $1 is the guest name, $2 the operation libvirt is performing on it
if [ "$1" = "$GUEST_NAME" ]; then
    if [ "$2" = start ]; then
        iptables -I INPUT 1 -p tcp --dport "$GUEST_PORT" -j ACCEPT
    elif [ "$2" = stopped ]; then
        # delete by rule specification, not by position, since other rules may have moved it
        iptables -D INPUT -p tcp --dport "$GUEST_PORT" -j ACCEPT
    fi
fi
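A fuller version of the hook idea in this post, added here as an example and not the thread's own script: it restricts the console port to one client subnet, uses one rule specification for insert, check and delete, and checks with iptables -C first so repeated start/stopped events neither stack duplicate rules nor fail. The guest name, port and client subnet are placeholders, and IPTABLES can be pointed at a stub for a dry run.

```shell
#!/bin/sh
# Added example, not the script from the thread: a /etc/libvirt/hooks/qemu hook
# that opens one guest's console port only while that guest runs.
# libvirt invokes it as:  qemu <guest-name> <operation> <sub-operation> <extra>
# Assumed/placeholder values (not from the thread): guest name, port, client subnet.
GUEST_NAME="${GUEST_NAME:-WIN_7_GUEST}"
GUEST_PORT="${GUEST_PORT:-5902}"
CLIENT_NET="${CLIENT_NET:-192.168.0.0/24}"   # constructed: only this LAN may reach the console
IPTABLES="${IPTABLES:-iptables}"              # override with a stub for dry runs/tests

# One rule specification, used identically for insert, check and delete so that
# delete never has to guess a rule number.
rule_spec() {
    printf '%s' "-s $CLIENT_NET -p tcp --dport $GUEST_PORT -m conntrack --ctstate NEW -j ACCEPT"
}

# Map a libvirt operation to the firewall action; return 1 for operations
# (prepare, started, release, ...) that need no change.
action_for() {
    case "$1" in
        start)   echo insert ;;
        stopped) echo delete ;;
        *)       return 1 ;;
    esac
}

# Apply idempotently: -C tests for an existing identical rule, so a repeated
# "start" does not stack duplicates and a "stopped" after a manual removal
# does not fail. $spec is intentionally unquoted so it splits into arguments.
apply_rule() {
    spec=$(rule_spec)
    case "$1" in
        insert) if ! $IPTABLES -C INPUT $spec 2>/dev/null; then
                    $IPTABLES -I INPUT 1 $spec
                fi ;;
        delete) if $IPTABLES -C INPUT $spec 2>/dev/null; then
                    $IPTABLES -D INPUT $spec
                fi ;;
    esac
}

# Entry point: act only for our guest and only on start/stopped.
if [ "$1" = "$GUEST_NAME" ]; then
    if act=$(action_for "$2"); then
        apply_rule "$act"
    fi
fi
```

Inserting at position 1 matters because firewalld's INPUT chain ends in a catch-all REJECT; a rule appended after it is never reached.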
-
OK so I have a hackaround.
Code:
iptables -I INPUT 1 -p tcp --dport 5902 -j ACCEPT
However I did find out that qemu (that's the hypervisor) supports hooks. So it's possible to write a script that runs when a VM is sparked up and shut down to add the necessary rules to iptables and remove them respectively.
So here's what I did.
/etc/libvirt/hooks/qemu
Code:
#!/bin/sh
GUEST_NAME HOST_PORT GUEST_IPADDR GUEST_PORT
if [ "$1" = "$GUEST_NAME" ]; then
    if [ "$2" = start ]; then
        iptables -I INPUT 1 -p tcp --dport "$GUEST_PORT" -j ACCEPT
    elif [ "$2" = stopped ]; then
        iptables -D INPUT -p tcp --dport "$GUEST_PORT" -j ACCEPT
    fi
fi
So for now I have to do this manually from an elevated shell.
So I have a hackaround for now at least.
-
OK so the hackaround option seems to not work either
I started firewalld, started the hypervisor.
Output from iptables -L seems ok now.
Boot VM. VM has internet access and I cannot connect to it remotely. All familiar.
Then from an elevated shell I type
Code:
iptables -A INPUT -p tcp --dport 5902 -j ACCEPT
Try to connect remotely and still no.
Output of iptables -L?
Code:
Chain INPUT (policy ACCEPT)
target              prot opt source      destination
ACCEPT              udp  --  anywhere    anywhere     udp dpt:domain
ACCEPT              tcp  --  anywhere    anywhere     tcp dpt:domain
ACCEPT              udp  --  anywhere    anywhere     udp dpt:bootps
ACCEPT              tcp  --  anywhere    anywhere     tcp dpt:bootps
ACCEPT              all  --  anywhere    anywhere     ctstate RELATED,ESTABLISHED
ACCEPT              all  --  anywhere    anywhere
INPUT_direct        all  --  anywhere    anywhere
INPUT_ZONES_SOURCE  all  --  anywhere    anywhere
INPUT_ZONES         all  --  anywhere    anywhere
ACCEPT              icmp --  anywhere    anywhere
REJECT              all  --  anywhere    anywhere     reject-with icmp-host-prohibited
ACCEPT              tcp  --  anywhere    anywhere     tcp dpt:5902
Edit: -A means append so I guess that's fair enough, but still annoying.
Last edited by suityou01; 28 February 2015, 15:19.
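An added check, not from the thread, that makes the -A versus -I point visible: given iptables -L output on stdin, it lists every rule that can never match because an unconditional REJECT or DROP sits earlier in the same chain. The sample listing embedded in it is constructed to mirror the one in the post above, not the real output.

```shell
#!/bin/sh
# Added example (not from the thread): find rules that are dead because an
# unconditional REJECT/DROP precedes them in the same chain. This is exactly
# what "-A" did above: the 5902 ACCEPT landed after firewalld's catch-all REJECT.
# Reads "iptables -L" output on stdin; prints one line per shadowed rule.
shadowed_rules() {
    awk '
        /^Chain /  { chain = $2; dead = 0; next }   # new chain resets state
        /^target / { next }                          # column header line
        NF == 0    { next }                          # blank separator
        {
            if (dead) printf "%s: shadowed rule: %s\n", chain, $0
            # catch-all = REJECT/DROP, any protocol, any src/dst, no match extension
            if (($1 == "REJECT" || $1 == "DROP") && $2 == "all" &&
                $4 == "anywhere" && $5 == "anywhere" &&
                (NF == 5 || $6 == "reject-with"))
                dead = 1
        }'
}

# Constructed sample modelled on the listing in the thread (not the real output).
SAMPLE='Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
REJECT     all  --  anywhere             anywhere             reject-with icmp-host-prohibited
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:5902

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ssh'

# Live usage would be:  iptables -L | shadowed_rules
printf '%s\n' "$SAMPLE" | shadowed_rules
```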
-
Just did a restart of firewalld and hypervisor and it works again, but no internet access for the guest.
Flaky as hell.
Edit: Here is the output of iptables -L since restarting the services
Code:
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
Hence also why I can connect to it remotely.
So it seems I have to now get libvirt to open 5902 by loading its own rule into iptables.
Which brings me back to my hack around option.
Last edited by suityou01; 28 February 2015, 14:59.
-
Output from iptables -L:
Code:
Chain INPUT (policy ACCEPT)
target              prot opt source       destination
ACCEPT              udp  --  anywhere     anywhere      udp dpt:domain
ACCEPT              tcp  --  anywhere     anywhere      tcp dpt:domain
ACCEPT              udp  --  anywhere     anywhere      udp dpt:bootps
ACCEPT              tcp  --  anywhere     anywhere      tcp dpt:bootps
ACCEPT              all  --  anywhere     anywhere      ctstate RELATED,ESTABLISHED
ACCEPT              all  --  anywhere     anywhere
INPUT_direct        all  --  anywhere     anywhere
INPUT_ZONES_SOURCE  all  --  anywhere     anywhere
INPUT_ZONES         all  --  anywhere     anywhere
ACCEPT              icmp --  anywhere     anywhere
REJECT              all  --  anywhere     anywhere      reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT)
target                   prot opt source       destination
ACCEPT                   all  --  anywhere     10.0.0.0/24   ctstate RELATED,ESTABLISHED
ACCEPT                   all  --  10.0.0.0/24  anywhere
ACCEPT                   all  --  anywhere     anywhere
REJECT                   all  --  anywhere     anywhere      reject-with icmp-port-unreachable
REJECT                   all  --  anywhere     anywhere      reject-with icmp-port-unreachable
ACCEPT                   all  --  anywhere     anywhere      ctstate RELATED,ESTABLISHED
ACCEPT                   all  --  anywhere     anywhere
FORWARD_direct           all  --  anywhere     anywhere
FORWARD_IN_ZONES_SOURCE  all  --  anywhere     anywhere
FORWARD_IN_ZONES         all  --  anywhere     anywhere
FORWARD_OUT_ZONES_SOURCE all  --  anywhere     anywhere
FORWARD_OUT_ZONES        all  --  anywhere     anywhere
ACCEPT                   icmp --  anywhere     anywhere
REJECT                   all  --  anywhere     anywhere      reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
target         prot opt source       destination
OUTPUT_direct  all  --  anywhere     anywhere

Chain FORWARD_IN_ZONES (1 references)
target       prot opt source       destination
FWDI_public  all  --  anywhere     anywhere     [goto]

Chain FORWARD_IN_ZONES_SOURCE (1 references)
target       prot opt source       destination

Chain FORWARD_OUT_ZONES (1 references)
target       prot opt source       destination
FWDO_public  all  --  anywhere     anywhere     [goto]

Chain FORWARD_OUT_ZONES_SOURCE (1 references)
target       prot opt source       destination

Chain FORWARD_direct (1 references)
target       prot opt source       destination

Chain FWDI_public (1 references)
target             prot opt source       destination
FWDI_public_log    all  --  anywhere     anywhere
FWDI_public_deny   all  --  anywhere     anywhere
FWDI_public_allow  all  --  anywhere     anywhere

Chain FWDI_public_allow (1 references)
target       prot opt source       destination

Chain FWDI_public_deny (1 references)
target       prot opt source       destination

Chain FWDI_public_log (1 references)
target       prot opt source       destination

Chain FWDO_public (1 references)
target             prot opt source       destination
FWDO_public_log    all  --  anywhere     anywhere
FWDO_public_deny   all  --  anywhere     anywhere
FWDO_public_allow  all  --  anywhere     anywhere

Chain FWDO_public_allow (1 references)
target       prot opt source       destination

Chain FWDO_public_deny (1 references)
target       prot opt source       destination

Chain FWDO_public_log (1 references)
target       prot opt source       destination

Chain INPUT_ZONES (1 references)
target     prot opt source       destination
IN_public  all  --  anywhere     anywhere     [goto]

Chain INPUT_ZONES_SOURCE (1 references)
target       prot opt source       destination

Chain INPUT_direct (1 references)
target       prot opt source       destination

Chain IN_public (1 references)
target           prot opt source       destination
IN_public_log    all  --  anywhere     anywhere
IN_public_deny   all  --  anywhere     anywhere
IN_public_allow  all  --  anywhere     anywhere

Chain IN_public_allow (1 references)
target     prot opt source       destination
ACCEPT     tcp  --  anywhere     anywhere     tcp dpt:ssh ctstate NEW
ACCEPT     tcp  --  anywhere     anywhere     tcp dpt:5901 ctstate NEW

Chain IN_public_deny (1 references)
target       prot opt source       destination

Chain IN_public_log (1 references)
target       prot opt source       destination

Chain OUTPUT_direct (1 references)
target       prot opt source       destination
-
OK so I'm leaning towards Stek's "Linux is crap" argument slightly more.
WFH on this now so I opened 5902 on the router, opened 5902 in iptables with a slightly different statement this time
Code:
-A INPUT -m state --state NEW,ESTABLISHED,RELATED -m tcp -p tcp --dport 5902 -m comment --comment "SPICE Client" -j ACCEPT
Except that the VM no longer has internet access, i.e. NAT is not forwarding on for some reason.
Fairy snuff.
Code:
systemctl restart firewalld
Restart VM. Bingo, internet access.
But I can no longer connect using remote viewer.
OK so spin up Wireshark and slap a Display filter on tcp.port eq 5902
Very enlightening.
Code:
5902 7.874682000 192.168.0.5 90.195.100.51 ICMP 94 Destination unreachable (Host administratively prohibited)
Note, no firewall rules were changed since it last worked.
Ergo I conclude libvirt is adding something to the inbound rule chain that is overriding my rule and blocking me.
-
Originally posted by stek:
    Quick look at err, one at work...
    Try setting iptables to allow TCP ports 5801, 5901 and 6001....... Or 5800, 5900 and 6000 etc....
    AIUI - those are needed for VNC viewer, client and server respectively...
The ports and ranges have been opened. I think the problem lies in that when KVM starts the NAT, libvirt adds its own rules to iptables for the NAT.
So I open port 5902 or whatever, restart iptables, and restart the hypervisor, then grep the port with iptables and it's mysteriously not there.
I'm looking at a hack around, to get libvirt to add the port rules instead of adding them to iptables. Just some scripting.
Seems completely mental that you can add a guest, configure the port and that KVM handles the NATting from guest to outside world but doesn't handle outside world to guest. It's like out of the box you can have as many VMs as you want, but just don't expect to talk to them ever.
-
Quick look at err, one at work...
Try setting iptables to allow TCP ports 5801, 5901 and 6001....... Or 5800, 5900 and 6000 etc....
AIUI - those are needed for VNC viewer, client and server respectively...
-
5901 is vnc. That works.
5900 - 5910 was originally open as a range. Then I reverted to a single port.
News is that wireshark reveals that it is the outbound connection from 192.168.0.5 to 192.168.0.10 that is being refused.
So the incoming ack gets through. This smells right to me as now the virt-viewer is just sitting there saying connection.
Kind of Ack .........
And no Syn ever comes.
I added an outbound rule for the same port and restarted the services but still nichts.
Proper grateful for your time Mr Stek. Reckon this one might be unsolvable via a forum.
-
Originally posted by suityou01:
    Lol. You don't remember the last load of fun and games with that?
    If NAT is working without the poxy firewall then it can't be the NAT.
    This has to be a pure IPTables problem, Shirley?
Code:
blah blah -m multiport --dports 5901:5906,6001:6006 blah blah
-
Lol. You don't remember the last load of fun and games with that?
If NAT is working without the poxy firewall then it can't be the NAT.
This has to be a pure IPTables problem, Shirley?