
Even more IP Tables Lunacy


    #11
    Originally posted by eek View Post
    Good luck with that request.... You removed the only person able to help you in your conversation over the weekend...

    So basically you don't know, have had to have me explain the question to you as you completely failed to understand the OP, slashed around wildly without actually knowing what you are talking about, trolled, did some trolling tags and then flounced from the thread?

    Bit pathetic really, even for you.
    Knock first as I might be balancing my chakras.



      #12
      Originally posted by suityou01 View Post
      So basically you don't know, have had to have me explain the question to you as you completely failed to understand the OP, slashed around wildly without actually knowing what you are talking about, trolled, did some trolling tags and then flounced from the thread?

      Bit pathetic really, even for you.
      Given that you've already stated that KVM's current implementation doesn't work and has issues (or bugs in it) why do you think your firewall settings aren't affected by that bug....

      I've already stated that you are utterly out of your depth and it's plausible (indeed very likely) that what you want to do is not practically possible. Why on earth are you continuing to try and get something that may not be possible in this release working.....
      Last edited by eek; 5 March 2015, 11:44.
      merely at clientco for the entertainment



        #13
        Originally posted by eek View Post
        Given that you've already stated that KVM's current implementation doesn't work and has bugs in it why do you think your firewall settings aren't affected by that bug....

        I've already stated that you are utterly out of your depth and the thing you want to do is clearly not practically possible. Why on earth are you continuing to try and get something that may not be possible in this release working.....
        Where did I state this?

        The current implementation doesn't set up the firewall for you properly.
        This is specifically a firewall question, with all the information necessary to help me.

        Yes I do need help with this, which is why I came here for it.

        But you do not know the answer to my specific question either, and are just here for a troll.

        It is possible in this release, with the correct firewall settings. You have the wireshark trace output, so either you can help or you can't. If the latter, can you please just stop stinking up this thread with your incessant trolling please?
        Last edited by administrator; 5 March 2015, 20:46. Reason: No winking here please.
        Knock first as I might be balancing my chakras.



          #14
          I'm merely performing the 1 million questions task we require to elaborate all the requirements you are hiding from us....
          merely at clientco for the entertainment



            #15
            Sorry to interrupt the punchup, but I'm feeling charitable (and have a bit of time to kill...) so I'll try to help. Got a meeting in 20 so I'll be tied up for an hourish.

            The KVM host - some questions:

            - What OS & version? (I assume RHEL or some derivative thereof?)
            - What network interfaces are available? (ifconfig / ip link / whatever etc.)
            - What are the current iptables rules in place relevant to this issue?

            Feel free to PM me if you like.



              #16
              Originally posted by eek View Post
              I'm merely performing the 1 million questions task we require to elaborate all the requirements you are hiding from us....
              Where are your questions?
              Knock first as I might be balancing my chakras.



                #17
                Originally posted by Mattski View Post
                Sorry to interrupt the punchup, but I'm feeling charitable (and have a bit of time to kill...) so I'll try to help. Got a meeting in 20 so I'll be tied up for an hourish.

                The KVM host - some questions:

                - What OS & version? (I assume RHEL or some derivative thereof?)
                - What network interfaces are available? (ifconfig / ip link / whatever etc.)
                - What are the current iptables rules in place relevant to this issue?

                Feel free to PM me if you like.
                Centos 7
                Host (192.168.0.5)
                Virtual network bridge (10.0.0.1)
                Guest (10.0.0.222)

                Code:
                Chain FORWARD (policy ACCEPT)
                target     prot opt source               destination         
                ACCEPT     tcp  --  192.168.0.5         10.0.0.0/24         
                ACCEPT     all  --  anywhere             10.0.0.0/24          ctstate RELATED,ESTABLISHED
                ACCEPT     all  --  10.0.0.0/24          anywhere            
                ACCEPT     all  --  anywhere             anywhere            
                REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable
                REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable
                ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
                ACCEPT     all  --  anywhere             anywhere            
                FORWARD_direct  all  --  anywhere             anywhere            
                FORWARD_IN_ZONES_SOURCE  all  --  anywhere             anywhere            
                FORWARD_IN_ZONES  all  --  anywhere             anywhere            
                FORWARD_OUT_ZONES_SOURCE  all  --  anywhere             anywhere            
                FORWARD_OUT_ZONES  all  --  anywhere             anywhere            
                ACCEPT     icmp --  anywhere             anywhere            
                REJECT     all  --  anywhere             anywhere             reject-with icmp-host-prohibited
                The rule I added while failing to solve this is in bold. The rest are added by libvirt.
                Knock first as I might be balancing my chakras.



                  #18
                  Mattski, this is what I am reading :

                  https://libvirt.org/firewall.html

                  type=nat

                  Allow inbound related to an established connection. Allow outbound, but only from our expected subnet. Allow traffic between guests. Deny all other inbound. Deny all other outbound.

                  Code:
                  target     prot opt in     out     source               destination
                  ACCEPT     all  --  *      virbr0  0.0.0.0/0            192.168.122.0/24     state RELATED,ESTABLISHED
                  ACCEPT     all  --  virbr0 *       192.168.122.0/24     0.0.0.0/0
                  ACCEPT     all  --  virbr0 virbr0  0.0.0.0/0            0.0.0.0/0
                  REJECT     all  --  *      virbr0  0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable
                  REJECT     all  --  virbr0 *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable
                  So you can see libvirt adds rules to allow traffic between the guests and from the guests out. I want to sort out the problem in wireshark that says from host > guest the LDAP connection SYN/ACK is getting blocked.

                  NB 192.168.122.0/24 is their example. I am using 10.0.0.0/24
                  Knock first as I might be balancing my chakras.

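To make the first-match behaviour of the libvirt rules quoted in post #18 concrete, here is an added example (my own Python model of netfilter chain evaluation, not libvirt's code and not something from the thread) that walks a constructed copy of those five FORWARD rules, with the thread's virbr0 and 10.0.0.0/24 substituted for the documentation's 192.168.122.0/24, and reports which rule fires for a handful of constructed packets. It also shows what changes when the rule from post #17 (ACCEPT tcp from 192.168.0.5 to 10.0.0.0/24) is inserted at position 1. One caveat the model deliberately encodes: FORWARD only sees packets the host routes between two interfaces; connections the host itself originates traverse OUTPUT, and their replies traverse INPUT, so a host-to-guest SYN/ACK is never decided in FORWARD. Interface names, addresses and packets are assumptions for illustration.

```python
"""First-match walk of a netfilter FORWARD chain.

Constructed model for illustration: it mimics how iptables evaluates a
chain (first matching rule wins, chain policy applies if none match), it
does not talk to the kernel.
"""
import ipaddress
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

ANY = ipaddress.ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Rule:
    target: str                              # ACCEPT or REJECT
    in_if: Optional[str] = None              # None means '*' (any input interface)
    out_if: Optional[str] = None             # None means '*' (any output interface)
    proto: Optional[str] = None              # None means 'all'
    src: ipaddress.IPv4Network = ANY
    dst: ipaddress.IPv4Network = ANY
    state: Optional[FrozenSet[str]] = None   # conntrack states; None means no state match


@dataclass(frozen=True)
class Packet:
    in_if: str
    out_if: str
    proto: str
    src: str
    dst: str
    state: str   # NEW, ESTABLISHED or RELATED, as conntrack would classify it


def matches(rule: Rule, pkt: Packet) -> bool:
    """All matches in a rule must hold; an unset field matches anything."""
    if rule.in_if is not None and rule.in_if != pkt.in_if:
        return False
    if rule.out_if is not None and rule.out_if != pkt.out_if:
        return False
    if rule.proto is not None and rule.proto != pkt.proto:
        return False
    if ipaddress.ip_address(pkt.src) not in rule.src:
        return False
    if ipaddress.ip_address(pkt.dst) not in rule.dst:
        return False
    if rule.state is not None and pkt.state not in rule.state:
        return False
    return True


def walk(chain: List[Rule], pkt: Packet, policy: str = "ACCEPT") -> Tuple[int, str]:
    """Return (1-based number of the rule that fired, verdict).

    Rule number 0 means no rule matched and the chain policy decided.
    """
    for n, rule in enumerate(chain, start=1):
        if matches(rule, pkt):
            return n, rule.target
    return 0, policy


def net(s: str) -> ipaddress.IPv4Network:
    return ipaddress.ip_network(s)


# libvirt's documented type=nat FORWARD rules, with the thread's bridge and subnet
# (virbr0, 10.0.0.0/24) substituted for the documentation's 192.168.122.0/24.
LIBVIRT_NAT: List[Rule] = [
    Rule("ACCEPT", out_if="virbr0", dst=net("10.0.0.0/24"),
         state=frozenset({"RELATED", "ESTABLISHED"})),   # replies back in to guests
    Rule("ACCEPT", in_if="virbr0", src=net("10.0.0.0/24")),  # guests out, own subnet only
    Rule("ACCEPT", in_if="virbr0", out_if="virbr0"),         # guest to guest
    Rule("REJECT", out_if="virbr0"),                         # everything else inbound
    Rule("REJECT", in_if="virbr0"),                          # everything else outbound
]

# The rule from the thread, inserted above libvirt's (what `iptables -I FORWARD 1 ...` does).
WITH_OP_RULE: List[Rule] = [
    Rule("ACCEPT", proto="tcp", src=net("192.168.0.5/32"), dst=net("10.0.0.0/24"))
] + LIBVIRT_NAT

# Constructed packets as FORWARD would see them (em2 = LAN side, virbr0 = guest bridge).
# Assumed hosts 192.168.0.10/.20 and guest 10.0.0.223 exist only for this example.
guest_out   = Packet("virbr0", "em2",    "tcp", "10.0.0.222",   "192.168.0.10", "NEW")
lan_reply   = Packet("em2",    "virbr0", "tcp", "192.168.0.10", "10.0.0.222",   "ESTABLISHED")
lan_new     = Packet("em2",    "virbr0", "tcp", "192.168.0.10", "10.0.0.222",   "NEW")
guest_guest = Packet("virbr0", "virbr0", "tcp", "10.0.0.222",   "10.0.0.223",   "NEW")
lan_only    = Packet("em2",    "em2",    "tcp", "192.168.0.10", "192.168.0.20", "NEW")
# A forwarded packet claiming the host's own address as source. The host's own
# connections never traverse FORWARD (they use OUTPUT/INPUT), so this is only
# ever seen if some other machine spoofs 192.168.0.5.
op_rule_hit = Packet("em2",    "virbr0", "tcp", "192.168.0.5",  "10.0.0.222",   "NEW")

if __name__ == "__main__":
    for name, pkt in [("guest_out", guest_out), ("lan_reply", lan_reply),
                      ("lan_new", lan_new), ("guest_guest", guest_guest),
                      ("lan_only", lan_only), ("op_rule_hit", op_rule_hit)]:
        print(f"{name:12} libvirt={walk(LIBVIRT_NAT, pkt)}  with_op_rule={walk(WITH_OP_RULE, pkt)}")
```

Walking the chain this way makes two things visible that the `iptables -L` listing hides: that a NEW connection from the LAN into a guest is stopped by the fourth rule whatever is appended after it, and that the inserted ACCEPT only changes the verdict for packets FORWARD actually routes between em2 and virbr0. To see which rules are being hit on the real host, `iptables -L FORWARD -v -n --line-numbers` shows per-rule packet counters and the in/out interface columns that the plain `-L` output in the thread omits.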


                    #19
                    What's the output of netstat -rn



                      #20
                      Originally posted by stek View Post
                      What's the output of netstat -rn
                      Code:
                      Kernel IP routing table
                      Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
                      0.0.0.0         192.168.0.1     0.0.0.0         UG        0 0          0 em2
                      10.0.0.0        0.0.0.0         255.255.255.0   U         0 0          0 virbr0
                      169.254.0.0     0.0.0.0         255.255.0.0     U         0 0          0 em2
                      192.168.0.0     0.0.0.0         255.255.255.0   U         0 0          0 em2
                      Knock first as I might be balancing my chakras.
