ambitious-aqua (OP), 3y ago

Need help with nwfilter part of libvirt VM package

I'm really bad at subnetting. I think I overwrote 255.255.0.0 with 255.255.255.0. I'm a bit confused: I'd like to block all local network access except for the minimum the VM needs to reach the internet. Allowing 192.168.122.1 (gateway?) and 192.168.122.255 (broadcast?) wasn't enough? https://paste.simplylinux.ch/view/a0f14e76#Ys8nwq1NIWWXHrWOHp5UbtmaGoA6UPGz
36 Replies
Collin B., 3y ago
Good afternoon, can I ask how are you hosting this VM?
ambitious-aqua (OP), 3y ago
Good day. It is hosted locally on Ubuntu 22.04 with mostly the default options, using the standard DHCP 192.168.122.x. I did not change the default; I think it is partly bridged? The device is wireless, so it can't be a full bridge? So much information, I'm really confused. Could you elaborate on your question?
national-gold, 3y ago
First off, do you know what your CIDR is?
ambitious-aqua (OP), 3y ago
I think it did come up in my research but I don't fully remember. Wasn't that when you steal as many bits as you can from the host bits? Oh no, that was something else; I think it's the reverse of class D/E in the ABCDE system?
national-gold, 3y ago
IPAddressGuide.com: CIDR to IPv4 Address Range Utility Tool | IPAddressGuide. Free IP address tool to translate IPv4 address range into CIDR (Classless Inter-Domain Routing) format and vice-versa.
ambitious-aqua (OP), 3y ago
Maybe I'm confusing stuff. Oh yes, I know that every octet adds 8 to the slash.
national-gold, 3y ago
You sure?
ambitious-aqua (OP), 3y ago
Because every part has 8 bits. Well, I think you are implying I use the mask wrong; I have that feeling too, but I'm not completely sure how to go about it.
national-gold, 3y ago
So you blocked all access? Even the gateway and broadcast?
ambitious-aqua (OP), 3y ago
Yes, that is what I try to undo with:
<rule action='accept' direction='inout' priority='400'>
  <ip dstipaddr='192.168.122.0' dstipmask='24'/>
</rule>
<rule action='accept' direction='inout' priority='400'>
  <ip dstipaddr='192.168.122.0' dstipmask='24'/>
</rule>
It allows everything in 192.168.122.x (0-255). It works, but I would like to narrow it down further. dstipaddr='192.168.122.0' dstipmask='24' means 192.168.122.0 255.255.255.0 if I understand the documentation, while dstipmask='16' means 255.255.0.0.
national-gold, 3y ago
Yes, that is correct
ambitious-aqua (OP), 3y ago
What are the minimum IPs that should be allowed?
national-gold, 3y ago
What are you trying to do?
ambitious-aqua (OP), 3y ago
I want the VM to reach the internet freely but have no access to any local networks.
national-gold, 3y ago
Set a static IP with a CIDR of 32.
ambitious-aqua (OP), 3y ago
There are currently 3. There is 192.168.0.1 (modem, ISP), 192.168.2.1 (my router) and 192.168.122.1 (libvirt's DHCP/switch).
national-gold, 3y ago
I get what you're trying to do. But what is your use case for it, since it is a home network?
ambitious-aqua (OP), 3y ago
I did assign it the static IP of 192.168.122.20. Online gaming.
national-gold, 3y ago
Do you know that you are double NATed? Um.... why?
ambitious-aqua (OP), 3y ago
By my ISP and my own router? Or do you mean that I have the host and VM on different subnets?
national-gold, 3y ago
Did you just plug your router into your modem?
ambitious-aqua (OP), 3y ago
Yes. My current ISP didn't allow bridge mode.
national-gold, 3y ago
What ISP do you have?
ambitious-aqua (OP), 3y ago
I'm from Europe lol. It was the only optic fibre in my neighbourhood at the time.
national-gold, 3y ago
What ISP do you have?
ambitious-aqua (OP), 3y ago
But how does this all relate to my issue?
w33t, 3y ago
Basically, you're gonna want to put your modem into a bridge or transparent mode, then have your router/firewall handle all of that. A double NAT scenario adds a lot of clownery that's a pain to deal with.
ambitious-aqua (OP), 3y ago
Unfortunately that isn't possible.
w33t, 3y ago
You don't need to mess with your network or broadcast. Your best bet is to either make a VLAN and disable inter-VLAN communication, or just give it an IP with /32 within that range so it's not on any "network" that can receive communication. It'll work with double NAT, but just be aware that it may cause some weird problems with game servers.
ambitious-aqua (OP), 3y ago
Could you outline an example? I'm very new to networking, as you have noticed.
national-gold, 3y ago
NETGEAR KB: What is double NAT and why is it bad? Double NAT occurs when you connect your router to an ISP gateway or another router.
ambitious-aqua (OP), 3y ago
I guess I have always done double-NATted gaming then. With a VM it will be triple NATting unless I use a full bridge on the host, but that only works over LAN, I think. Changing my whole network is probably not something feasible at this time, but the original question was: which IPs in the 192.168.122.x range should the VM have access to in order to reach the internet?
national-gold, 3y ago
The gateway
w33t, 3y ago
Like Carson said, the gateway is gonna handle all of your traffic inbound and outbound
ambitious-aqua (OP), 3y ago
I tried allowing just 192.168.122.1 but it didn't seem to work. Was my use of the network mask OK? I will try some more things tomorrow, thank you for your time. The issue was that although the network was properly filtered on the VM level, the host was passing all network packets through the gateway 192.168.122.1. Fixed by adding the following forward rules in iptables:
sudo iptables -I FORWARD -s 192.168.122.20/32 -d 192.168.0.0/16 -j DROP
sudo iptables -I FORWARD -s 192.168.0.0/16 -d 192.168.122.20/32 -j DROP
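The thread's two sticking points were the netmask notation (dstipmask='24' versus '16') and what the two host-side FORWARD DROP rules actually cover. The following Python script is an added example written for this page, not code posted by any participant; the host addresses are constructed from the setup described above (VM 192.168.122.20, libvirt gateway 192.168.122.1, home router 192.168.2.1, ISP modem 192.168.0.1) and the public address is an arbitrary placeholder. It uses only the standard-library `ipaddress` module to translate masks, check which addresses an nwfilter-style rule matches, and model the host's FORWARD chain with those DROP rules at the top.

```python
import ipaddress

# Constructed sample addresses based on the setup described in the thread.
HOSTS = {
    "vm": "192.168.122.20",
    "libvirt_gateway": "192.168.122.1",
    "home_router": "192.168.2.1",
    "isp_modem": "192.168.0.1",
    "public": "203.0.113.10",   # TEST-NET-3 placeholder for "the internet"
    "other_lan": "10.0.0.5",    # constructed: a LAN the /16 rule does not cover
}

# The two FORWARD rules from the final message, as (source, destination) pairs
# the host drops before forwarding anything on the VM's behalf.
FORWARD_DROP_RULES = [
    ("192.168.122.20/32", "192.168.0.0/16"),
    ("192.168.0.0/16", "192.168.122.20/32"),
]


def mask_to_prefix(mask: str) -> int:
    """Translate a dotted netmask such as 255.255.0.0 into its prefix length (16).

    This is the number nwfilter's dstipmask attribute takes; confusing the two
    forms is where the original question started.
    """
    return ipaddress.ip_network(f"0.0.0.0/{mask}").prefixlen


def rule_covers(addr: str, network: str, mask) -> bool:
    """Would an nwfilter-style <ip dstipaddr=network dstipmask=mask/> match addr?

    mask may be a prefix length (24) or a dotted mask (255.255.255.0).
    strict=False masks away host bits in `network` instead of rejecting them.
    """
    net = ipaddress.ip_network(f"{network}/{mask}", strict=False)
    return ipaddress.ip_address(addr) in net


def host_forwards(src: str, dst: str) -> bool:
    """Model the host's FORWARD chain with the two DROP rules inserted at the top.

    Returns False if a packet from src to dst hits one of the DROP rules, True if
    it falls through to libvirt's own forwarding rules. Packets addressed to the
    gateway 192.168.122.1 itself go through the host's INPUT chain, not FORWARD,
    so a False for that address does not remove the VM's default route; it only
    means the host will not relay such a packet elsewhere.
    """
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for src_net, dst_net in FORWARD_DROP_RULES:
        if s in ipaddress.ip_network(src_net) and d in ipaddress.ip_network(dst_net):
            return False
    return True


def hosts_still_forwarded() -> list[str]:
    """Names of the sample hosts the host machine would still forward VM traffic to."""
    return [name for name, ip in HOSTS.items()
            if name != "vm" and host_forwards(HOSTS["vm"], ip)]


if __name__ == "__main__":
    print("255.255.0.0 is /%d" % mask_to_prefix("255.255.0.0"))
    print("router in 192.168.122.0/24?", rule_covers(HOSTS["home_router"], "192.168.122.0", 24))
    print("router in 192.168.122.0/16?", rule_covers(HOSTS["home_router"], "192.168.122.0", 16))
    print("still forwarded to:", hosts_still_forwarded())
```

Running it shows why a /16 allow rule reopened the whole home network while /24 only covered libvirt's own subnet, and why the final DROP rules let the public address through but not the router or modem. The `other_lan` entry illustrates the gap a practitioner should check for: the rules only cover 192.168.0.0/16, so a LAN in 10.0.0.0/8 or 172.16.0.0/12 would still be forwarded. Since `-I` inserts at the head of the chain, confirm the two DROPs sit above libvirt's ACCEPT rules with `sudo iptables -L FORWARD -n --line-numbers`, and remember they are not persistent across reboots unless saved.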