Need help with nwfilter part of libvirt VM package

I'm really bad at subnetting; I think I overwrote 255.255.0.0 with 255.255.255.0. I'm a bit confused. I'd like to block all local network access except for the minimum the VM needs to reach the internet. Allowing 192.168.122.1 (gateway?) and 192.168.122.255 (broadcast?) wasn't enough? https://paste.simplylinux.ch/view/a0f14e76#Ys8nwq1NIWWXHrWOHp5UbtmaGoA6UPGz
Wagon (272d ago):
Good afternoon, can I ask how you are hosting this VM?
Khenton (272d ago):
Good day. It is hosted locally on Ubuntu 22.04 with mostly the default options, using the standard DHCP 192.168.122.x. I did not change the default; I think it is partly bridged? The device is wireless, so it can't be a full bridge? So much information, I'm really confused. Could you elaborate on your question?
Carson (272d ago):
First off, do you know what your CIDR is?
Khenton (272d ago):
I think it did come up in my research but I don't fully remember. Wasn't that when you steal as many bits as you can from the host bits? Oh no, that was something else. I think it reverses to class D/E in the ABCDE system?
Carson (272d ago):
IPAddressGuide.com: CIDR to IPv4 Address Range Utility Tool | IPAddressGuide. Free IP address tool to translate IPv4 address range into CIDR (Classless Inter-Domain Routing) format and vice-versa.
Khenton (272d ago):
Maybe I'm confusing stuff. Oh yes, I know that every octet adds 8 to the slash.
Carson (272d ago):
You sure?
Khenton (272d ago):
Because every part has 8 bits. Well, I think you are implying I use the mask wrong; I have that feeling too, but I'm not completely sure how to go about it.
Carson (272d ago):
So you blocked all access? Even the gateway and broadcast?
Khenton (272d ago):
Yes, that is what I try to undo with:

```xml
<!-- accept traffic in both directions to/from the whole 192.168.122.0/24 subnet -->
<rule action='accept' direction='inout' priority='400'>
  <ip dstipaddr='192.168.122.0' dstipmask='24'/>
</rule>
<rule action='accept' direction='inout' priority='400'>
  <ip dstipaddr='192.168.122.0' dstipmask='24'/>
</rule>
```

It allows everything in 192.168.122.x (0-255). It works, but I would like to narrow it down further. dstipaddr='192.168.122.0' dstipmask='24' means 192.168.122.0 255.255.255.0 if I understand the documentation, while dstipmask='16' means 255.255.0.0.
Carson (272d ago):
Yes, that is correct.
Khenton (272d ago):
What are the minimum IPs that should be allowed?
Carson (272d ago):
What are you trying to do?
Khenton (272d ago):
I want the VM to reach the internet freely but have no access to any local networks.
Carson (272d ago):
Let a static IP with a CIDR of 32.
Khenton (272d ago):
There are currently 3: 192.168.0.1 (modem, ISP), 192.168.2.1 (my router) and 192.168.122.1 (libvirt's DHCP/switch).
Carson (272d ago):
I get what you're trying to do. But what is your use case for it, since it is a home network?
Khenton (272d ago):
I did assign it the static IP of 192.168.122.20. Online gaming.
Carson (272d ago):
Do you know that you are double NATed? Um.... why?
Khenton (272d ago):
By my ISP and my own router? Or do you mean that I have the host and VM on different subnets?
Carson (272d ago):
Did you just plug your router into your modem?
Khenton (272d ago):
Yes. My current ISP didn't allow bridge mode.
Carson (272d ago):
What ISP do you have?
Khenton (272d ago):
I'm from Europe lol. It was the only optic fibre in my neighbourhood at the time.
Carson (272d ago):
What ISP do you have?
Khenton (272d ago):
But how does this all relate to my issue?
w33t (272d ago):
Basically, you're gonna want to put your modem into a bridge or transparent mode, then have your router/firewall handle all of that. A double-NAT scenario adds a lot of clownery that's a pain to deal with.
Khenton (272d ago):
Unfortunately that isn't possible.
w33t (272d ago):
You don't need to mess with your network or broadcast. Your best bet is to either make a VLAN and disable inter-VLAN communication, or just give it an IP with /32 within that range so it's not on any "network" that can receive communication. It'll work with double NAT, but just be aware that it may cause some weird problems with game servers.
Khenton (272d ago):
Could you outline an example? I'm very new to networking, as you have noticed.
Carson (272d ago):
NETGEAR KB: What is double NAT and why is it bad? Double NAT occurs when you connect your router to an ISP gateway or another router.
Khenton (272d ago):
I guess I have always done double-NATed gaming; then with a VM it will be triple NATing unless I use a full bridge on the host, but that only works over LAN, I think. Changing my whole network probably is not something feasible at this time, but the original question was which IPs in the 192.168.122.x range the VM should have access to in order to reach the internet.
Carson (272d ago):
The gateway.
w33t (272d ago):
Like Carson said, the gateway is gonna handle all of your traffic, inbound and outbound.
Khenton (265d ago):
I tried allowing just 192.168.122.1 but it didn't seem to work. Was my use of the network mask ok? I will try some more things tomorrow; thank you for your time.

The issue was that although the network was properly filtered on the VM level, the host was passing all network packets through the gateway 192.168.122.1. It was solved by adding the following forward rules in iptables:

```shell
# drop forwarded traffic from the VM (192.168.122.20) to any 192.168.x.x host, and back
sudo iptables -I FORWARD -s 192.168.122.20/32 -d 192.168.0.0/16 -j DROP
sudo iptables -I FORWARD -s 192.168.0.0/16 -d 192.168.122.20/32 -j DROP
```