Khenton
Khenton2y ago

Need help with nwfilter part of libvirt VM package

I'm really bad at subnetting. I think I overwrote 255.255.0.0 with 255.255.255.0; I'm a bit confused. I'd like to block all local network access except for the minimum the VM needs to reach the internet. Allowing 192.168.122.1 (gateway?) and 192.168.122.255 (broadcast?) wasn't enough? https://paste.simplylinux.ch/view/a0f14e76#Ys8nwq1NIWWXHrWOHp5UbtmaGoA6UPGz
36 Replies
Wagon
Wagon2y ago
Good afternoon, can I ask how you are hosting this VM?
Khenton
KhentonOP2y ago
Good day. It is hosted locally on Ubuntu 22.04 with mostly the default options, using the standard DHCP range 192.168.122.x. I did not change the default; I think it is partly bridged? The device is wireless, so it can't be a full bridge? So much information, I'm really confused. Could you elaborate on your question?
Carson
Carson2y ago
First off, do you know what your CIDR is?
Khenton
KhentonOP2y ago
I think it did come up in my research but I don't fully remember. Wasn't that when you steal as many bits as you can from the host bits? Oh no, that was something else. I think it's the reverse of class D/E in the ABCDE system?
Carson
Carson2y ago
IPAddressGuide.com
CIDR to IPv4 Address Range Utility Tool | IPAddressGuide
Free IP address tool to translate IPv4 address range into CIDR (Classless Inter-Domain Routing) format and vice-versa.
Khenton
KhentonOP2y ago
Maybe I'm confusing stuff. Oh yes, I know that every octet adds 8 to the slash.
Carson
Carson2y ago
You sure?
Khenton
KhentonOP2y ago
Because every part has 8 bits. Well, I think you are implying I use the mask wrong; I have that feeling too, but I'm not completely sure how to go about it.
Carson
Carson2y ago
So you blocked all access? Even the gateway and broadcast?
Khenton
KhentonOP2y ago
Yes, that is what I try to undo with:

```xml
<rule action='accept' direction='inout' priority='400'>
<ip dstipaddr='192.168.122.0' dstipmask='24'/>
</rule>
<rule action='accept' direction='inout' priority='400'>
<ip dstipaddr='192.168.122.0' dstipmask='24'/>
</rule>
```

It allows everything in 192.168.122.x (0-255). It works, but I would like to narrow it down further. dstipaddr='192.168.122.0' dstipmask='24' means 192.168.122.0 255.255.255.0, if I understand the documentation, while dstipmask='16' means 255.255.0.0.
Carson
Carson2y ago
Yes, that is correct
Khenton
KhentonOP2y ago
What are the minimum IPs that should be allowed?
Carson
Carson2y ago
What are you trying to do?
Khenton
KhentonOP2y ago
I want the VM to reach the internet freely but have no access to any local networks.
Carson
Carson2y ago
Set a static IP with a CIDR of /32.
Khenton
KhentonOP2y ago
There are currently 3. There is 192.168.0.1 (modem, ISP), 192.168.2.1 (my router) and 192.168.122.1 (libvirt's DHCP/switch).
Carson
Carson2y ago
I get what you're trying to do. But what is your use case for it, since it is a home network?
Khenton
KhentonOP2y ago
I did assign it the static IP of 192.168.122.20. Online gaming.
Carson
Carson2y ago
Do you know that you are double NATed? Um.... why?
Khenton
KhentonOP2y ago
By my ISP and my own router? Or do you mean that I have the host and VM on different subnets?
Carson
Carson2y ago
Did you just plug your router into your modem?
Khenton
KhentonOP2y ago
Yes. My current ISP didn't allow bridge mode.
Carson
Carson2y ago
What ISP do you have?
Khenton
KhentonOP2y ago
I'm from Europe lol. It was the only optic fibre in my neighbourhood at the time.
Carson
Carson2y ago
What ISP do you have?
Khenton
KhentonOP2y ago
But how does this all relate to my issue?
w33t
w33t2y ago
Basically, you're gonna want to put your modem into a bridge or transparent mode, then have your router/firewall handle all of that. A double NAT scenario adds a lot of clownery that's a pain to deal with.
Khenton
KhentonOP2y ago
Unfortunately that isn't possible.
w33t
w33t2y ago
You don't need to mess with your network or broadcast. Your best bet is to either make a VLAN and disable inter-VLAN communication, or just give it an IP with /32 within that range so it's not on any "network" that can receive communication. It'll work with double NAT, but just be aware that it may cause some weird problems with game servers.
Khenton
KhentonOP2y ago
Could you outline an example? I'm very new to networking, as you have noticed.
Carson
Carson2y ago
NETGEAR KB
What is double NAT and why is it bad?
Double NAT occurs when you connect your router to an ISP gateway or another router.
Khenton
KhentonOP2y ago
I guess I have always done double-NATed gaming then. With a VM it will be triple NATing, unless I use a full bridge on the host, but that only works over LAN I think. Changing my whole network is probably not something feasible at this time, but the original question was: which IPs in the 192.168.122.x range should the VM have access to in order to reach the internet?
Carson
Carson2y ago
The gateway
w33t
w33t2y ago
Like Carson said, the gateway is gonna handle all of your traffic, inbound and outbound.
Khenton
KhentonOP2y ago
I tried allowing just 192.168.122.1 but it didn't seem to work. Was my use of the network mask OK? I will try some more things tomorrow. Thank you for your time.

The issue was that although the network was properly filtered on the VM level, the host was passing all network packets through the gateway 192.168.122.1. Solved by adding the following forward rules in iptables:

```shell
sudo iptables -I FORWARD -s 192.168.122.20/32 -d 192.168.0.0/16 -j DROP
sudo iptables -I FORWARD -s 192.168.0.0/16 -d 192.168.122.20/32 -j DROP
```
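The two filtering layers discussed in this thread, modelled as an added example (this is not code from the original post or from libvirt): the nwfilter rules on the VM's interface, evaluated first-match in priority order (libvirt's convention is that a lower priority value is evaluated first), and the host's iptables FORWARD chain, evaluated top to bottom (`iptables -I` prepends, so the last inserted rule is checked first). It also shows why a 255.255.255.0 mask (/24) for the accept rule lets every other guest in 192.168.122.x through, while a /32 accept for the gateway plus a /16 drop covers all three of the 192.168.x.x networks named above. The addresses, the priorities and the "default accept" of the host chain are assumptions made for illustration; the model matches on IP addresses only, so ports, protocol and connection state are ignored.

```python
"""First-match packet filter model for the nwfilter / iptables discussion above.

Added example, not part of the original thread. Assumptions: rules match on
source/destination IP only; nwfilter rules are checked lowest-priority-value
first; the FORWARD chain is checked in list order with an ACCEPT default
(libvirt's own NAT network forwards guest traffic by default).
"""
import ipaddress
from dataclasses import dataclass


def prefix_length(netmask: str) -> int:
    """Translate a dotted netmask (as used in the OP's confusion) to a /N prefix."""
    return ipaddress.ip_network(f"0.0.0.0/{netmask}").prefixlen


@dataclass(frozen=True)
class Rule:
    action: str              # "accept"/"drop" (nwfilter) or "ACCEPT"/"DROP" (iptables)
    priority: int = 0        # nwfilter priority; ignored for the iptables chain
    src: str = "0.0.0.0/0"   # srcipaddr/srcipmask, written as CIDR
    dst: str = "0.0.0.0/0"   # dstipaddr/dstipmask, written as CIDR

    def matches(self, src_ip: str, dst_ip: str) -> bool:
        return (ipaddress.ip_address(src_ip) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(dst_ip) in ipaddress.ip_network(self.dst))


def verdict(rules, src_ip: str, dst_ip: str, default: str = "drop") -> str:
    """nwfilter-style evaluation: lowest priority value first, first match wins."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule.matches(src_ip, dst_ip):
            return rule.action
    return default


def chain_verdict(chain, src_ip: str, dst_ip: str, default: str = "ACCEPT") -> str:
    """iptables-style evaluation: top to bottom in insertion order, first match wins."""
    for rule in chain:
        if rule.matches(src_ip, dst_ip):
            return rule.action
    return default


# The OP's posted rule: accept anything in 192.168.122.0/24 (too broad, assumed
# default drop for everything else, as the OP described "blocked all access").
BROAD_VM_RULES = [
    Rule("accept", priority=400, dst="192.168.122.0/24"),
]

# Narrowed set: only the gateway in the guest subnet, drop every RFC1918
# 192.168.x.x network (covers 192.168.0.1, 192.168.2.1 and other guests),
# then accept the rest (the internet). Priorities are assumed values.
NARROW_VM_RULES = [
    Rule("accept", priority=400, dst="192.168.122.1/32"),
    Rule("drop", priority=500, dst="192.168.0.0/16"),
    Rule("accept", priority=1000),
]

# Host FORWARD chain after the OP's two `iptables -I` commands. Each -I goes to
# the top, so the second command ends up first; order does not matter here
# because the two rules match disjoint traffic.
HOST_FORWARD_CHAIN = [
    Rule("DROP", src="192.168.0.0/16", dst="192.168.122.20/32"),
    Rule("DROP", src="192.168.122.20/32", dst="192.168.0.0/16"),
]

if __name__ == "__main__":
    vm = "192.168.122.20"
    print("255.255.255.0 ->", prefix_length("255.255.255.0"))  # 24
    print("255.255.0.0   ->", prefix_length("255.255.0.0"))    # 16
    for dst in ("192.168.122.1", "192.168.122.50", "192.168.2.1", "8.8.8.8"):
        print(f"{vm} -> {dst}: broad={verdict(BROAD_VM_RULES, vm, dst)} "
              f"narrow={verdict(NARROW_VM_RULES, vm, dst)} "
              f"host_forward={chain_verdict(HOST_FORWARD_CHAIN, vm, dst)}")
```

One caveat the model makes visible: the host's FORWARD rules only see traffic the host routes on behalf of the guest. Packets addressed to the host's own 192.168.122.1 go through INPUT, not FORWARD, so the DROP on 192.168.0.0/16 does not cut the guest off from the gateway (DNS, DHCP), and guest-to-guest traffic on the same bridge is switched rather than routed unless bridge traffic is deliberately sent through iptables. That is why the VM-side nwfilter rule and the host-side FORWARD rule complement rather than duplicate each other.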
