Reindl Harald wrote:
On 24.07.2013 14:55, Patrick Lists wrote:
Hi,
I just did a fresh F19 x86_64 install on my workstation, copied a Virtual Machine to it and started the VM (has IP
addr 192.168.122.20). Now I would like to be able to ssh into the VM from another box on my local LAN like my
laptop. Thus far I can't make it work. Steps:
Opened firewall-config
Set the firewall zone of my Ethernet interface to Trusted:
Options -> Change Zone of Connections -> <interface> -> Edit -> General -> Firewall zone -> Trusted
Click on the reload icon
Set the default zone to Trusted:
Options -> Change Default Zone -> Trusted
Click on the reload icon
Results:
Cannot ping the VM from the laptop:
[patrick@laptop ~]$ ping 192.168.122.20
PING 192.168.122.20 (192.168.122.20) 56(84) bytes of data.
From 10.0.0.135 icmp_seq=1 Destination Port Unreachable
Cannot ssh from the laptop to the VM:
[patrick@laptop ~]$ ssh 192.168.122.20
ssh: connect to host 192.168.122.20 port 22: Connection refused
On the workstation IPv4 forwarding is on:
$ cat /proc/sys/net/ipv4/ip_forward
1
So how do I make firewalld allow pings and ssh from remote hosts?
No idea about firewalld; with iptables.service it is easy.
However, you need iptables forwarding and masquerade for NAT.
* vmnet8 -> virtual interface the VMs are running on
* eth0 -> LAN interface of the host
* 10.0.0.0/24 -> LAN network (host and other machines)
* 192.168.197.0/24 -> network with the VMs (the /24 matters: a bare address in iptables means a single host, /32)
iptables -A FORWARD -i eth0 -o vmnet8 -s 10.0.0.0/24 -d 192.168.197.0/24 -j ACCEPT
iptables -A FORWARD -i vmnet8 -o eth0 -s 192.168.197.0/24 -d 10.0.0.0/24 -j ACCEPT
iptables -t nat -A POSTROUTING -o vmnet8 -s 10.0.0.0/24 -j MASQUERADE
Several thoughts on this. First, these should come after the rule Fedora provides
to ACCEPT packets that are ESTABLISHED or RELATED. That means that once the connection is
set up, the first rule will accept the packets, and reduce CPU usage as well as
latency.
The other is less obvious: these rules should be qualified with tests for NEW
connections, so some tricks involving sending in a packet as if it were part of
an existing connection won't work.
So if you add:
-m state --state NEW
to those rules before -j, you will cheaply protect machines beyond the firewall.
Yes, there are some obscure protocols which fail to be set ESTABLISHED;
hopefully these are uncommon enough that if you use them you can put other
qualifiers on the connect. I have run several years without having a legitimate
packet dropped, but logging shows people sending crafted packets which do (and
should) get dropped.
Just the musings of an old paranoid; I like firewalls based on "everything not
explicitly allowed is forbidden." Oh, I drop all protocols except the ones I use,
like UDP, TCP, and ICMP. Amazing what my logs show.
--
Bill Davidsen <davidsen@xxxxxxx>
"We have more to fear from the bungling of the incompetent than from
the machinations of the wicked." - from Slashdot
--
users mailing list
users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
Have a question? Ask away: http://ask.fedoraproject.org
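The rule order and the NEW qualifier Bill describes, put together as one complete FORWARD/NAT rule set. This is an added example, not code from the thread: the interface names and networks are taken from Reindl's post as assumptions and can be overridden from the environment, `-m conntrack --ctstate` is used as the current spelling of `-m state --state`, and one rule Bill's text does not mention is added: a drop for NEW TCP packets without SYN, because with the default nf_conntrack_tcp_loose=1 conntrack will pick up a mid-stream packet it has never seen and classify it NEW rather than INVALID, which is exactly the "packet as if it were part of an existing connection" trick. The script prints the rules instead of applying them so the ordering can be reviewed without root; pipe it into `sh` as root to apply.

```shell
#!/bin/sh
# Added example (not from the thread): host-side FORWARD/NAT rules in the
# order Bill recommends. Names below are assumptions borrowed from Reindl's
# post; override them via the environment.
LAN_IF=${LAN_IF:-eth0}              # LAN interface of the host
VM_IF=${VM_IF:-vmnet8}              # virtual interface the VMs hang off
LAN_NET=${LAN_NET:-10.0.0.0/24}     # LAN (host, laptop, ...)
VM_NET=${VM_NET:-192.168.197.0/24}  # VM network; keep the /24, a bare address is /32

# Print the rules rather than run them, so the order can be checked without
# root.  Apply with:  fw_rules | sudo sh
fw_rules() {
    cat <<EOF
iptables -P FORWARD DROP
iptables -F FORWARD
# 1. Packets of connections conntrack already knows: accepted first, cheapest path.
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# 2. Packets conntrack cannot place in any connection.
iptables -A FORWARD -m conntrack --ctstate INVALID -j DROP
# 2b. A NEW TCP flow must start with SYN; mid-stream pickups (tcp_loose) are refused.
iptables -A FORWARD -p tcp ! --syn -m conntrack --ctstate NEW -j DROP
# 3. Only NEW connections may open a flow, and only for the protocols in use.
iptables -A FORWARD -i $LAN_IF -o $VM_IF -s $LAN_NET -d $VM_NET -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
iptables -A FORWARD -i $LAN_IF -o $VM_IF -s $LAN_NET -d $VM_NET -p icmp --icmp-type echo-request -m conntrack --ctstate NEW -j ACCEPT
iptables -A FORWARD -i $VM_IF -o $LAN_IF -s $VM_NET -d $LAN_NET -p tcp -m conntrack --ctstate NEW -j ACCEPT
iptables -A FORWARD -i $VM_IF -o $LAN_IF -s $VM_NET -d $LAN_NET -p udp -m conntrack --ctstate NEW -j ACCEPT
iptables -A FORWARD -i $VM_IF -o $LAN_IF -s $VM_NET -d $LAN_NET -p icmp -m conntrack --ctstate NEW -j ACCEPT
# 4. Everything else is logged (rate limited) and then hits the DROP policy.
iptables -A FORWARD -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "FWD-DROP: "
# 5. NAT: LAN clients appear to the VMs as the host's $VM_IF address.
iptables -t nat -A POSTROUTING -o $VM_IF -s $LAN_NET -j MASQUERADE
EOF
}

# Line number of the first generated rule matching a pattern (empty if none);
# used to confirm the ESTABLISHED rule precedes every NEW rule.
rule_pos() {
    fw_rules | grep -n -- "$1" | head -n 1 | cut -d: -f1
}

fw_rules
```

Read the output top to bottom before applying: the ESTABLISHED,RELATED accept must be the first rule in FORWARD, the `! --syn` drop must sit before any `--ctstate NEW` accept, and the accepts are deliberately narrow (SSH and ping into the VMs, outbound TCP/UDP/ICMP from them); anything not listed is logged and dropped by the chain policy.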