Maybe something like this?
- Kernel config

  # sysctl -p
  net.ipv4.conf.default.rp_filter = 1
  net.ipv4.ip_forward = 1
  net.ipv4.tcp_syncookies = 1
  net.ipv4.conf.all.log_martians = 1
  net.ipv4.tcp_keepalive_time = 60
  net.ipv4.tcp_keepalive_intvl = 20
  net.ipv4.tcp_keepalive_probes = 9
  net.ipv4.conf.all.rp_filter = 1
  net.ipv4.conf.all.send_redirects = 0
  net.ipv4.conf.all.accept_source_route = 0
  net.bridge.bridge-nf-call-ip6tables = 0
  net.bridge.bridge-nf-call-iptables = 0
  net.bridge.bridge-nf-call-arptables = 0

- Network interfaces config

  # This is the host interface
  auto eth0
  allow-hotplug eth0
  iface eth0 inet static
      address 172.20.14.121
      netmask 255.255.255.0
      network 172.20.14.0
      broadcast 172.20.14.255
      gateway 172.20.14.1
      dns-nameservers 172.20.14.1 8.8.8.8
      dns-search virtual.local

  # Isolated bridge for the VMs; the VM tap devices are added to it, eth0 is not enslaved
  auto virbr1
  iface virbr1 inet static
      address 192.168.100.1
      netmask 255.255.255.0
      bridge_ports none
      bridge_fd 0
      bridge_stp off
      bridge_maxwait 0

- Firewall simple config

  # Set Default Policy to DROP
  iptables -P INPUT DROP
  iptables -P OUTPUT ACCEPT
  iptables -P FORWARD DROP

  # Allow loopback and localhost access
  iptables -A INPUT -i lo -j ACCEPT
  iptables -A OUTPUT -o lo -j ACCEPT
  iptables -A INPUT -s 127.0.0.1/32 -j ACCEPT

  # Defense for SYN flood attacks
  iptables -A INPUT -p tcp --syn -m limit --limit 5/s -i eth0 -j ACCEPT

  # Set Default Connection States - accept all already established connections
  iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

  # Open DHCP and DNS for virbr1
  iptables -A INPUT -p udp -m multiport --dports 67:68 -i virbr1 -m state --state NEW -j ACCEPT
  iptables -A INPUT -p tcp -m multiport --dports 67:68 -i virbr1 -m state --state NEW -j ACCEPT
  iptables -A INPUT -p udp --dport 53 -i virbr1 -m state --state NEW -j ACCEPT
  iptables -A INPUT -p tcp --dport 53 -i virbr1 -m state --state NEW -j ACCEPT

  # Masquerade
  iptables -t nat -A POSTROUTING -o eth0 -s 192.168.100.0/24 ! -d 192.168.100.0/24 -j MASQUERADE

  # Forward chain
  iptables -A FORWARD -i eth0 -o virbr1 -d 192.168.100.0/24 -m state --state RELATED,ESTABLISHED -j ACCEPT
  iptables -A FORWARD -i virbr1 -o eth0 -s 192.168.100.0/24 -j ACCEPT
  iptables -A FORWARD -i virbr1 -o virbr1 -j ACCEPT

Now you can create VMs with their own virtual devices, i.e. vmdev0, vmdev1 etc., and simply add those devices to virbr1. Then each of the VMs would have a static config of its eth0 interface with an IP in the 192.168.100.0/24 range and 192.168.100.1 as default gateway.

If you want the VMs to get their IP via DHCP then you can install dnsmasq and attach a process to virbr1. Something like this:

  /usr/sbin/dnsmasq -u dnsmasq --strict-order --bind-interfaces \
      --pid-file=/var/run/dnsmasq/virbr1.pid --conf-file= \
      --except-interface lo --listen-address 192.168.100.1 \
      --dhcp-range 192.168.100.10,192.168.100.20 \
      --dhcp-leasefile=/var/run/dnsmasq/virbr1.leases \
      --dhcp-lease-max=11 --dhcp-no-override

The purpose of the VLAN you have created is not clear, as VLANs are usually used to extend a virtual network to more than one host. You will need the 802.1Q kernel module enabled and 802.1Q VLAN-enabled switch(es) in your network for this to work. Anyway, you can try adding the VLAN to the above configuration as an exercise, i.e. attach the VLAN to eth0 and then include the VLAN in virbr1.

Cheers,
Igor

On Wed, May 28, 2014 at 2:24 AM, <berenger.mo...@neutralite.org> wrote:
> Hello list.
>
> I am trying to build a virtual network exposing servers accessible from
> the LAN.
> I have done a lot of searches on the web and it worked last week, but
> since then, I have restarted my computer and had the nice surprise to learn
> that the iptables command does not save its configuration.
> I tried to retrieve my configuration, but am failing (I tried to
> understand what I did with the history command, but sadly I am always
> working with tons of terminals and so, I suspect that it is not the correct
> history...), and the same for finding anew the articles which actually made
> things work.
>
> I had some network knowledge in the past, but never really practiced it,
> so I have lost almost everything. I have already used some firewalls, but
> those were some Windows ones (I was not a Linux user at that time) and so
> I have never played with iptables.
>
> So I ask for 2 things:
> _ help on this particular problem
> _ if someone knows about resources to learn and understand how exactly
> iptables works, this would help me a lot in the future
>
> For my particular problem.
>
> I have an eth0 interface, the real one, on ip 172.20.14.0/24.
> I made a vlan in my /etc/network/interfaces, like this:
> ##############################
> auto eth0.1
> iface eth0.1 inet static
> address 10.10.10.1
> netmask 255.255.255.0
> vlan-raw-device eth0
> ##############################
>
> On that network, I have some VMs with static IPs, and the one on which I
> try to make the configuration for testing and learning purposes has an
> apache2 server running and up (I can query it from my physical computer).
> It is using 2 network interfaces, a NAT one and a bridged one, but for
> the others I would like to remove the NAT one, since I need them to simulate
> the production servers (which are VMs too, but my company does not control
> the system on which they are running. Otherwise it would have been far
> easier: I would have read how it does it to understand things) which only
> have one interface (eth0).
>
> Both LANs (the physical one and the virtual one) work perfectly, but
> now I would like to allow 2 things:
> _ VMs to access the physical LAN, so that they could access the apt proxy
> I have installed there for installing software and updates
> _ physical computers accessing VMs through some ports of my computer. For
> example, redirecting "172.20.14.XX:80" to "10.10.10.30:80". I will do
> that port forwarding for ssh (port 22), http (port 80) and postgresql
> (port 5432) connections at first.
>
> Thanks
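The port forwarding the original message asks for (exposing VM ports 22, 80 and 5432 on the host's eth0 address), as an added example that is not part of Igor's reply or the list post: it assumes the reply's 192.168.100.0/24 network behind virbr1, a host address of 172.20.14.121 and a single VM at 192.168.100.30, and prints the rules unless APPLY=1 is set. Note that the reply's FORWARD chain only admits RELATED,ESTABLISHED traffic from eth0 into virbr1, so each DNAT rule needs a matching FORWARD rule for the NEW connection or the redirected SYN is dropped; the final iptables-save line is what keeps the rules across a reboot with Debian's iptables-persistent package.

```shell
#!/bin/sh
# Added example (not from the list post). Assumed, constructed values:
HOST_IP=172.20.14.121      # host address on the LAN side
WAN_IF=eth0                # LAN-facing interface
VM_IF=virbr1               # bridge the VM taps are attached to
VM_NET=192.168.100.0/24    # VM network behind the bridge (from the reply)

# Constructed port map, one entry per line: proto:external_port:vm_ip:vm_port
PORT_MAP="tcp:22:192.168.100.30:22
tcp:80:192.168.100.30:80
tcp:5432:192.168.100.30:5432"

# Execute the command when APPLY=1 (as root), otherwise print it for review.
run() {
    if [ "${APPLY:-0}" = 1 ]; then "$@"; else printf '%s\n' "$*"; fi
}

# The two rules one published service needs:
# 1. PREROUTING DNAT rewrites the destination of packets that arrive on
#    eth0 addressed to the host itself (the -d match keeps transit traffic
#    out of it).
# 2. FORWARD must accept the rewritten NEW connection into virbr1; the
#    reply's forward chain only passes RELATED,ESTABLISHED in that
#    direction, so without this rule the FORWARD DROP policy eats the SYN.
publish() {
    proto=$1; ext_port=$2; vm_ip=$3; vm_port=$4
    run iptables -t nat -A PREROUTING -i "$WAN_IF" -d "$HOST_IP" -p "$proto" \
        --dport "$ext_port" -j DNAT --to-destination "$vm_ip:$vm_port"
    run iptables -A FORWARD -i "$WAN_IF" -o "$VM_IF" -p "$proto" -d "$vm_ip" \
        --dport "$vm_port" -m state --state NEW -j ACCEPT
}

# Walk the port map and emit (or apply) both rules for every entry.
publish_all() {
    printf '%s\n' "$PORT_MAP" | while IFS=: read -r proto ext vm_ip vm_port; do
        publish "$proto" "$ext" "$vm_ip" "$vm_port"
    done
}

publish_all

# iptables rules live only in kernel memory, which is why they were gone
# after the reboot. On Debian, iptables-persistent reloads this file at boot.
if [ "${APPLY:-0}" = 1 ]; then
    iptables-save > /etc/iptables/rules.v4
fi
```

The printed rules are meant to be appended after the reply's ruleset; the existing POSTROUTING MASQUERADE rule is unaffected because it only matches traffic leaving on eth0 with a 192.168.100.0/24 source, while conntrack un-DNATs the VM's replies on their way back.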