I have a dedicated server (which I only use as a lab/testing environment). On the server CentOS 5.6 is running and it is functioning as a KVM host.
To secure things a little I want to do the following: use 'iptables' to only allow traffic from certain IP addresses (my own addresses).
My current iptables configuration looks as follows:
[kvm]# iptables -L -v
Chain INPUT (policy ACCEPT 4927K packets, 6424M bytes)
 pkts bytes target       prot opt in     out    source               destination
   41  2744 ACCEPT       udp  --  virbr0 any    anywhere             anywhere            udp dpt:domain
    0     0 ACCEPT       tcp  --  virbr0 any    anywhere             anywhere            tcp dpt:domain
   66 21810 ACCEPT       udp  --  virbr0 any    anywhere             anywhere            udp dpt:bootps
    0     0 ACCEPT       tcp  --  virbr0 any    anywhere             anywhere            tcp dpt:bootps
3573K 3515M fail2ban-SSH tcp  --  any    any    anywhere             anywhere            tcp dpt:ssh

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target       prot opt in     out    source               destination
 470K  700M ACCEPT       all  --  any    virbr0 anywhere             192.168.122.0/24    state RELATED,ESTABLISHED
 171K 9558K ACCEPT       all  --  virbr0 any    192.168.122.0/24     anywhere
    0     0 ACCEPT       all  --  virbr0 virbr0 anywhere             anywhere
    0     0 REJECT       all  --  any    virbr0 anywhere             anywhere            reject-with icmp-port-unreachable
    0     0 REJECT       all  --  virbr0 any    anywhere             anywhere            reject-with icmp-port-unreachable

Chain OUTPUT (policy ACCEPT 3115K packets, 5798M bytes)
 pkts bytes target       prot opt in     out    source               destination

Chain fail2ban-SSH (1 references)
 pkts bytes target       prot opt in     out    source               destination
    0     0 DROP         all  --  any    any    somehost1.net        anywhere
   19  2176 DROP         all  --  any    any    somehost2.net        anywhere
   21  1668 DROP         all  --  any    any    somehost3.net        anywhere
3573K 3515M RETURN       all  --  any    any    anywhere             anywhere
I did not make any changes myself to the iptables configuration, although I think that KVM (virt-manager or the like) and fail2ban made some changes to it.
Could somebody help me to create the iptables script that ensures that KVM is still working but only traffic from certain IP addresses is allowed? ALL the rest can be dropped. There should not be any restriction from the server itself to the Internet.
Update: as requested, the output above is now with -v.
This should work. Replace 192.168.0.1 with the IP address you want to have access.
Be careful, all other connections will be dropped (including your own one, if you are connected via SSH or telnet).
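A script of the kind the question asks for, added here as an example and not the answer's own script: it admits only listed management addresses on INPUT, keeps libvirt's virbr0 NAT network working, and leaves OUTPUT unrestricted. 192.0.2.10 is a placeholder for your own address; 192.168.122.0/24 is the guest subnet visible in the question's FORWARD chain.

```shell
#!/bin/sh
# Added example (not the answer's script): a host policy for a CentOS 5 KVM
# host that admits only listed management addresses, keeps libvirt's
# virbr0 NAT network working, and leaves outbound traffic unrestricted.
# 192.0.2.10 is a placeholder; 192.168.122.0/24 is the guest subnet seen
# in the question's FORWARD chain.

ALLOWED_IPS="192.0.2.10"        # space-separated management addresses
VM_NET="192.168.122.0/24"       # libvirt default NAT network

# Emit the rule set rather than applying it, so it can be reviewed first.
# Any arguments override ALLOWED_IPS.
build_rules() {
    ips="${*:-$ALLOWED_IPS}"
    echo "iptables -P INPUT DROP"
    echo "iptables -P FORWARD DROP"
    echo "iptables -P OUTPUT ACCEPT"
    echo "iptables -F INPUT"
    echo "iptables -F FORWARD"
    # loopback and replies to connections the host itself opened
    echo "iptables -A INPUT -i lo -j ACCEPT"
    echo "iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    # DNS (53) and DHCP (67) that libvirt's dnsmasq serves to guests on virbr0
    for p in udp tcp; do
        echo "iptables -A INPUT -i virbr0 -p $p --dport 53 -j ACCEPT"
        echo "iptables -A INPUT -i virbr0 -p $p --dport 67 -j ACCEPT"
    done
    # management hosts; everything else falls through to the DROP policy
    for ip in $ips; do
        echo "iptables -A INPUT -s $ip -j ACCEPT"
    done
    # guest NAT forwarding, mirroring the rules libvirt installed
    echo "iptables -A FORWARD -d $VM_NET -o virbr0 -m state --state ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -A FORWARD -s $VM_NET -i virbr0 -j ACCEPT"
    echo "iptables -A FORWARD -i virbr0 -o virbr0 -j ACCEPT"
}

# Apply only when asked explicitly: ./kvm-fw.sh apply
if [ "$1" = "apply" ]; then
    build_rules | sh
fi
```

The nat table (libvirt's MASQUERADE rule) is not touched, so guest NAT keeps working; flushing INPUT removes the fail2ban-SSH jump, which fail2ban re-creates when it is restarted.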
Keeping the VM on a NAT-ed link will seriously hit its performance; using bridged networking is much faster and more efficient. The simpler setup would be to set up a bridge and configure the VM's own firewall to drop whatever is unwanted.