EXECUTIVE SUMMARY
My Ubuntu VM (hostname fubar) is making the IP address (eth0 169.254.32.15) of one interface visible to hosts reachable by another interface (eth1 10.3.17.129/23).
I want "ssh [email protected]" from machines on the 10.3.16.0/23 network to not connect to fubar.
DETAILS
The interfaces on my Ubuntu VM:
root@fubar:~# ifconfig
eth0 Link encap:Ethernet HWaddr 4e:12:0f:0b:48:91
inet addr:169.254.32.15 Bcast:169.254.63.255 Mask:255.255.224.0
inet6 addr: fe80::4c12:fff:fe0b:4891/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:8 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:0 (0.0 B) TX bytes:648 (648.0 B)
eth1 Link encap:Ethernet HWaddr 92:fe:57:11:bd:6c
inet addr:10.3.17.129 Bcast:10.3.17.255 Mask:255.255.254.0
inet6 addr: fe80::90fe:57ff:fe11:bd6c/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:2471362 errors:0 dropped:0 overruns:0 frame:0
TX packets:71144 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:337482223 (337.4 MB) TX bytes:5136143 (5.1 MB)
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:65536 Metric:1
RX packets:16 errors:0 dropped:0 overruns:0 frame:0
TX packets:16 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:1184 (1.1 KB) TX bytes:1184 (1.1 KB)
root@fubar:~# route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 10.3.16.1 0.0.0.0 UG 0 0 0 eth1
10.3.16.0 0.0.0.0 255.255.254.0 U 0 0 0 eth1
169.254.32.0 0.0.0.0 255.255.224.0 U 0 0 0 eth0
root@fubar:~# uname -a
Linux fubar 3.19.0-80-generic #88~14.04.1-Ubuntu SMP Fri Jan 13 14:54:07 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
root@fubar:~# netstat -an
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 0.0.0.0:5617 0.0.0.0:* LISTEN
tcp 0 0 169.254.32.15:5617 10.3.17.28:50841 ESTABLISHED
tcp 0 0 10.3.17.129:5617 10.3.16.65:38753 ESTABLISHED
tcp6 0 0 :::5617 :::* LISTEN
udp 0 0 0.0.0.0:9797 0.0.0.0:*
udp 0 0 0.0.0.0:68 0.0.0.0:*
udp6 0 0 :::1269 :::*
eth1 is intended to be externally facing; eth0 is connected to another VM (and nothing else) via a virtual bridge.
The undesired behavior is that when I ssh from another VM (10.3.17.28) to 169.254.32.15 it successfully connects to fubar (see netstat output above). How can I stop this from happening?
Interface stats show the packets for this SSH are actually going over eth1. Obviously fubar is making 169.254.32.15 visible to the 10.3.16/23 network, but I don't know why.
Why is this happening? How can I stop it from happening?
EDIT1: iptables data collected as requested
root@fubar:~# iptables -v -x -n -L
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
root@fubar:~# iptables -t nat -v -x -n -L
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
root@fubar:~#
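The behaviour described above (a session to eth0's address arriving over eth1, with every iptables chain empty) is Linux's default weak host model combined with its ARP reply behaviour: the kernel accepts packets for any local address on any interface and, with arp_ignore=0, answers ARP requests for 169.254.32.15 that arrive on eth1. As an added example that is not part of the original post, the script below detects the symptom in netstat output and prints the kernel and firewall hardening; it assumes only the addresses and interface names shown in the question.

```shell
#!/bin/sh
# Added example, not from the original question. Assumes the addressing shown
# there: eth0 = 169.254.32.15 (169.254.32.0/19), eth1 = 10.3.17.129 (10.3.16.0/23).
# Linux is a "weak host": a packet for ANY local address is accepted on ANY
# interface, and with arp_ignore=0 (the default) the kernel answers ARP requests
# for eth0's address that arrive on eth1. That is how 10.3.17.28 reaches
# 169.254.32.15 over eth1; no iptables rule is involved (all chains are empty).

# Detection: flag ESTABLISHED connections whose local address is the link-local
# (eth0) address but whose peer is not link-local, i.e. the cross-interface
# session in the question's netstat output. Reads "netstat -an" text on stdin.
find_cross_iface() {
    awk '$1 ~ /^tcp/ && $6 == "ESTABLISHED" &&
         $4 ~ /^169\.254\./ && $5 !~ /^169\.254\./ { print $4, $5 }'
}

# Read a sysctl value from a /proc/sys path ($1); echoes "missing" if unreadable.
read_sysctl() {
    if [ -r "$1" ]; then cat "$1"; else echo missing; fi
}

# True when arp_ignore is 1 or 2: reply to ARP only for addresses configured on
# the interface the request arrived on. $1 overrides the path (used for tests).
arp_ignore_ok() {
    v=$(read_sysctl "${1:-/proc/sys/net/ipv4/conf/all/arp_ignore}")
    [ "$v" = "1" ] || [ "$v" = "2" ]
}

# Mitigation: print (do not apply) the commands. arp_ignore stops the ARP reply
# on eth1; the INPUT rule drops packets for the eth0 address that still arrive
# on eth1 (e.g. via a static or stale ARP entry on the peer).
print_fix() {
    cat <<'EOF'
sysctl -w net.ipv4.conf.all.arp_ignore=1
sysctl -w net.ipv4.conf.eth1.arp_ignore=1
iptables -A INPUT -i eth1 -d 169.254.32.15 -j DROP
EOF
}

# Constructed sample: the two ESTABLISHED lines from the question's netstat output.
SAMPLE='tcp 0 0 169.254.32.15:5617 10.3.17.28:50841 ESTABLISHED
tcp 0 0 10.3.17.129:5617 10.3.16.65:38753 ESTABLISHED'

printf '%s\n' "$SAMPLE" | find_cross_iface   # prints: 169.254.32.15:5617 10.3.17.28:50841
arp_ignore_ok || print_fix
```

Since the service listens on 0.0.0.0:5617 (netstat above), binding it to 10.3.17.129 alone closes the exposure independently of the kernel settings; the sysctl values also belong in /etc/sysctl.d so they survive a reboot.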