Open Source Software and Linux

Nov 17 2008   6:32PM GMT

Setting up your firewall on domU with iptables

John Little Profile: Xjlittle

As discussed in an earlier post you must first hide your NIC from dom0 to set up your iptables firewall on your domU. After you have successfully hidden the NIC from dom0 then we can proceed to our domU firewall setup.

You must first decide which domU that you are going to use for a firewall. Personally I prefer my firewall domU to have nothing on it but iptables. I can then use POSTROUTING and PREROUTING to nat my outbound packets and redirect the new inbound packets to their correct destinations. After you have your domU built and working properly you need to make the following entry into the configuration file:

name = "fw0"
uuid = "203e2874-a08b-4065-7155-cdad1b5b7341"
maxmem = 256
memory = 256
vcpus = 1
bootloader = "/usr/bin/pygrub"
on_poweroff = "destroy"
on_reboot = "restart"
on_crash = "restart"
vfb = [ "type=vnc,vncunused=1,keymap=en-us" ]
disk = [ "phy:/dev/linux-virtuals/secure,xvda,w" ]
vif = [ "mac=00:16:3e:36:73:82,bridge=xenbr0" ]
pci = [ '01:02.0' ] =====Should be the same as obtained from your lspci command

Now start your domU. You should see a second interface, eth1, show up when you use ifconfig. There is no need to build an ifcfg-eth1 file for this as the operating system will take care of it for you. This is the interface that is connected to your DSL\Cable connection to the internet. Make sure that you have a cable plugged into the physical interface that [ '01:02.0' ] represents and the other end into your Cable or DSL modem. You should see that it gets a publicly routed interface like this:

[root@fw0 ~]# ifconfig
eth0 Link encap:Ethernet HWaddr 00:16:3E:36:73:82
inet addr:172.16.0.254 Bcast:172.16.255.255 Mask:255.255.0.0
inet6 addr: fe80::216:3eff:fe36:7382/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:37856 errors:0 dropped:0 overruns:0 frame:0
TX packets:27763 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:7935825 (7.5 MiB) TX bytes:11696196 (11.1 MiB)

eth1 Link encap:Ethernet HWaddr 00:0E:0C:80:22:B8
inet addr:76.252.xxx.xxx Bcast:76.252.xxx.xxx Mask:255.255.255.0 ===This is the routable IP
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:28701 errors:0 dropped:0 overruns:0 frame:0
TX packets:28332 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:11911130 (11.3 MiB) TX bytes:7313287 (6.9 MiB)
Base address:0xb400 Memory:fea40000-fea60000

lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:50 errors:0 dropped:0 overruns:0 frame:0
TX packets:50 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:89159 (87.0 KiB) TX bytes:89159 (87.0 KiB)

[root@fw0 ~]#

The x’s are place in the last two octets for security reasons. However you can see by the first two octets that this is a publicly routable interface that got it’s address from my ISP provider.

Now to get your machines on your LAN out to the internet two things must happen. Their default gateway must be set to the ip address of eth0 on your domU. In my case this is 172.16.0.254. This is quite simple if you are using DHCP. Just make an entry like this into the dhcpd.conf file:

subnet 172.16.0.0 netmask 255.255.0.0 {
range 172.16.0.111 172.16.0.150;
option routers 172.16.0.254;=====set this option for your default gateway
option broadcast-address 172.16.255.255;
default-lease-time 259200;
max-lease-time 604800;
option domain-name-servers 172.16.0.205, xxx.xxx.xxx.xxx, xxx.xxx.xxx.xxx;
}

If you’re not using DHCP then you can make an entry either into /etc/sysconfig/network or /etc/sysconfig/network-scripts/ifcfg-eth* where the * is replaced by whatever your interface number is:

GATEWAY=172.16.0.254

Once that is done now we need to set up our masquerade so that our outbound packets are nat’d and we can browse the internet. On the firewall machine issue the following commands:

iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
service iptables save
service iptables restart

There you have it. Your domU is now connected to the internet, firewalling your network and allowing your internal machines on your LAN to browse the internet. This setup was done on CentOS 5.2 with the native virtualization that is built in.

-j

 Comment on this Post

 
There was an error processing your information. Please try again later.
Thanks. We'll let you know when a new response is added.
Send me notifications when other members comment.

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy

Forgot Password

No problem! Submit your e-mail address below. We'll send you an e-mail containing your password.

Your password has been sent to: