Fedora Linux Support Community & Resources Center

  #1  
Old 5th June 2008, 07:23 PM
josh_b Offline
Registered User
 
Join Date: Jun 2008
Posts: 6
IPTables + NAT + Bridge for VMs as internal interface

Hi folks,

Hope everyone is doing alright.

I am having trouble with my new IPTables firewall. In this case, the firewall houses some VMs which provide various services like DHCP, DNS, Web, etc. (I am on a big consolidation kick lately). Because of the VMs, I am using bridged networking on the internal interface for the firewall.

Here is the diagram:

(Internet) --> eth0 (hardware) -> MASQ -> br0

br0 is comprised of:

eth2, vmnet0, vmnet1, vmnet2. Clearly the vmnetX's are the KVM boxes I am running. I can confirm that before I did the MASQ, I could access the internet from any of these machines, but now I would like to make the host PC the firewall and not use the IPCop machine I have been using (reliably) for years.

br0 has an address of 172.27.20.1/24, while vmnet0's OS has 172.27.20.2, vmnet1 has 172.27.20.4, and vmnet2 is 172.27.20.7. A reminder that eth0 (external interface to my Rogers internet) has not been bridged. It gets an IP and the host OS can surf the web without issue.

Here is my firewall script for your reference. I pray an iptables guru may come upon this thread and provide guidance.

Thanks!

-------------------

#!/bin/bash
# Version 0.1 of the new firewall configuration... here goes nothing!!!
# Josh Burstyn, June 04, 2008.

# /etc/firewall_start.sh

clear
echo -e ""
echo -e ""
echo -e "\aStarting up the firewall..."

echo -e ""
echo -e "Disabling STP on the bridges... Performance++"
brctl stp br0 off
brctl stp br1 off

echo -e ""
echo -e "Flushing existing rules down the toilet..."
iptables -F
iptables -F -t nat
iptables -F -t mangle

echo -e ""
echo -e "Deleting any predefined chains..."
iptables -X

echo -e ""
echo -e "Setting up forwarding in the kernel..."
echo "1" > /proc/sys/net/ipv4/ip_forward

echo -e ""
echo -e "Making the default local POLICY secure..."
iptables -P INPUT DROP

echo -e ""
echo -e "Making 'lo' a trusted device..."
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

echo -e ""
echo -e "Allowing established connections back into our network..."
iptables -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT

echo -e ""
echo -e "Allowing SSH connections to the local machine from outside..."
iptables -A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT

echo -e ""
echo -e "Allowing VPN traffic to enter the network via ppp interfaces..."
iptables -A INPUT -i ppp+ -j ACCEPT

echo -e ""
echo -e "Allowing traffic routed to the internal (InternetStylist) interface..."
iptables -A INPUT -i br0 -j ACCEPT

echo -e ""
echo -e "Allowing UDP traffic on the external interface (VPN ports)..."
iptables -A INPUT -m state --state NEW -m udp -p udp --dport 500 -j ACCEPT
iptables -A INPUT -m state --state NEW -m udp -p udp --dport 4500 -j ACCEPT

echo -e ""
echo -e "Allowing TCP traffic on the external interface (VPN ports)..."
iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 4500 -j ACCEPT

echo -e ""
echo -e "Time to load the NAT modules if it hasn't already been inserted..."
modprobe iptable_nat

echo -e ""
echo -e "Setting FORWARD'ed packets to drop unless there's an ongoing conn..."
iptables -P FORWARD DROP
iptables -A FORWARD -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT

echo -e ""
echo -e "Setup the NAT'ing (MASQ) from eth0 to br0..."
iptables -t nat -A POSTROUTING -o eth0 -s 172.27.20.0/24 -j MASQUERADE

echo -e ""
echo -e "Allowing traffic to freely flow on the br1 interface..."
iptables -A INPUT -i br1 -j ACCEPT
iptables -A OUTPUT -o br1 -j ACCEPT

echo -e ""
echo -e "Allowing traffic to freely flow on the br0 interface..."
iptables -A INPUT -i br0 -j ACCEPT
iptables -A OUTPUT -o br0 -j ACCEPT

echo -e ""
echo -e "Done the configuration... relax!"
  #2  
Old 5th June 2008, 08:08 PM
hyperspace Offline
Registered User
 
Join Date: Oct 2006
Location: Lincoln, NE
Age: 55
Posts: 414
I must be blind. I don't see the statement about your issue/problem.
__________________
lost in hypertime...

Registered Linux User #329061
  #3  
Old 5th June 2008, 08:18 PM
josh_b Offline
Registered User
 
Join Date: Jun 2008
Posts: 6
Quote:
Originally Posted by hyperspace
I must be blind. I don't see the statement about your issue/problem.
Sorry, my bad. It was a long night last night, hence the omission.

Essentially, once the script runs, despite confirming all links are up, there is no internet access. All the interfaces are up, and I can ping amongst the host(s) and the VMs as well as any other devices on the 172.27.20.0/24 network. The eth0 interface gets a DHCP address from Rogers successfully, and I can browse from the host machine. Any other machines get sporadic access or none at all!

The worst thing is that the OS on vmnet0 works 99% of the time, but the devices on vmnets 1 and 2 do not. My wife's laptop does not either. This doesn't make sense!
  #4  
Old 5th June 2008, 08:36 PM
josh_b Offline
Registered User
 
Join Date: Jun 2008
Posts: 6
In fact, even on the machines where it sometimes works, the internet is incredibly slow.

I know it must be perhaps the order or possibly the combination of rules I am using. If someone has any tips, please feel free.
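The ruleset below is an added example for this thread; it is not the poster's script and not a reply from the forum. It keeps the interface names and the 172.27.20.0/24 network from post #1 and shows the forwarding rule that script never installs: with "iptables -P FORWARD DROP" and only an ESTABLISHED,RELATED accept on eth0, no host behind br0 can open a new connection through the box, and the MASQUERADE rule in the nat table never gets a packet to rewrite. The dry-run switch, the function names, the anti-spoof DROP and the br0-to-br0 accept are this example's own additions.

```shell
#!/bin/bash
# Added example (not the poster's /etc/firewall_start.sh).
# Interface names and the LAN prefix come from the thread; everything else
# is assumed for illustration.
#
# Usage:  ./fw.sh            dry-run, prints the rules it would load
#         ./fw.sh --apply    load them for real (needs root and iptables)
set -eu

EXT=eth0              # external interface, DHCP-assigned address
INT=br0               # bridge holding eth2 and the vmnetX ports
LAN=172.27.20.0/24    # address space behind br0

case "${1:-}" in
    --apply) IPT=iptables ;;
    *)       IPT=echo ;;   # dry-run: print each rule instead of loading it
esac

apply_rules() {
    $IPT -F
    $IPT -t nat -F
    $IPT -X
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT

    # Traffic addressed to the firewall host itself.
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -i "$INT" -j ACCEPT
    $IPT -A INPUT -i ppp+ -j ACCEPT
    $IPT -A INPUT -i "$EXT" -p tcp --dport 22 -m state --state NEW -j ACCEPT
    $IPT -A INPUT -i "$EXT" -p udp -m multiport --dports 500,4500 -m state --state NEW -j ACCEPT

    # Forwarding path, the part the posted script is missing.
    # 1. Nothing entering on the bridge may claim a source outside the LAN.
    $IPT -A FORWARD -i "$INT" ! -s "$LAN" -j DROP
    # 2. Replies to flows already in conntrack pass in either direction.
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # 3. Only the LAN side may open new flows, and only towards the outside.
    $IPT -A FORWARD -i "$INT" -o "$EXT" -s "$LAN" -m state --state NEW -j ACCEPT
    # 4. With net.bridge.bridge-nf-call-iptables=1, frames switched between
    #    eth2 and the vmnetX ports also traverse FORWARD as -i br0 -o br0.
    $IPT -A FORWARD -i "$INT" -o "$INT" -j ACCEPT

    # Source NAT for the LAN behind the DHCP-assigned external address.
    $IPT -t nat -A POSTROUTING -o "$EXT" -s "$LAN" -j MASQUERADE
}

# How many rules permit forwarding; a quick sanity check on a dry run.
count_forward_accepts() {
    apply_rules | grep -c -- '-A FORWARD .* -j ACCEPT'
}

apply_rules
```

Run with no arguments and the rules are printed rather than loaded, so the ordering can be checked before touching a live box. After "--apply", "iptables -L FORWARD -v -n" shows a packet counter per rule: a client that still cannot get out while the br0-to-eth0 NEW rule stays at zero is not reaching the FORWARD chain at all, which points at the bridge or the routing table rather than at the filter. The "net.bridge.bridge-nf-call-iptables" sysctl matters here as well: once the bridge module is loaded it defaults to 1, so a DROP policy on FORWARD without the br0-to-br0 accept also cuts the wired LAN off from the VMs.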
  #5  
Old 5th June 2008, 08:40 PM
hyperspace Offline
Registered User
 
Join Date: Oct 2006
Location: Lincoln, NE
Age: 55
Posts: 414
No worries, Mate! I'm no iptables or VM expert but I just wanted to make sure that those who are, would have all the necessary information.
  #6  
Old 5th June 2008, 08:43 PM
josh_b Offline
Registered User
 
Join Date: Jun 2008
Posts: 6
Quote:
Originally Posted by hyperspace
No worries, Mate! I'm no iptables or VM expert but I just wanted to make sure that those who are, would have all the necessary information.
Me neither... now look what trouble I've gotten into.

I'm consolidating five servers into a single quad-core Phenom with 8GB RAM and four 750GB drives. :-)
  #7  
Old 9th June 2008, 05:10 PM
josh_b Offline
Registered User
 
Join Date: Jun 2008
Posts: 6
Anyone? Please help!
Tags
bridge, interface, internal, iptables, nat, vms