Hi Guys!
I need some help, and I'm not sure if this is the best place for this question or not.
I have a dedicated server, and inside my server I'm running a VM with KVM (QEMU/libvirt).
Everything is working as it is supposed to, without any problem.

But I need to secure my server with some iptables firewall rules.
The problem I'm having is that when I apply my iptables rules, I can't get a connection to the VM.
Please check my rules below:

*filter

# Allow all loopback (lo0) traffic and reject traffic
# to localhost that does not originate from lo0.
-A INPUT -i lo -j ACCEPT
-A INPUT ! -i lo -s 127.0.0.0/8 -j REJECT

# Allow ping (ICMP echo request).
-A INPUT -p icmp -m state --state NEW --icmp-type 8 -j ACCEPT

# Allow inbound SSH connections.
-A INPUT -i eth0 -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -o eth0 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT

# Allow outbound SSH connections.
-A OUTPUT -o eth0 -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT

# Allow inbound HTTP from anywhere and outbound HTTPS
# (the normal ports for web servers).
-A INPUT -i eth0 -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -o eth0 -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT
-A OUTPUT -o eth0 -p tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p tcp --sport 443 -m state --state ESTABLISHED -j ACCEPT

# Allow SMTP connections from anywhere (port 25).
-A INPUT -i eth0 -p tcp --dport 25 -m state --state NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -o eth0 -p tcp --sport 25 -m state --state ESTABLISHED -j ACCEPT

# Allow IMAP (143) and POP3 (110) connections from anywhere.
-A INPUT -i eth0 -p tcp --dport 143 -m state --state NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -o eth0 -p tcp --sport 143 -m state --state ESTABLISHED -j ACCEPT

-A INPUT -i eth0 -p tcp --dport 110 -m state --state NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -o eth0 -p tcp --sport 110 -m state --state ESTABLISHED -j ACCEPT

# Allow FTP control connections from anywhere (port 21;
# SFTP runs over SSH on port 22 and is covered above).
-A INPUT -p tcp --dport 21 -m state --state NEW -j ACCEPT

# Allow DNS lookups from this host.
-A OUTPUT -p udp -o eth0 --dport 53 -j ACCEPT
-A INPUT -p udp -i eth0 --sport 53 -j ACCEPT

# Rate-limit HTTP (intended as DoS protection).
-A INPUT -p tcp --dport 80 -m limit --limit 25/minute --limit-burst 100 -j ACCEPT

# Allow inbound traffic from established connections.
# This includes ICMP error returns.
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Log what was incoming but denied (optional but useful).
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables_INPUT_denied: " --log-level 7

# Allow bridged traffic (VM traffic crossing br0).
-A FORWARD -m physdev --physdev-is-bridged -j ACCEPT

# Reject all other inbound.
-A INPUT -j REJECT

# Log any traffic which was sent to you
# for forwarding (optional but useful).
-A FORWARD -m limit --limit 5/min -j LOG --log-prefix "iptables_FORWARD_denied: " --log-level 7

# Reject all other traffic forwarding.
-A FORWARD -j REJECT

COMMIT

What I want is to enable connections to my subnets on my bridge.
My network looks like this:

br0       Link encap:Ethernet  HWaddr 44:8A:5B:D8:84:8F  
          inet addr:46.X.XXX.XX  Bcast:46.X.XXX.XX  Mask:255.XXX.XXX.XXX
          inet6 addr: fe80::468a:5bff:fed8:848f/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:2962 errors:0 dropped:0 overruns:0 frame:0
          TX packets:3194 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:324568 (316.9 KiB)  TX bytes:268232 (261.9 KiB)

br0:1     Link encap:Ethernet  HWaddr 44:8A:5B:D8:84:8F  
          inet addr:88.1XX.XXX.XXX  Bcast:88.1XX.XXX.XXX  Mask:255.255.255.XXX
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1

eth0      Link encap:Ethernet  HWaddr 44:8A:5B:D8:84:8F  
          inet6 addr: fe80::468a:5bff:fed8:848f/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:3114 errors:0 dropped:0 overruns:0 frame:0
          TX packets:3197 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:377678 (368.8 KiB)  TX bytes:268594 (262.2 KiB)

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:2433 errors:0 dropped:0 overruns:0 frame:0
          TX packets:2433 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:126920 (123.9 KiB)  TX bytes:126920 (123.9 KiB)

Can someone please help me set up my firewall?
Regards
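One thing a firewall reviewer would check before applying this ruleset: in the ifconfig output above, br0 carries the public IPv4 address and eth0 carries none while sharing br0's MAC, which is what a NIC enslaved to a bridge looks like. On such a host, packets destined for the host itself enter the INPUT chain with in-interface br0, so every INPUT rule written as `-i eth0` (SSH included) never matches and new connections fall through to the final REJECT. The following is an added example, not code from the thread: a small static walk of a condensed copy of the INPUT chain with constructed packets. It assumes eth0 is a port of br0 and models only the options used here (`-i`, `-p`, `-s`, `--dport`, `--sport`, `--state`, `--icmp-type`); `-m limit`, `-m physdev` and LOG options are not simulated.

```python
import ipaddress
import shlex

# Constructed condensed copy of the INPUT rules from the post above (same shape, fewer ports).
RULES_ORIGINAL = """
*filter
-A INPUT -i lo -j ACCEPT
-A INPUT ! -i lo -s 127.0.0.0/8 -j REJECT
-A INPUT -p icmp -m state --state NEW --icmp-type 8 -j ACCEPT
-A INPUT -i eth0 -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -p tcp --dport 80 -m limit --limit 25/minute --limit-burst 100 -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables_INPUT_denied: " --log-level 7
-A INPUT -j REJECT
COMMIT
"""

# Assumption: eth0 is a port of br0, so packets for the host itself enter INPUT with -i br0.
# The fix is then to pin host-bound rules to the bridge, not to the enslaved NIC.
RULES_FIXED = RULES_ORIGINAL.replace("-i eth0", "-i br0")


def parse(text):
    """Turn '-A CHAIN ...' lines into dicts of option -> value; '!' marks a negated option."""
    rules = []
    for line in text.splitlines():
        toks = shlex.split(line)          # keeps the quoted --log-prefix in one token
        if len(toks) < 2 or toks[0] != "-A":
            continue                      # *filter, :POLICY and COMMIT lines carry no rule
        rule = {"chain": toks[1], "neg": set(), "raw": line.strip()}
        i, negate = 2, False
        while i < len(toks):
            if toks[i] == "!":
                negate, i = True, i + 1
                continue
            if toks[i] == "-m":           # the module name itself is not a criterion
                i += 2
                continue
            key = toks[i].lstrip("-")
            rule[key] = toks[i + 1] if i + 1 < len(toks) else None
            if negate:
                rule["neg"].add(key)
                negate = False
            i += 2
        rules.append(rule)
    return rules


# How each modelled option is tested against a packet dict. -m limit, -m physdev and the
# LOG target's options are deliberately not modelled: this is a static walk, not conntrack.
CRITERIA = {
    "i": lambda r, p: p.get("iface") == r["i"],
    "p": lambda r, p: p["proto"] == r["p"],
    "s": lambda r, p: ipaddress.ip_address(p["src"]) in ipaddress.ip_network(r["s"]),
    "dport": lambda r, p: str(p.get("dport")) == r["dport"],
    "sport": lambda r, p: str(p.get("sport")) == r["sport"],
    "state": lambda r, p: p["state"] in r["state"].split(","),
    "icmp-type": lambda r, p: str(p.get("icmp_type")) == r["icmp-type"],
}


def matches(rule, pkt):
    """True when every modelled criterion on the rule holds for the packet."""
    for key, test in CRITERIA.items():
        if key in rule:
            ok = test(rule, pkt)
            if key in rule["neg"]:
                ok = not ok
            if not ok:
                return False
    return True


def verdict(rules, chain, pkt, policy="ACCEPT"):
    """Target of the first terminating rule the packet hits on `chain`, else the chain policy.
    LOG is non-terminating, so the walk continues past it, as the kernel does."""
    for r in rules:
        if r["chain"] == chain and matches(r, pkt) and r["j"] in ("ACCEPT", "DROP", "REJECT"):
            return r["j"], r["raw"]
    return policy, "(chain policy)"


def ssh_from_internet(rules, iface):
    """Verdict for a fresh inbound SSH connection as seen on `iface` (constructed source address)."""
    pkt = {"iface": iface, "proto": "tcp", "dport": 22, "src": "203.0.113.5", "state": "NEW"}
    return verdict(rules, "INPUT", pkt)[0]


if __name__ == "__main__":
    orig, fixed = parse(RULES_ORIGINAL), parse(RULES_FIXED)
    print("original rules, SSH arriving on eth0:", ssh_from_internet(orig, "eth0"))  # ACCEPT
    print("original rules, SSH arriving on br0: ", ssh_from_internet(orig, "br0"))   # REJECT
    print("eth0 -> br0 rules, SSH on br0:       ", ssh_from_internet(fixed, "br0"))  # ACCEPT
```

The walk shows the rule as written only admits SSH if the packet were tagged eth0, while the same packet on br0 runs past the LOG rule into the final REJECT, which is exactly an administrator locking themselves out on activation. Re-pinning the host-bound rules to br0 (or dropping the interface match where it adds nothing) lets the chain accept it. This is a reading aid, not a substitute for `iptables-restore --test` and for keeping a second console open while loading a ruleset.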

Last Post by andy1973

Duncan,
are you for real!
You're telling me to flush the firewall????
And after flushing, what happens?
Like you're telling me to leave the firewall blank and leave it open for anyone.
Just as an update, I figured it out and the firewall is working and enabling connections to the VMs;
the only problem I have now is that when I activate the firewall, I lock myself out and I can't access the server via SSH.
But I'm busy now and I can't post the iptables rules I'm using now.
As soon as I'm free I'll update the post.

You'd definitely want to immediately re-activate your firewall. The reply above is incomplete.

You may want to consider using a firewall front-end, a GUI application that can make it easier to configure iptables.

What Linux distribution are you using? Once that's known, it can be easier to find a front-end for iptables.
