Strangely appvms that are marked and not "Allow connections to updates proxy" are still able to reach the tinyproxy, despite the iptables rules:
[root@sys-fw ~]# iptables -nvL
Chain INPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
5 217 ACCEPT tcp -- vif+ * 0.0.0.0/0 0.0.0.0/0 tcp dpt:8082
0 0 DROP udp -- vif+ * 0.0.0.0/0 0.0.0.0/0 udp dpt:68
129 25433 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
3 264 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
4 208 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 0.0.0.0/0 172.16.0.0/16
0 0 ACCEPT all -- * * 172.16.0.0/16 0.0.0.0/0
0 0 ACCEPT all -- * * 0.0.0.0/0 192.168.0.0/16
0 0 ACCEPT all -- * * 192.168.0.0/16 0.0.0.0/0
0 0 DROP all -- eth0 * 0.0.0.0/0 0.0.0.0/0
16 1136 DROP all -- * eth0 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
0 0 ACCEPT all -- vif0.0 * 0.0.0.0/0 0.0.0.0/0
0 0 DROP all -- vif+ vif+ 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT udp -- * * 10.137.2.9 10.137.1.1 udp dpt:53
0 0 ACCEPT udp -- * * 10.137.2.9 10.137.1.254 udp dpt:53
0 0 ACCEPT tcp -- * * 10.137.2.9 10.137.1.1 tcp dpt:53
0 0 ACCEPT tcp -- * * 10.137.2.9 10.137.1.254 tcp dpt:53
0 0 ACCEPT icmp -- * * 10.137.2.9 0.0.0.0/0
0 0 DROP tcp -- * * 10.137.2.9 10.137.255.254 tcp dpt:8082
0 0 ACCEPT all -- * * 10.137.2.9 0.0.0.0/0
Chain OUTPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
111 13152 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
3 264 ACCEPT all -- * lo 0.0.0.0/0 0.0.0.0/0
25 1493 ACCEPT all -- * tun+ 0.0.0.0/0 0.0.0.0/0
1 42 ACCEPT udp -- * eth0 0.0.0.0/0 0.0.0.0/0 udp dpt:1197
26 1646 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 5 LOG flags 0 level 4 prefix "iptables_OUTPUT_denied: "
[user@untrusted ~]$ ip a s
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
link/ether 00:16:3e:5e:6c:07 brd ff:ff:ff:ff:ff:ff
inet 10.137.2.9/32 brd 10.255.255.255 scope global eth0
valid_lft forever preferred_lft forever
inet6 fe80::216:3eff:fe5e:6c07/64 scope link
valid_lft forever preferred_lft forever
So the untrusted appvm (10.137.2.9) is able to reach the tiny proxy (10.137.255.254) on port 8082, despite the drop rule on the FORWARD chain on the sys-fw :
" 0 0 DROP tcp -- * * 10.137.2.9 10.137.255.254 tcp dpt:8082"
[user@untrusted ~]$ telnet 10.137.255.254 8082
Trying 10.137.255.254...
Connected to 10.137.255.254.
Escape character is '^]'.
I confess I'm a bit baffle by this, the only thing I'm using on the sys-fw but that doesn't explain why the iptables rule is being ignored.
Does anyone knows why is this happening?
Thank you
----
Sent using Guerrillamail.com
Block or report abuse: https://www.guerrillamail.com//abuse/?a=UFR2AB5NVqcQmh2U93EQdRjCStifx8dDiadNcQ%3D%3D
So what is the option "Allow connections to update proxy" doing if the INPUT chain allows all traffic destined to 10.137.255.254 ?
Isn't this a flaw? Is there a way to avoid this?
I set this up by myself because I want to force all the traffic to go through the vpn (that is installed on the sys-fw). I've created a custom iptables rule white-listing all traffic originated from the templateVMs on dport 8082 and now it works as expected!
Many thanks for the valuable help Unman!
Btw, strangely when the vpn is first set via the networkmanager that INPUT rule that white-lists everything to the dport 8082 is created. However when after that another AppVM is started the rule is trashed.
Any idea why this is happening?
Many thanks!