Iptables

sc754

Hi,

Does anyone know how I can get iptables to drop outgoing traffic for a specific internal ip on a bridge. In this case the bridge is vmbr2 which has range 192.168.0.0/24, I'd like to allow incoming connections and the local lan still but prevent it from having access to the internet. Any ideas?

FrankZ

iptables -t filter -A OUTPUT -s 192.168.0.x ! -d 192.168.0.0/24 -o vmbr2 -j DROP

or

iptables -t filter -A OUTPUT -m state -s 192.168.0.x ! -d 192.168.0.0/24 -o vmbr2 ! --state ESTABLISHED,RELATED -j DROP


Edit: added allow local network

sc754

@FrankZ said:
iptables -t filter -A OUTPUT -s 192.168.0.x ! -d 192.168.0.0/24 -o vmbr2 -j DROP

or

iptables -t filter -A OUTPUT -m state -s 192.168.0.x ! -d 192.168.0.0/24 -o vmbr2 ! --state ESTABLISHED,RELATED -j DROP


Edit: added allow local network

Thanks for the info but I tried it and it didn't work. I'm not sure how proxmox routes the outgoing traffic. I have the main adapter eth0, with the default bridge vmbr0 in proxmox. But I setup a new bridge vmbr2 with this:

auto vmbr2

iface vmbr2 inet static

address 192.168.0.254

netmask 255.255.255.0

bridge_ports none

bridge_stp off

bridge_fd 0

post-up echo 1 > /proc/sys/net/ipv4/ip_forward

post-up iptables -t nat -A POSTROUTING -s '192.168.0.0/24' -o vmbr0 -j 

MASQUERADE

post-up /home/ports.sh

post-down iptables -t nat -D POSTROUTING -s '192.168.0.0/24' -o vmbr0 -j MASQUERADE

I've tried it without the MASQUERADE but it still connects to the internet when I assign it an ip. Could I stop outgoing traffic on the host with iptables or do I need to change the bridge somehow?

FrankZ

Your right, it will not work

If you are using openVZ containers and have added the IP for the container using the web panel, then Proxmox will normally route all containers through vmbr0.