Re: [vserver] Subnet

From: Ted Barnes <madogdevelopment_at_gmail.com>
Date: Tue 10 Dec 2013 - 19:44:18 GMT
Message-ID: <52A76F12.3090604@gmail.com>

Hi All:

Made some progress on running my Vservers on a subnet (thanks Bertl for
suggestions), but can still access the login page from guests to my
router which I'd like to prevent. Is the trick here to create another
IPTable rule?

I'm connecting to guests over the net that run Gnome and ssh.

Steps:
- created subnet in /etc/network/interfaces on the host
    auto dummy0
    iface dummy0 inet static
        address xxx.xxx.xxx.xxx
        netmask xxx.xxx.xxx.xxx

- changed entries in vserver dev and ip (dev to dummy0, ip to new ip
using subnet)

- changed IP in vserver "hosts" on guest to new IP, as well as ssh
Listen Address on guest to new IP

- ran "echo 1 > /proc/sys/net/ipv4/ip_forward"
- ran "iptables -t nat -I POSTROUTING -s GuestAddress ! -d
GuestAddress -j SNAT --to HostAddress"

I can see that I'm running a new IP in the guest that's on a different
subnet. I can connect (wuwho) but if I enter the address of my router
from the guest browser, I still get to the router login page.

Q: Do I need to add another IPTable rule? I don't want to block the
host's ability to get to the router, just the guests'.

Suggestions appreciated...thanks!

On 12/08/13 15:23, Herbert Poetzl wrote:
> On Sun, Dec 08, 2013 at 02:11:27PM -0500, Ted Barnes wrote:
>
>> Hi All:
>>
>
>> I've noticed that on a guest browser, I can access the login
>> page for the router which I'd prefer not to be possible.
>>
> From this vague statement, I conclude the following:
>
> - You have a router which can be configured over ethernet
> on the same network your host/guest is on, probably
> something like an ADSL router.
>
> - You have a guest running on the same subnet as your host
> - Your guest has a web browser installed :)
>
>
>> Q: Is there a common way to prevent this?
>>
> There are actually a bunch of ways to prevent this:
>
> - Configure the router not to allow your guest's IP
> - Configure the firewall on the host to block the guest
> - Use a separate (non routed) network for the guest
> - Add a separate firewall to the setup
>
>
>> Can guests be run on a different subnet than the host?
>>
> No, but you can have two different subnets on the host
> and use one of them only for the guest.
>
>
>> Or is there another approach that's the "right" way to do this?
>>
> Usually private addresses for guests in combination with
> proper NAT/Masquerading setups on the host are the most
> efficient way to deal with this and many other 'problems'
>
> HTH,
> Herbert
>
>
>> Thanks!
>>
Received on Tue Dec 10 19:49:00 2013
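An added example, not part of the thread, of the host-side rule set that answers the question above: the SNAT step from the mail plus one REJECT rule so the router's admin page is unreachable from the guest but not from the host. The addresses are constructed placeholders, and `IPT=echo` previews the rules instead of applying them.

```shell
#!/bin/sh
# Added example (not from the thread): host-side iptables rules for a
# Linux-VServer guest on its own subnet, with the router made
# unreachable from the guest only. All addresses are constructed.
#
# A Linux-VServer guest shares the host's network stack, so packets it
# sends leave through the host's OUTPUT chain, not FORWARD. The filter
# OUTPUT chain is traversed before nat/POSTROUTING, so the guest address
# is still the source there, ahead of the SNAT that rewrites it to the
# host address (which is why the router itself cannot tell them apart).

GUEST=${GUEST:-10.99.0.2}       # guest address on the dummy0 subnet (constructed)
HOST=${HOST:-192.168.1.10}      # host address on the LAN (constructed)
ROUTER=${ROUTER:-192.168.1.1}   # router's admin interface (constructed)
IPT=${IPT:-iptables}            # IPT=echo prints the rules instead of loading them

# Sanity check on dotted-quad input so a typo does not produce a rule
# that matches nothing (or far more than intended).
is_ipv4() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# Emit the rule set for guest $1, host $2, router $3:
#  - filter/OUTPUT: reject guest -> router outright; the host's own
#    traffic to the router carries the host source address and passes.
#  - nat/POSTROUTING: the SNAT from the thread, so guest traffic to the
#    rest of the world leaves with the host's address.
# Caveat: if the router also serves DNS/DHCP to the guest, narrow the
# REJECT to "-p tcp -m multiport --dports 80,443" instead of all traffic.
guest_rules() {
    g=$1; h=$2; r=$3
    is_ipv4 "$g" && is_ipv4 "$h" && is_ipv4 "$r" || return 1
    cat <<EOF
$IPT -t filter -I OUTPUT -s $g -d $r -j REJECT --reject-with icmp-admin-prohibited
$IPT -t nat -I POSTROUTING -s $g ! -d $g -j SNAT --to-source $h
EOF
}

# Load the rules (run as root; with IPT=echo this only prints them).
apply_rules() {
    guest_rules "$GUEST" "$HOST" "$ROUTER" | sh
}

if [ "${RUN_MAIN:-0}" = 1 ]; then
    apply_rules
fi
```

Run with `RUN_MAIN=1 IPT=echo sh script.sh` to preview, then without `IPT=echo` as root to load the rules; verify afterwards with `iptables -t filter -L OUTPUT -n -v` and a connection attempt from the guest.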

Generated on Tue 10 Dec 2013 - 19:49:00 GMT by hypermail 2.1.8