
OPS335 Lab 2

No change in size, 09:58, 27 September 2016
# Make a new chain named '''MYICMP'''.
# Add a rule to the beginning of the '''INPUT''' chain to send '''ICMP''' packets to your '''MYICMP''' chain.
# Find a partner and get the IP address and MAC address of their '''external facing interface''' (Google this term to determine that public IP address).
# Add a rule to your '''MYICMP''' chain that allows '''ICMP''' packets coming in from '''192.168.X.0/24''' (i.e. your internal network).
# Add a rule to the beginning of your '''MYICMP''' chain that denies '''ICMP pings''' originating from the MAC address of your partner's machine.
# Add a rule to the beginning of your '''MYICMP''' chain that denies '''ICMP pings''' originating from the IP address of your partner's machine.
# Issue '''iptables -L -v''' to view your firewall rules for your newly-created chains.
# Have your partner attempt to connect to your machine using the '''external facing address''' (Google this term to determine that public IP Address) to ensure your rules are working.<br />They should not be able to connect, and the counters in iptables should show that packets are being caught in your MYICMP and MYSSH chains. Your system logs should also show their failed attempts to ssh to you.
# When you are confident the rules are working, save them by running <source lang='bash'>iptables-save > /etc/sysconfig/iptables</source><br />Note that this should not include the rules from the virtual network. They will always be added automatically when libvirtd starts.
# Now start libvirtd again, and test that your firewall still allows the VMs to connect to the host and each other (ping and ssh). Do not continue until it works.
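
The MYICMP steps above as one script, with a helper that replays the append and insert operations to show the order in which the chain is evaluated. This is an added example, not part of the original lab; the partner IP and MAC and the value X=50 are constructed, and using DROP for "denies" and echo-request for "pings" are assumptions.

```shell
#!/bin/sh
# Added example: the MYICMP steps expressed as iptables commands.
# Assumptions: "denies" is implemented as DROP, "pings" as echo-request.

# Print the commands in the order the lab steps issue them.
# $1 = partner IP, $2 = partner MAC, $3 = internal network (192.168.X.0/24)
myicmp_commands() {
    cat <<EOF
iptables -N MYICMP
iptables -I INPUT 1 -p icmp -j MYICMP
iptables -A MYICMP -p icmp -s $3 -j ACCEPT
iptables -I MYICMP 1 -p icmp --icmp-type echo-request -m mac --mac-source $2 -j DROP
iptables -I MYICMP 1 -p icmp --icmp-type echo-request -s $1 -j DROP
iptables -L -v
EOF
}

# Replay -A (append) and -I (insert at position 1) for one chain and print
# the rules in evaluation order. Reads iptables commands on stdin.
# $1 = chain name. Only insertion at the top of the chain is modelled.
chain_order() {
    awk -v chain="$1" '
        $1 == "iptables" && ($2 == "-A" || $2 == "-I") && $3 == chain {
            # Skip the optional rule number that may follow "-I <chain>".
            start = ($2 == "-I" && $4 ~ /^[0-9]+$/) ? 5 : 4
            rule = ""
            for (i = start; i <= NF; i++) rule = rule (rule == "" ? "" : " ") $i
            if ($2 == "-I") {
                for (j = n; j >= 1; j--) r[j + 1] = r[j]   # shift existing rules down
                r[1] = rule
            } else {
                r[n + 1] = rule
            }
            n++
        }
        END { for (i = 1; i <= n; i++) print i ": " r[i] }'
}

# Constructed sample values: show the resulting MYICMP order without touching the firewall.
myicmp_commands 203.0.113.25 52:54:00:12:34:56 192.168.50.0/24 | chain_order MYICMP
# To apply the rules as root, pipe the output of myicmp_commands to sh instead.
```

Because both deny rules are inserted at the top, the IP rule added last is evaluated first and the internal-network ACCEPT stays at the bottom. The MAC match compares the source MAC of the received Ethernet frame, so it only identifies the partner's machine when it is on the same network segment as your host.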