Iptables rule to block incoming/outgoing traffic to a Xen container

firewall, iptables, xen

I'm trying to set up IPTABLES on my xen host server that will block incoming and/or outgoing access to a xen client on the same machine. Specifically, I need to block outgoing port 25 traffic and incoming port 53 traffic to a specific container.

Regular IPTABLE rules only appear to affect traffic going to the host — not the xen client.

For my server, eth0 is the internal network, eth1 is the external.

The following rule set seems like it should work, but the container is not affected at all:

iptables -A OUTPUT -p tcp -m state --state NEW,ESTABLISHED,RELATED --sport 25 -d  -j REJECT
iptables -A INPUT -p tcp -m state --state NEW,ESTABLISHED,RELATED --dport 53 -d  -j REJECT
iptables -A INPUT -p udp -m state --state NEW,ESTABLISHED,RELATED --dport 53 -d  -j REJECT

So basically, how do I set up an IPTABLE rule that will apply to the xen client instead of the xen host?

Thanks

Best Answer

This rule worked on my installation:

iptables -I FORWARD 1 -d [client-ip] -p tcp -m tcp --dport 53 -j DROP
iptables -I FORWARD 1 -d [client-ip] -p udp -m udp --dport 53 -j DROP

Notice that netfilter reads rules top to bottom, and if you have a rule permitting all traffic to this client above this one (iptables -A adds the rule to the end of the table), the new rule won't be reached and won't have any effect.

I didn't understand why you use the "state" module if you are listing all valid states. It just uses CPU time and has no effect, IMHO.

Next, I'm not sure what the goal of blocking traffic going from port 25 is. If your client sends an e-mail, he connects to the remote server's port 25 but uses one of the local ports (32k..64k by default) on his side. Could you explain what you want to get as a result?
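The ordering point in the answer, as an added check that is not part of the original post or the answerer's code: given `iptables -S FORWARD` output, it walks the chain top to bottom the way netfilter does and reports whether the guest's port 53 DROP is reached before a blanket ACCEPT. The address 192.0.2.10 and both listings are constructed samples.

```shell
#!/bin/sh
# Walk an "iptables -S FORWARD" listing top to bottom, as netfilter does, and
# report the verdict the chain gives traffic to CLIENT_IP on PORT:
#   blocked / allowed  - the first matching rule decides (DROP/REJECT or ACCEPT)
#   policy:<P>         - no rule matched, so the chain policy applies
# Matching is by destination and --dport only (the fields the answer's rule uses).
forward_verdict() {
    rules=$1 ip=$2 port=$3
    printf '%s\n' "$rules" | awk -v ip="$ip" -v port="$port" '
        /^-P FORWARD/ { policy = $3 }
        /^-A FORWARD/ && verdict == "" {
            dst = ""; dport = ""; target = ""
            for (i = 1; i <= NF; i++) {
                if ($i == "-d")      dst    = $(i + 1)
                if ($i == "--dport") dport  = $(i + 1)
                if ($i == "-j")      target = $(i + 1)
            }
            sub(/\/32$/, "", dst)                  # -S prints hosts as a.b.c.d/32
            if (dst != "" && dst != ip) next       # rule is for another host
            if (dport != "" && dport != port) next # rule is for another port
            if (target == "ACCEPT") verdict = "allowed"
            else if (target == "DROP" || target == "REJECT") verdict = "blocked"
        }
        END { print (verdict == "" ? "policy:" policy : verdict) }'
}

# Constructed listings (not from a real host); 192.0.2.10 stands for the guest.
# The asker's symptom: a blanket ACCEPT for the guest sits first, so a DROP
# appended later with "iptables -A" is never reached.
SHADOWED_RULES='-P FORWARD ACCEPT
-A FORWARD -d 192.0.2.10/32 -j ACCEPT
-A FORWARD -d 192.0.2.10/32 -p tcp -m tcp --dport 53 -j DROP
-A FORWARD -d 192.0.2.10/32 -p udp -m udp --dport 53 -j DROP'

# The same chain after "iptables -I FORWARD 1 ..." put the DROPs at the top.
FIXED_RULES='-P FORWARD ACCEPT
-A FORWARD -d 192.0.2.10/32 -p udp -m udp --dport 53 -j DROP
-A FORWARD -d 192.0.2.10/32 -p tcp -m tcp --dport 53 -j DROP
-A FORWARD -d 192.0.2.10/32 -j ACCEPT'

# On a live host: forward_verdict "$(iptables -S FORWARD)" 192.0.2.10 53
echo "shadowed chain, port 53: $(forward_verdict "$SHADOWED_RULES" 192.0.2.10 53)"
echo "fixed chain,    port 53: $(forward_verdict "$FIXED_RULES" 192.0.2.10 53)"
```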
