Security – configure iptables to allow in/out bound connections from the WAN (web) and only a couple pcs on the LAN while blocking anything else

Tags: httpd, iptables, Security, virtual-machines, xenserver

I have a Xen server with several Virtual Machines on it sitting alongside normal PCs on my LAN. The VMs host content bound for web access. Httpd is one of them, so let's use that as an example.

I would like to configure iptables (or my network) as such:

  1. Allow loopback

    -A INPUT -i lo -j ACCEPT
    -A OUTPUT -o lo -j ACCEPT
    
  2. Allow port 80 In/out-bound connections from/to the WAN (web).

  3. Allow port foo In/out-bound traffic to/from a whitelisted computer on the LAN, while denying the rest of the LAN.

    # allow one IP with port foo (these rules must come before the LAN DROP rules below)
    -A INPUT -i eth0 -p tcp -s 192.168.0.w --dport foo -m state --state NEW,ESTABLISHED -j ACCEPT
    -A OUTPUT -o eth0 -p tcp --sport foo -m state --state ESTABLISHED -j ACCEPT
    
    # block the rest of the LAN
    -A INPUT -i eth0 -m iprange --src-range 192.168.1.x-192.168.1.y -j DROP
    # on OUTPUT the LAN hosts are the destination, so match --dst-range, not --src-range
    -A OUTPUT -o eth0 -m iprange --dst-range 192.168.1.m-192.168.1.n -j DROP
    
  4. DENY all other traffic.

    -P INPUT DROP
    -P OUTPUT DROP
    -P FORWARD DROP
    

Essentially, I would like my VMs only to be able to talk to the Web and other VMs (in a certain block range on the LAN). Is this possible using just iptables? If not, how would I achieve this?

My current iptables rules look like this (most of which were pre-generated by CentOS):

    # Generated by iptables-save v1.4.7 on Tue Mar 12 10:43:43 2013
    *filter
    :INPUT ACCEPT [0:0]
    :FORWARD ACCEPT [0:0]
    :OUTPUT ACCEPT [0:0]
    -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    -A INPUT -p icmp -j ACCEPT
    -A INPUT -i lo -j ACCEPT
    -A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
    -A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
    -A INPUT -j REJECT --reject-with icmp-host-prohibited
    -A FORWARD -j REJECT --reject-with icmp-host-prohibited
    COMMIT
    # Completed on Tue Mar 12 10:43:43 2013

Currently, with my development boxes, I can access my content, but I'm looking to harden my network and protect my non-server PCs. And I haven't had enough experience with iptables to trust myself with this.

Thanks in advance.
P.S. I also need to take into consideration network communication between Dom0 and the VMs.

Best Answer

At first glance the suggested rules seem to be fine. But do not forget to allow DNS traffic: destination UDP port 53 to your DNS servers on the WAN.
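The following is an added example, not the asker's rules or the answerer's; it turns the four steps of the question plus the answer's DNS caveat into one generator script for the iptables-restore ruleset of a single VM (the rules live inside the VM and apply to its eth0 on the Xen bridge). Every interface name, port, address and range is a constructed placeholder set through environment variables: `APP_PORT` stands in for "port foo", `WHITELIST_IP` for the one permitted LAN PC, `VM_RANGE` for the block of other VMs, `DOM0_IP` for the Dom0 address the P.S. asks about, and `DNS_SERVERS` for the resolvers on the WAN. Rule order is the point: the whitelist, VM-block and Dom0 accepts sit above the LAN drop, and the default chain policies are DROP so anything not listed is discarded.

```shell
#!/bin/sh
# Added example: generate an iptables-restore file for one VM that
# 1) allows loopback, 2) allows HTTP from the WAN in and HTTP/HTTPS out,
# 3) allows APP_PORT from one whitelisted LAN host and all traffic to/from
#    the other VMs and Dom0 while dropping the rest of the LAN,
# 4) drops everything else via DROP chain policies, and (from the answer)
#    allows DNS queries to the configured resolvers.
# All values below are constructed placeholders, overridable via environment.
IFACE="${IFACE:-eth0}"                               # VM NIC on the Xen bridge
APP_PORT="${APP_PORT:-8080}"                         # the question's "port foo"
WHITELIST_IP="${WHITELIST_IP:-192.168.1.50}"         # the one LAN PC allowed on APP_PORT
VM_RANGE="${VM_RANGE:-192.168.1.200-192.168.1.220}"  # addresses used by the other VMs
DOM0_IP="${DOM0_IP:-192.168.1.2}"                    # Xen Dom0
LAN_NET="${LAN_NET:-192.168.1.0/24}"                 # whole LAN, blocked except the hosts above
DNS_SERVERS="${DNS_SERVERS:-8.8.8.8 8.8.4.4}"        # placeholder resolvers on the WAN

build_rules() {
  cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# step 1: loopback
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# replies to connections this VM accepted or opened, in both directions
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
# step 3a: whitelisted LAN host on APP_PORT, other VMs and Dom0 (before the LAN drop)
-A INPUT -i $IFACE -p tcp -s $WHITELIST_IP --dport $APP_PORT -m state --state NEW -j ACCEPT
-A INPUT -i $IFACE -m iprange --src-range $VM_RANGE -j ACCEPT
-A OUTPUT -o $IFACE -m iprange --dst-range $VM_RANGE -j ACCEPT
-A INPUT -i $IFACE -s $DOM0_IP -j ACCEPT
-A OUTPUT -o $IFACE -d $DOM0_IP -j ACCEPT
# step 3b: everything else on the LAN is dropped, source on INPUT, destination on OUTPUT
-A INPUT -i $IFACE -s $LAN_NET -j DROP
-A OUTPUT -o $IFACE -d $LAN_NET -j DROP
# step 2: HTTP in from the WAN, HTTP/HTTPS out to the WAN
-A INPUT -i $IFACE -p tcp --dport 80 -m state --state NEW -j ACCEPT
-A OUTPUT -o $IFACE -p tcp -m multiport --dports 80,443 -m state --state NEW -j ACCEPT
EOF
  # the answer's caveat: DNS to the resolvers only (UDP 53)
  for dns in $DNS_SERVERS; do
    echo "-A OUTPUT -o $IFACE -p udp -d $dns --dport 53 -m state --state NEW -j ACCEPT"
  done
  # step 4 is the DROP policies declared at the top
  echo COMMIT
}

# Emit the ruleset; review it, then apply with: iptables-restore < file
build_rules
```

Run as `sh vm-rules.sh > /tmp/vm-rules.v4`, read the file, and only then load it with `iptables-restore`. Because the LAN drop precedes the port 80 accept, LAN PCs cannot reach the site either; move the port 80 INPUT line above the LAN drop if that is wanted. If Dom0 reaches the VMs through the same bridge, keep the `DOM0_IP` pair, otherwise those two lines can go.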