XYNat

NAT with integrated firewall for use with VMs and containers

Setup Instructions

Install required tools (Debian):

# apt update
# apt install grep sed iptables iproute2

Install required tools (Fedora):

# dnf install grep sed iptables iproute2

Clone git repository:

# cd /opt
# git clone https://git.tjdev.de/DrMaxNix/xynat.git

Usage

Usage: ./xynat [OPTIONS]

Options:
    -a, --add                  - Add new firewall                                        (default, fallback: MODE=start)
    -r, --remove               - Remove existing firewall                                (fallback: MODE=stop)

    -i, --iface=iface          - Interface name for virtual switch                       (required, fallback: IFACE)
    -s, --vm-address=ip        - IP address of virtual machine                           (required when adding new fw)
    -p, --public-ip=ip         - IP address to use for outgoing traffic and DNAT

    -b, --block=ip-or-net      - Block address(es) for all connections                   (multi-use allowed)

    -w, --allow=ip-or-net      - Allow local address(es) for all connections             (multi-use allowed)
    -x, --allow-in=ip-or-net   - Allow local address(es) for incoming connections only   (multi-use allowed)
    -y, --allow-host           - Allow local host for all connections
    -z, --allow-host-in        - Allow local host for incoming connections only

    -h, --help                 - Display this help message and exit
    -v, --version              - Display version information and exit

Examples:
    Add a new firewall and NAT for a VM which has IP address '192.168.234.2' and is a member of the bridge interface 'br2'
    All traffic to and from local addresses will be blocked; Traffic to public addresses will be allowed
        ./xynat --add --iface "br2" --vm-address "192.168.234.2"

    Same as first example, but use '192.168.123.99' as source address for outgoing connections
        ./xynat --add --iface "br2" --vm-address "192.168.234.2" --public-ip "192.168.123.99"

    Same as first example, but also block all traffic to and from '233.252.0.0/24'
        ./xynat --add --iface "br2" --vm-address "192.168.234.2" --block "233.252.0.0/24"

    Same as second example, but allow incoming and outgoing connections from host device
    The VM will also be accessible from devices in '192.168.137.64/30' via its public address
        ./xynat --add --iface "br2" --vm-address "192.168.234.2" --public-ip "192.168.123.99" --allow-host --allow-in "192.168.137.64/30"

    Remove all firewall and NAT rules for iface 'br2'
        ./xynat --remove --iface "br2"

Example /etc/network/interfaces

Host

auto br-vm-test
iface br-vm-test inet static
	bridge_ports none
	address 192.168.234.1
	network 192.168.234.0
	netmask 255.255.255.252
	pre-up /opt/xynat/xynat -s 192.168.234.2 -p 10.0.0.4 -x 10.0.0.0/8 -z
	post-down /opt/xynat/xynat

Guest

auto eth0
iface eth0 inet static
	address 192.168.234.2
	network 192.168.234.0
	netmask 255.255.255.252
	gateway 192.168.234.1
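As an added example (not xynat's own code; this README does not show the rule set xynat actually installs), the following POSIX shell script prints the iptables commands a NAT-with-firewall of the kind described in the Usage examples and in the interfaces(5) snippet above would need: a per-interface chain with anti-spoofing, explicit blocks, inbound-only exceptions, a local-address block, SNAT/DNAT or MASQUERADE, and a matching removal. The function names (plan_rules, remove_rules, plan_from_env), the chain names (XYNAT_<iface> and its nat sub-chains), the choice to drop unsolicited inbound connections that are not listed with allow-in, and the set of networks treated as "local" are this example's assumptions. It relies on ifupdown exporting IFACE and MODE (start/stop) to pre-up/post-down hooks, which is what lets the Host stanza above omit --iface and --add/--remove. Traffic between the host itself and the VM traverses INPUT/OUTPUT rather than FORWARD and is not covered here.

```shell
#!/bin/sh
# Added example, not xynat's own code: emit the iptables commands for a
# VM NAT + firewall in the style of the README's examples. Nothing is
# applied here; review the output, then run it as root (e.g. `... | sh`).

# Which addresses count as "local" is an assumption of this example
# (private + link-local space); xynat's own definition is not on the page.
LOCAL_NETS="10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 169.254.0.0/16"

# plan_rules IFACE VM_IP [PUBLIC_IP] [BLOCK_NETS] [ALLOW_IN_NETS]
#   BLOCK_NETS / ALLOW_IN_NETS are space-separated lists (may be empty).
plan_rules() {
    p_iface=$1; p_vm=$2; p_pub=${3:-}; p_block=${4:-}; p_allow_in=${5:-}
    p_chain="XYNAT_$p_iface"

    echo "sysctl -q -w net.ipv4.ip_forward=1"
    echo "iptables -N $p_chain"
    echo "iptables -I FORWARD -i $p_iface -j $p_chain"
    echo "iptables -I FORWARD -o $p_iface -j $p_chain"

    # 1. anti-spoofing: only the configured VM address may send on the bridge
    echo "iptables -A $p_chain -i $p_iface ! -s $p_vm -j DROP"
    # 2. explicit blocks win over everything else, in both directions
    for net in $p_block; do
        echo "iptables -A $p_chain -i $p_iface -d $net -j DROP"
        echo "iptables -A $p_chain -o $p_iface -s $net -j DROP"
    done
    # 3. replies to connections that were already allowed
    echo "iptables -A $p_chain -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    # 4. inbound-only exceptions (--allow-in style); DNAT has already rewritten
    #    the destination to the VM address when this chain runs
    for net in $p_allow_in; do
        echo "iptables -A $p_chain -o $p_iface -s $net -d $p_vm -j ACCEPT"
    done
    # 5. everything else to or from local space is dropped
    for net in $LOCAL_NETS; do
        echo "iptables -A $p_chain -i $p_iface -d $net -j DROP"
        echo "iptables -A $p_chain -o $p_iface -s $net -j DROP"
    done
    # 6. outbound to public addresses is allowed; unsolicited inbound is not
    echo "iptables -A $p_chain -i $p_iface -j ACCEPT"
    echo "iptables -A $p_chain -j DROP"

    # NAT lives in its own chains so removal can flush them without the addresses
    echo "iptables -t nat -N ${p_chain}_OUT"
    echo "iptables -t nat -A POSTROUTING -s $p_vm -j ${p_chain}_OUT"
    if [ -n "$p_pub" ]; then
        echo "iptables -t nat -A ${p_chain}_OUT -j SNAT --to-source $p_pub"
        echo "iptables -t nat -N ${p_chain}_IN"
        echo "iptables -t nat -A PREROUTING -d $p_pub -j ${p_chain}_IN"
        echo "iptables -t nat -A ${p_chain}_IN -j DNAT --to-destination $p_vm"
    else
        echo "iptables -t nat -A ${p_chain}_OUT -j MASQUERADE"
    fi
}

# remove_rules IFACE: undo what plan_rules created. Jumps are unlinked first,
# then the chains are flushed and deleted; the nat jumps are found by listing
# the hook chains so the VM/public addresses need not be known here.
remove_rules() {
    r_chain="XYNAT_$1"
    echo "iptables -D FORWARD -i $1 -j $r_chain"
    echo "iptables -D FORWARD -o $1 -j $r_chain"
    echo "iptables -F $r_chain"
    echo "iptables -X $r_chain"
    for hook in POSTROUTING PREROUTING; do
        echo "iptables -t nat -S $hook | grep -- '-j ${r_chain}_' | sed 's/^-A/iptables -t nat -D/' | sh"
    done
    for sub in OUT IN; do
        echo "iptables -t nat -F ${r_chain}_$sub 2>/dev/null && iptables -t nat -X ${r_chain}_$sub"
    done
}

# ifupdown exports IFACE and MODE (start/stop) to pre-up/post-down hooks, which
# is why the README's interfaces(5) example passes neither --iface nor --add/--remove.
plan_from_env() {
    case "${MODE:-start}" in
        start) plan_rules "${IFACE:?IFACE not set}" "$@" ;;
        stop)  remove_rules "${IFACE:?IFACE not set}" ;;
        *)     echo "unsupported MODE=$MODE" >&2; return 1 ;;
    esac
}

# Demo: the README's fourth example (public IP plus an allow-in network).
if [ "${1:-}" = "--demo" ]; then
    plan_rules br2 192.168.234.2 192.168.123.99 "" "192.168.137.64/30"
fi
```

Run `sh plan.sh --demo` to print the plan for the fourth Usage example, and pipe the output to `sh` as root only after reading it. Explicit blocks sit before the ESTABLISHED,RELATED accept so a blocked network cannot be reached even by a connection that was allowed earlier, and the anti-spoofing rule comes first so a guest cannot borrow another address to slip past the later rules.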