Simple firewall for Proxmox 2.2 OpenVZ MVs

juanmaria

Apr 26, 2012
Hi,

I'm new here, I've got a server at OVH with Proxmox 2.2-24 which I'm setting up.

I'm going to have a couple of bridged KVM MVs, each one with its own iptables firewall, and a few routed OpenVZ MVs which I'd like to protect with a generic firewall on the host server.

I've seen a post about firewall recommendations but it's from 2010 and I understand it is for version 1. I've read a few web pages about this subject but I haven't found anything as simple as I'd like.

Could anyone recommend me an iptables script or something simple which I could use as a foundation for my own firewall?

Thanks in advance.
Juan María.
 
Thank you Riotvan,

I'm familiar with Shorewall but, since I'm using a hired server at OVH, I was looking for something simpler so, in case of a disaster, I wouldn't have to install and configure so many packages and could be online again as soon as possible.

I'm reading the document at http://wiki.openvz.org/Setting_up_an_iptables_firewall hoping it will be applicable to a Proxmox server.
 
Hi Juan,

I am also going to have the same need and with ovh also!

Do let us know how it went, I'm looking at vm-firewall from Fridu or other solutions.

Denny
 
Hi bluebirdnet,

It went quite well, I had to make some changes but now it's working fine.

I also had to change a few settings in my NFS configuration because I've hired a 2TB USB HDD that I'm sharing via NFS with the MVs; I added the following to /etc/default/nfs-kernel-server:

Code:
LOCKD_TCPPORT=32803
LOCKD_UDPPORT=32769
MOUNTD_PORT=892
RQUOTAD_PORT=875
STATD_PORT=662
STATD_OUTGOING_PORT=2020

I divided the original script in two, one to make the service start, stop, etc. functions and the other with the firewall code.

I also included a new option on the VM configuration files to enable ping to a MV.

I've got all my scripts and configurations on a directory named /etc/olinet so I changed the location of the VMs scripts inside.

This is the firewall:

/etc/olinet/firewall.init.d
Code:
#!/bin/bash
### BEGIN INIT INFO
# Provides:          firewall
# Required-Start:    $local_fs $network $syslog
# Required-Stop:     $local_fs $network $syslog
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
# Short-Description: Start/stop firewall
### END INIT INFO
#
# Startup script to launch the Host Node firewall
#
# Based on: http://wiki.openvz.org/Setting_up_an_iptables_firewall#Setting_up_a_HN-based_firewall
#
# Adapted for Debian LSBInitScripts
#
# Almost all of the code has been moved out to an external script,
# /etc/olinet/firewall.script; only what is needed to manage the service is kept here
#
FIREWALL='/etc/olinet/firewall.script'
#
success() {
   echo -n "...success"
}
#
failure() {
   echo -n "...failure"
}
#
# Reset the filter table: default policies back to ACCEPT and every rule flushed
#
purge() {
  echo -n "Firewall: Purging and allowing all traffic"
  iptables -P OUTPUT ACCEPT
  iptables -P FORWARD ACCEPT
  iptables -P INPUT ACCEPT
  iptables -F
  success ; echo
}
#
case "$1" in
  start)
    echo "Starting firewall..."
    purge
    # Load the rules only if the rule script exists and is executable
    if [ -x "$FIREWALL" ]; then
      "$FIREWALL"
    else
      echo -n "Firewall: $FIREWALL missing or not executable" ; failure ; echo
    fi
    ;;
  stop)
    echo "Stopping firewall..."
    purge
    ;;
  restart)
    "$0" stop
    "$0" start
    ;;
  status)
    iptables -n -L -v
    ;;
  *)
    echo "Usage: $0 <start|stop|restart|status>"
    exit 1
    ;;
esac
exit 0


/etc/olinet/firewall.script
Code:
#!/bin/bash

################################################################################
#     FIREWALL FOR A PROXMOX HOST (HOST AND ROUTED CTs ONLY)                   #
#     Juan Maria Gil                                                           #
#     Based on: http://wiki.openvz.org/Setting_up_an_iptables_firewall         #
################################################################################
# This script sets up the firewall for the INPUT chain (which is for
# the HN itself) and then processes the config files under
# /etc/olinet/firewall.d to set up additional rules in the FORWARD chain
# to allow access to containers' services.
#
# Note: most rules are inserted at the top of the chain with -I, so the
# later a rule is inserted by this script, the earlier the kernel evaluates it.
################################################################################
#
# Message display functions
#
success() {
   echo -n "...success"
}
failure() {
   echo -n "...failure"
}
################################################################################
#
#
WAN_INTERFACE=vmbr0
#
# IPs/networks with full access
#
DMZS="w.x.y.z/32
w.x.y.z/32"
#
#
# Container IPs/networks
#
CT_NETS="w.x.y.z/30
w.x.y.z
w.x.y.z
w.x.y.z"
#
# The IP used by the hosting server itself
#
THISHOST="w.x.y.z"
THISHOST_24="w.x.y"
#
# Ports opened to the whole world (none for now)
#
# OKPORTS="53"
#
echo -n "Firewall: Setting default policies to DROP"
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -I INPUT   -j ACCEPT -m state --state ESTABLISHED,RELATED
iptables -I FORWARD -j ACCEPT -m state --state ESTABLISHED,RELATED
iptables -I INPUT -j ACCEPT -i lo
success ; echo
#
# Add the permissions needed for OVH monitoring to work properly.
# Also give their technicians SSH access.
# The hostnames below are resolved to addresses once, when this script runs,
# so the rules must be reloaded if OVH changes those addresses.
#
echo -n "Firewall: Configuring permissions for OVH monitoring"
iptables -A INPUT -i $WAN_INTERFACE -p icmp --source proxy.ovh.net -j ACCEPT
iptables -A INPUT -i $WAN_INTERFACE -p icmp --source proxy.p19.ovh.net -j ACCEPT
iptables -A INPUT -i $WAN_INTERFACE -p icmp --source proxy.rbx.ovh.net -j ACCEPT
iptables -A INPUT -i $WAN_INTERFACE -p icmp --source proxy.rbx2.ovh.net -j ACCEPT
iptables -A INPUT -i $WAN_INTERFACE -p icmp --source ping.ovh.net -j ACCEPT
iptables -A INPUT -i $WAN_INTERFACE -p icmp --source ${THISHOST_24}.250 -j ACCEPT # IP = aaa.bbb.ccc according to the previous rule
iptables -A INPUT -i $WAN_INTERFACE -p icmp --source ${THISHOST_24}.249 -j ACCEPT # temporary, only for HG server
iptables -A INPUT -i $WAN_INTERFACE -p tcp --dport 22 --source cache.ovh.net -j ACCEPT
success ; echo
#
# Forwarding and NFS permissions for the containers
# (the NFS ports are the fixed ones configured in /etc/default/nfs-kernel-server)
#
echo "Firewall: Configuring permissions to containers"
for net in $CT_NETS ; do
  echo -n "          NFS/FORWARD $net"
  iptables -I FORWARD -j ACCEPT --source $net
  iptables -I INPUT -j ACCEPT --source $net -p udp --dport 111
  iptables -I INPUT -j ACCEPT --source $net -p tcp --dport 111
  iptables -I INPUT -j ACCEPT --source $net -p tcp --dport 2049
  iptables -I INPUT -j ACCEPT --source $net -p tcp --dport 32803
  iptables -I INPUT -j ACCEPT --source $net -p udp --dport 32769
  iptables -I INPUT -j ACCEPT --source $net -p tcp --dport 892
  iptables -I INPUT -j ACCEPT --source $net -p udp --dport 892
  iptables -I INPUT -j ACCEPT --source $net -p tcp --dport 875
  iptables -I INPUT -j ACCEPT --source $net -p udp --dport 875
  iptables -I INPUT -j ACCEPT --source $net -p tcp --dport 662
  iptables -I INPUT -j ACCEPT --source $net -p udp --dport 662
  success ; echo
done
#
# Access to the HN's open ports (disabled for now)
#
echo "Firewall: Allowing access to HN"
# for port in $OKPORTS ; do
#   echo -n "          port $port"
#   iptables -I INPUT -j ACCEPT -d $THISHOST --protocol tcp --destination-port $port
#   iptables -I INPUT -j ACCEPT -d $THISHOST --protocol udp --destination-port $port
#   success ; echo
# done
#
# Full access for the authorised IPs/networks
#
for ip in $DMZS ; do
  echo -n "          DMZ $ip"
  iptables -I INPUT   -i $WAN_INTERFACE -j ACCEPT -s $ip
  iptables -I FORWARD -i $WAN_INTERFACE -j ACCEPT -s $ip
  success ; echo
done
#
# Apply the specific permissions for each container
#
CTSETUPS=`echo /etc/olinet/firewall.d/*`
if [ "$CTSETUPS" != "/etc/olinet/firewall.d/*" ] ; then
echo "Firewall: Setting up container firewalls"
for i in $CTSETUPS ; do
  # Clear the per-container variables first, so a value from the previous file
  # (or the host-level DMZS above) cannot leak into this container's rules
  unset CTID CTNAME CTIP OPENPORTS DMZS BANNED PING
  . $i
  echo -n "          $CTNAME CT$CTID"
  rc=0
  if [ -n "$OPENPORTS" ]; then
    for port in $OPENPORTS ; do iptables -I FORWARD -j ACCEPT --protocol tcp --destination $CTIP --destination-port $port || rc=1 ; done
    for port in $OPENPORTS ; do iptables -I FORWARD -j ACCEPT --protocol udp --destination $CTIP --destination-port $port || rc=1 ; done
  fi
  if [ -n "$DMZS" ]; then
    for source in $DMZS ; do iptables -I FORWARD -j ACCEPT --protocol tcp --destination $CTIP --source $source || rc=1 ; done
    for source in $DMZS ; do iptables -I FORWARD -j ACCEPT --protocol udp --destination $CTIP --source $source || rc=1 ; done
  fi
  if [ -n "$PING" ]; then
    iptables -I FORWARD -j ACCEPT --destination $CTIP -p icmp --icmp-type 8 -s 0/0 -m state --state NEW,ESTABLISHED,RELATED || rc=1
  fi
  # BANNED is inserted last on purpose: with -I it lands above the ACCEPT rules,
  # so a banned source is dropped before the open-port, DMZ and ping rules are reached
  if [ -n "$BANNED" ]; then
    for source in $BANNED ;  do iptables -I FORWARD -j DROP --destination $CTIP --source $source || rc=1 ; done
  fi
  [ $rc -eq 0 ] && success || failure
  echo
done
fi
################################################################################
#     END OF FIREWALL                                                          #
################################################################################


/etc/olinet/firewall.d/some_mv_script
Code:
# This file is processed by /etc/init.d/firewall
CTID="102"               # the container's ID#
CTNAME="nameserver"      # A human-friendly label for the container
CTIP="w.x.y.z"           # the IP address for this container
OPENPORTS="53"           # ports that should be universally opened
                         # to the entire Internet
DMZS=""                  # IPs and blocks that should have full access
                         # to the container's services
BANNED=""                # IPs and blocks that should be entirely
                         # blocked from the container's services
PING="x"                 # Set this variable to anything to enable ping


To install it I made the following:

Code:
ln -s /etc/olinet/firewall.init.d /etc/init.d/firewall
insserv -v firewall


Hope it helps you.

Greetings from Spain.
Juan María.
 
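Two things a practitioner would want to check before running the scripts above on a host: the firewall.script sources each file in /etc/olinet/firewall.d with `. $i`, so anything written in those files runs as root, and a file still carrying the w.x.y.z placeholders would be passed straight to iptables. The following is an added example (not code from the thread or from the OpenVZ wiki) that reads a container file by pattern matching instead of sourcing it, validates CTIP, OPENPORTS, DMZS and BANNED, and prints the FORWARD rules it implies as a dry run, with the BANNED drops placed first so a banned source cannot reach an open port. The function names and the sample addresses are constructed for the example.

```shell
#!/bin/bash
# Added example, not part of the thread: validate a /etc/olinet/firewall.d
# style container file and print the FORWARD rules it implies, without
# running iptables and without sourcing the file. Function names are
# hypothetical; addresses come from the documentation ranges.

# Read KEY="value" from a config file by pattern match, never by sourcing it,
# so a stray command in a firewall.d file cannot execute as root.
cfg_get() {   # $1 = file, $2 = key
  sed -n "s/^[[:space:]]*$2=\"\([^\"]*\)\".*/\1/p" "$1" | head -n 1
}

# Return 0 if $1 is a dotted-quad IPv4 address, optionally with a /prefix.
valid_ip() {
  local addr="${1%%/*}" pfx="${1#*/}" n=0 o
  [ "$pfx" = "$1" ] && pfx=32                  # no prefix given
  case $pfx in ''|*[!0-9]*) return 1;; esac
  [ "$pfx" -le 32 ] || return 1
  local IFS=.
  for o in $addr; do
    case $o in ''|*[!0-9]*) return 1;; esac
    [ "$o" -le 255 ] || return 1
    n=$((n + 1))
  done
  [ "$n" -eq 4 ]
}

# Return 0 if $1 is a TCP/UDP port number in 1-65535.
valid_port() {
  case $1 in ''|*[!0-9]*) return 1;; esac
  [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Print the iptables commands for one container file, in evaluation order:
# BANNED drops first, then open ports, DMZ sources and ping.
# Returns 1 and prints nothing on stdout if any field fails validation.
ct_rules() {
  local f="$1" ctip openports dmzs banned ping x
  ctip=$(cfg_get "$f" CTIP)
  openports=$(cfg_get "$f" OPENPORTS)
  dmzs=$(cfg_get "$f" DMZS)
  banned=$(cfg_get "$f" BANNED)
  ping=$(cfg_get "$f" PING)
  valid_ip "$ctip" || { echo "$f: CTIP '$ctip' is not an IPv4 address" >&2; return 1; }
  for x in $openports; do
    valid_port "$x" || { echo "$f: OPENPORTS entry '$x' is not a port" >&2; return 1; }
  done
  for x in $dmzs $banned; do
    valid_ip "$x" || { echo "$f: DMZS/BANNED entry '$x' is not an IPv4 address" >&2; return 1; }
  done
  for x in $banned; do
    echo "iptables -A FORWARD -j DROP --destination $ctip --source $x"
  done
  for x in $openports; do
    echo "iptables -A FORWARD -j ACCEPT --protocol tcp --destination $ctip --destination-port $x"
    echo "iptables -A FORWARD -j ACCEPT --protocol udp --destination $ctip --destination-port $x"
  done
  for x in $dmzs; do
    echo "iptables -A FORWARD -j ACCEPT --protocol tcp --destination $ctip --source $x"
    echo "iptables -A FORWARD -j ACCEPT --protocol udp --destination $ctip --source $x"
  done
  [ -n "$ping" ] && echo "iptables -A FORWARD -j ACCEPT --destination $ctip -p icmp --icmp-type 8"
  return 0
}

# Constructed sample container file (documentation addresses, not real hosts).
SAMPLE_CFG=$(mktemp)
cat > "$SAMPLE_CFG" <<'EOF'
# This file is processed by /etc/init.d/firewall
CTID="102"                 # the container's ID
CTNAME="nameserver"        # a human-friendly label
CTIP="10.0.0.2"            # the IP address for this container
OPENPORTS="53 80"          # ports open to the whole Internet
DMZS="198.51.100.4"        # sources with full access to the container
BANNED="203.0.113.9/32"    # sources blocked entirely
PING="x"                   # any value enables ping
EOF

# A file still carrying the thread's w.x.y.z placeholder must be rejected.
BAD_CFG=$(mktemp)
printf 'CTID="103"\nCTIP="w.x.y.z"\nOPENPORTS="22"\n' > "$BAD_CFG"

ct_rules "$SAMPLE_CFG"                      # prints 8 rules, the DROP first
ct_rules "$BAD_CFG" || echo "rejected: $BAD_CFG"
```

The printed rules use -A so they read top to bottom in the order the kernel evaluates them; after loading rules on a real host, `iptables -n -L FORWARD --line-numbers` shows the actual order and is the quickest way to confirm that a DROP for a banned source sits above the ACCEPT rules for the same container.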
Hey Juanmaria,

thanks for the info! glad it went well.

I ended up going with Shorewall, was simple enough for my needs.

With OVH, don't forget to allow ICMP from their hosts so they can monitor your server.
 
