Suggestion for Proxmox software firewall

tabbi (New Member, Jul 30, 2011)
I have a Proxmox VE server running without a physical firewall in front of it. I know that this would be better, but for now it isn't possible.

I want to use KVM and OpenVZ machines on the Proxmox host. What can I do to best protect Proxmox and the virtual machines?
 
Try Shorewall; there are several howtos and tips on the web.
 
Thanks for your answers. I have now tried for days to implement Shorewall on Proxmox correctly. The basic configuration works (protection of the host node, with access only to SSH and the web frontend), but accessing the virtual machines doesn't.

I tried some guides (http://www.myatus.com/2009/08/31/guide-firewall-and-router-with-proxmox/, http://www.montanalinux.org/proxmox-ve-with-shorewall.html, http://wiki.nodomain.cc/hosting-mit-proxmox-auf-hetzner-eq6#shorewall-konfiguration) without success.

Below is the current configuration. Pinging the IP EXTERNAL_IP_FOR_VMID_101 doesn't work from outside, and neither does accessing the web server of that virtual machine.

Do you have any idea what could help solve this?

Code:
#ls -la /etc/shorewall
total 36
drwxr-xr-x  2 root root 4096 2012-01-07 15:54 .
drwxr-xr-x 79 root root 4096 2012-01-07 15:13 ..
-rw-r--r--  1 root root  214 2012-01-07 15:11 interfaces
-rw-r--r--  1 root root  453 2007-11-08 17:21 Makefile
-rw-r--r--  1 root root  165 2012-01-07 15:32 masq
-rw-r--r--  1 root root  494 2012-01-07 15:12 policy
-rw-r--r--  1 root root  435 2012-01-07 15:37 rules
-rw-r--r--  1 root root 4004 2012-01-07 15:10 shorewall.conf
-rw-r--r--  1 root root  183 2012-01-07 15:11 zones
Code:
# cat interfaces
#ZONE   INTERFACE       BROADCAST       OPTIONS
net     eth0            detect          blacklist,nosmurfs
dmz     venet0          detect          routeback
dmz     vmbr0           detect          routeback,bridge
Code:
# cat masq
#INTERFACE      SOURCE          ADDRESS         PROTO   PORT(S) IPSEC   MARK
+eth0           10.0.1.101      EXTERNAL_IP_FOR_VMID_101
eth0            10.0.0.0/8

# LAST LINE -- DO NOT REMOVE
Code:
# cat policy
#SOURCE DEST    POLICY          LOG     LIMIT:          CONNLIMIT:
#                               LEVEL   BURST           MASK

# From Firewall Policy
fw      fw      ACCEPT
fw      net     ACCEPT
fw      dmz     ACCEPT

# From DMZ Policy

dmz     dmz     ACCEPT
dmz     net     ACCEPT
dmz     fw      DROP            info

# From Net Policy
net     fw      DROP            info
net     dmz     DROP            info

# THE FOLLOWING POLICY MUST BE LAST
#
all     all     REJECT          info
Code:
# cat rules
#ACTION          SOURCE     DEST       PROTO   DEST        SOURCE     ORIGINAL    RATE

# Permit access to SSH
SSH/ACCEPT       net        fw         -       -            -          -          6/min:5

# Permit access to Proxmox Manager and Console
ACCEPT           net        fw         tcp     443,5900:5999

# PING Rules
Ping/ACCEPT      all        all

DNAT            net     dmz:10.0.1.101  tcp     80      -       EXTERNAL_IP_FOR_VMID_101


# LAST LINE -- DO NOT REMOVE
Code:
# cat shorewall.conf
###############################################################################
#  /etc/shorewall/shorewall.conf V4.0 - Change the following variables to
#  match your setup
#
#  This program is under GPL
#  [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
#
#  This file should be placed in /etc/shorewall
#
#  (c) 1999,2000,2001,2002,2003,2004,2005,
#      2006,2007 - Tom Eastep (teastep@shorewall.net)
#
#  For information about the settings in this file, type "man shorewall.conf"
#
#  Additional information is available at
#  http://www.shorewall.net/Documentation.htm#Conf
###############################################################################
#                      S T A R T U P   E N A B L E D
###############################################################################

STARTUP_ENABLED=Yes

###############################################################################
#                             V E R B O S I T Y
###############################################################################

VERBOSITY=1

###############################################################################
#                              C O M P I L E R
#      (setting this to 'perl' requires installation of Shorewall-perl)
###############################################################################

SHOREWALL_COMPILER=

###############################################################################
#                              L O G G I N G
###############################################################################

LOGFILE=/var/log/messages

LOGFORMAT="Shorewall:%s:%s:"

LOGTAGONLY=No

LOGRATE=

LOGBURST=

LOGALLNEW=

BLACKLIST_LOGLEVEL=

MACLIST_LOG_LEVEL=info

TCP_FLAGS_LOG_LEVEL=info

RFC1918_LOG_LEVEL=info

SMURF_LOG_LEVEL=info

LOG_MARTIANS=No

###############################################################################
#       L O C A T I O N   O F   F I L E S   A N D   D I R E C T O R I E S
###############################################################################

IPTABLES=

PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin

SHOREWALL_SHELL=/bin/sh

SUBSYSLOCK=""

MODULESDIR=

CONFIG_PATH=/etc/shorewall:/usr/share/shorewall

RESTOREFILE=

IPSECFILE=zones

LOCKFILE=

###############################################################################
#               D E F A U L T   A C T I O N S / M A C R O S
###############################################################################

DROP_DEFAULT="Drop"
REJECT_DEFAULT="Reject"
ACCEPT_DEFAULT="none"
QUEUE_DEFAULT="none"
NFQUEUE_DEFAULT="none"

###############################################################################
#                        R S H / R C P  C O M M A N D S
###############################################################################

RSH_COMMAND='ssh ${root}@${system} ${command}'
RCP_COMMAND='scp ${files} ${root}@${system}:${destination}'

###############################################################################
#                       F I R E W A L L   O P T I O N S
###############################################################################

IP_FORWARDING=On

ADD_IP_ALIASES=Yes

ADD_SNAT_ALIASES=No

RETAIN_ALIASES=No

TC_ENABLED=Internal

TC_EXPERT=No

CLEAR_TC=Yes

MARK_IN_FORWARD_CHAIN=No

CLAMPMSS=No

ROUTE_FILTER=Yes

DETECT_DNAT_IPADDRS=No

MUTEX_TIMEOUT=60

ADMINISABSENTMINDED=Yes

BLACKLISTNEWONLY=Yes

DELAYBLACKLISTLOAD=No

MODULE_SUFFIX=

DISABLE_IPV6=Yes

BRIDGING=No

DYNAMIC_ZONES=No

PKTTYPE=Yes

RFC1918_STRICT=No

MACLIST_TABLE=filter

MACLIST_TTL=

SAVE_IPSETS=No

MAPOLDACTIONS=No

FASTACCEPT=No

IMPLICIT_CONTINUE=Yes

HIGH_ROUTE_MARKS=No

USE_ACTIONS=Yes

OPTIMIZE=0

EXPORTPARAMS=Yes

EXPAND_POLICIES=Yes

KEEP_RT_TABLES=No

DELETE_THEN_ADD=Yes

MULTICAST=No

DONT_LOAD=

###############################################################################
#                       P A C K E T   D I S P O S I T I O N
###############################################################################

BLACKLIST_DISPOSITION=DROP

MACLIST_DISPOSITION=REJECT

TCP_FLAGS_DISPOSITION=DROP

#LAST LINE -- DO NOT REMOVE
Code:
# cat zones
#ZONE   TYPE            OPTIONS         IN                      OUT
#                                       OPTIONS                 OPTIONS
fw      firewall
net     ipv4
dmz     ipv4
Code:
# cat /etc/network/interfaces
# auto-generated system-config
# part of KDCTRL-NOC and FADC

auto lo
iface lo inet loopback

auto eth0
iface eth0 inet static
  address EXTERNAL_IP_HOSTNODE
  netmask 255.255.255.0
  broadcast xxx.yyy.zzz.255
  gateway xxx.yyy.zzz.1

auto vmbr0
iface vmbr0 inet static
  address 10.254.254.254
  netmask 255.0.0.0
  broadcast 10.255.255.255
  bridge_ports none
  bridge_stp off
  bridge_fd 0
Code:
# cat /etc/sysctl.conf
#
# /etc/sysctl.conf - Configuration file for setting system variables
# See /etc/sysctl.d/ for additonal system variables
# See sysctl.conf (5) for information.
#

#kernel.domainname = example.com

# Uncomment the following to stop low-level messages on console
#kernel.printk = 4 4 1 7

##############################################################3
# Functions previously found in netbase
#

# Uncomment the next two lines to enable Spoof protection (reverse-path filter)
# Turn on Source Address Verification in all interfaces to
# prevent some spoofing attacks
#net.ipv4.conf.default.rp_filter=1
#net.ipv4.conf.all.rp_filter=1

# Uncomment the next line to enable TCP/IP SYN cookies
# This disables TCP Window Scaling (http://lkml.org/lkml/2008/2/5/167),
# and is not recommended.
#net.ipv4.tcp_syncookies=1

# Uncomment the next line to enable packet forwarding for IPv4
net.ipv4.ip_forward=1

# Uncomment the next line to enable packet forwarding for IPv6
#net.ipv6.conf.all.forwarding=1


###################################################################
# Additional settings - these settings can improve the network
# security of the host and prevent against some network attacks
# including spoofing attacks and man in the middle attacks through
# redirection. Some network environments, however, require that these
# settings are disabled so review and enable them as needed.
#
# Ignore ICMP broadcasts
#net.ipv4.icmp_echo_ignore_broadcasts = 1
#
# Ignore bogus ICMP errors
#net.ipv4.icmp_ignore_bogus_error_responses = 1
#
# Do not accept ICMP redirects (prevent MITM attacks)
#net.ipv4.conf.all.accept_redirects = 0
#net.ipv6.conf.all.accept_redirects = 0
# _or_
# Accept ICMP redirects only for gateways listed in our default
# gateway list (enabled by default)
# net.ipv4.conf.all.secure_redirects = 1
#
# Do not send ICMP redirects (we are not a router)
#net.ipv4.conf.all.send_redirects = 0
#
# Do not accept IP source route packets (we are not a router)
#net.ipv4.conf.all.accept_source_route = 0
#net.ipv6.conf.all.accept_source_route = 0
#
# Log Martian Packets
#net.ipv4.conf.all.log_martians = 1
#
# The contents of /proc/<pid>/maps and smaps files are only visible to
# readers that are allowed to ptrace() the process
# kernel.maps_protect = 1

net.ipv6.conf.all.disable_ipv6=1
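As an added example (not part of the thread and not Shorewall's own tooling), the Python check below cross-references constructed excerpts of the rules, masq and /etc/network/interfaces files from the post: it reports DNAT or masq addresses that no host interface actually carries while ADD_SNAT_ALIASES=No, and a DNAT target outside every local subnet, both of which leave a forwarded port or a ping to the VM's public address unanswered. The 203.0.113.x addresses stand in for the poster's EXTERNAL_IP_* placeholders, and the function names are hypothetical.

```python
"""Constructed cross-check of the Shorewall rules/masq files against
/etc/network/interfaces: addresses used for DNAT or SNAT must be bound
on the host, and the DNAT target must sit in a local (bridge) subnet."""
import ipaddress
# Excerpts from the post; the poster's EXTERNAL_IP_* placeholders are
# replaced by stand-ins from the 203.0.113.0/24 documentation range.
HOST_IP, VM_PUBLIC_IP = "203.0.113.10", "203.0.113.11"
RULES = f"DNAT   net   dmz:10.0.1.101   tcp   80   -   {VM_PUBLIC_IP}\n"
MASQ = f"+eth0   10.0.1.101   {VM_PUBLIC_IP}\neth0   10.0.0.0/8\n"
IFACES = f"""iface eth0 inet static
  address {HOST_IP}
  netmask 255.255.255.0
iface vmbr0 inet static
  address 10.254.254.254
  netmask 255.0.0.0
"""

def columns(text):
    """Yield each non-comment, non-empty line split into whitespace columns."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            yield line.split()

def host_networks(ifaces):
    """Map interface name -> ip_interface built from its address/netmask."""
    nets, name, addr = {}, None, None
    for c in columns(ifaces):
        if c[0] == "iface":
            name, addr = c[1], None
        elif c[0] == "address":
            addr = c[1]
        elif c[0] == "netmask" and addr:
            nets[name] = ipaddress.ip_interface(f"{addr}/{c[1]}")
    return nets

def check(rules, masq, ifaces, add_snat_aliases="No"):
    """Return the list of findings; an empty list means the files agree."""
    nets = host_networks(ifaces)
    have = {str(i.ip) for i in nets.values()}
    out = []
    for c in columns(rules):  # ACTION SOURCE DEST PROTO DPORT SPORT ORIGINAL
        if c[0] == "DNAT" and len(c) >= 7:
            if c[6] not in have:
                out.append(f"DNAT original dest {c[6]} not bound on any host interface")
            target = ipaddress.ip_address(c[2].split(":")[1])
            if not any(target in n.network for n in nets.values()):
                out.append(f"DNAT target {target} is outside every local subnet")
    for c in columns(masq):  # INTERFACE SOURCE ADDRESS
        if len(c) >= 3 and c[2] not in have and add_snat_aliases != "Yes":
            out.append(f"masq address {c[2]} not on host while ADD_SNAT_ALIASES=No")
    return out
```

Adding an eth0:1 alias stanza for the VM's public address to the interfaces excerpt makes the check come back empty.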
 
