Firewall advice

gumballer

New Member
Apr 20, 2013
Hi,

My understanding of network bridges is not great and I have done the following setup but I'm not sure how to now add firewall protection to my proxmox box. Any advice would be appreciated.

My setup:

Proxmox installed on a Physical Machine with 2 physical NIC's and configured to use eth0 bridged to vmbr0 for LAN and eth1 bridged to vmbr1 for WAN.

Virtual Machine installed in proxmox to be a Firewall and VPN server. Shorewall installed as the firewall and configured to provide NAT for the LAN.
All of the above is working fine however I'm aware that this configuration is not protecting the proxmox server itself.

How can I ensure that WAN traffic is passed through/between eth1 to vmbr1 without proxmox being exposed to the traffic?

WAN is an ADSL router with IP 192.168.0.1 setup to DMZ to all traffic to 192.168.0.254
Proxmox network configuration settings:

Code:
# network interface settings
auto lo
iface lo inet loopback

iface eth0 inet manual
iface eth1 inet manual

auto vmbr0
iface vmbr0 inet static
        address 10.0.0.10
        netmask 255.0.0.0
        network 10.0.0.0
        broadcast 10.255.255.255
        gateway 10.0.0.1
        bridge_ports eth0
        bridge_stp off
        bridge_fd 0

auto vmbr1
iface vmbr1 inet static
        address 192.168.0.254
        netmask 255.255.255.0
        network 192.168.0.0
        broadcast 192.168.0.255
        gateway 192.168.0.1
        bridge_ports eth1
        bridge_stp off
        bridge_fd 0
 
you can skip using an extra VM for firewalling, it's unnecessary overhead. both port access as well as NAT and/or ipv6 forwarding can be done by ip(6)tables running on the host node.
utilizing a VM to handle traffic to the machine even complicates things as it introduces another dependency, whereas networking to the host and all the VMs depends on the firewall VM running / booting up properly
 
A firewall IMHO should always be installed on a dedicated physical device. For restriction to the nodes themselves IPTables is sufficient. My nodes are all connected to an internal network on one of the bridges (vmbr0) for access to UPS, NTP etc. So on each node I have this little iptables script which is executed when booting the node:

Code:
#!/bin/sh


iptables -F INPUT


# Block all input on vmbr0 except https(8006) and apcups(udp:3551)
iptables -A INPUT -i vmbr0 -p tcp --dport 8006 -m state --state NEW -j ACCEPT
# vnc-console
iptables -A INPUT -i vmbr0 -p tcp -m multiport --dports 5900:5910 -m state --state NEW -j ACCEPT
iptables -A INPUT -i vmbr0 -p udp -j ACCEPT
iptables -A INPUT -i vmbr0 -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i vmbr0 -j DROP
 
The script was actually not bullet proof so here is a more correct version with comments:

Code:
#!/bin/sh


iptables -F INPUT


# Block all input on vmbr0 except
# https(8006)
iptables -A INPUT -i vmbr0 -p tcp --dport 8006 -m state --state NEW -j ACCEPT
# vnc-console (5900-5910)
iptables -A INPUT -i vmbr0 -p tcp -m multiport --dports 5900:5910 -m state --state NEW -j ACCEPT
# apcups (udp:3551)
iptables -A INPUT -i vmbr0 -p udp --dport 3551 -m state --state NEW -j ACCEPT


# Related traffic to the above
iptables -A INPUT -i vmbr0 -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i vmbr0 -p udp -m state --state ESTABLISHED,RELATED -j ACCEPT


# Drop everything else
iptables -A INPUT -i vmbr0 -j DROP
 
A firewall IMHO should always be installed on a dedicated physical device.
I agree, any real IT infrastructure will probably have at least level 3 switches with access lists, if not some nasty DPI system like a Palo Alto. However the OP made it sound like he's got some kind of singular external server, i.e. he probably doesn't have access to the connecting network hardware, which is why he needs on-system firewalling.
 
Thanks for the feedback.

I also agree that a firewall should be on a dedicated device however I'm not in a position to have that luxury :(

I realised that I should have put the firewall on the host node after I had set it up on the VM but was trying to save myself some work by independently locking down the proxmox host and keeping what I had done. However I think I have also worded my question poorly.

What I was trying to work out is the relationship of eth1 and vmbr1 when creating rules (think I may need to read more about bridging). When eth1 is bridged to vmbr1 do I need to set rules for both to protect the host or does eth1 become redundant leaving only vmbr1 in need of protection? i.e. are any rules likely to block traffic between physical NIC eth1 and the Virtual Bridge vmbr1.
 
once you bridge your physical interface to something, the bridge will get the IP address the ethX device used to have and there's no need to set up rules for ethX anymore.

also this depends largely on your setup, but you may not even need to specify in/out devices in your rules, because generally traffic destined for the host will hit the INPUT policy whereas traffic for the VMs will hit the FORWARD chain
 
If you don't assign an IP to the bridge, meaning the host will not be accessible on this bridge from the network, then you don't need to make any rules for this interface vis-a-vis the host, but to be able to access VMs on this interface from the outside you might need some rules for this task depending on your network setup and other routing and firewall setup.
 
If you don't assign an IP to the bridge, meaning the host will not be accessible on this bridge from the network, then you don't need to make any rules for this interface vis-a-vis the host, but to be able to access VMs on this interface from the outside you might need some rules for this task depending on your network setup and other routing and firewall setup.

If I remove the IP on the bridge vmbr1 then proxmox does not enable the bridge and VM's fail to start with the error "bridge 'vmbr1' does not exist". I have changed my settings above as follows. Have I misunderstood what you are saying about not assigning an IP to the bridge?

Code:
# network interface settings
auto lo
iface lo inet loopback

iface eth0 inet manual
iface eth1 inet manual

auto vmbr0
iface vmbr0 inet static
        address 10.0.0.10
        netmask 255.0.0.0
        network 10.0.0.0
        broadcast 10.255.255.255
        gateway 10.0.0.1
        bridge_ports eth0
        bridge_stp off
        bridge_fd 0

auto vmbr1
iface vmbr1 inet static
        # address 192.168.0.254
        # netmask 255.255.255.0
        network 192.168.0.0
        broadcast 192.168.0.255
        gateway 192.168.0.1
        bridge_ports eth1
        bridge_stp off
        bridge_fd 0
 
Code:
auto vmbr1
iface vmbr1 inet static
     bridge_ports eth1
     bridge_stp off
     bridge_fd 0



Code:
auto vmbr1
iface vmbr1 inet static
        # address 192.168.0.254
        # netmask 255.255.255.0
        #network 192.168.0.0
        #broadcast 192.168.0.255
        #gateway 192.168.0.1
        bridge_ports eth1
        bridge_stp off
        bridge_fd 0
 
Thanks snowman66 however this still does not change anything, the vmbr1 is still inactive without an IP address and the VM's still fail to start due to vmbr1 not existing!
 
OK, I found the problem - static needed to be changed to manual as well as removing the IP

Code:
auto vmbr1
iface vmbr1 inet manual
        # address 192.168.0.254
        # netmask 255.255.255.0
        #network 192.168.0.0
        #broadcast 192.168.0.255
        #gateway 192.168.0.1
        bridge_ports eth1
        bridge_stp off
        bridge_fd 0
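An added check (not from the thread or from Proxmox) that reads an ifupdown interfaces file the way the replies above reason about it: a bridge with an address is one the host answers on, so it needs INPUT rules; a `manual` bridge with no address only carries VM traffic; `static` with the address commented out reproduces the "bridge does not exist" failure the OP hit. The sample config is constructed, not the OP's file.

```python
# Constructed sample in the thread's style; not the OP's actual file.
SAMPLE_INTERFACES = """\
iface eth0 inet manual
iface eth1 inet manual

auto vmbr0
iface vmbr0 inet static
        address 10.0.0.10
        netmask 255.0.0.0
        gateway 10.0.0.1
        bridge_ports eth0

auto vmbr1
iface vmbr1 inet static
        # address 192.168.0.254
        bridge_ports eth1
"""

def parse_interfaces(text):
    """Parse ifupdown text into {iface: {"method": ..., "options": {...}}}."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # '#' comments a line out, as in the thread
        if not line:
            continue
        parts = line.split()
        if parts[0] == "iface" and len(parts) >= 4:
            current = {"method": parts[3], "options": {}}
            stanzas[parts[1]] = current
        elif parts[0] in ("auto", "allow-hotplug", "source"):
            current = None  # these lines start no stanza
        elif current is not None and len(parts) >= 2:
            current["options"][parts[0]] = " ".join(parts[1:])
    return stanzas

def audit_bridges(stanzas):
    """Classify each bridge by whether the host itself is reachable on it."""
    verdicts = {}
    for name, st in stanzas.items():
        if "bridge_ports" not in st["options"]:
            continue  # not a bridge
        if "address" in st["options"]:
            verdicts[name] = "host-reachable"  # host IP here: INPUT rules needed
        elif st["method"] == "manual":
            verdicts[name] = "transit-only"  # VM traffic only; host never answers here
        else:
            verdicts[name] = "broken"  # static with no address: bridge never came up
    return verdicts
```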
 
