Firewall

rlocone

Apr 9, 2011
Hello All,

I've been trying to get a firewall to work with Proxmox. The examples here in the forums don't help.

auto lo
iface lo inet loopback

iface eth0 inet manual

iface eth1 inet manual

auto vmbr0
iface vmbr0 inet static
    address 10.0.0.5
    netmask 255.255.255.0
    gateway 10.0.0.1
    bridge_ports eth0
    bridge_stp off
    bridge_fd 0

auto vmbr1
iface vmbr1 inet manual
    bridge_ports eth1
    bridge_stp off
    bridge_fd 0

I have a cable internet connection, "dhcp" ethernet. The firewall can't pull in the IP from the internet connection. If I set up vmbr1 for DHCP then Proxmox will get the external IP from eth1, but the firewall still can't pull in the address for vmbr1. I tried using different NICs (e.g., virtio, rt8189) and different firewall packages; they still behave the same.

Thanks for your time & attention,
 
I presume you're still bashing away at trying to install a firewall inside a virtual container (and not the Proxmox host). I've not heard of anyone that has done this so far; you're most likely to be on your own and without help on this setup.

I would advise you to use / look at shorewall or fridu firewall on your host node.

By reading through the above links you may get some ideas.

Col
 
I have my Proxmox server with 2 NICs. It has an IP of 10.1.3.3. I have a Linux firewall running Fedora 14 w/ iptables with the IP of 10.1.3.1 as a KVM virtual machine on the Proxmox server, and my setup works fine. Let me know what information you need.
 
Have your firewall VM pull the IP from the modem via DHCP, not your Proxmox server. Your firewall should use both NICs in the Proxmox server. You have to hand-edit the files.

proxmox:~# cat /etc/qemu-server/101.conf
name: missioncontrol.squeezer.net
ide2: cdrom,media=cdrom
vlan0: e1000=D2:C7:1C:A1:2A:2B
vlan1: e1000=8A:F3:C2:81:CB:BE
bootdisk: ide0
ostype: l26
ide0: local:101/vm-101-disk-1.raw
memory: 512
onboot: 1
sockets: 2
cores: 1

Then your firewall will use vmbr0 on vlan0 as eth0 and vmbr1 on vlan1 as eth1. Then have your firewall grab the IP from the modem using DHCP on the NIC that is connected to the modem. I'll paste my /etc/network/interfaces file:


proxmox:~# cat /etc/network/interfaces
# network interface settings
auto lo
iface lo inet loopback
iface eth0 inet manual
iface eth1 inet manual
auto inet
iface inet inet manual
auto static
iface static inet manual
auto vmbr0
iface vmbr0 inet static
    address 10.1.3.3
    netmask 255.255.255.0
    gateway 10.1.3.1
    bridge_ports eth0
    bridge_stp off
    bridge_fd 0
auto vmbr1
iface vmbr1 inet static
    address 192.168.1.2
    netmask 255.255.255.0
    # gateway 192.168.1.254
    bridge_ports eth1
    bridge_stp off
    bridge_fd 0
iface dummy0 inet manual
auto vmbr2
iface vmbr2 inet static
    address 10.1.4.1
    netmask 255.255.255.0
    # gateway 10.1.4.1
    bridge_ports dummy0
    bridge_stp off
    bridge_fd 0
    post-up route add -net 10.1.4.0 netmask 255.255.255.0 gw 10.1.4.1

and on my Fedora 14 firewall, here's eth0 and eth1:

[root@missioncontrol public_html]# cat /etc/sysconfig/network-scripts/ifcfg-eth0
DEVICE=eth0
BOOTPROTO=none
BROADCAST=10.1.3.255
IPADDR=10.1.3.1
NETMASK=255.255.255.0
NETWORK=10.1.3.0
ONBOOT=yes
TYPE=Ethernet
USERCTL=no
IPV6INIT=no
[root@missioncontrol public_html]# cat /etc/sysconfig/network-scripts/ifcfg-eth1
# Networking Interface
DEVICE=eth1
BOOTPROTO=dhcp
ONBOOT=yes
TYPE=Ethernet
PEERDNS=yes
PEERROUTES=yes
DHCP_HOSTNAME=missioncontrol.squeezer.net
NAME="System eth1"
UUID=9c92fad9-6ecb-3e6c-eb4d-8a47c6f50c04
[root@missioncontrol public_html]# cat /etc/sysconfig/network
NETWORKING=yes
HOSTNAME=missioncontrol.squeezer.net
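
The advice in this thread is that the firewall VM, not the Proxmox host, should take the modem's DHCP lease. The check below is an added example, not code from any poster: it parses an ifupdown file and reports any bridge enslaving the modem-facing NIC on which the host itself takes an address. The function names, the choice of eth1 as the modem-facing NIC, and the sample text (constructed from the first post) are assumptions.

```python
# Added example: checks that the host takes no address on the modem-facing bridge.
# Assumption: eth1 is the NIC cabled to the modem, as in the thread.

def parse_interfaces(text):
    """Parse ifupdown text into {iface: {"method": str, "options": {key: value}}}."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        words = line.split()
        if words[0] == "iface" and len(words) >= 4:
            current = stanzas.setdefault(words[1], {"method": words[3], "options": {}})
        elif words[0] in ("auto", "allow-hotplug", "source", "mapping"):
            current = None  # these lines start a new stanza, not an option
        elif current is not None:
            # normalise the bridge-ports / bridge_ports spellings to one key
            current["options"][words[0].replace("-", "_")] = " ".join(words[1:])
    return stanzas

def audit_wan_bridge(text, wan_nic="eth1"):
    """Report bridges that enslave wan_nic while the host itself is addressed on them."""
    findings = []
    for name, stanza in parse_interfaces(text).items():
        if wan_nic not in stanza["options"].get("bridge_ports", "").split():
            continue
        if stanza["method"] != "manual" or "address" in stanza["options"]:
            findings.append(f"{name}: host method is '{stanza['method']}' on the bridge "
                            f"holding {wan_nic}; use 'manual' so only the firewall VM runs DHCP")
    return findings

# Constructed samples: the first post's bridges, and the host-DHCP variant it describes.
AS_POSTED = """
auto vmbr0
iface vmbr0 inet static
    address 10.0.0.5
    netmask 255.255.255.0
    gateway 10.0.0.1
    bridge_ports eth0
auto vmbr1
iface vmbr1 inet manual
    bridge_ports eth1
"""
HOST_DHCP = AS_POSTED.replace("iface vmbr1 inet manual", "iface vmbr1 inet dhcp")

if __name__ == "__main__":
    for label, text in (("as posted", AS_POSTED), ("host DHCP", HOST_DHCP)):
        print(label, audit_wan_bridge(text) or "ok")
```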