New to Prox - iptables - application firewalls

B

bdunbar

New Member
Aug 23, 2013
10
0
1
Hi,

I'm working for a startup. We're ready to move from AWS to our own self-hosted solution: three hypervisors running Prox, SAN storage.

My partner here has been running Prox for a few months in our lab environment. I've come to appreciate it's value, as well.

Last Friday a wrinkle was introduced into our hardware setup by management: system and application firewalls.

My first thought was to slap iptables on each container for the former, AppArmor for the latter. This seems to have worked 'ok' at my last employer, but that was using Solaris 10 and zone containers.

(Deploying and maintaining iptables/apparmor across 80-some containers won't be an issue: we've got ansible.)

Objections were raised: won't that be expensive and redundant for 80-some containers to run separate copies of iptables and app-armor? Wouldn't an appliance from [Barracuda, F5, Sonicwall] work better?

And I really don't know.

So: is there a cost to the hypervisor for each container to run iptables/app-armor?

Is there a better way to run 'app armor' or 'iptables' for all containers?
 
If you by container mean OpenVZ aka CT's then I see no reason to run iptables in each and every CT. In my opinion iptables for CT's should be configured and running on the nodes since every CT are already jailed so the iptables firewall is supposed to regulate access to and from the CT.

What benefit do you gain by running iptables inside a CT?
 
Roger. So the recommendation is to use iptables on the proxmox host/node, and to leave iptables unconfigured in the [OpenVZ] containers it runs...

Our hypervisors have 4 NIC cards; 2 will be bonded together and attach to the private ports of our switch (e.g. VLAN 10 10.0.0.0/24), the other 2 will be bonded together and attach to the public/WAN ports of our switch (e.g. VLAN 20, 20.0.0.0/24).

Is the idea to create a bridge on the proxmox host for EACH public IP address, to assign this bridge to its appropriate container (e.g. webserver-1), and then to apply iptables rules on the bridge to allow only designated traffic from the WAN (e.g. port 80, 443)?

So for instance:


# bond0 == private LAN (eth0 + eth1)
# bond1 == public WAN (eth2 + eth3)

## NOT sure how to setup bridge for bond0, would prefer that
## all VMs are assigned 10.0.0.<VM_ID> as their private interface
## ....

## Public Bridges, with IP tables filtering
# webserver-1, IP tables allows port 22,80,443
auto vmbr1
iface vmbr1 inet static
address 20.0.0.10
netmask 255.255.255.0
gateway 20.0.0.1
bridge_ports bond1
bridge_stp off
bridge_fd 0

# vpnserver-1, IP tables allows port 22
auto vmbr2
iface vmbr2 inet static
address 20.0.0.11
netmask 255.255.255.0
gateway 20.0.0.1
bridge_ports bond1
bridge_stp off
bridge_fd 0


Does this make sense? Can we use a shared bridge in each VM for the private interface (bond0) -- and to have the IP address be 10.0.0.<VM_ID>?

Re: AppArmor / application firewall -- this will have to be run in the containers/VMs.

Many thanks,

~ Brice
 
You must log in or register to reply here.

About

The Proxmox community has been around for many years and offers help and support for Proxmox VE, Proxmox Backup Server, and Proxmox Mail Gateway.
We think our community is one of the best thanks to people like you!

Quick Navigation

Home Get Subscription Wiki Downloads Proxmox Customer Portal About

Get your subscription!

The Proxmox team works very hard to make sure you are running the best software and getting stable updates and security enhancements, as well as quick enterprise support. Tens of thousands of happy customers have a Proxmox subscription. Get yours easily in our online shop.

Buy now!
Community platform by XenForo® © 2010-2024 XenForo Ltd.
Top Bottom
Back