Simple firewall for Proxmox 2.2 OpenVZ MVs

juanmaria

Member
Apr 26, 2012
Hi,

I'm new here, I've got a server at OVH with Proxmox 2.2-24 which I'm setting up.

I'm going to have a couple of bridged KVM MVs, each one with its own iptables firewall, and a few routed OpenVZ MVs which I'd like to protect with a generic firewall on the host server.

I've seen a post about firewall recommendations but it's from 2010 and I understand it's for version 1. I've read a few web pages about this subject but I haven't found anything as simple as I'd like.

Could anyone recommend me an iptables script or something simple which I could use as a foundation for my own firewall?

Thanks in advance.
Juan María.
 
Thank you Riotvan,

I'm familiar with Shorewall but, since I'm using a hired server on OVH, I was looking for something simpler so, in case of a disaster, I wouldn't have to install and configure so many packages and could be online again as soon as possible.

I'm reading the document at http://wiki.openvz.org/Setting_up_an_iptables_firewall hoping it would be applicable to a Proxmox server.
 
Hi Juan,

I am also going to have the same need and with ovh also!

Do let us know how it went, I'm looking at vm-firewall from Fridu or other solutions.

Denny
 
Hi bluebirdnet,

It went quite well, I had to make some changes but now it's working fine.

I also had to change a few settings in my NFS configuration because I've hired a USB 2 TB HDD that I'm sharing via NFS with the MVs. I added the following to /etc/default/nfs-kernel-server:

Code:
LOCKD_TCPPORT=32803
LOCKD_UDPPORT=32769
MOUNTD_PORT=892
RQUOTAD_PORT=875
STATD_PORT=662
STATD_OUTGOING_PORT=2020

I divided the original script into two: one with the service start, stop, etc. functions and the other with the firewall code.

I also included a new option in the VM configuration files to enable ping to a MV.

I've got all my scripts and configurations in a directory named /etc/olinet, so I changed the location of the VM scripts accordingly.

This is the firewall:

/etc/olinet/firewall.init.d
Code:
#!/bin/bash
### BEGIN INIT INFO
# Provides:          firewall
# Required-Start:    $local_fs $network $syslog
# Required-Stop:     $local_fs $network $syslog
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
# Short-Description: Start/stop firewall
### END INIT INFO
#
# Startup script that launches the Host Node firewall
#
# Based on: http://wiki.openvz.org/Setting_up_an_iptables_firewall#Setting_up_a_HN-based_firewall
#
# Adapted for Debian LSBInitScripts
#
# Almost all of the code lives in an external script, /etc/olinet/firewall.script;
# only what is needed to manage the service is kept here.
#
FIREWALL='/etc/olinet/firewall.script'
#
success() {
   echo -n "...success"
}
#
failure() {
   echo -n "...failure"
}
# Flush every rule and fall back to ACCEPT on all chains. Used by "stop",
# and by "start" right before the rules are loaded again.
purge() {
  echo -n "Firewall: Purging and allowing all traffic"
  iptables -P OUTPUT ACCEPT
  iptables -P FORWARD ACCEPT
  iptables -P INPUT ACCEPT
  iptables -F
  success ; echo
}
#
case "$1" in
  start)
    echo "Starting firewall..."
    purge
    # The rule script must exist and be executable; if it is not, say so
    # instead of silently leaving the host in the ACCEPT-all state purge set.
    if [ -x "$FIREWALL" ]; then
      "$FIREWALL"
    else
      echo -n "Firewall: $FIREWALL not found or not executable" ; failure ; echo
      exit 1
    fi
    ;;
  stop)
    echo "Stopping firewall..."
    purge
    ;;
  restart)
    $0 stop
    $0 start
    ;;
  status)
    iptables -n -L
    ;;
  *)
    echo "Usage: $0 <start|stop|restart|status>"
    ;;
esac


/etc/olinet/firewall.script
Code:
#!/bin/bash

################################################################################
#     FIREWALL FOR THE PROXMOX HOST (HOST AND ROUTED MVs ONLY)                 #
#     Juan Maria Gil                                                           #
#     Based on: http://wiki.openvz.org/Setting_up_an_iptables_firewall         #
################################################################################
# This script sets up the firewall for the INPUT chain (which is for
# the HN itself) and then processes the config files under
# /etc/olinet/firewall.d to set up additional rules in the FORWARD chain
# to allow access to containers' services.
#
# Ordering note: rules added with "iptables -I" are inserted at the top of
# the chain, so the rule inserted last is the one matched first.
################################################################################
#
# Message display functions
#
success() {
   echo -n "...success"
}
failure() {
   echo -n "...failure"
}
################################################################################
#
#
WAN_INTERFACE=vmbr0
#
# IPs/networks with full access to the host
#
DMZS="w.x.y.z/32
w.x.y.z/32"
#
#
# Container IPs/networks
#
CT_NETS="w.x.y.z/30
w.x.y.z
w.x.y.z
w.x.y.z"
#
# The IP used by the hosting server itself
#
THISHOST="w.x.y.z"
THISHOST_24="w.x.y"
#
# Ports that will be opened to the whole world (none for now)
#
# OKPORTS="53"
#
echo -n "Firewall: Setting default policies to DROP"
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -I INPUT   -j ACCEPT -m state --state ESTABLISHED,RELATED
iptables -I FORWARD -j ACCEPT -m state --state ESTABLISHED,RELATED
iptables -I INPUT -j ACCEPT -i lo
success ; echo
#
# Add the permissions OVH monitoring needs to work properly.
# We also give their technicians ssh access.
# The host names below are resolved once, when each rule is inserted; if
# OVH changes those addresses the script has to be run again.
#
echo -n "Firewall: Configuring permissions for OVH monitoring"
iptables -A INPUT -i $WAN_INTERFACE -p icmp --source proxy.ovh.net -j ACCEPT
iptables -A INPUT -i $WAN_INTERFACE -p icmp --source proxy.p19.ovh.net -j ACCEPT
iptables -A INPUT -i $WAN_INTERFACE -p icmp --source proxy.rbx.ovh.net -j ACCEPT
iptables -A INPUT -i $WAN_INTERFACE -p icmp --source proxy.rbx2.ovh.net -j ACCEPT
iptables -A INPUT -i $WAN_INTERFACE -p icmp --source ping.ovh.net -j ACCEPT
iptables -A INPUT -i $WAN_INTERFACE -p icmp --source ${THISHOST_24}.250 -j ACCEPT # IP = aaa.bbb.ccc according to the previous rule
iptables -A INPUT -i $WAN_INTERFACE -p icmp --source ${THISHOST_24}.249 -j ACCEPT # temporary, only for HG server
iptables -A INPUT -i $WAN_INTERFACE -p tcp --dport 22 --source cache.ovh.net -j ACCEPT
success ; echo
#
# Forwarding and NFS access for the containers (the NFS ports are the fixed
# ones set in /etc/default/nfs-kernel-server, so they can be listed here)
#
echo "Firewall: Configuring permissions to containers"
for net in $CT_NETS ; do
  echo -n "          NFS/FORWARD $net"
  iptables -I FORWARD -j ACCEPT --source $net
  iptables -I INPUT -j ACCEPT --source $net -p udp --dport 111
  iptables -I INPUT -j ACCEPT --source $net -p tcp --dport 111
  iptables -I INPUT -j ACCEPT --source $net -p tcp --dport 2049
  iptables -I INPUT -j ACCEPT --source $net -p tcp --dport 32803
  iptables -I INPUT -j ACCEPT --source $net -p udp --dport 32769
  iptables -I INPUT -j ACCEPT --source $net -p tcp --dport 892
  iptables -I INPUT -j ACCEPT --source $net -p udp --dport 892
  iptables -I INPUT -j ACCEPT --source $net -p tcp --dport 875
  iptables -I INPUT -j ACCEPT --source $net -p udp --dport 875
  iptables -I INPUT -j ACCEPT --source $net -p tcp --dport 662
  iptables -I INPUT -j ACCEPT --source $net -p udp --dport 662
  success ; echo
done
#
# Access to the HN's open ports (disabled for now)
#
echo "Firewall: Allowing access to HN"
# for port in $OKPORTS ; do
#   echo -n "          port $port"
#   iptables -I INPUT -j ACCEPT -d $THISHOST --protocol tcp --destination-port $port
#   iptables -I INPUT -j ACCEPT -d $THISHOST --protocol udp --destination-port $port
#   success ; echo
# done
#
# Full access for the authorised IPs/networks
#
for ip in $DMZS ; do
  echo -n "          DMZ $ip"
  iptables -I INPUT   -i $WAN_INTERFACE -j ACCEPT -s $ip
  iptables -I FORWARD -i $WAN_INTERFACE -j ACCEPT -s $ip
  success ; echo
done
#
# Per-container rules from the files in /etc/olinet/firewall.d
#
CTSETUPS=`echo /etc/olinet/firewall.d/*`
if [ "$CTSETUPS" != "/etc/olinet/firewall.d/*" ] ; then
echo "Firewall: Setting up container firewalls"
for i in $CTSETUPS ; do
  # Clear the per-container variables before sourcing the next file, so a
  # value left by the previous container (or the host-level DMZS list above,
  # which has already been applied) cannot leak into this one.
  unset CTID CTNAME CTIP OPENPORTS DMZS BANNED PING
  . $i
  echo -n "          $CTNAME CT$CTID"
  rc=0
  if [ -n "$OPENPORTS" ]; then
    for port in $OPENPORTS ; do iptables -I FORWARD -j ACCEPT --protocol tcp --destination $CTIP --destination-port $port || rc=1 ; done
    for port in $OPENPORTS ; do iptables -I FORWARD -j ACCEPT --protocol udp --destination $CTIP --destination-port $port || rc=1 ; done
  fi
  if [ -n "$DMZS" ]; then
    for source in $DMZS ; do iptables -I FORWARD -j ACCEPT --protocol tcp --destination $CTIP --source $source || rc=1 ; done
    for source in $DMZS ; do iptables -I FORWARD -j ACCEPT --protocol udp --destination $CTIP --source $source || rc=1 ; done
  fi
  if [ -n "$PING" ]; then
    iptables -I FORWARD -j ACCEPT --destination $CTIP -p icmp --icmp-type 8 -s 0/0 -m state --state NEW,ESTABLISHED,RELATED || rc=1
  fi
  # BANNED sources are inserted last so their DROP rules end up above the
  # ACCEPT rules just inserted; otherwise a banned source could still reach
  # the container's open ports.
  if [ -n "$BANNED" ]; then
    for source in $BANNED ;  do iptables -I FORWARD -j DROP --destination $CTIP --source $source || rc=1 ; done
  fi
  [ $rc -eq 0 ] && success || failure
  echo
done
fi
################################################################################
#     END OF FIREWALL                                                          #
################################################################################


/etc/olinet/firewall.d/some_mv_script
Code:
# This file is sourced by /etc/olinet/firewall.script (run from /etc/init.d/firewall)
CTID="102"            # the container's ID
CTNAME="nameserver"   # A human-friendly label for the container
CTIP="w.x.y.z"        # the IP address for this container
OPENPORTS="53"        # ports that should be universally opened
                      # to the entire Internet
DMZS=""               # IPs and blocks that should have full access
                      # to the container's services
BANNED=""             # IPs and blocks that should be entirely
                      # blocked from the container's services
PING="x"              # Set this variable to anything to enable ping


To install it I did the following:

Code:
chmod +x /etc/olinet/firewall.init.d /etc/olinet/firewall.script   # both are executed directly
ln -s /etc/olinet/firewall.init.d /etc/init.d/firewall
insserv -v firewall


Hope it helps you.

Greetings from Spain.
Juan María.
 
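A dry run for the per-container files, added here as an example and not part of Juan's scripts: it sources one /etc/olinet/firewall.d file with the variables cleared first, rejects malformed addresses and ports before they ever reach iptables, and prints the rules in the order they need to be matched (bans before accepts). The helper names is_ipv4, is_port and render_ct_rules are this example's own, and the sample config uses documentation addresses, not real hosts.

```shell
#!/bin/sh
# Added example, not code from the thread: a dry run that shows what one
# /etc/olinet/firewall.d/* file will turn into before "service firewall
# restart" applies it. The helper names (is_ipv4, is_port, render_ct_rules)
# are this example's own; the config format is the one used in the post.

# True if $1 is a dotted-quad IPv4 address with an optional /prefix.
is_ipv4() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$'
}

# True if $1 is a port number in 1..65535.
is_port() {
    printf '%s\n' "$1" | grep -Eq '^[0-9]{1,5}$' && [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# render_ct_rules FILE
# Prints the iptables commands for one container, one per line, in the
# order they must be matched: bans first, then DMZ sources, open ports and
# ping. They are written with -A (append) so the printed order is the chain
# order. Runs in a subshell with the variables cleared first, so nothing
# from a previously processed container can leak in, and refuses the file
# if an address or port is malformed instead of feeding it to iptables.
render_ct_rules() (
    case "$1" in */*) f=$1 ;; *) f=./$1 ;; esac   # "." searches PATH for bare names
    unset CTID CTNAME CTIP OPENPORTS DMZS BANNED PING
    . "$f" || exit 1
    [ -n "$CTID" ] || { echo "$1: CTID not set" >&2; exit 1; }
    is_ipv4 "$CTIP" || { echo "$1: CTIP '$CTIP' is not an IPv4 address" >&2; exit 1; }
    for src in $BANNED; do
        is_ipv4 "$src" || { echo "$1: bad BANNED entry '$src'" >&2; exit 1; }
        echo "iptables -A FORWARD -d $CTIP -s $src -j DROP"
    done
    for src in $DMZS; do
        is_ipv4 "$src" || { echo "$1: bad DMZS entry '$src'" >&2; exit 1; }
        echo "iptables -A FORWARD -d $CTIP -s $src -p tcp -j ACCEPT"
        echo "iptables -A FORWARD -d $CTIP -s $src -p udp -j ACCEPT"
    done
    for port in $OPENPORTS; do
        is_port "$port" || { echo "$1: bad OPENPORTS entry '$port'" >&2; exit 1; }
        echo "iptables -A FORWARD -d $CTIP -p tcp --dport $port -j ACCEPT"
        echo "iptables -A FORWARD -d $CTIP -p udp --dport $port -j ACCEPT"
    done
    if [ -n "$PING" ]; then
        echo "iptables -A FORWARD -d $CTIP -p icmp --icmp-type 8 -j ACCEPT"
    fi
)

# Constructed sample in the format of the firewall.d file shown in the post
# (documentation addresses, not real hosts).
SAMPLE=$(mktemp) || exit 1
cat > "$SAMPLE" <<'EOF'
CTID="102"
CTNAME="nameserver"
CTIP="192.0.2.10"
OPENPORTS="53"
DMZS="198.51.100.0/24"
BANNED="203.0.113.9"
PING="x"
EOF
render_ct_rules "$SAMPLE"
rm -f "$SAMPLE"
```

Run it against each file in /etc/olinet/firewall.d before a restart; a non-zero exit means the file would have produced a broken or missing rule, and the printed list shows whether the DROP for a banned source really sits above the accepts.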
Hey Juanmaria,

thanks for the info! glad it went well.

I ended up going with Shorewall, it was simple enough for my needs.

With OVH don't forget to allow ICMP from their hosts so they can monitor your server.
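A check that goes with the advice in this thread, added here as an example and not code from any of the posters: after the firewall service has started, the output of `iptables -S` should show INPUT and FORWARD defaulting to DROP and every INPUT accept that opens a port limited to a source (such as the OVH monitoring hosts or the container networks), the loopback interface, or the conntrack state rule. The function name audit_ruleset and the sample dump are this example's own.

```shell
#!/bin/sh
# Added example, not code from the thread: audit an "iptables -S" dump of
# the host node against what the firewall script intends, namely that INPUT
# and FORWARD default to DROP and that every INPUT ACCEPT rule which opens
# a port is restricted to a source (-s), the loopback interface or the
# conntrack state match. The function name is this example's own.
# Usage on the host:  iptables -S | audit_ruleset

# audit_ruleset  (reads the dump on stdin)
# Prints one finding per line and returns 1 if there were any, else 0.
audit_ruleset() {
    findings=0
    while IFS= read -r line; do
        case "$line" in
            "-P INPUT DROP"|"-P FORWARD DROP")
                ;;                                     # as intended
            "-P INPUT "*|"-P FORWARD "*)
                echo "policy is not DROP: $line"
                findings=$((findings + 1)) ;;
            "-A INPUT "*"-j ACCEPT")
                case "$line" in
                    *" -i lo "*|*"--state "*) ;;       # loopback / established traffic
                    *"! -s "*)                         # negated source is not a restriction
                        echo "INPUT accept with negated source: $line"
                        findings=$((findings + 1)) ;;
                    *" -s "*) ;;                       # source-restricted, as intended
                    *)  echo "INPUT accept open to any source: $line"
                        findings=$((findings + 1)) ;;
                esac ;;
        esac
    done
    [ "$findings" -eq 0 ]
}

# Constructed sample dump (documentation addresses) with two problems: the
# FORWARD policy is still ACCEPT, as left behind when the rule script fails
# after purge, and ssh is accepted from anywhere.
SAMPLE_DUMP='-P INPUT DROP
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 192.0.2.8/30 -p tcp -m tcp --dport 2049 -j ACCEPT
-A INPUT -s 198.51.100.7/32 -i vmbr0 -p icmp -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT'

printf '%s\n' "$SAMPLE_DUMP" | audit_ruleset || echo "ruleset needs attention"
```

Ports the host deliberately opens to everyone (the OKPORTS list in the script) will also be listed, which is the point: each line in the output is a rule that should be there on purpose.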