Proxmox VE Firewall


Intro
Proxmox VE version 1.1 does not ship with a firewall, which is a bad thing for a production server for obvious reasons. Proxmox VE 2.0 is supposed to ship with firewall support built in. Until then, here is an easy script that you can put on your Proxmox VE box to protect it and, if you so choose, the virtual machines running on it. It is based on http://wiki.openvz.org/Setting_up_an_iptables_firewall but also works with KVM machines and is tailored to a Proxmox install.

Installation and Usage
The firewall system consists of three parts. The first part is the script that does the actual heavy lifting: writing the iptables rules. The second part is a configuration file that defines the firewall to be applied to the host node. The last part is a set of configuration files for the virtual machines running on the host. The virtual machine configuration files are optional: if there is no configuration file for a virtual machine, the script defaults to letting all connections through to it, which lets the firewall be taken care of on the virtual machine itself.

To install the script, copy firewall.sh to /etc/init.d/, make it executable (chmod +x) and then issue:

update-rc.d firewall.sh defaults 21 22

This will make the script start on boot.

Next you need to make the directory to store your firewall configurations. Issue:

mkdir /etc/firewall.d/

Then copy the hostnode.conf file to that location and edit it to suit your environment. The file is largely self-documenting, so I won't go into how to use it, other than to mention that the DMZS parameter is a list of IPs that you want to have unlimited access to the host. I put my personal workstation into the DMZ zone so that I never have to worry about locking myself out. Keep in mind that DMZS trusts a source address alone, so only list addresses on networks where nobody else can spoof that address.

You can also copy the 101.fw file to the /etc/firewall.d/ directory. This generates a firewall for the virtual machine with an ID of 101; the file format is similar to that of hostnode.conf. If a virtual machine has no configuration file, its firewall is left completely open and is assumed to be taken care of on the virtual machine itself, so a missing file means an unrestricted guest, not a locked-down one.
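As an added example (not the firewall.sh attached to this post, whose source is not reproduced here), the following POSIX sh function shows what a <VMID>.fw file turns into: it sources the config and prints the iptables rules instead of applying them, so the result can be reviewed before it touches a live host. The key names (CTID, CTNAME, IP_ADDRESS, TCPPORTS, UDPPORTS, DMZS, BANNED) follow the 101.fw format quoted in the comments below; the FORWARD chain, the rule order and the closing DROP per address are this example's own choices, and IP_ADDRESS is treated as a space-separated list so a container with several addresses gets a rule set per address.

```shell
#!/bin/sh
# Added example, not the firewall.sh attached to the post: render the iptables
# rules one would expect for a <VMID>.fw config and print them for review
# instead of applying them. Key names (CTID, CTNAME, IP_ADDRESS, TCPPORTS,
# UDPPORTS, DMZS, BANNED) follow the 101.fw format; the chain, the rule order
# and the per-address DROP at the end are this example's own choices.

# render_vm_rules <config-file> [chain]
# Prints one "iptables ..." line per rule. Returns 1 if the config names no IP.
render_vm_rules() {
    conf=$1
    chain=${2:-FORWARD}   # traffic to a bridged VM crosses the host as forwarded traffic

    # Reset every key first so a key missing from this file cannot inherit
    # the previous VM's value when several configs are rendered in a row.
    CTID=""; CTNAME=""; IP_ADDRESS=""; TCPPORTS=""; UDPPORTS=""; DMZS=""; BANNED=""
    # The config is executed as shell here, as root at boot on a real host:
    # only the host administrator may ever be able to write these files.
    . "$conf"

    if [ -z "$IP_ADDRESS" ]; then
        echo "# $conf: no IP_ADDRESS set, nothing rendered" >&2
        return 1
    fi

    # IP_ADDRESS may hold several addresses separated by spaces, the same
    # layout OpenVZ uses in /etc/vz/conf/<VEID>.conf; each gets its own set.
    for ip in $IP_ADDRESS; do
        echo "# VM $CTID $CTNAME $ip"
        # bans first, so a banned source is dropped even if it is also in DMZS
        for src in $BANNED; do
            echo "iptables -A $chain -s $src -d $ip -j DROP"
        done
        for src in $DMZS; do
            echo "iptables -A $chain -s $src -d $ip -j ACCEPT"
        done
        echo "iptables -A $chain -d $ip -m state --state ESTABLISHED,RELATED -j ACCEPT"
        for port in $TCPPORTS; do
            echo "iptables -A $chain -p tcp -d $ip --dport $port -j ACCEPT"
        done
        for port in $UDPPORTS; do
            echo "iptables -A $chain -p udp -d $ip --dport $port -j ACCEPT"
        done
        # everything else to this address is dropped: the default is closed
        echo "iptables -A $chain -d $ip -j DROP"
    done
}

# sample_fw_config <path>: write a constructed config in the 101.fw format
sample_fw_config() {
    cat > "$1" <<'EOF'
# constructed sample for the example, not a real host
CTID="101"
CTNAME="box1.example.com"
IP_ADDRESS="192.168.1.2 192.168.1.3"
TCPPORTS="22 80 443"
UDPPORTS="123"
DMZS="10.0.0.5"
BANNED="203.0.113.0/24"
EOF
}

# Stand-alone use: sh render_fw.sh --demo   (prints the rules for the sample)
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp) && sample_fw_config "$tmp" && render_vm_rules "$tmp"
    rm -f "$tmp"
fi
```

Run it with --demo to see the two rule sets the sample's two addresses produce. Because the config is sourced as shell, anything in a .fw file runs as root when the service starts, which is the thing to keep in mind before handing these files to anyone but the host administrator.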

Caveats
These scripts are not as tightly integrated into Proxmox VE as I would like, so some problems do crop up. If you are not running Proxmox VE in a clustered environment, the main problem is that whenever you create a new machine you need to execute

/etc/init.d/firewall.sh restart

to allow the new machine to access the network. In a clustered environment a few more issues pop up. Whenever a machine is migrated the firewall will not follow, so the firewall configuration file must be moved separately and then a

/etc/init.d/firewall.sh restart

must be issued. If the migrated machine does not have a configuration file, a

/etc/init.d/firewall.sh restart

still must be issued. These issues are in addition to the one that affects a non-clustered Proxmox VE install.

Conclusion
This is a working stop-gap measure. It offers protection to your servers and works fairly well. If you have questions or suggestions, leave them in the comments.

Note: I've also done a full review of the Proxmox Virtual Environment if you haven't seen it already. See: Review: Proxmox VE


Attachments
101.fw_.txt (530 bytes)
firewall.sh_.txt (3.77 KB)
hostnode.conf_.txt (329 bytes)


PORT ADDRESS TRANSLATION

Hello, I have a port translation from 33891 to 3389 on my virtual machine. What needs changing in the files, please?


A little help here please

Okay, running Proxmox 1.4

Everything is great until container #3; at that point all containers get open access. The files used are exactly the same, only with the new container # and IP address. Any ideas?

Thanks
Garret


FW script

I've been using your script for a few months and it works great, but do you have any idea what the way to go would be if my VM has 3 IP addresses?
Thanks


FW Scripts

I have never done this but you should be able to just add multiple IPs in the fw config file. So something like this:

# This file is processed by /etc/init.d/firewall
CTID="101" # the container's ID#
CTNAME="box1.example.com" # A human-friendly label for the container
IP_ADDRESS="192.168.1.2" # the IP address for this container
IP_ADDRESS="192.168.1.3"

TCPPORTS="22 25 80 443 161 162" # TCP ports that should be opened
UDPPORTS="123 161 162" # UDP ports that should be opened

DMZS="" # IPs and blocks that should have full access
# to the container's services
BANNED="" # IPs and blocks that should be entirely
# blocked from the container's services

That would allow multiple IPs; however, they would all have the same services open. If that is not what you want, you could make another .fw file, call it something like 101.supplement.fw, and add the rules that you want.

_
/-\ ndrew


I did notice that the rules

I did notice that the rules for the extra IP addresses get added, but the problem is that a container with 2 or more IP addresses is first being set up as a container with no firewall, because the IP address line in /etc/vz/conf/xxx.conf has 3 IP addresses separated by spaces and does not match.

so they are wide open.

I am very careful with trying things because it's a live server.


First two work great, then all open

It is working for the first two containers, then nothing after that; they are all open. Any idea?


Move VEID.fw into private area?

It has occurred to me that you could move the VEID.fw script into the private area of the VE. This would allow the owner of the container to have autonomous control of their firewall settings and would solve some of the issues with migration since the script would be migrated as well.

The main concern would be that the VE owner could alter the firewall in some undesirable way, but I think that could be prevented with some forethought.


DNAT and Transproxy

Hi,
I found your scripts very interesting. But could you please provide other template scripts for DNAT and Transproxy for the following classical topology? Suppose that we have only one public IP set on eth1 on a PVE.

Internet
|
(eth1)
|
PVE(as a Firewall) --(eth0)-- DMZ (some VMs for public access + some VMs for local access)
|
(eth2)
|
Local Network

Thank you very much in advance.
Alies


Alies, In order to do what

Alies,

In order to do what you want you would have to hack around quite a bit with these scripts. What I would recommend for you is a real firewall management utility. I really like Shorewall and use it on my OpenVZ boxes but I am sure it will work the same on Proxmox.

Shorewall is a front end for iptables, making writing rules a breeze. So give Shorewall a try; it will fit the bill nicely for you.

_
/-\ ndrew
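Two comments above ask about this: the 33891 -> 3389 port translation and Alies's single-public-IP topology. As an added example that is not part of the post, its attachments or Andrew's reply, here are the iptables rules such a setup needs, printed rather than applied; interface names and addresses are placeholders. The point that matters for the .fw files: DNAT rewrites the destination before the FORWARD chain runs, so the VM's firewall file has to open the VM-side port (3389 in TCPPORTS), not the public one (33891), which only ever appears in the nat table.

```shell
#!/bin/sh
# Added example, not from the post or its attachments: the extra NAT rules a
# host with a single public address needs to publish a VM service on a
# different outside port, e.g. public 33891 -> 3389 on the VM. Interface
# names and addresses are placeholders.

# port_forward_rules <public-if> <public-port> <vm-ip> <vm-port> [proto]
# Prints the PREROUTING DNAT rule plus the FORWARD accept for the translated
# packet. Returns 1 on a missing or non-numeric port.
port_forward_rules() {
    pubif=$1; pubport=$2; vmip=$3; vmport=$4; proto=${5:-tcp}
    case "$pubport:$vmport" in
        *[!0-9:]*|:*|*:) echo "port_forward_rules: ports must be numeric" >&2; return 1 ;;
    esac
    # DNAT runs before the FORWARD chain sees the packet, so FORWARD (and any
    # per-VM rule set) must match the VM port, 3389 here, not the public 33891.
    echo "iptables -t nat -A PREROUTING -i $pubif -p $proto --dport $pubport -j DNAT --to-destination $vmip:$vmport"
    echo "iptables -A FORWARD -i $pubif -p $proto -d $vmip --dport $vmport -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT"
}

# masquerade_rules <public-if> <private-net>: source NAT for the private VMs
# and the local network, so their traffic leaves with the one public address
# and the DNAT'd connection's replies return through the same path.
masquerade_rules() {
    echo "iptables -t nat -A POSTROUTING -o $1 -s $2 -j MASQUERADE"
}

# Stand-alone use: sh nat_rules.sh --demo
# Forwarding itself also has to be switched on: sysctl -w net.ipv4.ip_forward=1
if [ "${1:-}" = "--demo" ]; then
    port_forward_rules eth1 33891 192.168.1.2 3389
    masquerade_rules eth1 192.168.1.0/24
fi
```

The FORWARD accept has to sit before any per-VM DROP for that address; with the .fw approach the simpler route is to list 3389 in the VM's TCPPORTS and keep only the nat rules separate.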

