Proxmox VE and Shorewall


Proxmox VE does not come with a firewall by default. There are several ways to add one, but the most flexible and robust is integrating the Shorewall firewall. This document assumes a basic knowledge of Shorewall and will not cover all of its capabilities, but it will give you a good working model to get started. For more advanced topics, check out the Shorewall documentation.

Shorewall will have three zones: 1) the fw zone, which is the Proxmox host; 2) the net zone, which is the Internet; and 3) the dmz zone, where the virtual machines will reside. The hardware has just one network interface card; vmbr0 is just a bridge interface.

Note: Want to use Shorewall with stock OpenVZ? Tom Eastep (the Shorewall author) has written an article on the subject that you can find here: Shorewall and OpenVZ.

Network Layout and Shorewall Overview

We will be using proxy arp configuration on the Proxmox host.
A basic Proxmox network configuration looks similar to this:

/etc/network/interfaces
auto eth0

iface eth0 inet static
	address 192.0.2.10
	netmask 255.255.255.0
	gateway 192.0.2.1


auto vmbr0 
iface vmbr0 inet static 
	address  10.1.1.1
	netmask  255.255.255.0 
	bridge_ports none 
	bridge_stp off 
	bridge_fd 0

Proxmox is set up by default in a bridged configuration, with eth0 bridged to vmbr0. This will not work for our purposes, so we break the bridge and use proxy ARP instead. Bridging can be made to work but is less flexible: you can define policies between the host and the virtual machines with a routed proxy ARP setup; with a bridge you cannot. Proxy ARP is a way to expose addresses connected to a private network to the public network. In our case we want to expose the public IPs that are attached to the virtual interface vmbr0. By using private IP space on vmbr0 we can also assign private IPs to virtual machines if needed.

Installing Shorewall

apt-get install shorewall

This will install all the needed Shorewall components on your Proxmox host node. As of this writing, Shorewall 4.0.15 is installed. The Shorewall configuration files are stored in the /etc/shorewall/ directory. To get started, copy an example configuration from the ones installed with the Shorewall package.

cp /usr/share/doc/shorewall-common/default-config/* /etc/shorewall/
cp /usr/share/doc/shorewall-common/examples/two-interfaces/* /etc/shorewall/

This will give you a good base to begin customizing the firewall to meet your needs.

Configuring Shorewall

The first thing to do is edit the shorewall.conf file. You want to enable IP forwarding, so change IP_FORWARDING from Keep to On.

IP_FORWARDING=On

Next edit the interfaces file:

net     eth0            detect          tcpflags,routefilter,nosmurfs,logmartians
dmz     venet0          detect          routeback 
dmz     vmbr0           detect          routeback,bridge 

This file just tells Shorewall which interfaces are connected to which zones. It also allows you to make policies based on where traffic is travelling to or from. The policy file is where you define what those policies are. In this article the following policies will be defined.
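Every zone named in the interfaces file must also be declared in the zones file, which the two-interfaces example populates with fw, net and loc only (the zones file posted in the comments below shows exactly that), so the dmz zone above has to be added there or Shorewall refuses the configuration. The following added example, which is not Shorewall's own code, performs that consistency check offline on constructed copies of the article's interfaces file and of the two zones files; the file contents are embedded as strings rather than read from /etc/shorewall/.

```python
"""Check that every zone referenced in a Shorewall interfaces file is declared
in the zones file. Added example, not part of Shorewall; the file contents
below are constructed to match the article's configuration."""

# Constructed sample: the zones file as shipped with the two-interfaces example.
ZONES_FROM_EXAMPLE = """\
#ZONE   TYPE        OPTIONS         IN          OUT
fw      firewall
net     ipv4
loc     ipv4
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
"""

# Constructed sample: the zones file the article's interfaces file actually needs.
ZONES_WITH_DMZ = """\
#ZONE   TYPE        OPTIONS         IN          OUT
fw      firewall
net     ipv4
dmz     ipv4
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
"""

# Constructed copy of the article's interfaces file.
INTERFACES = """\
#ZONE   INTERFACE       BROADCAST       OPTIONS
net     eth0            detect          tcpflags,routefilter,nosmurfs,logmartians
dmz     venet0          detect          routeback
dmz     vmbr0           detect          routeback,bridge
"""


def records(text):
    """Yield the whitespace-separated columns of each non-comment, non-empty line."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            yield line.split()


def declared_zones(zones_text):
    """Return the set of zone names declared in a zones file (first column)."""
    return {cols[0] for cols in records(zones_text)}


def undeclared_interface_zones(zones_text, interfaces_text):
    """Return (zone, interface) pairs from the interfaces file whose zone is
    not declared in the zones file. Shorewall reports these as
    'ERROR: Invalid zone (...) in record ...' when the configuration is
    compiled; this finds the mismatch beforehand."""
    known = declared_zones(zones_text)
    return [(cols[0], cols[1]) for cols in records(interfaces_text)
            if cols[0] not in known]


if __name__ == "__main__":
    for name, zones in (("two-interfaces example", ZONES_FROM_EXAMPLE),
                        ("with dmz declared", ZONES_WITH_DMZ)):
        missing = undeclared_interface_zones(zones, INTERFACES)
        if missing:
            for zone, iface in missing:
                print(f"{name}: zone {zone!r} on {iface} is not in the zones file")
        else:
            print(f"{name}: all interface zones are declared")
```

Run against the real files by replacing the embedded strings with the contents of /etc/shorewall/zones and /etc/shorewall/interfaces; shorewall check performs the same validation, but this shows which record triggers it.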

Traffic from the firewall:

  1. To the Internet is permitted
  2. From the Internet is prohibited
  3. To the DMZ is permitted
  4. From the DMZ is prohibited

Traffic from the DMZ:

  1. To the Internet is permitted
  2. To the firewall is prohibited

These become the following entries in the policy file:

# From Firewall Policy 
$FW      net     ACCEPT 
$FW      dmz     ACCEPT 

# From DMZ Policy 
dmz     net     ACCEPT 
dmz     $FW     DROP            info    1/sec:2 

# From Net Policy 
net     $FW     DROP            info    1/sec:2 
net     dmz     DROP            info    8/sec:30 

# THE FOLLOWING POLICY MUST BE LAST 
all		all		REJECT		info

Next we need to define rules. Rules are the exceptions to the policies defined above. We are just going to create a very basic set. You can easily expand on these on your own.

#	Accept SSH connections for administration 
# 
SSH/ACCEPT	net		$FW 
SSH/ACCEPT	net		dmz

# Permit access to Proxmox Manager and Console 
ACCEPT          net             $FW     tcp     5900:5999 
HTTPS/ACCEPT    net             $FW 
HTTP/ACCEPT     net             $FW 

# 
#	Allow Ping 
# 
Ping/ACCEPT		dmz		$FW 
Ping/ACCEPT		net		dmz 
Ping/ACCEPT		net		$FW 
ACCEPT		$FW		dmz		icmp 
ACCEPT		$FW		net		icmp 

#
#	VMID: 101
#	Name: test.example.com
#	IP:	192.0.2.11
#
HTTP/ACCEPT		net		dmz:192.0.2.11

This set of rules allows SSH and Ping to work from the net zone. The last part of the file shows a web server running at 192.0.2.11. The syntax is the same whether the target is a KVM machine or an OpenVZ container.
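To see how the rules act as exceptions to the policies, the following added example (not Shorewall's own code) walks constructed copies of the article's policy and rules files the way Shorewall applies them: the rules for a zone pair are consulted in order and the first match decides; if none matches, the first matching policy line applies, with the final all all REJECT as the catch-all. The table that expands the SSH, HTTP, HTTPS and Ping macros to protocol and port is an assumption covering only the macros the article uses.

```python
"""Simulate Shorewall's rules-then-policy lookup for the article's policy and
rules. Added example, not Shorewall code; the file contents are constructed
copies of the article's configuration."""

from dataclasses import dataclass

FW = "fw"  # $FW expands to the firewall zone name

# Constructed copy of the article's policy file.
POLICY = """\
#SOURCE DEST    POLICY  LOG LEVEL  LIMIT:BURST
$FW     net     ACCEPT
$FW     dmz     ACCEPT
dmz     net     ACCEPT
dmz     $FW     DROP    info       1/sec:2
net     $FW     DROP    info       1/sec:2
net     dmz     DROP    info       8/sec:30
all     all     REJECT  info
"""

# Constructed copy of the article's rules file.
RULES = """\
#ACTION         SOURCE  DEST                PROTO   DEST PORT(S)
SSH/ACCEPT      net     $FW
SSH/ACCEPT      net     dmz
ACCEPT          net     $FW                 tcp     5900:5999
HTTPS/ACCEPT    net     $FW
HTTP/ACCEPT     net     $FW
Ping/ACCEPT     dmz     $FW
Ping/ACCEPT     net     dmz
Ping/ACCEPT     net     $FW
ACCEPT          $FW     dmz                 icmp
ACCEPT          $FW     net                 icmp
HTTP/ACCEPT     net     dmz:192.0.2.11
"""

# Assumption: (protocol, destination port or ICMP type) matched by each macro used above.
MACROS = {"SSH": ("tcp", "22"), "HTTP": ("tcp", "80"),
          "HTTPS": ("tcp", "443"), "Ping": ("icmp", "8")}


@dataclass(frozen=True)
class Packet:
    src_zone: str
    dst_zone: str
    dst_addr: str
    proto: str
    dport: int  # destination port, or ICMP type for icmp


def records(text):
    """Columns of each non-comment line, with $FW expanded to the fw zone."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            yield [col.replace("$FW", FW) for col in line.split()]


def port_matches(spec, port):
    """Match a DEST PORT(S) field given as a single port or a low:high range."""
    if ":" in spec:
        low, high = spec.split(":")
        return int(low) <= port <= int(high)
    return int(spec) == port


def rule_matches(cols, pkt):
    """Return the rule's action if it matches the packet, else None."""
    action, src, dest = cols[0], cols[1], cols[2]
    proto = cols[3] if len(cols) > 3 else None
    ports = cols[4] if len(cols) > 4 else None
    if "/" in action:                      # macro form, e.g. SSH/ACCEPT
        macro, action = action.split("/")
        proto, ports = MACROS[macro]
    zone, _, addr = dest.partition(":")    # dmz:192.0.2.11 limits the rule to one host
    if src != pkt.src_zone or zone != pkt.dst_zone:
        return None
    if addr and addr != pkt.dst_addr:
        return None
    if proto and proto != pkt.proto:
        return None
    if ports and not port_matches(ports, pkt.dport):
        return None
    return action


def policy_for(pkt):
    """First matching policy line; 'all' matches any zone."""
    for src, dst, action, *_ in records(POLICY):
        if src in (pkt.src_zone, "all") and dst in (pkt.dst_zone, "all"):
            return action
    raise ValueError("no policy matched; the policy file must end with an 'all all' line")


def verdict(pkt):
    """Rules first, in file order; the policy decides when no rule matches."""
    for cols in records(RULES):
        action = rule_matches(cols, pkt)
        if action:
            return action
    return policy_for(pkt)


if __name__ == "__main__":
    for pkt in (Packet("net", "dmz", "192.0.2.11", "tcp", 80),
                Packet("net", "dmz", "192.0.2.12", "tcp", 80),
                Packet("net", "fw", "192.0.2.10", "tcp", 5901),
                Packet("dmz", "fw", "10.1.1.1", "tcp", 22)):
        print(pkt, "->", verdict(pkt))
```

The second probe shows the point of the host-specific DEST column: HTTP to the web server at 192.0.2.11 is accepted, while the same traffic to any other dmz address falls through to the net to dmz DROP policy.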

The next file to edit is the proxyarp file. It must contain all the IPs of the KVM machines running on the host node. The syntax of the file looks like this:

#ADDRESS	INTERFACE	EXTERNAL	HAVEROUTE	PERSISTENT 
192.0.2.11	vmbr0		eth0		no		yes 
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE 

The Shorewall documentation explains what this file is and why you need it. To read more about it, visit the Shorewall site.

The last file to edit is the masq file. It contains the information for setting up masquerading (SNAT), which allows you to assign private IPs to virtual machines and still have them access the Internet. The syntax of the file looks like this:

#INTERFACE		SOURCE		ADDRESS		PROTO	PORT(S)	IPSEC	MARK 
eth0			10.1.1.0/24 
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE

The file above says to NAT all addresses in 10.1.1.0/24 to whatever address eth0 has. In this example a virtual machine with an IP of 10.1.1.2 can be created in Proxmox and will be able to access the Internet. You can also add a rule to your rules file to reach services running on that host using DNAT. From the Shorewall documentation:

The general form of a simple port forwarding rule in /etc/shorewall/rules is:

#ACTION   SOURCE    DEST                                           PROTO       DEST PORT(S)
DNAT      net       loc:<server local IP address>[:<server port>]  <protocol>  <port>

So to allow a web server running on 10.1.1.2 the rule would look like this:

#ACTION   SOURCE    DEST             PROTO     DEST PORT(S)
Web(DNAT) net       dmz:10.1.1.2

This example uses a Shorewall macro; you can learn more about those on the Shorewall website.

Final Notes

Shorewall is a very powerful configuration tool. This document gives only a very basic overview of what can be done with Shorewall and how to integrate it with Proxmox. Two helpful commands when changing your firewall configuration are shorewall check and shorewall try /etc/shorewall 60. The first checks the basic syntax of the files and makes sure that you don't have any obvious typos. The second runs the new firewall configuration for 60 seconds so that you can test your changes without accidentally breaking something for more than 60 seconds.

Hopefully this gives a good overview of using Shorewall with Proxmox. If you have questions, leave me a comment.

Andrew Niemantsverdriet
Linux Systems Administrator
Rocky Mountain College
andrew@rocky.edu


Adding Veth0

Many months on, my Shorewall setup is working very well. I'm quite happy with it, thanks to you.

However, I need to install a veth0 interface on a VMachine. Since this is one of the few places that understand the above configuration, I would like to ask the following question: if I issue
vzctl set 101 --netif_add eth0 --save
from the host machine, what would the resulting IP address be for the new eth0 interface on the VMachine, and how would it be routed out to the Internet? Many thanks.


Nice article, but how would

Nice article, but how would you add a LAN zone, assuming you need to bridge the LAN zone with an additional eth interface? For example, if you want VMs on LAN, which use broadcasts.


LAN zone

You may want to read this for context: proxmox-ve-with-shorewall-part2.html

You would just add another zone and an entry in the interfaces file; from there the configuration is fairly straightforward.

_
/-\ ndrew


Excellent! It worked great

Excellent! It worked great for me. Thanks.


proxmox firewall config errors

Dear Sir:

I tried following your install instructions but I'm having a few problems with it ... maybe because some of these things are assumed we "should know" or whatever, but it left me hanging in mid air.

You say, for example, to modify the Proxmox file and to "break the bridge", but you don't say exactly how to do it, and where do all the other code additions go .... in the shorewall config file, interfaces ???? That's where I'm confused. Please let me know ASAP so I can get this firewall working. Thanks.


Error

I'm receiving this error, any idea what it could be?

Checking...
Initializing...
Determining Zones...
IPv4 Zones: net loc
Firewall Zone: fw
Validating interfaces file...
ERROR: Invalid zone (dmz) in record "dmz venet0 detect routeback"
Terminated


More information is needed

Could you show what is in the zones file (cat /etc/shorewall/zones)? Also please post the output of ifconfig.

_
/-\ ndrew


Same problems (installed proxmox 1.5)

Hello,
I have the same issue. It would be great if you could help me. Thanks in advance.

My zones are defined as you did:

###############################################################################
#ZONE TYPE OPTIONS IN OUT
# OPTIONS OPTIONS
fw firewall
net ipv4
loc ipv4

and my ifconfig reports:

th0 Link encap:Ethernet HWaddr 00:25:90:04:a8:d8
inet addr:178.162.19.156 Bcast:178.162.19.255 Mask:255.255.255.0
inet6 addr: fe80::225:90ff:fe04:a8d8/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:306238 errors:0 dropped:0 overruns:0 frame:0
TX packets:99717 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:30358043 (28.9 MiB) TX bytes:51214424 (48.8 MiB)
Memory:fbce0000-fbd00000

eth0:1 Link encap:Ethernet HWaddr 00:25:90:04:a8:d8
inet addr:95.168.18.25 Bcast:95.168.18.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
Memory:fbce0000-fbd00000

eth0:2 Link encap:Ethernet HWaddr 00:25:90:04:a8:d8
inet addr:84.16.26.67 Bcast:84.16.26.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
Memory:fbce0000-fbd00000

lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:37973 errors:0 dropped:0 overruns:0 frame:0
TX packets:37973 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:13712072 (13.0 MiB) TX bytes:13712072 (13.0 MiB)

venet0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
UP BROADCAST POINTOPOINT RUNNING NOARP MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)

vmbr0 Link encap:Ethernet HWaddr 00:00:00:00:00:00
inet addr:10.254.254.254 Bcast:10.255.255.255 Mask:255.0.0.0
inet6 addr: fe80::200:ff:fe00:0/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:6 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:0 (0.0 B) TX bytes:468 (468.0 B)

vmtab101i0 Link encap:Ethernet HWaddr ba:27:da:b8:f5:c5
inet6 addr: fe80::b827:daff:feb8:f5c5/64 Scope:Link
UP BROADCAST RUNNING PROMISC MULTICAST MTU:1500 Metric:1
RX packets:8077 errors:0 dropped:0 overruns:0 frame:0
TX packets:184299 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:500
RX bytes:637247 (622.3 KiB) TX bytes:10804445 (10.3 MiB)

vmtab102i0 Link encap:Ethernet HWaddr fa:29:c0:4e:93:86
inet6 addr: fe80::f829:c0ff:fe4e:9386/64 Scope:Link
UP BROADCAST RUNNING PROMISC MULTICAST MTU:1500 Metric:1
RX packets:1705 errors:0 dropped:0 overruns:0 frame:0
TX packets:185621 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:500
RX bytes:180593 (176.3 KiB) TX bytes:10909931 (10.4 MiB)

vmtab103i0 Link encap:Ethernet HWaddr 7a:ae:bd:d4:66:36
inet6 addr: fe80::78ae:bdff:fed4:6636/64 Scope:Link
UP BROADCAST RUNNING PROMISC MULTICAST MTU:1500 Metric:1
RX packets:8333 errors:0 dropped:0 overruns:0 frame:0
TX packets:179627 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:500
RX bytes:350850 (342.6 KiB) TX bytes:10589480 (10.0 MiB)

