See also this OpenVZ Forum posting - http://forum.openvz.org/index.php?t=msg&goto=16406&
== Setting up a HN-based firewall == This setup emulates (to the containers anyway) an external hardware firewall. It protects the HN from any access and then defines what services and ports are allowed/banned for individual containers. This leaves the firewall controlled by the site administrator, not be individual containers and the hackers whoYou've gotten into them. ;) First off, let's disable Fedora's existing <code>iptables</code> service:<pre>service iptables stopchkconfig iptables off</pre> Now create the new <code>firewall</code> service. This code should be <code>/etc/init.d/firewall</code> and then should be chmod'd 755.<pre>#!/bin/sh# firewall Start iptables firewall# chkconfig: 2345 97 87# description: Starts, stops and saves iptables firewall# This script sets up the firewall for the INPUT chain (which is for# the HN itself) and then processes the config files under# /etc/firewall.d to set up additional rules got it in the FORWARD chain# to allow access to containers' servicesone. . /etc/init.d/functions # the IP block allocated to this serverSEGMENT="192.168.0.0/24"# the IP used by the hosting server itselfTHISHOST="192.168.0.1"# services that should be allowed to the HN;# services for containers are configured in /etc/firewall.d/*OKPORTS="53"# hosts allowed full access through the firewall,# to all containers and to this serverDMZS="12.34.56.78 90.123.45.67" purge() { echo -n "Firewall: Purging and allowing all traffic" iptables -P OUTPUT ACCEPT iptables -P FORWARD ACCEPT iptables -P INPUT ACCEPT iptables -F success ; echo} setup() { echo -n "Firewall: Setting default policies to DROP" iptables -P INPUT DROP iptables -P FORWARD DROP iptables -I INPUT -j ACCEPT -m state --state ESTABLISHED,RELATED iptables -I FORWARD -j ACCEPT -m state --state ESTABLISHED,RELATED iptables -I INPUT -j ACCEPT -i lo iptables -I FORWARD -j ACCEPT --source $SEGMENT success ; echo echo "Firewall: Allowing access to HN" for port in $OKPORTS ; do echo -n " port $port" iptables -I INPUT -j ACCEPT -s $SEGMENT -d $THISHOST --protocol tcp --destination-port $port iptables -I INPUT -j ACCEPT -s $SEGMENT -d $THISHOST --protocol udp --destination-port $port success ; echo done for ip in $DMZS ; do echo -n " DMZ $ip" iptables -I INPUT -i eth0 -j ACCEPT -s $ip iptables -I FORWARD -i eth0 -j ACCEPT -s $ip success ; echo done CTSETUPS=`echo /etc/firewall.d/*` if [ "$CTSETUPS" != "/etc/firewall.d/*" ] ; then echo "Firewall: Setting up container firewalls" for i in $CTSETUPS ; do . $i echo -n " $CTNAME CT$CTID" if [ -n "$BANNED" ]; then for source in $BANNED ; do iptables -I FORWARD -j DROP --destination $CTIP --source $source ; done fi if [ -n "$OPENPORTS" ]; then for port in $OPENPORTS ; do iptables -I FORWARD -j ACCEPT --protocol tcp --destination $CTIP --destination-port $port ; done for port in $OPENPORTS ; do iptables -I FORWARD -j ACCEPT --protocol udp --destination $CTIP --destination-port $port ; done fi if [ -n "$DMZS" ]; then for source in $DMZS ; do iptables -I FORWARD -j ACCEPT --protocol tcp --destination $CTIP --source $source ; done for source in $DMZS ; do iptables -I FORWARD -j ACCEPT --protocol udp --destination $CTIP --source $source ; done fi [ $? -eq 0 ] && success || failure echo done fi} case "$1" in start) echo "Starting firewall..." purge setup ;; stop) echo "Stopping firewall..." purge ;; restart) $0 stop $0 start ;; status) iptables -n -L ;; *) echo "Usage: $0 <start|stop|restart|status>" ;;esac</pre> Note: This will only allow access to the HN from the hosts/networks defined in SEGMENT. If you'd like to open up the OKPORTS on the HN to everybody, you can remove the ''-s $SEGMENT'' parameters from the iptables commands under the "Firewall: Allowing access to HN" section. The modified lines would look like this: <pre>iptables -I INPUT -j ACCEPT -d $THISHOST --protocol tcp --destination-port $portiptables -I INPUT -j ACCEPT -d $THISHOST --protocol udp --destination-port $port</pre> The above script can be called like this:<pre>service firewall startservice firewall stopservice firewall restartservice firewall status</pre> It will set up the firewall for the HN according to the parameters you specified for OKPORTS, DMZs, etc. and then it will call each file under /etc/firewall.d and process its configuration. So create a file under /etc/firewall.d The exact filename isnCouldn't important, as long as have put it's meaningful to you, e.g. <code>ExampleCompany</code> or <code>ve12</code> and give it content like this: <pre># This file is processed by /etc/init.d/firewallCTID="1" # the container's ID#CTNAME="Customer1" # A human-friendly label for the containerCTIP="192.168.1.34" # the IP address for this container OPENPORTS="80 443" # ports that should be universally opened # to the entire InternetDMZS="1.2.3.0/24 5.6.7.8/32" # IPs and blocks that should have full access # to the container's servicesBANNED="" # IPs and blocks that should be entirely # blocked from the container's services</pre> And there you go. Go ahead and start the firewall and check its status:<pre>service firewall restartservice firewall status</pre> As you can see, you can now add and edit the configurations for individual containers very easily. This method proves a lot easier to manage than Fedora's iptables-config mechamism! To make the firewall service automatically start when the HN boots, run<pre>chkconfig --add firewall</pre> === Debian Notes === The setup above works fine for Debian as well, however /etc/init.d/functions is missing. Here is a very simple version that you can use: # /etc/init.d/functions success() { echo -n "...success" } failure() { echo -n "..betetr.failure" }
== Setting up a firewall that allows per-container configuration ==
