
Setting up an iptables firewall

4 bytes added, 12:55, 11 March 2008
VE->CT, 80-cols limit in scripts
The scripts and pathnames given here are for Fedora Core 6, though they can probably be applied to most similar SysV-like systems with little modification.
 
== A little background ==
<pre>
#!/bin/sh
# chkconfig: 2345 08 92
# description: Starts, stops and saves iptables firewall
#
# This script sets up the firewall for the INPUT chain (which is for
# the HN itself) and then processes the config files under
# /etc/firewall.d to set up additional rules in the FORWARD chain
# to allow access to containers' services.

. /etc/init.d/functions

# the IP used by the hosting server itself
THISHOST="192.168.0.1"

# services that should be allowed to the HN;
# services for containers are configured in /etc/firewall.d/*
OKPORTS="53"

# hosts allowed full access through the firewall,
# to all containers and to this server
DMZS="12.34.56.78 90.123.45.67"
GLOBAL_DMZS="$DMZS"   # kept so one config file cannot clobber it for later ones

# (the INPUT-chain rules for the HN itself sit here; they are unchanged
#  in this revision and so are not part of this diff)

CTSETUPS=`echo /etc/firewall.d/*`
if [ "$CTSETUPS" != "/etc/firewall.d/*" ] ; then
    echo "Firewall: Setting up container firewalls"
    for i in $CTSETUPS ; do
        # each config file is executed as shell: keep them root-owned
        # and unwritable from inside the containers
        OPENPORTS="" ; BANNED="" ; DMZS="$GLOBAL_DMZS"
        . $i
        echo -n " $CTNAME CT$CTID"
        if [ -n "$OPENPORTS" ]; then
            for port in $OPENPORTS ; do
                iptables -I FORWARD -j ACCEPT --protocol tcp \
                    --destination $CTIP --destination-port $port
            done
            for port in $OPENPORTS ; do
                iptables -I FORWARD -j ACCEPT --protocol udp \
                    --destination $CTIP --destination-port $port
            done
        fi
        if [ -n "$DMZS" ]; then
            for source in $DMZS ; do
                iptables -I FORWARD -j ACCEPT --protocol tcp \
                    --destination $CTIP --source $source
            done
            for source in $DMZS ; do
                iptables -I FORWARD -j ACCEPT --protocol udp \
                    --destination $CTIP --source $source
            done
        fi
        # Inserted last on purpose: every rule goes to the top of FORWARD
        # (-I), so the DROP rules must be added after the ACCEPT rules to
        # be evaluated before them; otherwise a banned host still reaches
        # the OPENPORTS services.
        if [ -n "$BANNED" ]; then
            for source in $BANNED ; do
                iptables -I FORWARD -j DROP \
                    --destination $CTIP --source $source
            done
        fi
    done
fi
[ $? -eq 0 ] && success || failure
</pre>
<pre>
# This file is processed by /etc/init.d/firewall
CTID="1"                        # the container's ID
CTNAME="Customer1"              # a human-friendly label for the container
CTIP="192.168.1.34"             # the IP address for this container
OPENPORTS="80 443"              # ports that should be universally opened
                                # to the entire Internet
DMZS="1.2.3.0/24 5.6.7.8/32"    # IPs and blocks that should have full access
                                # to the container's services
BANNED=""                       # IPs and blocks that should be entirely
                                # blocked from the container's services
</pre>
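Because every rule in the init script is inserted at the top of the FORWARD chain with -I, the order in which the OPENPORTS, DMZS and BANNED blocks run decides which rule wins for a given packet. The dry-run script below is an added example, not the wiki page's own script and not part of OpenVZ: it sources one config file in the format shown above, checks that CTIP and the ports look sane, and prints the iptables commands it would run in the order they would be evaluated (set IPTABLES=iptables to apply them for real). The IPTABLES variable, the functions container_rules and sample_config, and the sample config values are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not the wiki page's own script): build the FORWARD-chain
# rules for one /etc/firewall.d-style container config without touching the
# kernel, so the resulting rule order can be inspected before it is applied.
# IPTABLES defaults to "echo iptables" (dry run); set IPTABLES=iptables to
# really insert the rules.  The config format and the sample values below
# are constructed for this example.

IPTABLES="${IPTABLES:-echo iptables}"

# Sourcing a config file executes it as shell, so such files must be
# root-owned and never writable from inside a container.
# Rules are appended with -A, so they are evaluated in the order emitted:
# BANNED drops first, then DMZ hosts, then universally open ports.  Had the
# BANNED block run first with -I, its DROP rules would sit *below* the
# OPENPORTS ACCEPT rules and a banned host could still reach port 80.
container_rules() {
    CTID="" CTNAME="" CTIP="" OPENPORTS="" DMZS="" BANNED=""   # no leakage between files
    . "$1"
    case "$CTIP" in
        ""|*[!0-9./]*) echo "$1: CTIP missing or not an IPv4 address" >&2; return 1 ;;
    esac
    for source in $BANNED ; do
        $IPTABLES -A FORWARD -d "$CTIP" -s "$source" -j DROP
    done
    for source in $DMZS ; do
        $IPTABLES -A FORWARD -p tcp -d "$CTIP" -s "$source" -j ACCEPT
        $IPTABLES -A FORWARD -p udp -d "$CTIP" -s "$source" -j ACCEPT
    done
    for port in $OPENPORTS ; do
        case "$port" in
            ""|*[!0-9]*) echo "$1: bad port '$port'" >&2; return 1 ;;
        esac
        $IPTABLES -A FORWARD -p tcp -d "$CTIP" --dport "$port" -j ACCEPT
        $IPTABLES -A FORWARD -p udp -d "$CTIP" --dport "$port" -j ACCEPT
    done
}

# Constructed sample config in the page's format, written to the path in $1.
sample_config() {
    cat > "$1" <<'EOF'
CTID="1"
CTNAME="Customer1"
CTIP="192.168.1.34"
OPENPORTS="80 443"
DMZS="1.2.3.0/24 5.6.7.8/32"
BANNED="9.9.9.9"
EOF
}

# Dry run: show the rules the sample config would produce, DROP first.
tmp=$(mktemp)
sample_config "$tmp"
container_rules "$tmp"
rm -f "$tmp"
```

These ACCEPT rules only restrict anything if the FORWARD chain's policy (or a trailing rule) drops everything else; the example does not set that, just as the page's fragment does not show it. And because each file is executed by the dot command, /etc/firewall.d and its contents must be root-owned and unwritable from inside any container, or a container could get commands run as root on the HN at the next firewall restart.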
== Setting up a firewall that allows per-container configuration ==
This setup configures iptables on the HN so that the HN itself accepts no connections from any host, the containers included, but forwards all traffic to the containers unfiltered, so that each container can define its own iptables rules and manage its own firewall. A container can only use the netfilter modules the HN has enabled for it (the IPTABLES setting in the container's config or in /etc/vz/vz.conf), so check that before relying on per-container firewalls.
<code>This content is missing. You are invited to fill it in, if you get to it before I do. :)</code>
 
 
== See also ==
