Changes

# This script sets up the firewall for the INPUT chain (which is for # the HN itself)# and then processes the config files under # /etc/firewall.d to set up additional rules# in the FORWARD chain # to allow access to containers' services.

# services that should be allowed to the HN; # services for containers are configured in /etc/firewall.d/*

# hosts allowed full access through the firewall, # to all containers and to this server

VESETUPSCTSETUPS=`echo /etc/firewall.d/*` if [ "$VESETUPSCTSETUPS" != "/etc/firewall.d/*" ] ; then echo "Firewall: Setting up VE container firewalls" for i in $VESETUPS CTSETUPS ; do

echo -n " $VENAME VECTNAME CT$CTID"

for source in $BANNED ; do iptables -I FORWARD -j DROP --destination $VEIP CTIP --source $source ; done

for port in $OPENPORTS ; do iptables -I FORWARD -j ACCEPT --protocol tcp --destination $VEIP CTIP --destination-port $port ; done for port in $OPENPORTS ; do iptables -I FORWARD -j ACCEPT --protocol udp --destination $VEIP CTIP --destination-port $port ; done

for source in $DMZS ; do iptables -I FORWARD -j ACCEPT --protocol tcp --destination $VEIP CTIP --source $source ; done for source in $DMZS ; do iptables -I FORWARD -j ACCEPT --protocol udp --destination $VEIP CTIP --source $source ; done

CTID="1" # the VEcontainer's ID#VENAMECTNAME="Customer1" # A human-friendly label for the VEcontainerVEIPCTIP="192.168.1.34" # the IP address for this VEcontainer OPENPORTS="80 443" # ports that should be universally opened # to the entire InternetDMZS="1.2.3.0/24 5.6.7.8/32" # IPs and blocks that should have full access # to the VEcontainer's servicesBANNED="" # IPs and blocks that should be entirely # blocked from the VEcontainer's services

== Setting up a firewall that allows per-VE container configuration ==