This document consists of two parts. The first is setting up a firewall (using iptables) on the HN, which will restrict traffic to the VEs. The effect would emulate, as far as the VEs and their customers are concerned, an external hardware firewall controlled by the sysadmin. The second is setting up a firewall that protects the HN itself but still allows traffic to the VEs, thus allowing individual VEs to define their own iptables.
Setting up a HN-based firewall
Setting up a firewall that allows per-VE configuration
Although it is possible to use iptables within each VE individually, I've not been able to get this to work reliably, but more importantly we simply don't trust our customers to effectively manage their own firewalls and prefer to keep these many firewalls consolidated into one place. As such, this content is missing. You are invited to fill it in, if you get to it before I do. :)