
OpenVZ Virtuozzo Containers Wiki β

Changes

Setting up an iptables firewall

10 bytes added, 13:15, 10 October 2013
The exception to this is the nameserver, which we want open to the world. We use it as a caching nameserver for our containers and also to host DNS for a few customer domains.
== Simple firewall configuration independent of IP addresses: vzfirewall ==
The <code>vzfirewall</code> tool allows you to open or close ports for incoming connections without depending on foreign IP addresses. For example, you may allow the host <code>release.prod.example.com</code> to connect to port 5432 of VE 1234 and leave all other ports closed by adding a multiline <code>FIREWALL</code> directive to the <code>1234.conf</code> file:
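The configuration block itself did not survive extraction of this page. The script below is an added example, not text from the wiki or code from the vzfirewall project: it writes a constructed <code>1234.conf</code> for the scenario just described (only <code>release.prod.example.com</code> may reach port 5432, everyone may reach 80 and 443) and defines a small helper that lists which hosts a <code>FIREWALL</code> directive admits to a given port, so the file can be audited before <code>vzfirewall -a</code> is run. The section syntax used here (a <code>[port,port]</code> or <code>[*]</code> header followed by one allowed host or <code>*</code> per line) is assumed from the dklab vzfirewall documentation; the conf contents and the helper names are constructed for this example.

```shell
#!/bin/sh
# Added example, not part of the wiki page or of vzfirewall itself.
# ASSUMPTION: a FIREWALL directive is a quoted multiline string made of
# "[ports]" headers ([*] = every port) followed by allowed hosts
# (* = any host). The conf written below is CONSTRUCTED sample data.

write_sample_conf() {
  # Constructed 1234.conf: release.prod.example.com may reach 5432,
  # anyone may reach 80 and 443, every other port stays closed.
  cat > "$1" <<'EOF'
VE_ROOT="/vz/root/1234"
FIREWALL="
[5432]
release.prod.example.com
[80,443]
*
"
EOF
}

# Print only the body of the FIREWALL directive: the lines between the
# opening FIREWALL=" line and the closing " line.
fw_body() {
  sed -n '/^FIREWALL="/,/^"/p' "$1" | sed '1d;$d'
}

# vzfw_allowed_hosts CONF PORT
# Print every host permitted to reach PORT, i.e. hosts listed under a
# header that names PORT explicitly or under the [*] (all ports) header.
# Empty output means the port is closed to everyone.
vzfw_allowed_hosts() {
  fw_body "$1" | awk -v port="$2" '
    /^\[.*\]$/ {
      in_section = 0
      list = substr($0, 2, length($0) - 2)      # strip the [ ]
      n = split(list, p, ",")
      for (i = 1; i <= n; i++)
        if (p[i] == port || p[i] == "*") in_section = 1
      next
    }
    NF && in_section { print }'
}

# Stand-alone usage: audit the constructed conf for three ports.
if [ "${VZFW_DEMO:-1}" = "1" ] && [ -z "$VZFW_NO_MAIN" ]; then
  conf=$(mktemp)
  write_sample_conf "$conf"
  for port in 5432 443 22; do
    echo "port $port: $(vzfw_allowed_hosts "$conf" "$port" | tr '\n' ' ')"
  done
  rm -f "$conf"
fi
```

Because the helper only reads the conf, it is safe to run on a production hardware node; it says nothing about what <code>vzfirewall -a</code> will actually install, only what the directive declares.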
You must then run <code>vzfirewall -a</code> on the hardware node to apply the changes made in <code>*.conf</code>.
Note that it is recommended to use hostnames instead of IP addresses here, so the configuration stays valid when a VE is moved to a different IP address: you just need to run <code>vzfirewall -a</code> again after the move. It is also reboot-safe, because the rules are written to <code>/etc/sysconfig/iptables</code> (on RHEL systems).
Vzfirewall and its documentation are available at [http://en.dklab.ru/lib/dklab_vzfirewall/ http://en.dklab.ru/lib/dklab_vzfirewall/].