Editing Setting up an iptables firewall
Latest revision | Your text | ||
Line 1: | Line 1: | ||
− | This document consists of two parts. The first is setting up a firewall (using iptables) on the | + | This document consists of two parts. The first is setting up a firewall (using iptables) on the HN, which will restrict traffic to the containers. The effect would emulate, as far as the containers and their customers are concerned, an external hardware firewall controlled by the sysadmin. The second is setting up a firewall that protects the HN itself but still allows traffic to the containers, thus allowing individual containers to define their own iptables. |
While the firewalls shown here can be accomplished using iptables manually (or using Fedora core's iptables service), the methods presented here are especially modular and easy to modify. This is important when you have 20+ containers and a lot of other things to be doing... | While the firewalls shown here can be accomplished using iptables manually (or using Fedora core's iptables service), the methods presented here are especially modular and easy to modify. This is important when you have 20+ containers and a lot of other things to be doing... | ||
The scripts and pathnames given here are for Fedora Core 6, though they can probably be applied to most similar SysV-like systems with little modification. | The scripts and pathnames given here are for Fedora Core 6, though they can probably be applied to most similar SysV-like systems with little modification. | ||
+ | |||
== A little background == | == A little background == | ||
Line 10: | Line 11: | ||
The exception to this is the nameserver, which we want open to the world. We use it as a caching nameserver for our containers and also to host DNS for a few customer domain. | The exception to this is the nameserver, which we want open to the world. We use it as a caching nameserver for our containers and also to host DNS for a few customer domain. | ||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
== Setting up a HN-based firewall == | == Setting up a HN-based firewall == | ||
Line 59: | Line 26: | ||
#!/bin/sh | #!/bin/sh | ||
# firewall Start iptables firewall | # firewall Start iptables firewall | ||
− | # chkconfig: 2345 | + | # chkconfig: 2345 08 92 |
# description: Starts, stops and saves iptables firewall | # description: Starts, stops and saves iptables firewall | ||
− | # This script sets up the firewall for the INPUT chain (which is for | + | # This script sets up the firewall for the INPUT chain (which is for the HN itself) |
− | + | # and then processes the config files under /etc/firewall.d to set up additional rules | |
− | + | # in the FORWARD chain to allow access to containers' services. | |
− | |||
− | |||
. /etc/init.d/functions | . /etc/init.d/functions | ||
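Review bot: the restored chkconfig header `# chkconfig: 2345 08 92` gives this script the same 08/92 start/stop priorities as Fedora's stock iptables init script, and the page presents this script as a replacement for that service, so the hunk should also document disabling the stock service (`chkconfig iptables off`) before enabling this one; otherwise both run at boot at the same priority and the last one to load decides which rule set is active. The header comment now says the script handles both the INPUT chain (for the HN) and the FORWARD chain (for the containers), which is clearer than the truncated version, but it does not say what the default policy of either chain is; a one-line comment stating the policy the script sets would let a reader check the later per-VE rules against it.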
Line 73: | Line 38: | ||
# the IP used by the hosting server itself | # the IP used by the hosting server itself | ||
THISHOST="192.168.0.1" | THISHOST="192.168.0.1" | ||
− | # services that should be allowed to the HN; | + | # services that should be allowed to the HN; services for containers are configured in /etc/firewall.d/* |
− | |||
OKPORTS="53" | OKPORTS="53" | ||
− | # hosts allowed full access through the firewall, | + | # hosts allowed full access through the firewall, to all containers and to this server |
− | |||
DMZS="12.34.56.78 90.123.45.67" | DMZS="12.34.56.78 90.123.45.67" | ||
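Review bot: with `OKPORTS="53"` the only service the world can reach on the HN is DNS, which matches the background text about the public nameserver, but nothing in this hunk opens an administrative port, so an admin restarting this service from a host that is not listed in `DMZS` loses the session; the comment on `OKPORTS` should say that remote management of the HN depends on the admin's address being in `DMZS` (or on adding the port here). The comment on `DMZS` promises full access "to all containers and to this server", yet the per-VE config file later in the page sets its own `DMZS=`, and the loop sources each file with `. $i`, so for any container whose file defines `DMZS` the global list is replaced and does not apply to the FORWARD rules; the comment should be narrowed to the HN plus containers whose file leaves `DMZS` unset.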
Line 113: | Line 76: | ||
done | done | ||
− | + | VESETUPS=`echo /etc/firewall.d/*` | |
− | if [ "$ | + | if [ "$VESETUPS" != "/etc/firewall.d/*" ] ; then |
− | echo "Firewall: Setting up | + | echo "Firewall: Setting up VE firewalls" |
− | for i in $ | + | for i in $VESETUPS ; do |
. $i | . $i | ||
− | echo -n " $ | + | echo -n " $VENAME VE$CTID" |
if [ -n "$BANNED" ]; then | if [ -n "$BANNED" ]; then | ||
− | for source in $BANNED ; do iptables -I FORWARD -j DROP --destination $ | + | for source in $BANNED ; do iptables -I FORWARD -j DROP --destination $VEIP --source $source ; done |
fi | fi | ||
if [ -n "$OPENPORTS" ]; then | if [ -n "$OPENPORTS" ]; then | ||
− | for port in $OPENPORTS ; do iptables -I FORWARD -j ACCEPT --protocol tcp --destination $ | + | for port in $OPENPORTS ; do iptables -I FORWARD -j ACCEPT --protocol tcp --destination $VEIP --destination-port $port ; done |
− | for port in $OPENPORTS ; do iptables -I FORWARD -j ACCEPT --protocol udp --destination $ | + | for port in $OPENPORTS ; do iptables -I FORWARD -j ACCEPT --protocol udp --destination $VEIP --destination-port $port ; done |
fi | fi | ||
if [ -n "$DMZS" ]; then | if [ -n "$DMZS" ]; then | ||
− | for source in $DMZS ; do iptables -I FORWARD -j ACCEPT --protocol tcp --destination $ | + | for source in $DMZS ; do iptables -I FORWARD -j ACCEPT --protocol tcp --destination $VEIP --source $source ; done |
− | for source in $DMZS ; do iptables -I FORWARD -j ACCEPT --protocol udp --destination $ | + | for source in $DMZS ; do iptables -I FORWARD -j ACCEPT --protocol udp --destination $VEIP --source $source ; done |
fi | fi | ||
[ $? -eq 0 ] && success || failure | [ $? -eq 0 ] && success || failure | ||
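Review bot: the order of the `iptables -I FORWARD` calls defeats `BANNED`. Each `-I` without a position inserts at the top of the chain, so within one VE the `DROP` rules for `BANNED` are inserted first, then the `OPENPORTS` `ACCEPT` rules land above them, then the `DMZS` `ACCEPT` rules above those; a banned source therefore still reaches every port in `OPENPORTS`, contrary to the config comment "entirely blocked from the VE's services". Move the `BANNED` block after the `DMZS` block (so its `DROP` rules are inserted last and sit on top), or switch to `-A` and write the blocks in the order DROP, ACCEPT. Two smaller points in the same loop: because the files are sourced with `. $i`, a variable a later file omits keeps the previous file's value, so a config without `BANNED=` inherits the last VE's ban list; reset `BANNED`, `OPENPORTS` and `DMZS` to empty at the top of each iteration. And `[ $? -eq 0 ] && success || failure` tests the status of the preceding `fi`, not of the `iptables` calls, which are inside `for` loops, so the status line reports success even when a rule failed to load; accumulate a failure flag inside the loops instead.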
Line 157: | Line 120: | ||
;; | ;; | ||
esac | esac | ||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
</pre> | </pre> | ||
Line 180: | Line 136: | ||
<pre> | <pre> | ||
# This file is processed by /etc/init.d/firewall | # This file is processed by /etc/init.d/firewall | ||
− | CTID="1" | + | CTID="1" # the VE's ID# |
− | + | VENAME="Customer1" # A human-friendly label for the VE | |
− | + | VEIP="192.168.1.34" # the IP address for this VE | |
− | OPENPORTS="80 443" | + | OPENPORTS="80 443" # ports that should be universally opened to the entire Internet |
− | + | DMZS="1.2.3.0/24 5.6.7.8/32" # IPs and blocks that should have full access to the VE's services | |
− | DMZS="1.2.3.0/24 5.6.7.8/32" # IPs and blocks that should have full access | + | BANNED="" # IPs and blocks that should be entirely blocked from the VE's services |
− | |||
− | BANNED="" | ||
− | |||
</pre> | </pre> | ||
− | And there you go. | + | And there you go. Go ahead and start the firewall and check its status: |
− | |||
− | |||
− | |||
− | Go ahead and start the firewall and check its status: | ||
<pre> | <pre> | ||
service firewall restart | service firewall restart | ||
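Review bot: the config file in this hunk is shell that `/etc/init.d/firewall` sources as root (`. $i` in the loop above), so anything written into `/etc/firewall.d/*` executes with root privileges; the comment line at the top of the example should state that these files must be owned by root and not writable by anyone else, and that only simple `NAME="value"` assignments belong in them. The example also illustrates the right practice of defining all six variables, `BANNED=""` included, even when empty; the text should make that a requirement rather than an example, since a file that omits a variable inherits it from whichever file was sourced before it. Finally, `DMZS="1.2.3.0/24 5.6.7.8/32"` here replaces the global `DMZS` defined earlier in the init script for this VE's FORWARD rules, which the global comment does not mention.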
Line 203: | Line 152: | ||
As you can see, you can now add and edit the configurations for individual containers very easily. This method proves a lot easier to manage than Fedora's iptables-config mechamism! | As you can see, you can now add and edit the configurations for individual containers very easily. This method proves a lot easier to manage than Fedora's iptables-config mechamism! | ||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | + | == Setting up a firewall that allows per-VE configuration == | |
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | == Setting up a firewall that allows per- | ||
This setup configures iptables on the HN to disallow access to all hosts, including the containers. However, it allows all traffic into the containers so they may define their own iptables rules and therefore manage their own firewall. | This setup configures iptables on the HN to disallow access to all hosts, including the containers. However, it allows all traffic into the containers so they may define their own iptables rules and therefore manage their own firewall. | ||
− | < | + | <code>This content is missing. You are invited to fill it in, if you get to it before I do. :)</code> |
− | |||
− | |||
− | |||
− | |||
− | This | ||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | </ | ||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
== See also == | == See also == | ||
* [[Traffic accounting with iptables]] | * [[Traffic accounting with iptables]] | ||
− | |||
[[Category: Networking]] | [[Category: Networking]] |
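Review bot: the restored second section, "Setting up a firewall that allows per-VE configuration", still consists of the placeholder `<code>This content is missing. ...</code>`, while the introduction at the top of the page describes the document as having two parts; either the heading should be marked as a stub or the section should at least state the FORWARD-chain policy this mode uses, since the one descriptive line says all traffic is passed into the containers, which means the `/etc/firewall.d/*` rules from the first section no longer restrict them and each container must carry its own iptables rules. Also, "mechamism" in the unchanged line above the heading should read "mechanism".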