Editing Setting up an iptables firewall
Warning: You are not logged in. Your IP address will be publicly visible if you make any edits. If you log in or create an account, your edits will be attributed to your username, along with other benefits.
The edit can be undone.
Please check the comparison below to verify that this is what you want to do, and then save the changes below to finish undoing the edit.
Latest revision | Your text | ||
Line 1: | Line 1: | ||
− | This document consists of two parts. The first is setting up a firewall (using iptables) on the | + | This document consists of two parts. The first is setting up a firewall (using iptables) on the HN, which will restrict traffic to the containers. The effect would emulate, as far as the containers and their customers are concerned, an external hardware firewall controlled by the sysadmin. The second is setting up a firewall that protects the [[HN]] itself but still allows traffic to the containers, thus allowing individual containers to define their own iptables. |
While the firewalls shown here can be accomplished using iptables manually (or using Fedora core's iptables service), the methods presented here are especially modular and easy to modify. This is important when you have 20+ containers and a lot of other things to be doing... | While the firewalls shown here can be accomplished using iptables manually (or using Fedora core's iptables service), the methods presented here are especially modular and easy to modify. This is important when you have 20+ containers and a lot of other things to be doing... | ||
Line 11: | Line 11: | ||
The exception to this is the nameserver, which we want open to the world. We use it as a caching nameserver for our containers and also to host DNS for a few customer domain. | The exception to this is the nameserver, which we want open to the world. We use it as a caching nameserver for our containers and also to host DNS for a few customer domain. | ||
− | == Simple firewall configuration independent | + | == Simple firewall configuration independent to IP addresses: vzfirewall == |
− | + | ''Vzfirewall'' tool allows you to open/close ports for incoming connections with no dependencies to foreign IP addresses. E.g. you may allow a hostname ''release.prod.example.com'' to connect to port 5432 of VE 1234 and leave all other ports closed by modifying 1234.conf file adding multiline ''FIREWALL'' directive into it: | |
<pre> | <pre> | ||
Line 22: | Line 22: | ||
FIREWALL=" | FIREWALL=" | ||
... | ... | ||
− | # Allow access to PostgreSQL port only from release.prod | + | # Allow access to PostgreSQL port only from release.prod machine. |
− | # | + | # Note that you may use domain names here. |
[5432] | [5432] | ||
release.prod.example.com | release.prod.example.com | ||
Line 31: | Line 31: | ||
</pre> | </pre> | ||
− | You must then run | + | You must then run ''vzfirewall -a'' on your hardware node to apply changes made in *.conf. |
− | Note that it is recommended to use hostnames instead of IP addresses here, so the configuration is persistent | + | Note that it is recommended to use hostnames instead of IP addresses here, so the configuration is persistent fore VE movements to different IP-address. |
− | Vzfirewall and its documentation | + | Vzfirewall and its documentation tool is available at [http://en.dklab.ru/lib/dklab_vzfirewall/ http://en.dklab.ru/lib/dklab_vzfirewall/]. |
== An alternative from the author of Shorewall == | == An alternative from the author of Shorewall == | ||
Line 59: | Line 59: | ||
#!/bin/sh | #!/bin/sh | ||
# firewall Start iptables firewall | # firewall Start iptables firewall | ||
− | # chkconfig: 2345 | + | # chkconfig: 2345 08 92 |
# description: Starts, stops and saves iptables firewall | # description: Starts, stops and saves iptables firewall | ||
# This script sets up the firewall for the INPUT chain (which is for | # This script sets up the firewall for the INPUT chain (which is for | ||
Line 65: | Line 65: | ||
# /etc/firewall.d to set up additional rules in the FORWARD chain | # /etc/firewall.d to set up additional rules in the FORWARD chain | ||
# to allow access to containers' services. | # to allow access to containers' services. | ||
− | |||
. /etc/init.d/functions | . /etc/init.d/functions | ||
Line 191: | Line 190: | ||
</pre> | </pre> | ||
− | And there you go. | + | And there you go. Go ahead and start the firewall and check its status: |
− | |||
− | |||
− | |||
− | Go ahead and start the firewall and check its status: | ||
<pre> | <pre> | ||
service firewall restart | service firewall restart | ||
Line 240: | Line 235: | ||
If you do not, you will get an error like this: "iptables: No chain/target/match by that name" | If you do not, you will get an error like this: "iptables: No chain/target/match by that name" | ||
− | |||
If you want to use stateful firewall rules (and you should!) you will also need to make sure that 'ipt_state' is in the 'IPTABLES' option in your vz.conf file: | If you want to use stateful firewall rules (and you should!) you will also need to make sure that 'ipt_state' is in the 'IPTABLES' option in your vz.conf file: | ||
Line 253: | Line 247: | ||
modprobe xt_state | modprobe xt_state | ||
</pre> | </pre> | ||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
== See also == | == See also == | ||
* [[Traffic accounting with iptables]] | * [[Traffic accounting with iptables]] | ||
− | |||
[[Category: Networking]] | [[Category: Networking]] |