Editing Setting up an iptables firewall
Latest revision | Your text | ||
Line 1: | Line 1: | ||
− | This document consists of two parts. The first is setting up a firewall (using iptables) on the | + | This document consists of two parts. The first is setting up a firewall (using iptables) on the HN, which will restrict traffic to the containers. The effect would emulate, as far as the containers and their customers are concerned, an external hardware firewall controlled by the sysadmin. The second is setting up a firewall that protects the [[HN]] itself but still allows traffic to the containers, thus allowing individual containers to define their own iptables. |
While the firewalls shown here can be accomplished using iptables manually (or using Fedora core's iptables service), the methods presented here are especially modular and easy to modify. This is important when you have 20+ containers and a lot of other things to be doing... | While the firewalls shown here can be accomplished using iptables manually (or using Fedora core's iptables service), the methods presented here are especially modular and easy to modify. This is important when you have 20+ containers and a lot of other things to be doing... | ||
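Review bot: in the restored intro (right column, first line) the first mention of HN is unlinked while the second is [[HN]]; move the link to the first occurrence, where a reader meets the term. The two setups also differ in who is trusted, and the paragraph should say so since it frames the choice: in the first, the policy lives on the HN and a container owner cannot weaken it; in the second, the HN only protects itself and each container is trusted to maintain its own iptables rules.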
Line 5: | Line 5: | ||
The scripts and pathnames given here are for Fedora Core 6, though they can probably be applied to most similar SysV-like systems with little modification. | The scripts and pathnames given here are for Fedora Core 6, though they can probably be applied to most similar SysV-like systems with little modification. | ||
− | == | + | Writing has enabled me to help others bring forth their own desire to self-advocate for the Earth. , <a href="http//members.multimania.co.uk/twisnetranews/texmexbeachbabesyucatan02.mov.html">texmexbeachbabesyucatan02.mov</a>, [url="http//members.multimania.co.uk/twisnetranews/texmexbeachbabesyucatan02.mov.html"]texmexbeachbabesyucatan02.mov[/url], http//members.multimania.co.uk/twisnetranews/texmexbeachbabesyucatan02.mov.html texmexbeachbabesyucatan02.mov, lvq, |
− | + | == Simple firewall configuration independent to IP addresses: vzfirewall == | |
− | + | <code>Vzfirewall</code> tool allows you to open/close ports for incoming connections with no dependencies to foreign IP addresses. E.g. you may allow a hostname <code>release.prod.example.com</code> to connect to port 5432 of VE 1234 and leave all other ports closed by modifying <code>1234.conf</code> file adding multiline <code>FIREWALL</code> directive into it: | |
− | |||
− | |||
− | |||
− | <code>Vzfirewall</code> tool allows you to open/close ports for incoming connections with no dependencies to foreign IP addresses. E.g. you may allow a hostname <code>release.prod.example.com</code> to connect to port 5432 of VE 1234 and leave all other ports closed by modifying <code>1234.conf</code> file adding multiline <code>FIREWALL</code> | ||
<pre> | <pre> | ||
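Review bot: the right column of this hunk carries link spam, the "Writing has enabled me to help others..." sentence with three copies of the members.multimania.co.uk/twisnetranews/... link; it is unrelated to the article and must be removed before saving, otherwise the undo re-publishes it. The rest of the hunk, restoring the "== Simple firewall configuration ... vzfirewall ==" heading and the vzfirewall paragraph under it, is fine; while touching it, "independent to IP addresses" should read "independent of IP addresses", and "with no dependencies to foreign IP addresses" should read "without depending on the remote hosts' IP addresses".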
Line 33: | Line 29: | ||
You must then run <code>vzfirewall -a</code> on your hardware node to apply changes made in <code>*.conf</code>. | You must then run <code>vzfirewall -a</code> on your hardware node to apply changes made in <code>*.conf</code>. | ||
− | Note that it is recommended to use hostnames instead of IP addresses here, so the configuration is persistent for VE movements to different IP-address: you just need to run <code>vzfirewall -a</code> again after movement. It is also reboot-safe, | + | Note that it is recommended to use hostnames instead of IP addresses here, so the configuration is persistent for VE movements to different IP-address: you just need to run <code>vzfirewall -a</code> again after movement. It is also reboot-safe, because applied to <code>/etc/sysconfig/iptables</code> (at RHEL systems). |
Vzfirewall and its documentation are available at [http://en.dklab.ru/lib/dklab_vzfirewall/ http://en.dklab.ru/lib/dklab_vzfirewall/]. | Vzfirewall and its documentation are available at [http://en.dklab.ru/lib/dklab_vzfirewall/ http://en.dklab.ru/lib/dklab_vzfirewall/]. | ||
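Review bot: the reboot-safe claim appended to the "Note that it is recommended..." paragraph needs two caveats. Rules written to /etc/sysconfig/iptables are only restored at boot when the iptables service is enabled (chkconfig iptables on), so that precondition should be stated. And because hostnames such as release.prod.example.com are resolved to addresses at the moment `vzfirewall -a` runs, the rule is only as trustworthy as that DNS answer, and a later change of the host's address is not picked up until the command is run again, the same way the text already requires after a VE move. Grammar: "because applied to ... (at RHEL systems)" should read "because the rules are written to /etc/sysconfig/iptables (on RHEL systems)".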
Line 59: | Line 55: | ||
#!/bin/sh | #!/bin/sh | ||
# firewall Start iptables firewall | # firewall Start iptables firewall | ||
− | # chkconfig: 2345 | + | # chkconfig: 2345 08 92 |
# description: Starts, stops and saves iptables firewall | # description: Starts, stops and saves iptables firewall | ||
# This script sets up the firewall for the INPUT chain (which is for | # This script sets up the firewall for the INPUT chain (which is for | ||
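Review bot: the right column's "# chkconfig: 2345 08 92" is the correct header; the left column's "# chkconfig: 2345" lacks the start and stop priorities, so `chkconfig --add firewall` would not accept the script. 08/92 matches the ordering of the stock iptables service, which brings the INPUT policy up before the network interfaces and the containers, so no window exists in which the HN is reachable unfiltered; keep the start number low so that ordering is preserved.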
Line 65: | Line 61: | ||
# /etc/firewall.d to set up additional rules in the FORWARD chain | # /etc/firewall.d to set up additional rules in the FORWARD chain | ||
# to allow access to containers' services. | # to allow access to containers' services. | ||
− | |||
. /etc/init.d/functions | . /etc/init.d/functions | ||
Line 191: | Line 186: | ||
</pre> | </pre> | ||
− | And there you go. | + | And there you go. Go ahead and start the firewall and check its status: |
− | |||
− | |||
− | |||
− | Go ahead and start the firewall and check its status: | ||
<pre> | <pre> | ||
service firewall restart | service firewall restart | ||
Line 240: | Line 231: | ||
If you do not, you will get an error like this: "iptables: No chain/target/match by that name" | If you do not, you will get an error like this: "iptables: No chain/target/match by that name" | ||
− | |||
If you want to use stateful firewall rules (and you should!) you will also need to make sure that 'ipt_state' is in the 'IPTABLES' option in your vz.conf file: | If you want to use stateful firewall rules (and you should!) you will also need to make sure that 'ipt_state' is in the 'IPTABLES' option in your vz.conf file: | ||
Line 253: | Line 243: | ||
modprobe xt_state | modprobe xt_state | ||
</pre> | </pre> | ||
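Review bot: the vz.conf instruction names "ipt_state" in the IPTABLES option while the modprobe at the end of this hunk loads "xt_state"; these are the old and new names of the same module (xt_state keeps an ipt_state alias), and the text should say so, otherwise a reader will think one of the two is missing. It would also help to tie the "No chain/target/match by that name" error quoted just above to its cause here: it is exactly what stateful (-m state) rules produce inside a container when the module is not in the container's allowed list.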
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
== See also == | == See also == | ||
* [[Traffic accounting with iptables]] | * [[Traffic accounting with iptables]] | ||
− | |||
[[Category: Networking]] | [[Category: Networking]] |