Changes

Setting up an iptables firewall

1,093 bytes added, 21:52, 13 July 2019
Moved link to HN definition at its first occurrence, for anyone confused by the acronym
This document consists of two parts. The first is setting up a firewall (using iptables) on the [[HN]], which will restrict traffic to the containers. The effect would emulate, as far as the containers and their customers are concerned, an external hardware firewall controlled by the sysadmin. The second is setting up a firewall that protects the [[HN]] itself but still allows traffic to the containers, thus allowing individual containers to define their own iptables.
While the firewalls shown here can be set up with iptables manually (or with Fedora Core's iptables service), the methods presented here are especially modular and easy to modify. This matters when you have 20+ containers and a lot of other things to be doing...
The exception to this is the nameserver, which we want open to the world. We use it as a caching nameserver for our containers and also to host DNS for a few customer domains.
== Simple firewall configuration independent of IP addresses: vzfirewall ==
The <code>vzfirewall</code> tool allows you to open/close ports for incoming connections with no dependency on foreign IP addresses. E.g. you may allow the host <code>release.prod.example.com</code> to connect to port 5432 of VE 1234 and leave all other ports closed by editing the <code>1234.conf</code> file and adding a multiline <code>FIREWALL</code> directive to it:
<pre>
FIREWALL="
...
# Allow access to the PostgreSQL port only from the release.prod machine.
# Note that you may use domain names here.
[5432]
release.prod.example.com
</pre>
You must then run <code>vzfirewall -a</code> on your hardware node to apply the changes made in <code>*.conf</code>.
Note that it is recommended to use hostnames instead of IP addresses here, so the configuration stays valid when a VE moves to a different IP address: you just need to run <code>vzfirewall -a</code> again after the move. It is also reboot-safe, as the rules are written to <code>/etc/sysconfig/iptables</code> (on RHEL systems).
Vzfirewall and its documentation are available at [http://en.dklab.ru/lib/dklab_vzfirewall/ http://en.dklab.ru/lib/dklab_vzfirewall/].
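To make the <code>FIREWALL</code> directive concrete, here is an added dry-run generator (written for this page, not code from the vzfirewall project) that parses a directive in the format shown above and prints the FORWARD-chain rules a hardware node would need for one container. The section syntax (<code>[port]</code> followed by allowed sources, <code>#</code> comments) is taken from the snippet above; the rule shape, the <code>gen_rules</code>/<code>resolve_src</code> names and the sample addresses are assumptions. Names are resolved with <code>getent</code>, and an unresolvable name is reported and skipped rather than silently dropped, which is the failure mode to watch for when rules are keyed on hostnames.

```shell
#!/bin/sh
# Added example, not part of vzfirewall: read a vzfirewall-style FIREWALL
# directive and print (never apply) the matching iptables FORWARD rules.

# resolve_src NAME -> prints IPv4 address(es) for NAME; prints nothing if
# NAME is a hostname that cannot be resolved. IPs/CIDRs pass through as-is.
resolve_src() {
    case "$1" in
        *[!0-9./]*) getent ahostsv4 "$1" 2>/dev/null | awk '{print $1}' | sort -u ;;
        *) printf '%s\n' "$1" ;;
    esac
}

# gen_rules CTIP FIREWALL_TEXT -> prints iptables commands for container CTIP.
# Sections start with "[port]"; each following non-comment line is a source
# allowed to reach that TCP port. Everything not listed is dropped.
gen_rules() {
    ctip=$1
    fw=$2
    printf 'iptables -A FORWARD -d %s -m state --state ESTABLISHED,RELATED -j ACCEPT\n' "$ctip"
    printf '%s\n' "$fw" | {
        port=""
        while IFS= read -r line; do
            line=${line%%#*}                                # strip comments
            line=$(printf '%s' "$line" | tr -d ' \t')       # and whitespace
            [ -z "$line" ] && continue
            case "$line" in
                \[*\])                                      # "[5432]" opens a section
                    port=${line#\[}; port=${port%\]} ;;
                ...) continue ;;                            # elision marker in examples
                *)
                    [ -z "$port" ] && continue              # source before any [port]
                    ips=$(resolve_src "$line")
                    if [ -z "$ips" ]; then
                        echo "warning: cannot resolve '$line' for port $port, skipped" >&2
                        continue
                    fi
                    for ip in $ips; do
                        printf 'iptables -A FORWARD -d %s -p tcp --dport %s -s %s -m state --state NEW -j ACCEPT\n' "$ctip" "$port" "$ip"
                    done ;;
            esac
        done
    }
    printf 'iptables -A FORWARD -d %s -m state --state NEW -j DROP\n' "$ctip"
}

# Usage (constructed sample, on the HN): review the output, then feed it to sh.
#   gen_rules 10.0.0.5 "$(sed -n '/^FIREWALL="/,/^"/p' /etc/vz/conf/1234.conf)"
```

Because the generator only prints commands, it can be diffed against the current ruleset before anything changes; the real tool writes straight to <code>/etc/sysconfig/iptables</code>, so re-running it after a VE moves (as the text recommends) is where a stale hostname would otherwise go unnoticed.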
== An alternative from the author of Shorewall ==
<pre>
#!/bin/sh
# firewall Start iptables firewall
# chkconfig: 2345 97 87
# description: Starts, stops and saves iptables firewall
# This script sets up the firewall for the INPUT chain (which is for
# /etc/firewall.d to set up additional rules in the FORWARD chain
# to allow access to containers' services.
# http://wiki.openvz.org/Setting_up_an_iptables_firewall
. /etc/init.d/functions
</pre>
And there you go. Note: you can only put one IP address in the CTIP variable, but if your container has multiple IP addresses you can create a copy of the file for each address. Go ahead and start the firewall and check its status:
<pre>
service firewall restart
</pre>
If you do not, you will get an error like this: "iptables: No chain/target/match by that name"
* Note: the xt_tcpudp module seems to be included in the kernel packages of Debian 6, but not of CentOS 6.
If you want to use stateful firewall rules (and you should!) you will also need to make sure that 'ipt_state' is in the 'IPTABLES' option in your vz.conf file:
<pre>
modprobe xt_state
</pre>
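The two-part design described at the top of the page (an INPUT chain that protects the HN itself, with only the nameserver open to the world, and FORWARD rules built from one file per container address so that each container can still keep its own iptables) is shown below as an added dry-run example. It is not the Shorewall author's script from the page; the <code>firewall.d</code> file layout (each file defines <code>CTIP</code>, one address as the note above says, and a <code>TCP_PORTS</code> list), the function names and the admin network are assumptions.

```shell
#!/bin/sh
# Added example for this page, not the init script shown above: print the
# rules for both halves of the design without applying anything.

# Constructed placeholder: the only network allowed to SSH to the HN.
ADMIN_NET=${ADMIN_NET:-203.0.113.0/24}

# hn_input_rules -> INPUT-chain rules protecting the hardware node itself.
# Default drop; SSH only from the admin network; DNS open to everyone because
# the HN runs the caching/customer nameserver; ICMP echo for reachability.
hn_input_rules() {
    cat <<EOF
iptables -P INPUT DROP
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -s $ADMIN_NET -m state --state NEW -j ACCEPT
iptables -A INPUT -p udp --dport 53 -j ACCEPT
iptables -A INPUT -p tcp --dport 53 -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
EOF
}

# ct_forward_rules DIR -> FORWARD-chain rules for every container file in DIR.
# Each file is sourced, so DIR must be root-owned and root-writable only;
# a file sets CTIP (exactly one address) and TCP_PORTS ("80 443", may be empty).
ct_forward_rules() {
    dir=$1
    printf 'iptables -P FORWARD DROP\n'
    printf 'iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT\n'
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        CTIP=""; TCP_PORTS=""
        . "$f"
        if [ -z "$CTIP" ]; then
            echo "warning: $f sets no CTIP, skipped" >&2
            continue
        fi
        # Outbound traffic from the container is allowed; inbound only on
        # the listed ports. The container may add its own rules on top.
        printf 'iptables -A FORWARD -s %s -j ACCEPT\n' "$CTIP"
        for p in $TCP_PORTS; do
            printf 'iptables -A FORWARD -d %s -p tcp --dport %s -m state --state NEW -j ACCEPT\n' "$CTIP" "$p"
        done
    done
}

# Usage (on the HN, after reviewing the output):
#   { hn_input_rules; ct_forward_rules /etc/firewall.d; } | sh
```

Because each container file only contributes rules for its own <code>CTIP</code>, adding or removing a container means adding or removing one file and restarting the firewall, which is what makes the approach workable with 20+ containers; the INPUT chain never has to change for that.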
The above information is outdated. To enable iptables you need to make sure that CT.conf (CT is the ID of your container, 100 for example) contains the following line:

<pre>
NETFILTER="full"
</pre>

When this is done, reboot your container and iptables should work properly.
== See also ==
* [[Traffic accounting with iptables]]
* [http://www.readymakers.com/blog/how-to-enable-iptables-in-openvz-container/ How to enable IPtables in OpenVZ container] (Frank Taveras) - Lack of modprobe modules on HN.
[[Category: Networking]]
Anonymous user