<div dir="ltr">Hi Michael,<div><br></div><div style>Thank you for your SMART answer!</div><div style>We will make our bash script now to enable the firewall on our two proxmox hosts.</div><div style><br></div><div style>Have a good day! ;-)</div>
<div class="gmail_extra"><br clear="all"><div><b style="color:rgb(0,0,153)">JG</b></div><br><div class="gmail_quote">2013/6/11 Michael Rasmussen <span dir="ltr"><<a href="mailto:mir@miras.org" target="_blank">mir@miras.org</a>></span><br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div class="HOEnZb"><div class="h5">On Tue, 11 Jun 2013 17:24:30 +0200<br>
Julien Groselle <<a href="mailto:julien.groselle@gmail.com">julien.groselle@gmail.com</a>> wrote:<br>
<br>
> Hello again,<br>
><br>
> In our company, we set up a heavy firewall on every server.<br>
> So, after many tests on proxmox with an open firewall, it's time to put<br>
> the servers in production.<br>
> Before this step, we have to configure our iptables rules:<br>
><br>
> Here is a partial output of my 'netstat -lnpute':<br>
> tcp 0 0 <a href="http://127.0.0.1:85" target="_blank">127.0.0.1:85</a> 0.0.0.0:* LISTEN 0 35730752 433645/pvedaemon<br>
> tcp 0 0 <a href="http://0.0.0.0:8006" target="_blank">0.0.0.0:8006</a> 0.0.0.0:* LISTEN 33 35730876 433690/pveproxy<br>
> udp 0 0 <a href="http://192.168.100.187:5404" target="_blank">192.168.100.187:5404</a> 0.0.0.0:* 0 13381511 4501/corosync<br>
> udp 0 0 <a href="http://192.168.100.187:5405" target="_blank">192.168.100.187:5405</a> 0.0.0.0:* 0 13381512 4501/corosync<br>
> udp 0 0 <a href="http://239.192.1.240:5405" target="_blank">239.192.1.240:5405</a> 0.0.0.0:* 0 13381508 4501/corosync<br>
><br>
> Do I just have to open tcp/8006 and all the udp/540*? Or are there any other ports<br>
> that proxmox needs to use?<br>
> I'm sure that ssh has to be open between the two nodes, but what<br>
> else?<br>
><br>
</div></div>I run the following script at boot on every host. Every host has 2 NICs<br>
in a bond and has a number of VLANs and bridges configured. The hosts<br>
have an IP configured only on vmbr0 (default vlan0), on a LAN for shared<br>
storage (vlan20), and on a LAN for migration (vlan30). Everything is<br>
connected through a managed switch. vlan20 is accessible by all<br>
storage nodes and all hosts. vlan30 is only accessible by hosts. The<br>
only access to hosts is via vlan0.<br>
<br>
cat /etc/iptables.sh<br>
#!/bin/sh<br>
<br>
iptables -F INPUT<br>
<br>
# Block all input on vmbr0 except<br>
# https(8006)<br>
iptables -A INPUT -i vmbr0 -p tcp --dport 8006 -m state --state NEW -j ACCEPT<br>
# vnc-console (5900-5910)<br>
iptables -A INPUT -i vmbr0 -p tcp -m multiport --dports 5900:5910 -m state --state NEW -j ACCEPT<br>
# apcups (udp:3551)<br>
iptables -A INPUT -i vmbr0 -p udp --dport 3551 -m state --state NEW -j ACCEPT<br>
<br>
# Related traffic to the above<br>
iptables -A INPUT -i vmbr0 -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT<br>
iptables -A INPUT -i vmbr0 -p udp -m state --state ESTABLISHED,RELATED -j ACCEPT<br>
<br>
# Drop everything else<br>
iptables -A INPUT -i vmbr0 -j DROP<br>
<br>
<br>
--<br>
Hilsen/Regards<br>
Michael Rasmussen<br>
<br>
Get my public GnuPG keys:<br>
michael <at> rasmussen <dot> cc<br>
<a href="http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xD3C9A00E" target="_blank">http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xD3C9A00E</a><br>
mir <at> datanom <dot> net<br>
<a href="http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xE501F51C" target="_blank">http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xE501F51C</a><br>
mir <at> miras <dot> org<br>
<a href="http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xE3E80917" target="_blank">http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xE3E80917</a><br>
--------------------------------------------------------------<br>
* Omnic looks at his 33.6k link and then looks at Joy<br>
* Mercury cuddles his cable modem.. (=:]<br>
</blockquote></div><br></div></div>
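Added example, not part of the thread: before writing rules like Michael's, it helps to turn the `netstat -lnpute` listing Julien posted into a per-program list of what is actually reachable from the network. The script below parses that output (re-flowed onto single lines, plus an assumed sshd listener that is not in the original output), separates loopback-only sockets such as pvedaemon on 127.0.0.1:85 from those bound to all interfaces, a specific address, or corosync's multicast group, and returns the (proto, port) pairs a host firewall has to account for.

```python
"""Audit `netstat -lnpute` output to see which listeners a host firewall must
allow. Sample input is constructed from the thread; the sshd line is assumed."""
import ipaddress
from collections import defaultdict

NETSTAT_SAMPLE = """\
Proto Recv-Q Send-Q Local Address  Foreign Address State  User Inode PID/Program name
tcp   0 0 127.0.0.1:85          0.0.0.0:* LISTEN 0  35730752 433645/pvedaemon
tcp   0 0 0.0.0.0:8006          0.0.0.0:* LISTEN 33 35730876 433690/pveproxy
tcp   0 0 0.0.0.0:22            0.0.0.0:* LISTEN 0  999 1234/sshd
udp   0 0 192.168.100.187:5404  0.0.0.0:*        0  13381511 4501/corosync
udp   0 0 192.168.100.187:5405  0.0.0.0:*        0  13381512 4501/corosync
udp   0 0 239.192.1.240:5405    0.0.0.0:*        0  13381508 4501/corosync
"""

def scope_of(addr):
    """Classify a bind address: loopback needs no firewall rule, unspecified
    means every interface (restrict with -i), multicast is corosync's ring."""
    ip = ipaddress.ip_address(addr)
    if ip.is_loopback:
        return "loopback"
    if ip.is_unspecified:
        return "all-interfaces"
    if ip.is_multicast:
        return "multicast %s" % addr
    return addr

def listening_sockets(text):
    """Parse netstat -lnpute lines into (proto, port, scope, program) tuples."""
    sockets = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 6 or fields[0] not in ("tcp", "tcp6", "udp", "udp6"):
            continue  # header line or something that is not a socket
        addr, port = fields[3].rsplit(":", 1)  # rsplit keeps IPv6 addresses intact
        program = fields[-1].split("/", 1)[-1]  # "433645/pvedaemon" -> "pvedaemon"
        sockets.append((fields[0].rstrip("6"), int(port), scope_of(addr), program))
    return sockets

def exposure_summary(sockets):
    """Group listeners per program so each daemon's footprint is visible."""
    summary = defaultdict(list)
    for proto, port, scope, program in sockets:
        summary[program].append((proto, port, scope))
    return {program: sorted(entries) for program, entries in summary.items()}

def ports_to_allow(sockets):
    """(proto, port) pairs reachable from the network, i.e. not loopback-only."""
    return sorted({(proto, port) for proto, port, scope, _ in sockets
                   if scope != "loopback"})

if __name__ == "__main__":
    socks = listening_sockets(NETSTAT_SAMPLE)
    for program, entries in exposure_summary(socks).items():
        print(program, entries)
    print("needs a rule on the right interface:", ports_to_allow(socks))
```

The scope column is what decides the interface: the corosync sockets sit on the cluster address, so they belong on that VLAN's interface rather than on vmbr0, while pvedaemon needs no rule at all.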