[pve-devel] Firewalling Proxmox with Shorewall
Dietmar Maurer
dietmar at proxmox.com
Thu Aug 2 06:54:45 CEST 2012
> I finally managed to have something which seems to be a working setup with
> Shorewall. I am able to filter within, with or without on a simple bridged ipv4
> network. Here are the necessary steps:
Great!
> 0) Preliminary steps
> a) apt-get install shorewall.
> b) set IP_FORWARDING=On in /etc/shorewall/shorewall.conf
> c) set sysctl parameter allowing netfilter for bridge (in /etc/sysctl.d/pve.conf
> or with sysctl cli) net.bridge.bridge-nf-call-iptables = 1
Is c) really required? I thought shorewall set that automatically on startup?
> 1) You need to define your /etc/shorewall/interfaces. With one bridge on
> one interface, it will look like:
> #ZONE INTERFACE BROADCAST OPTIONS
> world vmbr0 detect bridge
> net eth0
> dmz vmbr0:tap+
It would be great to have an example which fits our use case. We do not really want one
dmz. Instead we want one 'zone' per VM. So the interfaces file can look like
#ZONE INTERFACE BROADCAST OPTIONS
world vmbr0 detect bridge
net eth0
vm100 vmbr0:tap100i1
> 2) You need to define more precisely the range of your vms. It can be done in
> /etc/shorewall/hosts:
> #ZONE HOST(S) OPTIONS
> dmz vmbr0:172.16.0.0/24
We do not have IP address currently. If really needed, where do you want to store them
in the VM config? Inside the network device settings?
But do we really need it if we define one zone per VM?
> 3) and help shorewall understand your bridge in /etc/shorewall/zones:
> #ZONE TYPE OPTIONS IN OPT OUT OPT
> fw firewall
> world ipv4
> net ipv4
> dmz:world bport
>
> 4) You can then start to define your global policy, in /etc/shorewall/policy
> ("info" loglevel is quite handy when trying to understand what's going on and
> can be removed later)
> #SOURCE DEST POLICY LOG LEVEL LIMIT:BURST
> # Internet Connections
> dmz net ACCEPT
> # Allow FW to use internet
> $FW world ACCEPT
> net all DROP info
> # THE FOLLOWING POLICY MUST BE LAST
> all all REJECT info
>
> 5) And a simple rules file, in /etc/shorewall/rules, allowing dns, ssh, proxmox
> and ping between vms but not outside:
> #ACTION SOURCE DEST PROTO DEST PORT ...
>
> # Accept DNS connections from the firewall to the network
> DNS(ACCEPT) dmz $FW udp 67
>
> # Accept SSH connections
> SSH(ACCEPT) net $FW
> SSH(ACCEPT) dmz $FW
> SSH(ACCEPT) world $FW
>
> # Permit access to Proxmox Manager and Console
> ACCEPT dmz $FW tcp 5900:5999
> HTTPS(ACCEPT) dmz $FW tcp 443,8006
> HTTP(ACCEPT) dmz $FW
>
> # Allow Ping only within the local vm network
> Ping(ACCEPT) dmz dmz
>
>
> There are two key points in this setup. First is to specify the link between
> your interfaces (vmbr0:tap+) and your zones (dmz:world). Second one is to
> define more precisely internal range of the bridge, in hosts file. If you do not,
> shorewall won't be able to distinguish your vm network from the internet.
>
> Now that I hope to have gained my "you're not anymore a complete noob in
> shorewall networking" medal, maybe I would be able to see what I can do
> about multiple bridges. It seems there's a start of answer here:
> http://www1.shorewall.net/bridge-Shorewall-perl.html#Multiple
>
> According to this page, one should be able to use a logical name in order to
> workaround uniqueness on port name.
We already use unique port names like 'tap${VMID}i${NETID}', so I am not sure
if that is a problem?
- Dietmar
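The "one zone per VM" layout Dietmar sketches above, rendered as a small generator script. This is an added example, not code from either post, from Proxmox VE or from Shorewall. It assumes (our choice, not the thread's) that the bridge is vmbr0, the uplink is eth0, and that VMs are given as VMID:NETID arguments; each VM becomes a bport zone bound to its tap${VMID}i${NETID} port, so no hosts file with address ranges is written. Output goes to a directory you name, not straight into /etc/shorewall, so you can diff it against the quoted dmz setup first.

```shell
#!/bin/sh
# Added example for the pve-devel thread above; not from the original posts,
# Proxmox VE or Shorewall. Renders a per-VM Shorewall zone layout into
# interfaces, zones and policy files.
# Assumptions (ours): bridge vmbr0, uplink eth0, VMs passed as VMID:NETID.
set -eu

BRIDGE="${BRIDGE:-vmbr0}"
UPLINK="${UPLINK:-eth0}"

# zone_name VMID -> "vm100". Shorewall's default LOGFORMAT caps zone names at
# 5 characters, so VMIDs above 999 are refused instead of silently truncated.
zone_name() {
    name="vm$1"
    if [ "${#name}" -gt 5 ]; then
        echo "zone name '$name' exceeds 5 characters; adjust LOGFORMAT or rename" >&2
        return 1
    fi
    printf '%s\n' "$name"
}

# tap_port VMID NETID -> "tap100i1", the PVE port naming Dietmar cites.
tap_port() {
    printf 'tap%si%s\n' "$1" "$2"
}

# render_interfaces VMID:NETID ... -> contents of /etc/shorewall/interfaces
render_interfaces() {
    printf '#ZONE\tINTERFACE\tBROADCAST\tOPTIONS\n'
    printf 'world\t%s\tdetect\tbridge\n' "$BRIDGE"
    printf 'net\t%s\n' "$UPLINK"
    for vm in "$@"; do
        vmid="${vm%%:*}"; netid="${vm##*:}"
        zone=$(zone_name "$vmid") || return 1
        printf '%s\t%s:%s\n' "$zone" "$BRIDGE" "$(tap_port "$vmid" "$netid")"
    done
}

# render_zones VMID:NETID ... -> contents of /etc/shorewall/zones; each VM zone
# is a bport child of the bridge zone 'world', as dmz:world was in the quoted setup.
render_zones() {
    printf '#ZONE\tTYPE\n'
    printf 'fw\tfirewall\nworld\tipv4\nnet\tipv4\n'
    for vm in "$@"; do
        zone=$(zone_name "${vm%%:*}") || return 1
        printf '%s:world\tbport\n' "$zone"
    done
}

# render_policy VMID:NETID ... -> contents of /etc/shorewall/policy. Each VM may
# reach the internet; everything else, including VM-to-VM, is rejected unless a
# rule opens it, so isolation between tenants is the default.
render_policy() {
    printf '#SOURCE\tDEST\tPOLICY\tLOG\n'
    for vm in "$@"; do
        zone=$(zone_name "${vm%%:*}") || return 1
        printf '%s\tnet\tACCEPT\n' "$zone"
    done
    printf '$FW\tworld\tACCEPT\nnet\tall\tDROP\tinfo\nall\tall\tREJECT\tinfo\n'
}

# write_config OUTDIR VMID:NETID ... -> writes the three files into OUTDIR
write_config() {
    outdir="$1"; shift
    mkdir -p "$outdir"
    render_interfaces "$@" > "$outdir/interfaces"
    render_zones "$@" > "$outdir/zones"
    render_policy "$@" > "$outdir/policy"
}

# Usage with constructed input (two VMs, first NIC each):
#   d=$(mktemp -d); write_config "$d" 100:1 101:0; cat "$d"/interfaces "$d"/zones
```

Review the generated files, then copy them into /etc/shorewall and run `shorewall check` before `shorewall restart`; the check step is where a zone name that is too long or a tap port that does not yet exist shows up.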