[pve-devel] Firewalling Proxmox with Shorewall
Jason Villalta
jason at rubixnet.com
Mon Aug 13 21:32:09 CEST 2012
Couldn't this be done more simply using ebtables? Sorry if this has already
been discussed.
http://serverfault.com/questions/388544/is-it-possible-to-enable-port-isolation-on-linux-bridges
This would provide port based isolation on each existing bridge. This
would provide true isolation not just ipv4.
I will see if I can get something setup and passed along.
On Wed, Aug 1, 2012 at 4:31 PM, Loiseleur Michel <michel at loiseleur.com> wrote:
> Hi,
>
> I finally managed to have something which seems to be a working setup with
> Shorewall. I am able to filter within, with or without on a simple bridged
> ipv4 network. Here are the necessary steps:
>
> 0) Preliminary steps
> a) apt-get install shorewall.
> b) set IP_FORWARDING=On in /etc/shorewall/shorewall.conf
> c) set sysctl parameter allowing netfilter for bridge (in
> /etc/sysctl.d/pve.conf or with sysctl cli)
> net.bridge.bridge-nf-call-iptables = 1
>
> 1) You need to define your /etc/shorewall/interfaces. With one bridge on
> one interface, it will look like:
> #ZONE INTERFACE BROADCAST OPTIONS
> world vmbr0 detect bridge
> net eth0
> dmz vmbr0:tap+
>
> 2) You need to define more precisely the range of your vms. It can be done
> in /etc/shorewall/hosts:
> #ZONE HOST(S) OPTIONS
> dmz vmbr0:172.16.0.0/24
>
> 3) and help shorewall understand your bridge in /etc/shorewall/zones:
> #ZONE TYPE OPTIONS IN OPT OUT OPT
> fw firewall
> world ipv4
> net ipv4
> dmz:world bport
>
> 4) You can then start to define your global policy, in
> /etc/shorewall/policy ("info" loglevel is quite handy when trying to
> understand what's going on and can be removed later)
> #SOURCE DEST POLICY LOG LEVEL LIMIT:BURST
> # Internet Connections
> dmz net ACCEPT
> # Allow FW to use internet
> $FW world ACCEPT
> net all DROP info
> # THE FOLLOWING POLICY MUST BE LAST
> all all REJECT info
>
> 5) And a simple rules file, in /etc/shorewall/rules, allowing dns, ssh,
> proxmox and ping between vms but not outside:
> #ACTION SOURCE DEST PROTO DEST PORT ...
>
> # Accept DNS connections from the firewall to the network
> DNS(ACCEPT) dmz $FW udp 67
>
> # Accept SSH connections
> SSH(ACCEPT) net $FW
> SSH(ACCEPT) dmz $FW
> SSH(ACCEPT) world $FW
>
> # Permit access to Proxmox Manager and Console
> ACCEPT dmz $FW tcp 5900:5999
> HTTPS(ACCEPT) dmz $FW tcp 443,8006
> HTTP(ACCEPT) dmz $FW
>
> # Allow Ping only within the local vm network
> Ping(ACCEPT) dmz dmz
>
>
> There are two key points in this setup. First is to specify the link
> between your interfaces (vmbr0:tap+) and your zones (dmz:world). Second one
> is to define more precisely internal range of the bridge, in hosts file. If
> you do not, shorewall won't be able to distinguish your vm network from the
> internet.
>
> Now that I hope to have gained my "you're not anymore a complete noob in
> shorewall networking" medal, maybe I would be able to see what I can do
> about multiple bridges. It seems there's the start of an answer here:
> http://www1.shorewall.net/bridge-Shorewall-perl.html#Multiple
>
> According to this page, one should be able to use a logical name in order
> to work around uniqueness on port name.
>
> --
> Michel Loiseleur
> _______________________________________________
> pve-devel mailing list
> pve-devel at pve.proxmox.com
> http://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
>
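The two key points in Michel's setup (a bport zone tied to its bridge zone via vmbr0:tap+ and dmz:world, and a narrowed VM range in the hosts file) are easy to get wrong silently. The following is an added example, my own code rather than anything from the post or from Shorewall, that parses the three files in the format shown above and reports which of those points is missing. It assumes one interfaces entry per zone and uses the post's own config as constructed sample input.

```python
"""Check a Shorewall bridge-zone config for the two points called out in the post."""
import ipaddress

# Constructed sample input mirroring the post's /etc/shorewall files.
INTERFACES = """\
#ZONE INTERFACE BROADCAST OPTIONS
world vmbr0 detect bridge
net eth0
dmz vmbr0:tap+
"""
ZONES = """\
#ZONE TYPE OPTIONS
fw firewall
world ipv4
net ipv4
dmz:world bport
"""
HOSTS = """\
#ZONE HOST(S) OPTIONS
dmz vmbr0:172.16.0.0/24
"""

def parse(text):
    """Yield the whitespace-split columns of each non-comment, non-empty line."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            yield line.split()

def check_bridge_zones(interfaces, zones, hosts):
    """Return a list of problems; an empty list means both key points hold."""
    problems = []
    # zones: NAME[:PARENT] TYPE ...  -> remember bport zones and their parent
    bport = {}
    for cols in parse(zones):
        name, _, parent = cols[0].partition(":")
        if len(cols) > 1 and cols[1] == "bport":
            bport[name] = parent
    # interfaces: ZONE IFACE[:PORT] ...  (assumes one entry per zone)
    iface_zone = {cols[0]: cols[1] for cols in parse(interfaces)}
    # hosts: ZONE IFACE:RANGE ...  -> the range must parse as a network
    host_ranges = {}
    for cols in parse(hosts):
        iface, _, net = cols[1].partition(":")
        try:
            host_ranges.setdefault(cols[0], []).append((iface, ipaddress.ip_network(net, strict=False)))
        except ValueError:
            problems.append(f"hosts: '{cols[1]}' for zone {cols[0]} is not an address range")
    for zone, parent in bport.items():
        # Key point 1: bport zone needs a parent bridge zone and a bridge:port interface
        if not parent:
            problems.append(f"zones: bport zone {zone} has no parent bridge zone")
        spec = iface_zone.get(zone)
        if spec is None or ":" not in spec:
            problems.append(f"interfaces: {zone} needs a bridge:port entry such as vmbr0:tap+")
        elif parent and iface_zone.get(parent) != spec.split(":")[0]:
            problems.append(f"interfaces: parent zone {parent} is not the bridge {spec.split(':')[0]}")
        # Key point 2: without a hosts range, the VM zone is indistinguishable from the internet
        if zone not in host_ranges:
            problems.append(f"hosts: no address range for {zone}; VMs cannot be told apart from the internet")
    return problems
```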