[pve-devel] Firewalling Proxmox with Shorewall
Jason Villalta
jason at rubixnet.com
Mon Aug 13 21:35:11 CEST 2012
Also, this seems very similar to the way Amazon EC2 works. FYI.
On Mon, Aug 13, 2012 at 3:32 PM, Jason Villalta <jason at rubixnet.com> wrote:
> Couldn't this be done more simply using ebtables? Sorry if this has already
> been discussed.
>
> http://serverfault.com/questions/388544/is-it-possible-to-enable-port-isolation-on-linux-bridges
>
>
> This would provide port based isolation on each existing bridge. This
> would provide true isolation not just ipv4.
>
> I will see if I can get something setup and passed along.
>
>
> On Wed, Aug 1, 2012 at 4:31 PM, Loiseleur Michel <michel at loiseleur.com> wrote:
>
>> Hi,
>>
>> I finally managed to have something which seems to be a working setup with
>> Shorewall. I am able to filter within, with or without on a simple bridged
>> ipv4 network. Here are the necessary steps:
>>
>> 0) Preliminary steps
>> a) apt-get install shorewall.
>> b) set IP_FORWARDING=On in /etc/shorewall/shorewall.conf
>> c) set sysctl parameter allowing netfilter for bridge (in
>> /etc/sysctl.d/pve.conf or with sysctl cli)
>> net.bridge.bridge-nf-call-iptables = 1
>>
>> 1) You need to define your /etc/shorewall/interfaces. With one bridge on
>> one interface, it will look like:
>> #ZONE INTERFACE BROADCAST OPTIONS
>> world vmbr0 detect bridge
>> net eth0
>> dmz vmbr0:tap+
>>
>> 2) You need to define more precisely the range of your vms. It can be
>> done in /etc/shorewall/hosts:
>> #ZONE HOST(S) OPTIONS
>> dmz vmbr0:172.16.0.0/24
>>
>> 3) and help shorewall understand your bridge in /etc/shorewall/zones:
>> #ZONE TYPE OPTIONS IN OPT OUT OPT
>> fw firewall
>> world ipv4
>> net ipv4
>> dmz:world bport
>>
>> 4) You can then start to define your global policy, in
>> /etc/shorewall/policy ("info" loglevel is quite handy when trying to
>> understand what's going on and can be removed later)
>> #SOURCE DEST POLICY LOG LEVEL LIMIT:BURST
>> # Internet Connections
>> dmz net ACCEPT
>> # Allow FW to use internet
>> $FW world ACCEPT
>> net all DROP info
>> # THE FOLLOWING POLICY MUST BE LAST
>> all all REJECT info
>>
>> 5) And a simple rules file, in /etc/shorewall/rules, allowing dns, ssh,
>> proxmox and ping between vms but not outside:
>> #ACTION SOURCE DEST PROTO DEST PORT ...
>>
>> # Accept DNS connections from the firewall to the network
>> DNS(ACCEPT) dmz $FW udp 67
>>
>> # Accept SSH connections
>> SSH(ACCEPT) net $FW
>> SSH(ACCEPT) dmz $FW
>> SSH(ACCEPT) world $FW
>>
>> # Permit access to Proxmox Manager and Console
>> ACCEPT dmz $FW tcp 5900:5999
>> HTTPS(ACCEPT) dmz $FW tcp 443,8006
>> HTTP(ACCEPT) dmz $FW
>>
>> # Allow Ping only within the local vm network
>> Ping(ACCEPT) dmz dmz
>>
>>
>> There are two key points in this setup. First is to specify the link
>> between your interfaces (vmbr0:tap+) and your zones (dmz:world). Second one
>> is to define more precisely internal range of the bridge, in hosts file. If
>> you do not, shorewall won't be able to distinguish your vm network from the
>> internet.
>>
>> Now that I hope to have gained my "you're not anymore a complete noob in
>> shorewall networking" medal, maybe I would be able to see what I can do
>> about multiple bridges. It seems there's the start of an answer here:
>> http://www1.shorewall.net/bridge-Shorewall-perl.html#Multiple
>>
>> According to this page, one should be able to use a logical name in order
>> to work around uniqueness on port name.
>>
>> --
>> Michel Loiseleur
>> _______________________________________________
>> pve-devel mailing list
>> pve-devel at pve.proxmox.com
>> http://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
>>
>
>
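Michel's message calls out two things a bridged Shorewall setup must get right: the bport zone must be tied to a port pattern on the bridge interface (vmbr0:tap+ for dmz:world), and the hosts file must restrict that zone to an address range, otherwise Shorewall cannot tell the VM network from the internet. The following is an added example, not part of the thread or of Shorewall itself: a small Python lint that parses the interfaces, zones and hosts files from the message (embedded here as constructed sample input) and reports when either of those two points is missing. The column parsing (whitespace-separated fields, `#` comments) and the check logic are assumptions made for this example.

```python
import re

# Sample files transcribed from the thread above (constructed input for this lint).
INTERFACES = """\
#ZONE INTERFACE BROADCAST OPTIONS
world vmbr0 detect bridge
net eth0
dmz vmbr0:tap+
"""
ZONES = """\
#ZONE TYPE OPTIONS IN OPT OUT OPT
fw firewall
world ipv4
net ipv4
dmz:world bport
"""
HOSTS = """\
#ZONE HOST(S) OPTIONS
dmz vmbr0:172.16.0.0/24
"""

CIDR = re.compile(r"^\d+\.\d+\.\d+\.\d+(/\d+)?$")


def parse_columns(text):
    """Split a Shorewall column file into rows of whitespace-separated fields,
    dropping comments and blank lines."""
    rows = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            rows.append(line.split())
    return rows


def lint_bridge_zones(interfaces, zones, hosts):
    """Return a list of findings. An empty list means every bport zone has a
    parent bridge zone, a bridge:port interfaces entry and a hosts range."""
    findings = []
    iface_by_zone = {}
    bridge_ifaces = set()
    for row in parse_columns(interfaces):
        if len(row) < 2:
            continue
        zone, iface = row[0], row[1]
        iface_by_zone.setdefault(zone, []).append(iface)
        opts = row[3] if len(row) > 3 else ""
        if "bridge" in opts.split(","):
            bridge_ifaces.add(iface)

    host_rows = [r for r in parse_columns(hosts) if len(r) > 1]

    for row in parse_columns(zones):
        name = row[0]
        ztype = row[1] if len(row) > 1 else ""
        if ztype != "bport":
            continue
        if ":" not in name:
            findings.append(f"{name}: bport zone has no parent zone (expected name:parent)")
            continue
        child, parent = name.split(":", 1)
        # Key point 1: the parent zone must sit on an interface marked 'bridge',
        # and the child zone must be attached as <bridge>:<port pattern>.
        bridge = next((i for i in iface_by_zone.get(parent, []) if i in bridge_ifaces), None)
        if bridge is None:
            findings.append(f"{child}: parent zone {parent} has no interface with the 'bridge' option")
            continue
        if not any(i.startswith(bridge + ":") for i in iface_by_zone.get(child, [])):
            findings.append(f"{child}: no interfaces entry of the form {bridge}:<port> for this bport zone")
        # Key point 2: hosts must narrow the zone to an address range on the bridge.
        ranges = [r[1] for r in host_rows if r[0] == child and r[1].startswith(bridge + ":")]
        if not any(CIDR.match(r.split(":", 1)[1]) for r in ranges):
            findings.append(f"{child}: no hosts entry restricting {child} to an address range on "
                            f"{bridge}; shorewall cannot tell the VM network from the internet")
    return findings


if __name__ == "__main__":
    for finding in lint_bridge_zones(INTERFACES, ZONES, HOSTS) or ["no findings"]:
        print(finding)
```

Run it against the three files as posted and it reports nothing; delete the dmz line from hosts, or write the zone as plain `dmz bport` without the `:world` parent, and it names the missing piece.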