[pve-devel] Firewalling between vms
Loiseleur Michel
michel at loiseleur.com
Sun Jul 22 17:46:02 CEST 2012
Hi *,
I've taken a look at filtering the network at the host (i.e. Proxmox)
level for VMs.
Shorewall
======
It's important to realize that, since VMs are often on a bridge, we
cannot use traditional tools like "iptables". It's not going through
iptables at all; it stays at layer 2.
I also see limitations if we try to make a Shorewall-based solution.
There are features which won't work with a bridge. The Shorewall model is not
that simple; the rules generated can quickly become quite complicated, and
it's mainly iptables oriented. It can confuse users and won't be simple
to debug. One of the main features of Shorewall, the clean separation
between zones, like fw->dmz and fw->net for instance, is not possible.
See http://www.shorewall.net/bridge-Shorewall-perl.html for all the details.
ebtables
=====
So, is there another option? There's a tool dedicated to bridge
filtering, called "ebtables". I have tested it and it seems to filter
well on the current Proxmox kernel. Since it works at L2 and humans think
at least in L3, its syntax is quite a bit longer than iptables'. Here is
an example to drop IPv4 packets going from VM 101, vnet0, to address
173.194.67.94, TCP, port 80:
ebtables -A FORWARD -p IPv4 -i tap101i0 --ip-dst 173.194.67.94 --ip-proto tcp --ip-dport 80 -j DROP
If one wants to drop this address for all VMs, it's sufficient not to
specify an interface:
ebtables -A FORWARD -p IPv4 --ip-dst 173.194.67.94 --ip-proto tcp --ip-dport 80 -j DROP
The -p IPv4 specifies the ethernet frame type. The types are listed in
/etc/ethertypes. You can also target only VM interfaces with "-i tap+".
Next steps
=======
I'm thinking of going further down the ebtables way with:
1) a per-VM firewall, in /etc/pve/qemu-server/xxx.pfw, describing
filtering rules in a human-readable way. For instance, it could look like:
vnet0 IPv4 tcp * *:80 DROP
vnet1 IPv4 tcp *:443 * ACCEPT
2) a host-wide firewall & policy, in /etc/pve/nodes/`hostname`/pve.pfw,
which would look like:
INPUT:DROP
OUTPUT:ACCEPT
IPv4 tcp * *:80 DROP
IPv4 tcp *:443 * ACCEPT
3) a "pfw-rebuild" script, transforming the files into a single flat
ebtables-readable file
4) Retrieving and using the ebtables-save / ebtables-restore tools, which are
available upstream, in Red Hat, but not in the Debian package (see
http://ebtables.cvs.sourceforge.net/viewvc/ebtables/ebtables2/userspace/ebtables2/)
5) Retrieving or writing an init script, allowing a graceful reboot
What do you think about this ?
--
Michel
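As an added illustration of steps 1) to 3) of the proposal above (this is example code written for this page, not Michel's pfw-rebuild script or anything from Proxmox), here is a sketch of a rebuild step that turns the proposed .pfw lines into ebtables commands. It assumes the column layout shown in the message (interface, ethertype, protocol, source, destination, action; "*" meaning any, "addr:port" for an endpoint), that CHAIN:POLICY lines in the host file set chain policies, and that "vnetN" of VM <vmid> maps to the tap device tap<vmid>i<N>, which is consistent with the tap101i0 example in the message but is an assumption here. The sample .pfw contents are constructed for the example.

```python
#!/usr/bin/env python3
"""Sketch of a pfw-rebuild: translate the proposed .pfw format into ebtables commands.

Example code for illustration only. The .pfw column layout, the CHAIN:POLICY
lines and the vnetN -> tap<vmid>i<N> mapping are assumptions, not part of any
existing Proxmox or pfw tool.
"""

# Constructed sample of a per-VM file (would be /etc/pve/qemu-server/101.pfw):
# frames coming in from vnet0 to TCP port 80 are dropped, frames coming in
# from vnet1 with TCP source port 443 are accepted.
VM_PFW = """\
vnet0 IPv4 tcp * *:80 DROP
vnet1 IPv4 tcp *:443 * ACCEPT
"""

# Constructed sample of a host-wide file (would be /etc/pve/nodes/<host>/pve.pfw).
HOST_PFW = """\
INPUT:DROP
OUTPUT:ACCEPT
IPv4 tcp * *:80 DROP
IPv4 tcp *:443 * ACCEPT
"""

ACTIONS = {"ACCEPT", "DROP"}
CHAINS = {"INPUT", "OUTPUT", "FORWARD"}


def _endpoint(spec, side):
    """Turn '*', 'addr', 'addr:port' or '*:port' into ebtables ip-match options.
    side is 'src' or 'dst'; a '*' component means "any" and emits nothing."""
    addr, _, port = spec.partition(":")
    opts = []
    if addr and addr != "*":
        opts += [f"--ip-{side}", addr]
    if port and port != "*":
        opts += ["--ip-sport" if side == "src" else "--ip-dport", port]
    return opts


def _rule(ethertype, proto, src, dst, action, iface=None):
    """Build one 'ebtables -A FORWARD ...' command; only IPv4 frames handled here."""
    if ethertype != "IPv4":
        raise ValueError(f"only the IPv4 ethertype is handled here, got {ethertype!r}")
    if action not in ACTIONS:
        raise ValueError(f"unknown action {action!r}")
    cmd = ["ebtables", "-A", "FORWARD", "-p", "IPv4"]
    if iface:
        cmd += ["-i", iface]  # frames entering the bridge from this tap device
    cmd += ["--ip-proto", proto]
    cmd += _endpoint(src, "src") + _endpoint(dst, "dst")
    cmd += ["-j", action]
    return " ".join(cmd)


def _lines(text):
    """Yield non-empty lines with '#' comments stripped."""
    for ln in text.splitlines():
        ln = ln.split("#", 1)[0].strip()
        if ln:
            yield ln


def vm_rules(vmid, text):
    """Per-VM file: <vnetN> <ethertype> <proto> <src> <dst> <action>.
    vnetN is mapped to tap<vmid>i<N> (assumed naming of the VM's tap device)."""
    out = []
    for ln in _lines(text):
        vnet, ethertype, proto, src, dst, action = ln.split()
        if not (vnet.startswith("vnet") and vnet[4:].isdigit()):
            raise ValueError(f"bad interface {vnet!r}")
        out.append(_rule(ethertype, proto, src, dst, action, f"tap{vmid}i{vnet[4:]}"))
    return out


def host_rules(text):
    """Host-wide file: CHAIN:POLICY lines become 'ebtables -P', other lines are
    rules without an interface column and so match every bridged frame."""
    out = []
    for ln in _lines(text):
        if len(ln.split()) == 1 and ":" in ln:
            chain, policy = ln.split(":", 1)
            if chain not in CHAINS or policy not in ACTIONS:
                raise ValueError(f"bad policy line {ln!r}")
            out.append(f"ebtables -P {chain} {policy}")
        else:
            ethertype, proto, src, dst, action = ln.split()
            out.append(_rule(ethertype, proto, src, dst, action))
    return out


def rebuild(host_text, vm_files):
    """Flatten host policy plus each VM's rules into one ordered command list.
    Starts with a flush of all chains so re-running is idempotent; host-wide
    rules come first, so they take precedence over per-VM rules (first match wins)."""
    cmds = ["ebtables -F"] + host_rules(host_text)
    for vmid, text in sorted(vm_files.items()):
        cmds += vm_rules(vmid, text)
    return cmds


if __name__ == "__main__":
    print("\n".join(rebuild(HOST_PFW, {101: VM_PFW})))
```

Running the script prints the flat command list; piping it to `sh` would apply it, and the `-F` at the top is what makes the rebuild safe to repeat after editing a .pfw file.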