[pve-devel] Firewalling between vms
Dietmar Maurer
dietmar at proxmox.com
Mon Jul 23 06:26:32 CEST 2012
> Shorewall
> ======
> It's important to realize that, since vms are often on a bridge, we cannot use
> traditional tools like "iptables". It's not going through iptables at all, it stays on
> level 2.
That is simply not true. You just need to change a value in /etc/sysctl.d/pve.conf.
I guess shorewall does that automatically if you configure bridge-ports.
> I see also limitations if we try to make a Shorewall-based solution.
> There are features which won't work with a bridge. The Shorewall model is not that
> simple, the rules generated can quickly become quite complicated and it's mainly
The initial question was how we can work around those limitations.
> iptables oriented. It can confuse users and won't be simple to debug.
shorewall is by far the 'simplest' solution (believe me).
> ebtables
> =====
> So, is there another option? There's a tool dedicated to bridge filtering,
> called "ebtables". I have tested it and it seems to filter well on the current
> Proxmox kernel. Since it works on L2 and humans think at least in L3, its
> syntax is quite a bit longer than iptables'. Here is an example to drop IPv4
> packets going from vm 101, vnet0 to address 173.194.67.94, in TCP, on port 80:
>
> ebtables -A FORWARD -p IPv4 -i tap101i0 --ip-dst 173.194.67.94 --ip-proto tcp --ip-dport 80 -j DROP
>
>
> If one wants to drop this address for all vms, it's sufficient to not specify an
> interface :
>
> ebtables -A FORWARD -p IPv4 --ip-dst 173.194.67.94 --ip-proto tcp --ip-dport 80 -j DROP
>
>
> The -p IPv4 specifies the ethernet frame type. They are listed in
> /etc/ethertypes. You can also target only vm interfaces with "-i tap+".
How do you implement DNAT? Does that work with ebtables?
In future, we will extend the network model to have a routed setup, so
ebtables will not work anyway.
> What do you think about this ?
ebtables is not the way to go.
I suggest you do more research on shorewall, and think about how we can generate a
reasonable setup with shorewall.
- Dietmar
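The two approaches argued over above, side by side, as an added example that is not part of this thread or of Proxmox VE's code: one function builds the quoted ebtables rule (with or without a per-VM tap interface), a second builds the iptables equivalent using the physdev match, and a third checks the bridge-nf-call-iptables sysctl that decides whether bridged frames reach iptables at all (the setting the reply refers to in /etc/sysctl.d/pve.conf). The interface, address and port are the thread's own; the function names, the --apply flag and the sysctl path argument are this example's assumptions.

```shell
#!/bin/sh
# Added example, not from the pve-devel thread. Builds the same "drop TCP/80 to one
# address" rule in the two styles discussed (ebtables on L2, iptables via physdev)
# and checks the sysctl that hands bridged IPv4 traffic to iptables.

# ebtables rule on the bridge itself. An empty interface means "every bridge port";
# "tap+" restricts the rule to all VM tap devices.
ebtables_drop_rule() {
    iface=$1 dst=$2 port=$3
    ifpart=""
    [ -n "$iface" ] && ifpart=" -i $iface"
    printf 'ebtables -A FORWARD -p IPv4%s --ip-dst %s --ip-proto tcp --ip-dport %s -j DROP\n' \
        "$ifpart" "$dst" "$port"
}

# iptables equivalent using the physdev match. This only ever sees bridged frames
# when net.bridge.bridge-nf-call-iptables is 1; with 0 the rule is silently dead.
iptables_physdev_drop_rule() {
    iface=$1 dst=$2 port=$3
    ifpart=""
    [ -n "$iface" ] && ifpart=" -m physdev --physdev-in $iface"
    printf 'iptables -A FORWARD%s -p tcp -d %s --dport %s -j DROP\n' \
        "$ifpart" "$dst" "$port"
}

# Returns 0 when bridged IPv4 traffic traverses iptables, 1 otherwise. The path
# argument (assumed for this example) lets a constructed file stand in for procfs.
bridge_nf_call_iptables_enabled() {
    f=${1:-/proc/sys/net/bridge/bridge-nf-call-iptables}
    [ -r "$f" ] || return 1
    [ "$(cat "$f")" = "1" ]
}

# Stand-alone use: dry-run prints both rule styles; "--apply" (as root) enables the
# sysctl if needed and installs the iptables variant. Arguments are fixed literals,
# so eval of the generated string is safe here.
if [ "${1:-}" = "--apply" ]; then
    bridge_nf_call_iptables_enabled || sysctl -w net.bridge.bridge-nf-call-iptables=1
    eval "$(iptables_physdev_drop_rule tap101i0 173.194.67.94 80)"
else
    echo "# per-VM (vm 101, first NIC):"
    ebtables_drop_rule tap101i0 173.194.67.94 80
    iptables_physdev_drop_rule tap101i0 173.194.67.94 80
    echo "# all VMs:"
    ebtables_drop_rule tap+ 173.194.67.94 80
    iptables_physdev_drop_rule tap+ 173.194.67.94 80
    if bridge_nf_call_iptables_enabled; then
        echo "# bridge-nf-call-iptables=1: the iptables rules above will match bridged traffic"
    else
        echo "# bridge-nf-call-iptables is 0 or unavailable: only the ebtables rules would filter"
    fi
fi
```

The check matters for the Shorewall route: a Shorewall ruleset that looks correct does nothing for bridged VMs until the sysctl is flipped, whereas the ebtables rules filter regardless of it.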