[pve-devel] RFC : iptables implementation

Alexandre DERUMIER aderumier at odiso.com
Tue Jan 21 09:26:45 CET 2014


>>How would you present that to the user (how would you design a GUI for that)? 
I see 2 parts:

1 firewall tab on the VM
 in this tab, we can associate security groups for incoming rules and outgoing rules by network interface

 [INCOMING RULES]
 net0 security1
 net0 security2

 [OUTGOING RULES]
 net1 security3
 .....

 maybe some special checkbox to enable anti-spoofing rule


1 new tab/form to manage rules/security groups.
  I would like to be able to use the same rules on different VMs, so I don't know where to put this form?
  In the datacenter?
  I think these rules should be shared inside a pool. (PVEPool permissions to manage these rules?)
  What do you think?

in this tab, we can edit rules with

source : ip / iprange / mac (or vmid-netX, and we translate it to a MAC address later) / other security group
destination : ip / iprange / mac (or vmid-netX, and we translate it to a MAC address later) / other security group
source port : port, portlist(1,2,3) , port range
destination port : portnum, portlist(1,2,3) / port range / port from /etc/services
protocol : tcp/udp/...
action : ACCEPT/DROP

Maybe add some "macros/wizard" for protocols like dhcp : -p udp --dport 67:68 --sport 67:68  or icmp (-p icmp --icmp-type 0, -p icmp --icmp-type 8)


>>What configuration files do we need for that (syntax)? 

1 config file per VM (we can reuse /etc/pve/firewall/VMID.fw)

[IN]
net0 security1
net0 security2
[OUT]
net1 security3

we can use inotify to regenerate the interface chains on each Proxmox host


1 config file for security groups (or 1 file per pool? I don't know)

[SECURITY1]
src=xxx  dst=xxx  sport=xxx  dport=xxx  proto=xxx  action=xxx

[SECURITY]
src=xxx  dst=xxx  sport=xxx  dport=xxx  proto=xxx  action=xxx



>>And can we easily implement that with OVS (stateless)? 
Really, I don't know for the moment. But it could be possible to implement it later, as the config files are simple.

Another possibility is to do like OpenStack with "hybrid mode".
You have a central OVS (managing VLANs, NetFlow, ...), then 1 bridge for each tap interface plugged into OVS.
Like this it's possible to manage iptables rules on these bridges.





----- Original Message -----

From: "Dietmar Maurer" <dietmar at proxmox.com>
To: "Alexandre DERUMIER" <aderumier at odiso.com>, "pve-devel" <pve-devel at pve.proxmox.com>
Sent: Tuesday 21 January 2014 06:55:43
Subject: RE: [pve-devel] RFC : iptables implementation

> - you can define rules (chain names up to 28 characters), and reuse them for
> different VMs
> - you can apply rules on VMs or groups
> - if you need to change a chain/security group, you can simply flush the chain
> (iptables -F chain) before reapplying the rules,
> without needing to regenerate/"compile" all rules
> - there is no relation with the bridge, only tap interfaces, so you can move an
> interface from a bridge to another bridge without breaking rules.
> - it's possible to do security groups with the MAC addresses of VMs, and allow ports
> opening from a group to another group.
> - it's possible to enable/disable firewall logging for each VM separately
> - No need to maintain Shorewall config files, compile rules, ...
> we can simply generate chains live as security groups are created/modified,
> or edit the tap chain when a group is applied/removed to a tap interface.
> 
> what do you think about it ? 

That sounds reasonable so far. 

How would you present that to the user (how would you design a GUI for that)? 
What configuration files do we need for that (syntax)? 

And can we easily implement that with OVS (stateless)? 



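As an added example, not code from this thread and not Proxmox's own code: a small Python generator that reads the draft VMID.fw and security-group syntax proposed above and renders the chains the proposal describes. It flushes a group chain and re-appends its rules instead of recompiling everything, hooks each tap's IN/OUT chain from FORWARD, translates vmid-netX to a source-MAC match, expands a dhcp macro, and implements the anti-spoofing checkbox as a source-MAC check. The sample configs, the VM_MACS lookup, the "macro=" key, the "sg-" chain prefix, the tap<vmid>i<n> interface naming, the physdev hook and the trailing DROP in each tap chain are all assumptions made for this example, not anything settled in the thread.

```python
"""Added example, not Proxmox code: draft VMID.fw / security-group syntax -> iptables chains."""
import re

# Constructed sample input in the draft syntax from the mail (VM 100, one NIC).
VM_FW = """
[IN]
net0 web
[OUT]
net0 egress
"""
GROUPS = """
[web]
src=0.0.0.0/0 dport=80,443 proto=tcp action=ACCEPT
macro=dhcp action=ACCEPT
[egress]
src=101-net0 dst=10.0.0.0/8 dport=3306 proto=tcp action=DROP
src=101-net0 action=ACCEPT
"""
VM_MACS = {"101-net0": "52:54:00:12:34:56"}  # vmid-netX -> MAC, from the VM config (assumption)
MACROS = {"dhcp": {"proto": "udp", "sport": "67:68", "dport": "67:68"}}  # "macro=" key is assumed
FIELDS = {"src", "dst", "sport", "dport", "proto", "action"}
MAX_CHAIN = 28  # iptables chain-name limit quoted in the thread

def parse_sections(text):
    """INI-like '[NAME]' file -> {name: [line, ...]}; blanks and # comments skipped."""
    sections, cur = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if not line or line.startswith("#"):
            continue
        m = re.fullmatch(r"\[([\w-]+)\]", line)
        if m:
            cur = sections.setdefault(m.group(1), [])
        elif cur is None:
            raise ValueError("rule outside a section: %r" % line)
        else:
            cur.append(line)
    return sections

def parse_rule(line):
    """'key=value key=value ...' -> dict; macro expanded, fields validated."""
    rule = dict(tok.partition("=")[::2] for tok in line.split())
    if "macro" in rule:
        rule = {**MACROS[rule.pop("macro")], **rule}  # explicit keys override the macro
    if set(rule) - FIELDS:
        raise ValueError("unknown keys %s" % sorted(set(rule) - FIELDS))
    if rule.get("action") not in ("ACCEPT", "DROP"):
        raise ValueError("action must be ACCEPT or DROP")
    if {"sport", "dport"} & set(rule) and rule.get("proto") not in ("tcp", "udp"):
        raise ValueError("ports need proto=tcp or proto=udp")
    return rule

def chain_name(name):
    if len(name) > MAX_CHAIN:
        raise ValueError("chain name %r exceeds %d chars" % (name, MAX_CHAIN))
    return name

def render_rule(rule):
    """One parsed rule -> iptables match/target arguments (without -A chain)."""
    args = ["-p", rule["proto"]] if "proto" in rule else []  # -p must precede port options
    for flag, key in (("-s", "src"), ("-d", "dst")):
        if rule.get(key) in VM_MACS:  # vmid-netX -> MAC; iptables matches source MAC only
            if flag == "-d":
                raise ValueError("dst must be an IP/CIDR, not vmid-netX")
            args += ["-m", "mac", "--mac-source", VM_MACS[rule[key]]]
        elif key in rule:
            args += [flag, rule[key]]
    for key in ("sport", "dport"):
        if "," in rule.get(key, ""):  # port lists need multiport; single port or a:b do not
            args += ["-m", "multiport", "--%ss" % key, rule[key]]
        elif key in rule:
            args += ["--%s" % key, rule[key]]
    return " ".join(args + ["-j", rule["action"]])

def render_group(name, lines):
    """Flush and refill one 'sg-<group>' chain (create it once with -N beforehand)."""
    chain = chain_name("sg-" + name)
    return ["-F " + chain] + ["-A %s %s" % (chain, render_rule(parse_rule(l))) for l in lines]

def render_tap_chains(vmid, vm_fw, antispoof=None):
    """Per-NIC IN/OUT chains hooked from FORWARD via physdev; antispoof = {netX: mac} (MAC-only, assumption)."""
    out = []
    for direction, physflag in (("IN", "--physdev-out"), ("OUT", "--physdev-in")):
        by_nic = {}
        for line in parse_sections(vm_fw).get(direction, []):
            nic, group = line.split()
            by_nic.setdefault(nic, []).append(group)
        for nic, groups in by_nic.items():
            tap = "tap%di%s" % (vmid, nic[3:])  # PVE tap naming tap<vmid>i<n> (assumption)
            chain = chain_name("%s-%s" % (tap, direction))
            out.append("-F " + chain)
            if direction == "OUT" and antispoof and nic in antispoof:
                out.append("-A %s -m mac ! --mac-source %s -j DROP" % (chain, antispoof[nic]))
            out += ["-A %s -j sg-%s" % (chain, g) for g in groups]
            out.append("-A %s -j DROP" % chain)  # default deny per NIC (policy assumption)
            out.append("-A FORWARD -m physdev --physdev-is-bridged %s %s -j %s"  # check with -C first
                       % (physflag, tap, chain))  # so a rerun does not duplicate the jump
    return out

def generate(vmid, vm_fw, groups_text, antispoof=None):
    lines = []
    for name, rules in parse_sections(groups_text).items():
        lines += render_group(name, rules)
    return lines + render_tap_chains(vmid, vm_fw, antispoof)

if __name__ == "__main__":
    for l in generate(100, VM_FW, GROUPS, antispoof={"net0": "52:54:00:aa:bb:cc"}):
        print("iptables", l)
```

Running it prints one iptables argument line per rule for VM 100: the two group chains first, then tap100i0-IN and tap100i0-OUT with their FORWARD hooks. Two caveats a practitioner would hit immediately: the iptables mac match has no --mac-destination, so a rule whose destination is a vmid-netX can only be expressed by IP (the example rejects it rather than silently dropping the match), and the FORWARD jump lines must be checked with -C before -A, otherwise every inotify-triggered regeneration appends another copy of the jump while the group chains themselves stay idempotent thanks to -F.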