[pve-devel] RFC : iptables implementation

Dietmar Maurer dietmar at proxmox.com
Wed Jan 22 07:10:39 CET 2014


> >>How would you present that to the user (how would you design a GUI for
> that)?
> I see 2 parts:
> 
> 1 firewall tab on the vm
>  in this tab, we can associate security groups for incoming rules and outgoing
> rules by network interface
> 
>  [INCOMING RULES]
>  net0 security1
>  net0 security2
> 
>  [OUTGOING RULES]
>  net1 security3
>  .....

OK. But maybe we can allow normal rules also? And
use the existing format (pve-firewall/example/100.fw):

------------------
[GROUPS]
security1
security2

[IN]

SSH(ACCEPT) net0 192.168.2.192 -

[OUT]

DNS(ACCEPT) net0
------------------

>  maybe some special checkbox to enable anti-spoofing rule
> 
> 
> 1 new tab/form to manage rules/security groups.
>   I would like to be able to use the same rules on different VMs, so I don't know
> where to put this form?
>   In the datacenter ?

yes

>   I think these rules should be shared inside a pool. (PVEPool permissions to
> manage these rules?)
>   What do you think ?

We use an extra file to store Security Groups: /etc/pve/firewall/groups.fw

----------groups.fw-example-----------

[IN:<groupname>:<pool>]

SSH(ACCEPT) net0 192.168.2.192 -

[OUT:<groupname>:<pool>]

...
--------------------

So we can store 'global' groups (no pool specified) and pool-related groups.
I am sure we will find a way to handle permissions for that.

> in this tab, we can edit rules with
> 
> source : ip / iprange / mac (or vmid-netX, and we translate it to macaddress
> later) / other security group
> destination : ip / iprange / mac (or vmid-netX, and we translate it to macaddress
> later) / other security group
> source port : port, portlist(1,2,3) , port range
> destination port : portnum, portlist(1,2,3) / port range / port from /etc/services
> protocol : tcp/udp/...
> action : ACCEPT/DROP
> 
> Maybe add some "macros/wizard", for protocols like dhcp:  -p udp --dport 67:68
> --sport 67:68  or icmp (-p icmp --icmp-type 0, -p icmp --icmp-type 8)

I think this should be exactly the same as the firewall tab on the VM.
You just edit the rules for a 'security group' instead of VM specific rules.

> >>What configuration files do we need for that (syntax)?
> 
> 1 config file by vm (we can reuse /etc/pve/firewall/VMID.fw
> 
> [IN]
> net0 security1
> net0 security2
> [OUT]
> net1 security3
> 
> we can use inotify to regenerate interface chains on each proxmox host
> 
> 
> 1 config file for security group. (or 1 file by pool? don't known)

One file is enough (see above /etc/pve/firewall/groups.fw)

> [SECURITY1]
> src=xxx  dst=xxx  sport=xxx  dport=xxx  proto=xxx  action=xxx
> 
> [SECURITY]
> src=xxx  dst=xxx  sport=xxx  dport=xxx  proto=xxx  action=xxx
> 
> 
> 
> >>And can we easily implement that with OVS (stateless)?
> Really, I really don't know for the moment. But it could be possible to
> implement it later, as the config files are simple.
> 
> Another possibility, is to do like openstack with "hybrid mode".
> You have a central ovs (manage vlan, netflow,...), then 1 bridge for each tap
> interface plugged to ovs.
> Like this it's possible to manage iptables rules on these bridges.

I am not sure if you are aware of all iptables restrictions for bridge ports (physdev match).
For a short intro read: http://www.shorewall.net/bridge-Shorewall-perl.html
But I have no idea if you hit that problem at all.
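A small parser for the groups.fw layout sketched above, added here as an example and not pve-firewall's own code. It assumes the rule columns mean macro(action), interface, source, destination with "-" meaning any, and that a VM may reference a group from its own pool or a global group but not a group that belongs to another pool.

```python
import re

# Constructed sample in the groups.fw layout from the mail above.
# Column meaning (macro(action) iface source dest, "-" = any) is assumed.
GROUPS_FW = """\
[IN:security1:pool1]

SSH(ACCEPT) net0 192.168.2.192 -

[OUT:security3]

DNS(ACCEPT) net0
"""

# [IN] / [OUT] optionally followed by :<groupname> and :<pool>
SECTION_RE = re.compile(r"^\[(IN|OUT)(?::([A-Za-z0-9_]+))?(?::([A-Za-z0-9_]+))?\]$")
RULE_RE = re.compile(r"^([A-Za-z0-9]+)\((ACCEPT|DROP)\)\s*(.*)$")


def parse_groups(text):
    """Return {(group, pool): {'IN': [...], 'OUT': [...]}}; pool None = global."""
    groups, current = {}, None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = SECTION_RE.match(line)
        if m:
            direction, name, pool = m.groups()
            if name is None:  # a bare [IN]/[OUT] belongs in a VM file, not here
                raise ValueError(f"line {lineno}: group section needs a name")
            current = groups.setdefault((name, pool), {"IN": [], "OUT": []})[direction]
            continue
        m = RULE_RE.match(line)
        if m is None or current is None:
            raise ValueError(f"line {lineno}: unexpected line {line!r}")
        macro, action, rest = m.groups()
        fields = rest.split()
        # Missing trailing columns and "-" both mean "any"
        col = lambda i: fields[i] if len(fields) > i and fields[i] != "-" else None
        current.append({"macro": macro, "action": action,
                        "iface": col(0), "source": col(1), "dest": col(2)})
    return groups


def resolve_group(groups, name, vm_pool):
    """Pool-local group first, then global; groups of other pools stay invisible."""
    for key in ((name, vm_pool), (name, None)):
        if key in groups:
            return groups[key]
    raise LookupError(f"group {name!r} not visible from pool {vm_pool!r}")
```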



