[pve-devel] RFC : iptables implementation

Alexandre DERUMIER aderumier at odiso.com
Wed Jan 22 08:17:24 CET 2014


>>OK. But maybe we can allow normal rules also? 
yes sure
>>And use the existing format (pve-firewall/example/100.fw): 
no problem.



>>We use an extra file to store Security Groups: /etc/pve/firewall/groups.fw 
>>
>>----------groups.fw-example----------- 
>>
>>[IN:<groupname>:<pool>] 
>>
>>SSH(ACCEPT) net0 192.168.2.192 - 
>>
>>[OUT:<groupname>:<pool>] 
>>
>>... 
>>-------------------- 
>>
>>So we can store 'global' groups (no pool specified) and pool-related groups. 
>>I am sure we find a way to handle permissions for that. 

OK, let's go like this.



>>I think this should be exactly the same as the firewall tab on the VM. 
>>You just edit the rules for a 'security group' instead of VM specific rules. 

Yes, sounds good.




>>I am not sure if you are aware of all iptables restrictions for bridge ports (physdev match). 
>>For a short intro read: http://www.shorewall.net/bridge-Shorewall-perl.html 
>>But I have no idea if you hit that problem at all. 
Yes, I see that. (Not sure I understand the problem.)

Currently I have only tested the firewall with 1 bridge port/tap.
And I don't have any problem communicating with other ports (MAC address rules), or with the external network (rules by IP).

I'll do tests with 2 firewalled ports.

----- Original message ----- 

From: "Dietmar Maurer" <dietmar at proxmox.com> 
To: "Alexandre DERUMIER" <aderumier at odiso.com> 
Cc: "pve-devel" <pve-devel at pve.proxmox.com> 
Sent: Wednesday 22 January 2014 07:10:39 
Subject: RE: [pve-devel] RFC : iptables implementation 


> >>How would you present that to the user (how would you design a GUI for 
> that)? 
> I see 2 parts: 
> 
> 1 firewall tab on the vm 
> in this tab, we can associate security groups for incoming rules and outgoing 
> rules by network interface 
> 
> [INCOMING RULES] 
> net0 security1 
> net0 security2 
> 
> [OUTGOING RULES] 
> net1 security3 
> ..... 

OK. But maybe we can allow normal rules also? And 
use the existing format (pve-firewall/example/100.fw): 


------------------ 
[GROUPS] 
security1 
security2 

[IN] 

SSH(ACCEPT) net0 192.168.2.192 - 

[OUT] 

DNS(ACCEPT) net0 
------------------ 

> maybe some special checkbox to enable anti-spoofing rule 
> 
> 
> 1 new tab/form to manage rules/security groups. 
> I would like to be able to use the same rules on different VMs, so I don't know 
> where to put this form? 
> In the datacenter ? 

yes 

> I think these rules should be shared inside a pool. (PVEPool permissions to 
> manage these rules?) 
> What do you think ? 

We use an extra file to store Security Groups: /etc/pve/firewall/groups.fw 

----------groups.fw-example----------- 

[IN:<groupname>:<pool>] 

SSH(ACCEPT) net0 192.168.2.192 - 

[OUT:<groupname>:<pool>] 

... 
-------------------- 

So we can store 'global' groups (no pool specified) and pool-related groups. 
I am sure we find a way to handle permissions for that. 

> in this tab, we can edit rules with 
> 
> source : ip / iprange / mac (or vmid-netX, and we translate it to a MAC address 
> later) / other security group 
> destination : ip / iprange / mac (or vmid-netX, and we translate it to a MAC address 
> later) / other security group 
> source port : port, portlist(1,2,3) , port range 
> destination port : portnum, portlist(1,2,3) / port range / port from /etc/services 
> protocol : tcp/udp/... 
> action : ACCEPT/DROP 
> 
> Maybe add some "macros/wizard", for protocols like dhcp : -p udp --dport 67:68 
> --sport 67:68 or icmp (-p icmp --icmp-type 0, -p icmp --icmp-type 8) 

I think this should be exactly the same as the firewall tab on the VM. 
You just edit the rules for a 'security group' instead of VM specific rules. 

> >>What configuration files do we need for that (syntax)? 
> 
> 1 config file by vm (we can reuse /etc/pve/firewall/VMID.fw 
> 
> [IN] 
> net0 security1 
> net0 security2 
> [OUT] 
> net1 security3 
> 
> we can use inotify to regenerate interface chains on each proxmox host 
> 
> 
> 1 config file for security groups. (or 1 file by pool? don't know) 

One file is enough (see above /etc/pve/firewall/groups.fw) 

> [SECURITY1] 
> src=xxx dst=xxx sport=xxx dport=xxx proto=xxx action=xxx 
> 
> [SECURITY] 
> src=xxx dst=xxx sport=xxx dport=xxx proto=xxx action=xxx 
> 
> 
> 
> >>And can we easily implement that with OVS (stateless)? 
> Really, I don't know for the moment. But it could be possible to 
> implement it later, as the config files are simple. 
> 
> Another possibility, is to do like openstack with "hybrid mode". 
> You have a central OVS (manages vlan, netflow, ...), then 1 bridge for each tap 
> interface plugged into OVS. 
> Like this it's possible to manage iptables rules on these bridges. 

I am not sure if you are aware of all iptables restrictions for bridge ports (physdev match). 
For a short intro read: http://www.shorewall.net/bridge-Shorewall-perl.html 
But I have no idea if you hit that problem at all. 


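As an added illustration (not code from this thread and not pve-firewall's own code), the Python below parses the two file layouts sketched above, a VMID.fw with [GROUPS]/[IN]/[OUT] sections and a groups.fw with [IN:<groupname>:<pool>] sections (the global form with no pool included), merges a VM's own rules with those of its security groups, and renders one iptables chain per bridge port and direction, hooked from FORWARD with a physdev match. Everything it assumes beyond the thread is labelled in the code: Proxmox's tap<VMID>i<N> port name for net<N>, a rule line layout of MACRO(ACTION) IFACE [SRC] [DST] with '-' meaning any, a two-entry macro table standing in for a real one, '#' comments, and a default-deny DROP at the end of each chain. The rendering also carries the physdev restriction Dietmar points at: --physdev-out is only known for bridged frames, so the FORWARD hooks pair it with --physdev-is-bridged, and traffic the host routes towards a port (rather than bridges) would not be caught by these rules.

```python
# Added illustration of the two file formats proposed in this thread; not pve-firewall
# code.  Assumed, not settled in the thread: tap<VMID>i<N> naming for net<N>, rule lines
# as MACRO(ACTION) IFACE [SRC] [DST] with '-' = any, the tiny MACROS table, '#' comments,
# and a default-deny DROP at the end of each generated chain.
import re
from collections import namedtuple
from typing import Dict, List, Optional

MACROS = {"SSH": ("tcp", 22), "DNS": ("udp", 53)}
RULE_RE = re.compile(r"^(?P<macro>\w+)\((?P<action>ACCEPT|DROP|REJECT)\)$")
# [GROUPS] / [IN] / [OUT]  or  [IN:<group>:<pool>]  (pool may be empty or absent)
SECTION_RE = re.compile(r"^\[(?P<kind>GROUPS|IN|OUT)(?::(?P<group>[^:\]]+)(?::(?P<pool>[^\]]*))?)?\]$")
Rule = namedtuple("Rule", "action proto dport iface src dst")

def parse_rule(line: str) -> Rule:
    parts = line.split()
    m = RULE_RE.match(parts[0])
    if not m or len(parts) < 2 or m["macro"] not in MACROS:
        raise ValueError(f"bad rule line: {line!r}")
    proto, dport = MACROS[m["macro"]]
    src = parts[2] if len(parts) > 2 and parts[2] != "-" else None
    dst = parts[3] if len(parts) > 3 and parts[3] != "-" else None
    return Rule(m["action"], proto, dport, parts[1], src, dst)

def parse_fw(text: str) -> dict:
    """Sections keyed by (kind, group, pool); group and pool are None in a VMID.fw."""
    sections, key = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            key = (m["kind"], m["group"], m["pool"] or None)
            sections.setdefault(key, [])
        elif key is None:
            raise ValueError(f"rule before any section: {line!r}")
        else:
            sections[key].append(line if key[0] == "GROUPS" else parse_rule(line))
    return sections

def rules_for(direction: str, vm_cfg: dict, groups_cfg: dict, pool: Optional[str]) -> List[Rule]:
    """VM's own rules first, then each referenced group; a pool group shadows a global one."""
    rules = list(vm_cfg.get((direction, None, None), []))
    known = {name for (_, name, _) in groups_cfg}
    for name in vm_cfg.get(("GROUPS", None, None), []):
        if name not in known:  # fail closed on a typo rather than silently skipping it
            raise KeyError(f"unknown security group {name!r}")
        found = groups_cfg.get((direction, name, pool)) if pool else None
        rules.extend(groups_cfg.get((direction, name, None), []) if found is None else found)
    return rules

def render_iptables(vmid: int, vm_cfg: dict, groups_cfg: dict, pool: Optional[str] = None) -> List[str]:
    """One chain per bridge port and direction, hooked from FORWARD: IN = frames leaving
    the bridge towards the VM (--physdev-out), OUT = frames entering it from the VM."""
    cmds: List[str] = []
    for direction, physdev in (("IN", "--physdev-out"), ("OUT", "--physdev-in")):
        by_port: Dict[str, List[Rule]] = {}
        for r in rules_for(direction, vm_cfg, groups_cfg, pool):
            if not re.fullmatch(r"net\d+", r.iface):
                raise ValueError(f"unexpected interface name {r.iface!r}")
            by_port.setdefault(f"tap{vmid}i{r.iface[3:]}", []).append(r)  # assumed naming
        for tap, rules in by_port.items():
            chain = f"{tap}-{direction}"
            cmds.append(f"iptables -N {chain}")
            # --physdev-out is only known for bridged frames, so the hook needs
            # --physdev-is-bridged; traffic routed towards the port will not match.
            cmds.append(f"iptables -A FORWARD -m physdev --physdev-is-bridged {physdev} {tap} -j {chain}")
            for r in rules:
                parts = [f"iptables -A {chain} -p {r.proto}"]
                parts += [f"-s {r.src}"] if r.src else []
                parts += [f"-d {r.dst}"] if r.dst else []
                parts.append(f"--dport {r.dport} -j {r.action}")
                cmds.append(" ".join(parts))
            cmds.append(f"iptables -A {chain} -j DROP")  # assumed default deny
    return cmds

# Constructed sample input in the two formats from the thread.
VM_FW = """[GROUPS]
security1
security2
[IN]
SSH(ACCEPT) net0 192.168.2.192 -
[OUT]
DNS(ACCEPT) net0
"""
GROUPS_FW = """[IN:security1:prod]
SSH(ACCEPT) net0 10.0.0.0/24 -
[IN:security1]
SSH(ACCEPT) net0 - -
[OUT:security2:]
DNS(ACCEPT) net1
"""

if __name__ == "__main__":
    for cmd in render_iptables(100, parse_fw(VM_FW), parse_fw(GROUPS_FW), pool="prod"):
        print(cmd)
```

Running it for VM 100 in pool "prod" gives one IN chain for tap100i0 (the VM's own SSH rule plus the pool-specific security1 rule) and two OUT chains, tap100i0-OUT from the VM file and tap100i1-OUT from the global security2 group; rendering the same VM without a pool falls back to the global security1 section instead. An unknown group name in [GROUPS] raises rather than being skipped, so a typo cannot quietly open or close a port.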
