[pve-devel] RFC : iptables implementation
Alexandre DERUMIER
aderumier at odiso.com
Wed Jan 22 15:08:11 CET 2014
OpenStack is doing something like this:
-A FORWARD -m physdev --physdev-out tap100i0 --physdev-is-bridged -j proxmoxfw-chain
-A FORWARD -m physdev --physdev-in tap100i0 --physdev-is-bridged -j proxmoxfw-chain
-A FORWARD -m physdev --physdev-out tap120i0 --physdev-is-bridged -j proxmoxfw-chain
-A FORWARD -m physdev --physdev-in tap120i0 --physdev-is-bridged -j proxmoxfw-chain
-A proxmoxfw-chain -m physdev --physdev-out tap100i0 --physdev-is-bridged -j tap100i0-in
-A proxmoxfw-chain -m physdev --physdev-in tap100i0 --physdev-is-bridged -j tap100i0-out
-A proxmoxfw-chain -m physdev --physdev-out tap120i0 --physdev-is-bridged -j tap120i0-in
-A proxmoxfw-chain -m physdev --physdev-in tap120i0 --physdev-is-bridged -j tap120i0-out
-A proxmoxfw-chain -j ACCEPT
#out rules for tap110i0 : allow out ssh
iptables -A tap110i0-out -p tcp --dport 22 -j RETURN
iptables -A tap110i0-out -j LOG --log-prefix "tap110out-dropped: " --log-level 4
iptables -A tap110i0-out -j DROP
#in rules for tap110i0
iptables -A tap110i0-in -m state --state INVALID -j DROP
iptables -A tap110i0-in -m state --state RELATED,ESTABLISHED -j RETURN
iptables -A tap110i0-in -j LOG --log-prefix "tap110i0in-dropped: " --log-level 4
iptables -A tap110i0-in -j DROP
FORWARD -> proxmoxfw-chain -> jump in tap chain1
                                 <- return or drop
                              -> jump in tap chain2
                                 <- return or drop
                              -> ACCEPT
don't know if it's better than
FORWARD -> jump in tap chain1
              <- return or drop
           -> jump in tap chain2
              <- return or drop
(I think ACCEPT is implicit, but I'm not sure)
----- Original Message -----
From: "Dietmar Maurer" <dietmar at proxmox.com>
To: "Alexandre DERUMIER" <aderumier at odiso.com>
Cc: "pve-devel" <pve-devel at pve.proxmox.com>
Sent: Wednesday, 22 January 2014 13:18:05
Subject: RE: [pve-devel] RFC : iptables implementation
yes, that looks better now.
> -----Original Message-----
> From: Alexandre DERUMIER [mailto:aderumier at odiso.com]
> Sent: Wednesday, 22 January 2014 10:27
> To: Dietmar Maurer
> Cc: pve-devel
> Subject: Re: [pve-devel] RFC : iptables implementation
>
> Hi, again,
> It seems to work if I use RETURN instead of ACCEPT in outgoing rules.
> (to another tap, or to external network).
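As an added illustration of the chain layout discussed in this thread (this is example code written for this page, not code from the thread or from Proxmox VE), the Python model below simulates the iptables verdict rules that make the RETURN-versus-ACCEPT question matter: ACCEPT and DROP are terminating, RETURN hands control back to the calling chain, LOG is non-terminating, falling off the end of a user chain acts like RETURN, and falling off the end of a built-in chain applies that chain's policy. It builds the FORWARD / proxmoxfw-chain / per-tap chains with the same shape as the rules above and walks constructed packets through them. The `Packet` fields, the `build_ruleset` helper and its options, and the two tap names are assumptions of this example; it also goes slightly beyond the thread by exposing the FORWARD policy, so the "is ACCEPT implicit?" question can be checked directly.

```python
"""Simulate iptables chain traversal for the per-tap chain layout discussed above.

Example model, not an iptables implementation: it covers only the targets used
in the thread (ACCEPT, DROP, RETURN, LOG, jump to a user chain).
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional


@dataclass
class Packet:
    # Constructed packet: physdev-in / physdev-out tap, L4 port, conntrack state.
    in_tap: Optional[str] = None     # tap the frame came from (VM -> bridge)
    out_tap: Optional[str] = None    # tap the frame goes to (bridge -> VM)
    proto: str = "tcp"
    dport: int = 0
    state: str = "NEW"


@dataclass
class Rule:
    match: Callable[[Packet], bool]
    target: str                      # ACCEPT, DROP, RETURN, LOG or a user chain


@dataclass
class Ruleset:
    chains: Dict[str, List[Rule]] = field(default_factory=dict)
    policy: Dict[str, str] = field(default_factory=dict)  # built-in chains only
    trace: List[str] = field(default_factory=list)        # chains entered
    log: List[str] = field(default_factory=list)          # LOG target output

    def walk(self, chain: str, pkt: Packet) -> str:
        """Traverse one chain; returns ACCEPT, DROP or RETURN."""
        self.trace.append(chain)
        builtin = chain in self.policy
        for rule in self.chains.get(chain, []):
            if not rule.match(pkt):
                continue
            t = rule.target
            if t == "LOG":                      # non-terminating: keep going
                self.log.append(f"{chain}: {pkt}")
                continue
            if t == "RETURN":                   # in a built-in chain RETURN means policy
                return self.policy[chain] if builtin else "RETURN"
            if t in ("ACCEPT", "DROP"):         # terminating verdicts
                return t
            verdict = self.walk(t, pkt)         # -j <user chain>
            if verdict != "RETURN":
                return verdict
        # End of chain: policy for built-in chains, implicit RETURN otherwise.
        return self.policy[chain] if builtin else "RETURN"

    def verdict(self, pkt: Packet) -> str:
        self.trace.clear()
        self.log.clear()
        return self.walk("FORWARD", pkt)


def build_ruleset(taps, allow_target="RETURN", explicit_accept=True,
                  forward_policy="ACCEPT") -> Ruleset:
    """Build FORWARD -> proxmoxfw-chain -> <tap>-in / <tap>-out, as in the thread.

    allow_target   : target used for the "allowed" rules in the tap chains
                     (RETURN as in the thread, or ACCEPT to see the difference).
    explicit_accept: add the final '-A proxmoxfw-chain -j ACCEPT'.
    forward_policy : policy of the built-in FORWARD chain (assumed option).
    """
    rs = Ruleset(policy={"FORWARD": forward_policy})
    fwd = rs.chains.setdefault("FORWARD", [])
    pfw = rs.chains.setdefault("proxmoxfw-chain", [])
    for tap in taps:
        fwd.append(Rule(lambda p, t=tap: p.out_tap == t, "proxmoxfw-chain"))
        fwd.append(Rule(lambda p, t=tap: p.in_tap == t, "proxmoxfw-chain"))
        pfw.append(Rule(lambda p, t=tap: p.out_tap == t, f"{tap}-in"))
        pfw.append(Rule(lambda p, t=tap: p.in_tap == t, f"{tap}-out"))
        # out rules: allow outgoing ssh, log and drop the rest
        rs.chains[f"{tap}-out"] = [
            Rule(lambda p: p.proto == "tcp" and p.dport == 22, allow_target),
            Rule(lambda p: True, "LOG"),
            Rule(lambda p: True, "DROP"),
        ]
        # in rules: drop INVALID, allow replies, log and drop the rest
        rs.chains[f"{tap}-in"] = [
            Rule(lambda p: p.state == "INVALID", "DROP"),
            Rule(lambda p: p.state in ("RELATED", "ESTABLISHED"), allow_target),
            Rule(lambda p: True, "LOG"),
            Rule(lambda p: True, "DROP"),
        ]
    if explicit_accept:
        pfw.append(Rule(lambda p: True, "ACCEPT"))
    return rs


if __name__ == "__main__":
    vm_to_vm = Packet(in_tap="tap100i0", out_tap="tap120i0", dport=22)
    for target in ("RETURN", "ACCEPT"):
        rs = build_ruleset(["tap100i0", "tap120i0"], allow_target=target)
        print(target, "->", rs.verdict(vm_to_vm), "chains:", rs.trace)
```

With RETURN in the tap chains, a new ssh connection from VM 100 to VM 120 is allowed out of tap100i0-out but still reaches tap120i0-in, where it is dropped as a NEW inbound connection; with ACCEPT, tap100i0-out terminates the traversal and tap120i0-in is never consulted, which is the behaviour the thread ran into. The `forward_policy` option shows that the second layout (no trailing ACCEPT in proxmoxfw-chain) only accepts by falling through to the FORWARD policy, and the trace shows that without the trailing ACCEPT a VM-to-VM packet runs through proxmoxfw-chain twice, once for the physdev-in match and once for the physdev-out match.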