[pve-devel] RFC : iptables implementation
Michael Rasmussen
mir at datanom.net
Wed Jan 22 18:55:45 CET 2014
On Wed, 22 Jan 2014 18:27:07 +0100 (CET)
Alexandre DERUMIER <aderumier at odiso.com> wrote:
>
> maybe. I think we shouldn't filter from ethX, because outside can be also other hosts with others vm.
> (Or maybe users want to add some custom rules on ethX to protect the host itself, like this it doesn't conflict with openstack rules)
>
With the coming add-on for firewall how would that affect iptables
rules on the host?
An example on a standard proxmox node could be the following:
# Block all input on vmbr0 except
# https(8006)
iptables -A INPUT -i vmbr0 -p tcp --dport 8006 -m state \
--state NEW -j ACCEPT
# vnc-console (5900-5910)
iptables -A INPUT -i vmbr0 -p tcp -m multiport \
--dports 5900:5910 -m state --state NEW -j ACCEPT
# apcups (udp:3551)
iptables -A INPUT -i vmbr0 -p udp --dport 3551 -m state \
--state NEW -j ACCEPT
# spice
iptables -A INPUT -i vmbr0 -p tcp --dport 3128 -m state \
--state NEW -j ACCEPT
# Related traffic to the above
iptables -A INPUT -i vmbr0 -p tcp -m state \
--state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i vmbr0 -p udp -m state \
--state ESTABLISHED,RELATED -j ACCEPT
# Drop everything else
iptables -A INPUT -i vmbr0 -j DROP
--
Hilsen/Regards
Michael Rasmussen
Get my public GnuPG keys:
michael <at> rasmussen <dot> cc
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xD3C9A00E
mir <at> datanom <dot> net
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xE501F51C
mir <at> miras <dot> org
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xE3E80917
--------------------------------------------------------------
/usr/games/fortune -es says:
"In the long run, every program becomes rococo, and then rubble."
-- Alan Perlis
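The ruleset in the mail expresses a simple host policy: on vmbr0, accept NEW connections only to the listed services, accept replies to established flows, drop the rest. A question that comes up once another component (the planned firewall add-on) also writes rules is whether the live chain still implements that policy: an ACCEPT appended after the terminal DROP is dead, a stateless ACCEPT opens a port the policy does not list, and a missing ESTABLISHED,RELATED rule silently breaks reply traffic. The following audit script is an added example, not code from the post or from Proxmox; it parses a chain dump in the form `iptables -S INPUT` prints (assumed format: one `-A INPUT ...` rule per line, with `-m state --state` or `-m conntrack --ctstate`) and compares it with the policy from the mail. Both dumps embedded below are constructed samples, the second one deliberately broken.

```python
"""Audit an INPUT chain dump (iptables -S INPUT) against the vmbr0 host policy
from the mail: NEW only to the listed ports, stateful accept for tcp and udp,
terminal DROP, nothing reachable after it. Added example with constructed input."""
import shlex
from dataclasses import dataclass, field
from typing import Optional

# Policy from the post: (proto, port) pairs that may receive NEW connections.
EXPECTED_NEW = {("tcp", 8006), ("tcp", 3128), ("udp", 3551)} | {
    ("tcp", p) for p in range(5900, 5911)}  # 5900-5910 vnc consoles

# Constructed sample: the ruleset from the mail as `iptables -S INPUT` would print it.
SAMPLE_DUMP = """\
-P INPUT ACCEPT
-A INPUT -i vmbr0 -p tcp -m tcp --dport 8006 -m state --state NEW -j ACCEPT
-A INPUT -i vmbr0 -p tcp -m multiport --dports 5900:5910 -m state --state NEW -j ACCEPT
-A INPUT -i vmbr0 -p udp -m udp --dport 3551 -m state --state NEW -j ACCEPT
-A INPUT -i vmbr0 -p tcp -m tcp --dport 3128 -m state --state NEW -j ACCEPT
-A INPUT -i vmbr0 -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i vmbr0 -p udp -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i vmbr0 -j DROP
"""

# Constructed sample with three defects: a stateless ACCEPT for tcp/23, the udp
# stateful rule appended after the DROP (unreachable), hence no udp reply handling.
BROKEN_DUMP = """\
-P INPUT ACCEPT
-A INPUT -i vmbr0 -p tcp -m tcp --dport 8006 -m state --state NEW -j ACCEPT
-A INPUT -i vmbr0 -p tcp -m multiport --dports 5900:5910 -m state --state NEW -j ACCEPT
-A INPUT -i vmbr0 -p udp -m udp --dport 3551 -m state --state NEW -j ACCEPT
-A INPUT -i vmbr0 -p tcp -m tcp --dport 3128 -m state --state NEW -j ACCEPT
-A INPUT -i vmbr0 -p tcp -m tcp --dport 23 -j ACCEPT
-A INPUT -i vmbr0 -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i vmbr0 -j DROP
-A INPUT -i vmbr0 -p udp -m state --state ESTABLISHED,RELATED -j ACCEPT
"""


@dataclass
class Rule:
    iface: Optional[str] = None
    proto: Optional[str] = None
    ports: set = field(default_factory=set)   # empty set = any port
    states: set = field(default_factory=set)  # empty set = stateless match
    target: Optional[str] = None


def _expand_ports(spec):
    """'8006' -> {8006}; '5900:5910,22' -> {5900..5910, 22} (multiport syntax)."""
    ports = set()
    for part in spec.split(","):
        lo, _, hi = part.partition(":")
        ports.update(range(int(lo), int(hi or lo) + 1))
    return ports


def parse_rules(dump, chain="INPUT"):
    """Turn `-A <chain> ...` lines into Rule objects, in chain order."""
    rules = []
    for line in dump.splitlines():
        tok = shlex.split(line)
        if len(tok) < 2 or tok[0] != "-A" or tok[1] != chain:
            continue  # policy line (-P), other chains, blank lines
        r, i = Rule(), 2
        while i < len(tok):
            opt = tok[i]
            if opt in ("-i", "-p", "-j", "--dport", "--dports", "--state",
                       "--ctstate", "-m"):
                val = tok[i + 1]
                if opt == "-i": r.iface = val
                elif opt == "-p": r.proto = val
                elif opt == "-j": r.target = val
                elif opt in ("--dport", "--dports"): r.ports = _expand_ports(val)
                elif opt in ("--state", "--ctstate"): r.states = set(val.split(","))
                i += 2  # "-m <ext>" only names the extension; skip it
            else:
                i += 1  # option we do not model
        rules.append(r)
    return rules


def audit(rules, iface="vmbr0", expected=EXPECTED_NEW):
    """Return a list of findings; an empty list means the chain matches the policy."""
    findings = []
    on_iface = [r for r in rules if r.iface == iface]
    drop_idx = next((k for k, r in enumerate(on_iface)
                     if r.target == "DROP" and r.proto is None
                     and not r.ports and not r.states), None)
    if drop_idx is None:
        findings.append(f"{iface}: no terminal DROP rule, chain policy decides")
        reachable = on_iface
    else:
        reachable = on_iface[:drop_idx]
        for r in on_iface[drop_idx + 1:]:
            findings.append(f"{iface}: unreachable rule after DROP: "
                            f"{r.target} {r.proto} {sorted(r.ports)} {sorted(r.states)}")
    new_open, stateful = set(), set()
    for r in reachable:
        if r.target != "ACCEPT":
            continue
        opens_new = "NEW" in r.states or not r.states  # stateless ACCEPT also opens
        if opens_new and r.proto and not r.ports:
            findings.append(f"{iface}: accepts NEW on every {r.proto} port")
        elif opens_new and r.proto:
            new_open |= {(r.proto, p) for p in r.ports}
        if {"ESTABLISHED", "RELATED"} <= r.states and r.proto and not r.ports:
            stateful.add(r.proto)
    for proto, port in sorted(new_open - expected):
        findings.append(f"{iface}: unexpected {proto}/{port} open to NEW connections")
    for proto, port in sorted(expected - new_open):
        findings.append(f"{iface}: expected {proto}/{port} is not accepted")
    for proto in ("tcp", "udp"):
        if proto not in stateful:
            findings.append(f"{iface}: no ESTABLISHED,RELATED accept for {proto}; "
                            "replies will be dropped")
    return findings


if __name__ == "__main__":
    for name, dump in (("sample", SAMPLE_DUMP), ("broken", BROKEN_DUMP)):
        print(name, audit(parse_rules(dump)) or "OK")
```

On a real node the dump would come from `iptables -S INPUT` instead of the embedded strings; the audit only reads the chain, it never changes it. The parser models just the options the mail's rules use (interface, protocol, destination ports, state, target), so a rule that relies on something else, such as a source-address match, is treated as matching everything, which errs on the side of reporting it.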