[pve-devel] RFC : iptables implementation

Alexandre DERUMIER aderumier at odiso.com
Wed Jan 29 06:54:07 CET 2014 

Sorry, to be late, I was very busy at work.

So, the new implementation, mostly same that cloudstack.

The main idea is to reduce a maximum rules lookup for performance.

1) the forward rules are splitted by bridge, and we only check rules for tap devices on this bridge. This reduce a lot lookups if you have a lot of bridge (bridgevlan for example)
2) the inter-bridge routing is dropped by default.
3) the tap outgoing rules are always processed before incoming. We need to use RETURN in outgoing rules, but we can use ACCEPT in incoming rules.
   That good, because we can stop lookups when ACCEPT.


I have added an host firewall chains, I think it could be great to have also a tab to manage rules for the host in gui.

tap->host traffic is filtered. (using src mac address)
Host->tap traffic rules can only be managed using tap destination ip.


I use ipset to manage group of ips. ipset do faster lookup than default iptables when need to apply 1rules of many ips,ports,...
I think it could be great to handle ipset groups too in config,gui.


Comments are welcome :)





sample network
-------------

external router (10.3.94.1)------kvmhost eth0----vmbr0(10.3.94.31)----------tap110 (10.3.94.200 gw 10.3.94.31)
                                                                  ----------tap123 (10.3.94.201 gw 10.3.94.1)

                                                 vmbr1(10.2.0.1)------------tap115 (10.2.0.2 gw 10.2.0.2)


#!/bin/bash
set -x #echo on

iptables -F
iptables -X
ipset -F
ipset -X

#IPSET ALIASES
#-------------
ipset -N kvmhost iphash --probes 8
ipset -A kvmhost 10.3.94.31
ipset -A kvmhost 10.2.0.1

ipset -N kvmclusterhosts iphash --probes 8
ipset -A kvmclusterhosts 10.3.94.31
ipset -A kvmclusterhosts 10.3.94.47
ipset -A kvmclusterhosts 10.3.94.14
ipset -A kvmclusterhosts 10.3.98.1

ipset -N tap110i0ip iphash --probes 8
ipset -A tap110i0ip 10.3.94.200

ipset -N tap123i0ip iphash --probes 8
ipset -A tap123i0ip 10.3.94.201

ipset -N tap115i0ip iphash --probes 8
ipset -A tap115i0ip 10.2.0.2



#MAIN JUMPS
#-----------
iptables -N proxmoxfw-FORWARD
iptables -N proxmoxfw-INPUT
iptables -N proxmoxfw-OUTPUT
iptables -A INPUT -j proxmoxfw-INPUT
iptables -A OUTPUT -j proxmoxfw-OUTPUT
iptables -A FORWARD -j proxmoxfw-FORWARD
iptables -A proxmoxfw-INPUT -j LOG --log-prefix "proxmoxfw-INPUT: " --log-level 4
iptables -A proxmoxfw-OUTPUT -j LOG --log-prefix "proxmoxfw-OUPUT: " --log-level 4
iptables -A proxmoxfw-FORWARD -j LOG --log-prefix "proxmoxfw-FORWARD: " --log-level 4



#BRIDGES FIREWALL
#-----------------

iptables -N vmbr1
iptables -N vmbr1-OUT
iptables -N vmbr1-IN

iptables -A proxmoxfw-FORWARD -o vmbr1 -m physdev --physdev-is-bridged -j vmbr1
iptables -A proxmoxfw-FORWARD -i vmbr1 -m physdev --physdev-is-bridged -j vmbr1
iptables -A proxmoxfw-FORWARD -i vmbr1 -j DROP  #disable interbridge routing
iptables -A proxmoxfw-FORWARD -o vmbr1 -j DROP # disable interbridge routing
iptables -A vmbr1 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A vmbr1 -m physdev --physdev-is-bridged --physdev-is-in -j vmbr1-OUT
iptables -A vmbr1 -m physdev --physdev-is-bridged --physdev-is-out -j vmbr1-IN
iptables -A vmbr1 -j ACCEPT

iptables -N vmbr2
iptables -N vmbr2-OUT
iptables -N vmbr2-IN
iptables -A proxmoxfw-FORWARD -o vmbr2 -m physdev --physdev-is-bridged -j vmbr2
iptables -A proxmoxfw-FORWARD -i vmbr2 -m physdev --physdev-is-bridged -j vmbr2
iptables -A proxmoxfw-FORWARD -i vmbr2 -j DROP  # disable interbridge routing
iptables -A proxmoxfw-FORWARD -o vmbr2 -j DROP  # disable interbridge routing
iptables -A vmbr2 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A vmbr2 -m physdev --physdev-is-bridged --physdev-is-in -j vmbr2-OUT
iptables -A vmbr2 -m physdev --physdev-is-bridged --physdev-is-out -j vmbr2-IN
iptables -A vmbr2 -j ACCEPT


#VMBR1-OUT
#---------
iptables -N tap110i0-OUT
iptables -A vmbr1-OUT -m physdev --physdev-in tap110i0 --physdev-is-bridged -j tap110i0-OUT
iptables -N tap123i0-OUT
iptables -A vmbr1-OUT -m physdev --physdev-in tap123i0 --physdev-is-bridged -j tap123i0-OUT


#VMBR1-IN
#--------
iptables -N tap110i0-IN
iptables -A vmbr1-IN -m physdev --physdev-out tap110i0 --physdev-is-bridged -j tap110i0-IN
iptables -N tap123i0-IN
iptables -A vmbr1-IN -m physdev --physdev-out tap123i0 --physdev-is-bridged -j tap123i0-IN

#vmbr2-OUT
#---------
iptables -N tap115i0-OUT
iptables -A vmbr2-OUT -j LOG --log-prefix "vmbr2-out: " --log-level 4
iptables -A vmbr2-OUT -m physdev --physdev-in tap115i0 --physdev-is-bridged -j tap115i0-OUT


#vmbr2-IN
#--------
iptables -N tap115i0-IN
iptables -A vmbr2-IN -j LOG --log-prefix "vmbr2-in: " --log-level 4
iptables -A vmbr2-IN -m physdev --physdev-out tap115i0 --physdev-is-bridged -j tap115i0-IN





#out rules for tap110i0 # RETURN FOR ACCEPT
iptables -A tap110i0-OUT -m state --state INVALID -j DROP 
iptables -A tap110i0-OUT -m state --state RELATED,ESTABLISHED -j ACCEPT 
iptables -A tap110i0-OUT -m mac ! --mac-source 1E:0B:85:27:8D:65 -j DROP #mac antispoofing
iptables -A tap110i0-OUT ! -s 10.3.94.200/32 -j DROP  #ip antispoofing
iptables -A tap110i0-OUT -p udp -m udp --sport 67 --dport 68 -j DROP #drop potential vm dhcp server response
iptables -A tap110i0-OUT -p udp -m udp --sport 68 --dport 67 -j RETURN  #allow dhcp query
iptables -A tap110i0-OUT -p tcp -m tcp --dport 22 -j RETURN
iptables -A tap110i0-OUT -j LOG --log-prefix "tap110i0out-dropped: " --log-level 4
iptables -A tap110i0-OUT -j DROP


#in rules for tap110i0  # ACCEPT
iptables -A tap110i0-IN -m state --state INVALID -j DROP
iptables -A tap110i0-IN -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A tap110i0-IN -p tcp -m tcp --dport 22 -j ACCEPT
iptables -A tap110i0-IN -j LOG --log-prefix "tap11i0in-dropped: " --log-level 4
iptables -A tap110i0-IN -j DROP


#out rules for tap115i0
iptables -A tap115i0-OUT -m state --state INVALID -j DROP 
iptables -A tap115i0-OUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A tap115i0-OUT -j LOG --log-prefix "tap115i0out-dropped: " --log-level 4
iptables -A tap115i0-OUT -j DROP


#in rules for tap115i0  
iptables -A tap115i0-IN -m state --state INVALID -j DROP
iptables -A tap115i0-IN -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A tap115i0-IN -j LOG --log-prefix "tap115i0in-dropped: " --log-level 4
iptables -A tap115i0-IN -j DROP



#out rules for tap123i0
iptables -A tap123i0-OUT -m state --state INVALID -j DROP 
iptables -A tap123i0-OUT -m state --state RELATED,ESTABLISHED -j ACCEPT 
iptables -A tap123i0-OUT -j LOG --log-prefix "tap123i0out-dropped: " --log-level 4
iptables -A tap123i0-OUT -j DROP


#in rules for tap123i0  
iptables -A tap123i0-IN -m state --state INVALID -j DROP
iptables -A tap123i0-IN -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A tap123i0-IN -j LOG --log-prefix "tap123in-dropped: " --log-level 4
iptables -A tap123i0-IN -j DROP




#ROUTING FIREWALL
#-----------------


#INPUT RULES (host firewall in and vm routing out)
#----------------------------------------------
iptables -N kvmhost-IN
iptables -A proxmoxfw-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A proxmoxfw-INPUT -m set --match-set kvmhost dst -j kvmhost-IN
iptables -A proxmoxfw-INPUT -m mac --mac-source 1E:0B:85:27:8D:65 -j tap110i0-OUT 
iptables -A proxmoxfw-INPUT -m mac --mac-source 32:36:8A:E1:B5:65 -j tap115i0-OUT
iptables -A proxmoxfw-INPUT -m mac --mac-source E6:5F:F3:D4:2E:A6 -j tap123i0-OUT
iptables -A proxmoxfw-INPUT -j ACCEPT

#OUTPUT RULES (host firewall out and vm routing in)
#----------------------------------------------
iptables -N kvmhost-OUT
iptables -A proxmoxfw-OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A proxmoxfw-OUTPUT -m set --match-set kvmhost src -j kvmhost-OUT
iptables -A proxmoxfw-OUTPUT -m set --match-set tap110i0ip dst -j tap110i0-IN 
iptables -A proxmoxfw-OUTPUT -m set --match-set tap115i0ip dst -j tap115i0-IN
iptables -A proxmoxfw-OUTPUT -m set --match-set tap123i0ip dst -j tap123i0-IN
iptables -A proxmoxfw-OUTPUT -j ACCEPT


#HOST FIREWALL
#-------------

iptables -A kvmhost-IN -p tcp -m tcp --dport 22 -j RETURN
iptables -A kvmhost-IN -p tcp -m tcp --dport 8006 -j RETURN
iptables -A kvmhost-IN -m set --match-set kvmclusterhosts src -j RETURN
iptables -A kvmhost-IN -m pkttype --pkt-type multicast -j RETURN
iptables -A kvmhost-IN -m iprange --dst-range 224.0.0.0-239.255.255.255 -j DROP
iptables -A kvmhost-IN -j LOG --log-prefix "kvmhost-IN dropped: " --log-level 4
iptables -A kvmhost-IN -j DROP


iptables -A kvmhost-OUT -p tcp -m tcp --dport 22 -j RETURN
iptables -A kvmhost-OUT -m set --match-set kvmclusterhosts dst -j RETURN
iptables -A kvmhost-OUT -p udp -m udp --dport 9000 -j RETURN
iptables -A kvmhost-OUT -m pkttype --pkt-type multicast -j RETURN
iptables -A kvmhost-OUT -m iprange --dst-range 224.0.0.0-239.255.255.255 -j DROP
iptables -A kvmhost-OUT -j LOG --log-prefix "kvmhost-OUT dropped: " --log-level 4
iptables -A kvmhost-OUT -j DROP

More information about the pve-devel mailing list