[PVE-User] Proxmox and firewall
Michael Rasmussen
mir at miras.org
Tue Jun 11 17:36:27 CEST 2013
On Tue, 11 Jun 2013 17:24:30 +0200
Julien Groselle <julien.groselle at gmail.com> wrote:
> Hello again,
>
> In our company, we set up heavy firewalls on every server.
> So, after many tests on Proxmox with an open firewall, it's time to put
> the servers in production.
> Before this step, we have to configure our iptables rules:
>
> Here is a partial output of my 'netstat -lnpute':
> tcp 0 0 127.0.0.1:85 0.0.0.0:* LISTEN 0 35730752 433645/pvedaemon
> tcp 0 0 0.0.0.0:8006 0.0.0.0:* LISTEN 33 35730876 433690/pveproxy
> udp 0 0 192.168.100.187:5404 0.0.0.0:* 0 13381511 4501/corosync
> udp 0 0 192.168.100.187:5405 0.0.0.0:* 0 13381512 4501/corosync
> udp 0 0 239.192.1.240:5405 0.0.0.0:* 0 13381508 4501/corosync
>
> Do I just have to open tcp/8006 and all the udp/540* ports? Or are there
> other ports that Proxmox needs to use?
> I'm sure that ssh has to be open between the two nodes, but what
> else?
>
I run the following script at boot on every host. Every host has 2 NICs
in a bond and has a number of VLANs and bridges configured. The hosts
have a configured IP only on vmbr0 (default vlan0), on a LAN for shared
storage (vlan20), and on a LAN for migration (vlan30). Everything is
connected through a managed switch. vlan20 is accessible by all
storage nodes and all hosts. vlan30 is only accessible by hosts. The
only access to hosts is via vlan0.
cat /etc/iptables.sh
#!/bin/sh
iptables -F INPUT
# Block all input on vmbr0 except
# https(8006)
iptables -A INPUT -i vmbr0 -p tcp --dport 8006 -m state --state NEW -j ACCEPT
# vnc-console (5900-5910)
iptables -A INPUT -i vmbr0 -p tcp -m multiport --dports 5900:5910 -m state --state NEW -j ACCEPT
# apcups (udp:3551)
iptables -A INPUT -i vmbr0 -p udp --dport 3551 -m state --state NEW -j ACCEPT
# Related traffic to the above
iptables -A INPUT -i vmbr0 -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i vmbr0 -p udp -m state --state ESTABLISHED,RELATED -j ACCEPT
# Drop everything else
iptables -A INPUT -i vmbr0 -j DROP
--
Hilsen/Regards
Michael Rasmussen
Get my public GnuPG keys:
michael <at> rasmussen <dot> cc
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xD3C9A00E
mir <at> datanom <dot> net
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xE501F51C
mir <at> miras <dot> org
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xE3E80917
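For readers who run the cluster traffic on the same bridge as management (the situation in Julien's netstat output, where corosync binds to 192.168.100.187 and the multicast group 239.192.1.240), the script above would cut off corosync and node-to-node ssh. The following is an added example, not Michael's script and not Proxmox's own firewall: it keeps his interface-scoped approach but also admits corosync udp/5404-5405 from the cluster subnet, ssh between nodes, and loopback (pvedaemon listens on 127.0.0.1:85 only), and limits the GUI and VNC console ports to an admin network. All addresses (192.168.100.0/24, 192.168.1.0/24) and the `rule`/`generate_rules` helpers are constructed placeholders; it prints the rules by default and only applies them when run as `apply`.

```shell
#!/bin/sh
# Added example (not the script from the thread): INPUT rules for a Proxmox
# node whose cluster traffic shares the management bridge.  All networks below
# are constructed placeholders; adjust them to your own environment.
IF="${IF:-vmbr0}"                                  # management bridge (vlan0 in the thread)
CLUSTER_NET="${CLUSTER_NET:-192.168.100.0/24}"     # constructed: subnet of the corosync address in the question
COROSYNC_MCAST="${COROSYNC_MCAST:-239.192.1.240}"  # multicast group seen in the netstat output
ADMIN_NET="${ADMIN_NET:-192.168.1.0/24}"           # constructed placeholder: admin workstations
IPT="${IPT:-echo iptables}"                        # dry run by default; IPT=iptables applies the rules

# Run (or, in dry-run mode, print) one iptables command.
rule() { $IPT "$@"; }

generate_rules() {
    rule -F INPUT
    # pvedaemon listens on 127.0.0.1:85 only; pveproxy talks to it over loopback,
    # so loopback must stay open even if a DROP policy is added later.
    rule -A INPUT -i lo -j ACCEPT
    # Replies and related ICMP errors for connections this host initiated
    # (all protocols, not only tcp/udp as in the original script).
    rule -A INPUT -i "$IF" -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Web GUI/API (8006) and VNC console ports (5900-5910) from the admin network only.
    rule -A INPUT -i "$IF" -s "$ADMIN_NET" -p tcp --dport 8006 -m state --state NEW -j ACCEPT
    rule -A INPUT -i "$IF" -s "$ADMIN_NET" -p tcp --dport 5900:5910 -m state --state NEW -j ACCEPT
    # ssh between cluster nodes (needed for migration) and from the admin network.
    rule -A INPUT -i "$IF" -s "$CLUSTER_NET" -p tcp --dport 22 -m state --state NEW -j ACCEPT
    rule -A INPUT -i "$IF" -s "$ADMIN_NET" -p tcp --dport 22 -m state --state NEW -j ACCEPT
    # corosync udp/5404-5405 from peers; the multicast packets to $COROSYNC_MCAST
    # carry a peer's unicast source address, so this one rule covers both.
    rule -A INPUT -i "$IF" -s "$CLUSTER_NET" -p udp --dport 5404:5405 -j ACCEPT
    # IGMP must pass, or an IGMP-snooping switch stops forwarding the multicast
    # group to this host and the cluster loses quorum a few minutes later.
    rule -A INPUT -i "$IF" -p igmp -j ACCEPT
    # Everything else on the management bridge is dropped; log (rate-limited)
    # so a blocked port shows up in the kernel log instead of a silent timeout.
    rule -A INPUT -i "$IF" -m limit --limit 5/min -j LOG --log-prefix "pve-input-drop: "
    rule -A INPUT -i "$IF" -j DROP
}

if [ "${1:-}" = "apply" ]; then
    IPT=iptables
fi
generate_rules
```

Run it without arguments to preview the rule set, then `sh pve-fw.sh apply` as root to load it (and hook it into boot the same way Michael does). Watch `dmesg` for `pve-input-drop:` entries while testing a migration or a console session; anything logged there is a port you still need to admit explicitly.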