[PVE-User] Proxmox and firewall

Michael Rasmussen mir at miras.org
Tue Jun 11 17:36:27 CEST 2013


On Tue, 11 Jun 2013 17:24:30 +0200
Julien Groselle <julien.groselle at gmail.com> wrote:

> Hello again,
> 
> In our company, we set up a heavy firewall on every server.
> So, after many tests on Proxmox with an open firewall, it's time to put
> the servers in production.
> Before this step, we have to configure our iptables rules:
> 
> Here is a partial output of my 'netstat -lnpute':
> tcp        0      0 127.0.0.1:85            0.0.0.0:*               LISTEN      0          35730752   433645/pvedaemon
> tcp        0      0 0.0.0.0:8006            0.0.0.0:*               LISTEN      33         35730876   433690/pveproxy
> udp        0      0 192.168.100.187:5404    0.0.0.0:*                           0          13381511   4501/corosync
> udp        0      0 192.168.100.187:5405    0.0.0.0:*                           0          13381512   4501/corosync
> udp        0      0 239.192.1.240:5405      0.0.0.0:*                           0          13381508   4501/corosync
> 
> Do I just have to open tcp/8006 and all the udp/540* ports? Or are there
> any other ports that Proxmox needs to use?
> I'm sure that SSH has to be open between the two nodes, but what
> else?
> 
I run the following script at boot on every host. Every host has 2 NICs
in a bond and has a number of VLANs and bridges configured. The hosts
only have an IP configured on vmbr0 (default vlan0), on a LAN for shared
storage (vlan20), and on a LAN for migration (vlan30). Everything is
connected through a managed switch. vlan20 is accessible by all
storage nodes and all hosts. vlan30 is only accessible by hosts. The
only access to the hosts is via vlan0.

cat /etc/iptables.sh
#!/bin/sh

# Start from an empty INPUT chain (policy is left unchanged; the final
# rule below does the dropping for vmbr0).
iptables -F INPUT

# Block all input on vmbr0 except
# https (8006): pveproxy, web UI and API
iptables -A INPUT -i vmbr0 -p tcp --dport 8006 -m state --state NEW -j ACCEPT
# vnc-console (5900-5910)
iptables -A INPUT -i vmbr0 -p tcp -m multiport --dports 5900:5910 -m state --state NEW -j ACCEPT
# apcups (udp:3551)
iptables -A INPUT -i vmbr0 -p udp --dport 3551 -m state --state NEW -j ACCEPT

# Related traffic to the above (and replies to connections the host
# opened itself). Only tcp and udp are matched here; icmp falls through
# to the DROP below.
iptables -A INPUT -i vmbr0 -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i vmbr0 -p udp -m state --state ESTABLISHED,RELATED -j ACCEPT

# Drop everything else arriving on vmbr0. Other interfaces (vlan20,
# vlan30) are not filtered by this script.
iptables -A INPUT -i vmbr0 -j DROP


-- 
Hilsen/Regards
Michael Rasmussen

Get my public GnuPG keys:
michael <at> rasmussen <dot> cc
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xD3C9A00E
mir <at> datanom <dot> net
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xE501F51C
mir <at> miras <dot> org
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xE3E80917
--------------------------------------------------------------
* Omnic looks at his 33.6k link and then looks at Joy
* Mercury cuddles his cable modem.. (=:]
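The following is an added example, not Michael's script and not code from the Proxmox project. It turns the thread's answer into a default-deny INPUT policy for a node laid out like the one described above (vmbr0 for management, vlan20 for storage, vlan30 for migration) and opens only the ports this thread names: tcp/8006, VNC tcp/5900-5910, apcupsd udp/3551, SSH between nodes, and corosync udp/5404-5405 plus the 239.192.1.240 multicast group from Julien's netstat output. The admin network 192.168.100.0/24, the CLUSTER_PEERS addresses, the IGMP rule and the variable names are assumptions to adjust for your site; ports the thread does not mention are deliberately not opened here.

```shell
#!/bin/sh
# Added example (not Michael's /etc/iptables.sh, not Proxmox code).
# Host firewall for a Proxmox VE node: default-deny INPUT, explicit
# allows per service, cluster traffic only from known peer nodes.
# DRY_RUN=1 prints the rules instead of applying them.

IPT="${IPT:-iptables}"
DRY_RUN="${DRY_RUN:-0}"
MGMT_IF="${MGMT_IF:-vmbr0}"                        # management bridge (from the thread)
ADMIN_NET="${ADMIN_NET:-192.168.100.0/24}"         # assumed: where the admins sit
CLUSTER_PEERS="${CLUSTER_PEERS:-}"                 # assumed: space-separated peer node IPs
COROSYNC_MCAST="${COROSYNC_MCAST:-239.192.1.240}"  # multicast group from the netstat output

# rule ARGS...: apply one iptables command, or print it when DRY_RUN=1.
rule() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$IPT" "$@"
    fi
}

build_ruleset() {
    rule -F INPUT

    # pvedaemon listens on 127.0.0.1:85 and pveproxy talks to it over
    # loopback, so loopback must stay open.
    rule -A INPUT -i lo -j ACCEPT

    # Replies to flows this host opened (storage on vlan20, outgoing
    # migration on vlan30, apt, DNS) and ICMP errors related to them.
    # First, so it wins before any interface-specific rule.
    rule -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    rule -A INPUT -m conntrack --ctstate INVALID -j DROP

    # Management bridge: web UI/API and VNC console, but only from the
    # admin network instead of from anywhere on vmbr0.
    rule -A INPUT -i "$MGMT_IF" -s "$ADMIN_NET" -p tcp --dport 8006 -m conntrack --ctstate NEW -j ACCEPT
    rule -A INPUT -i "$MGMT_IF" -s "$ADMIN_NET" -p tcp --dport 5900:5910 -m conntrack --ctstate NEW -j ACCEPT
    # apcupsd network information server
    rule -A INPUT -i "$MGMT_IF" -s "$ADMIN_NET" -p udp --dport 3551 -j ACCEPT

    # Cluster traffic only from the peer nodes: SSH (migration, pvecm)
    # and corosync unicast on udp/5404-5405. Add "-i <vlan>" once you
    # know which VLAN carries it.
    for peer in $CLUSTER_PEERS; do
        rule -A INPUT -s "$peer" -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
        rule -A INPUT -s "$peer" -p udp --dport 5404:5405 -j ACCEPT
    done
    # corosync multicast group, plus IGMP so the kernel can answer the
    # switch's membership queries (assumed: IGMP snooping on the switch).
    rule -A INPUT -d "$COROSYNC_MCAST" -p udp --dport 5405 -j ACCEPT
    rule -A INPUT -p igmp -j ACCEPT

    # Keep ping and path-MTU discovery working.
    rule -A INPUT -p icmp -j ACCEPT

    # Default deny as the chain policy, so a later flush never leaves
    # the host wide open.
    rule -P INPUT DROP
}

# Number of -A rules the script would install; a cheap sanity check.
rule_count() {
    ( DRY_RUN=1; build_ruleset ) | grep -c '^-A '
}

if [ "${1:-}" = apply ]; then
    build_ruleset
fi
```

Run `DRY_RUN=1 CLUSTER_PEERS="10.0.0.2 10.0.0.3" sh iptables.sh apply` to review the generated rules first, then `sh iptables.sh apply` from a boot hook (for example `/etc/network/if-up.d/`) with the peers set. Unlike the script above it filters every interface, so anything the host must accept on vlan20 or vlan30 beyond replies to its own connections has to be added explicitly.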