[PVE-User] Proxmox and firewall

Julien Groselle julien.groselle at gmail.com
Wed Jun 12 08:56:54 CEST 2013


Hi Michael,

Thank you for your SMART answer!
We will make our bash script now to enable the firewall on our two proxmox
hosts.

Have a good day! ;-)

*JG*

2013/6/11 Michael Rasmussen <mir at miras.org>

> On Tue, 11 Jun 2013 17:24:30 +0200
> Julien Groselle <julien.groselle at gmail.com> wrote:
>
> > Hello again,
> >
> > In our company, we set up a heavy firewall on every server.
> > So, after many tests on proxmox with an open firewall, it's time to put the
> > servers in production.
> > Before this step, we have to configure our iptables rules:
> >
> > Here is a partial output of my 'netstat -lnpute':
> > tcp        0      0 127.0.0.1:85            0.0.0.0:*               LISTEN      0          35730752    433645/pvedaemon
> > tcp        0      0 0.0.0.0:8006            0.0.0.0:*               LISTEN      33         35730876    433690/pveproxy
> > udp        0      0 192.168.100.187:5404    0.0.0.0:*                           0          13381511    4501/corosync
> > udp        0      0 192.168.100.187:5405    0.0.0.0:*                           0          13381512    4501/corosync
> > udp        0      0 239.192.1.240:5405      0.0.0.0:*                           0          13381508    4501/corosync
> >
> > Do I just have to open tcp/8006 and all of udp/540*? Or are there any ports
> > that proxmox needs to use?
> > I'm sure that ssh has to be open between the two nodes, but what
> > else?
> >
> I run the following script at boot on every host. Every host has 2 NICs
> in a bond and has a number of VLANs and bridges configured. The hosts
> only have a configured IP on vmbr0 (default vlan0), on a LAN for shared
> storage (vlan20), and on a LAN for migration (vlan30). Everything is
> connected through a managed switch. vlan20 is accessible by all
> storage nodes and all hosts. vlan30 is only accessible by hosts. The
> only access to the hosts is via vlan0.
>
> cat /etc/iptables.sh
> #!/bin/sh
>
> iptables -F INPUT
>
> # Block all input on vmbr0 except
> # https(8006)
> iptables -A INPUT -i vmbr0 -p tcp --dport 8006 -m state --state NEW -j ACCEPT
> # vnc-console (5900-5910)
> iptables -A INPUT -i vmbr0 -p tcp -m multiport --dports 5900:5910 -m state --state NEW -j ACCEPT
> # apcups (udp:3551)
> iptables -A INPUT -i vmbr0 -p udp --dport 3551 -m state --state NEW -j ACCEPT
>
> # Related traffic to the above
> iptables -A INPUT -i vmbr0 -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
> iptables -A INPUT -i vmbr0 -p udp -m state --state ESTABLISHED,RELATED -j ACCEPT
>
> # Drop everything else
> iptables -A INPUT -i vmbr0 -j DROP
>
>
> --
> Hilsen/Regards
> Michael Rasmussen
>
> Get my public GnuPG keys:
> michael <at> rasmussen <dot> cc
> http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xD3C9A00E
> mir <at> datanom <dot> net
> http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xE501F51C
> mir <at> miras <dot> org
> http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xE3E80917
> --------------------------------------------------------------
> * Omnic looks at his 33.6k link and then looks at Joy
> * Mercury cuddles his cable modem.. (=:]
>
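As an added example (not the script of either poster), here is a reviewable version of the kind of script Julien says he will write, built from the ports visible in his netstat output (tcp/8006, udp/5404-5405 including the 239.192.1.240 multicast group) plus ssh between the two nodes. ADMIN_NET, PEER and IFACE are assumed values; the rules are emitted as text so they can be checked without root and loaded with "apply".

```shell
#!/bin/sh
# Added example, not the script from the thread. It turns the ports visible in
# Julien's netstat output (tcp/8006, udp/5404-5405 incl. multicast 239.192.1.240)
# plus ssh between the two nodes into an INPUT policy that can be reviewed and
# tested before it is loaded. ADMIN_NET, PEER and IFACE are assumed values.
ADMIN_NET="${ADMIN_NET:-192.168.100.0/24}"   # assumed: where administrators connect from
PEER="${PEER:-192.168.100.188}"              # assumed: the other cluster node
IFACE="${IFACE:-vmbr0}"                      # management bridge, as in the thread
CORO_MCAST="239.192.1.240"                   # corosync multicast group from the netstat output

# Emit the rule set as plain iptables commands so it can be diffed and checked
# without root; "apply" pipes the same text into sh.
build_rules() {
    cat <<EOF
iptables -F INPUT
iptables -P INPUT DROP
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m conntrack --ctstate INVALID -j DROP
# web GUI/API (tcp/8006) and VNC console range, only from the admin network
iptables -A INPUT -i $IFACE -s $ADMIN_NET -p tcp --dport 8006 -m conntrack --ctstate NEW -j ACCEPT
iptables -A INPUT -i $IFACE -s $ADMIN_NET -p tcp --dport 5900:5910 -m conntrack --ctstate NEW -j ACCEPT
# ssh from the peer node (migration, cluster tooling) and from admins
iptables -A INPUT -i $IFACE -s $PEER -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
iptables -A INPUT -i $IFACE -s $ADMIN_NET -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
# corosync: unicast from the peer and the multicast group, udp/5404-5405
iptables -A INPUT -i $IFACE -s $PEER -p udp --dport 5404:5405 -j ACCEPT
iptables -A INPUT -i $IFACE -d $CORO_MCAST -p udp --dport 5404:5405 -j ACCEPT
# pvedaemon on 127.0.0.1:85 is reached only via lo; log (rate limited) then drop the rest
iptables -A INPUT -i $IFACE -m limit --limit 5/min -j LOG --log-prefix "PVE-DROP "
iptables -A INPUT -i $IFACE -j DROP
EOF
}

# Sanity check: number of rules that accept NEW connections without a source
# restriction. For this policy it must be 0 (a non-zero value means a port is
# reachable from anywhere on the bridge).
unrestricted_new_rules() {
    build_rules | grep -- '--ctstate NEW' | grep -vc -- ' -s ' || true
}

case "${1:-show}" in
    apply) build_rules | sh ;;
    *)     build_rules ;;
esac
```

Review the printed rules (and confirm the check reports 0) on each node before running it with "apply" from a console session, since the policy is DROP while the rules are being loaded.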