From: <ope...@li...> - 2014-11-14 06:53:40
We have been using the shorewall iptables firewall on the host side - and it has been working ok so far. Here is the howto: http://opennodecloud.com/opennode-os/2013/01/01/howto-firewall-support.html

I think doing direct iptables rules was a bit too complicated and it was much easier to use the shorewall rules compiler - than to set up iptables rules manually.

> ope...@li... <mailto:ope...@li...>
> 14. november 2014 3:00
> All,
>
> OK, First, let me say I've read all of the firewall posts for openvz and
> opennode. I have a specific goal. I want to run a straight iptables
> firewall on the hardware node and then run individual straight iptables
> firewalls on the containers. I've done this on our LAN opennode server,
> as it did not require a firewall on the hardware node, just on the
> container. I modprobed ip_conntrack and xt_state on the hardware node,
> passed the specific modules needed to the configuration file for the
> container I was working on, set up the iptables rules and was up and
> running.
>
> Now, I'm simply trying to use a straight iptables script on an opennode
> server with a publicly facing IP address, and I cannot get connection
> tracking to work at all. It shows the ESTABLISHED, RELATED rule when I
> do an iptables -L -n, but it does not pass traffic to even be able to
> ping google, let alone download templates with the TUI. The container on
> the inside will be used by an individual in our company who is used to
> making his own firewall changes, and I don't want to upset the apple
> cart by setting up the hardware node as a virtual hardware firewall for
> all of the containers.
>
> My default INPUT policy is DROP, which I would expect to work with the
> ESTABLISHED, RELATED rule. I should also say that if I change the
> default input policy to ACCEPT, I can ping google and download
> templates, but that obviously leaves the server vulnerable.
>
> Any ideas what I'm missing here?
>
> Thanks in advance!

--
Andres Toomsalu, an...@op... <mailto:an...@op...>
http://www.opennodecloud.com
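The situation in the quoted message (a DROP policy on INPUT that is supposed to be backed by an ESTABLISHED,RELATED rule, on a node or container where the conntrack modules may or may not actually be usable) is a classic lock-out risk. The script below is an added example for this thread, not Andres's shorewall setup or the original poster's script. It orders the rules so that the INPUT policy is flipped to DROP only after the kernel has accepted the state rule; if xt_state / ip_conntrack is not available (on OpenVZ that means loaded on the hardware node and passed to the container's configuration, as the original poster describes), the append fails and the script stops with the policy still at ACCEPT instead of silently dropping everything. The `iptables` binary in `$PATH`, SSH on port 22 as the admin service, and the `DRY_RUN` / `FIREWALL_APPLY` control variables are my assumptions, not anything from the thread.

```shell
#!/bin/sh
# Added example (not the thread's own script): minimal stateful iptables ruleset
# that sets INPUT DROP only after the ESTABLISHED,RELATED rule was accepted.
# Assumptions (mine): iptables in $PATH, SSH on port 22, DRY_RUN=1 prints the
# commands instead of running them, FIREWALL_APPLY=1 applies them for real.
IPT="${IPT:-iptables}"
DRY_RUN="${DRY_RUN:-0}"
SSH_PORT="${SSH_PORT:-22}"

# Run one iptables command, or print it instead when DRY_RUN=1.
ipt() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "$IPT $*"
    else
        "$IPT" "$@"
    fi
}

# Build the INPUT chain in a fail-safe order: open policy, flush, loopback,
# state rule (the step that fails when the state match is missing), services,
# and only then the DROP policy. Returns 2 when the state match is unusable.
apply_rules() {
    ipt -P INPUT ACCEPT || return 1
    ipt -F INPUT || return 1
    ipt -A INPUT -i lo -j ACCEPT || return 1
    # On a kernel/container without xt_state this append fails ("No chain/target/
    # match by that name"); stop here while INPUT is still ACCEPT.
    if ! ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT; then
        echo "state match unavailable (conntrack not loaded?); INPUT left at ACCEPT" >&2
        return 2
    fi
    ipt -A INPUT -m state --state INVALID -j DROP || return 1
    ipt -A INPUT -p icmp --icmp-type echo-request -j ACCEPT || return 1
    ipt -A INPUT -p tcp --dport "$SSH_PORT" -m state --state NEW -j ACCEPT || return 1
    ipt -P OUTPUT ACCEPT || return 1
    ipt -P INPUT DROP || return 1
}

# Helper for checking the generated ruleset without touching the kernel:
# number of rules that use the state match in a dry-run listing.
count_state_rules() {
    ( DRY_RUN=1; apply_rules ) | grep -c -- '--state'
}

# Last command a dry run would execute (must be the DROP policy).
last_dry_run_command() {
    ( DRY_RUN=1; apply_rules ) | tail -n 1
}

# Apply for real only when explicitly requested: FIREWALL_APPLY=1 sh firewall.sh
if [ "${FIREWALL_APPLY:-0}" = "1" ]; then
    apply_rules
fi
```

Run it with `DRY_RUN=1 sh firewall.sh` first to see the exact command sequence; the point of the ordering is that a box where `iptables -L -n` shows the state rule but conntrack is not really working never reaches the `-P INPUT DROP` step, and the exit status 2 tells you to go back to the module configuration on the hardware node before trying again.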