From: <ope...@li...> - 2014-11-14 17:52:08
On 11/14/2014 12:53 AM, ope...@li... wrote:
> We have been using the shorewall iptables firewall on the host side, and it
> has been working ok so far.
> Here is the howto:
> http://opennodecloud.com/opennode-os/2013/01/01/howto-firewall-support.html
> I think writing direct iptables rules was a bit too complicated, and it
> was much easier to use the shorewall rules compiler than to set up iptables
> rules manually.
>

So for others who actually want to use straight iptables on their hardware node, here is the process for doing so.

In our case we /want/ to use straight iptables for the containers as well, so that in each case we want to manage both the hardware device AND the individual containers separately. While I appreciate the solution suggested, it was something that we had already seen and discounted, because we have our knowledge base in iptables itself.

The problem we ran into was that connection tracking would not work on the hardware node. This is because OpenVZ disables it and rules it a performance issue for the hardware node. In our experience with other (Xen) virtualization platforms, the overhead for connection tracking is minimal. This /may/ be an issue on larger servers running several dozen containers, but not with a server that, say, is running 8 to 12 containers, which is our goal.

So to the solution. Evaluate this based on your own personal environment; in other words, your mileage may vary:

* Edit /etc/modprobe.d/openvz.conf
* Change the value for ip_conntrack_disable_ve0=1 to ip_conntrack_disable_ve0=0
* Reboot

Our iptables firewall looks something like this with the DMZ and other specific IPs removed:

#!/bin/sh
#
#IPTABLES=/sbin/iptables
# Unless specified, the default for OUTPUT is ACCEPT.
# The default for FORWARD and INPUT is DROP.
#
echo " clearing any existing rules and setting default policy.."
iptables -F INPUT
iptables -P INPUT DROP
# NTP: peers talk from port 123 to port 123 in both directions
iptables -A INPUT -p udp -m udp --sport 123 --dport 123 -j ACCEPT
# SSH only from the DMZ / management address
iptables -A INPUT -p tcp -m tcp -s [DMZ or management IP] --dport 22 -j ACCEPT
iptables -A INPUT -p icmp -m icmp -s 69.20.200.19 -j ACCEPT
# storage array below this line
iptables -A INPUT -p tcp -m tcp -s [some ip we use for backup] --dport 22 -j ACCEPT
iptables -A INPUT -p tcp -m tcp -s [another ip we use for backup] --dport 22 -j ACCEPT
# DNS replies from our resolvers, matched by source address and source port
iptables -A INPUT -p udp -m udp -s [your dns server] --sport 53 -d 0/0 -j ACCEPT
iptables -A INPUT -p udp -m udp -s [your dns server 2] --sport 53 -d 0/0 -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
# return traffic for connections this node opened; only works once
# connection tracking is enabled in VE0 (see the modprobe change above)
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# turn on this logging feature if you think something bad is happening
# logs to syslog; it must sit before the REJECT rules or it never matches
#iptables -A INPUT -j LOG --log-prefix "FIREWALL-bad input:"
# everything else: reject rather than silently drop
iptables -A INPUT -p tcp -j REJECT --reject-with tcp-reset
iptables -A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
# turn off explicit congestion notification
if [ -e /proc/sys/net/ipv4/tcp_ecn ]
then
    echo 0 > /proc/sys/net/ipv4/tcp_ecn
fi

-- 
Steven G. Spencer, Network Administrator
KSC Corporate - The Kelly Supply Family of Companies
Office 308-382-8764 Ext. 1131
Mobile 402-765-8010
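As an added example (this is not code from the post above nor from the OpenNode project), the following sh script does the two checks the post's procedure depends on before loading a stateful ruleset on the hardware node: it reads and rewrites the ip_conntrack_disable_ve0 option in /etc/modprobe.d/openvz.conf, confirms the running kernel actually exposes a conntrack table, and only then emits an INPUT chain with the ESTABLISHED,RELATED rule ahead of the per-service rules. The file path and option name come from the post; the module name in the constructed sample config (nf_conntrack), the management address 192.0.2.10 and the function names are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not part of the original mailing-list post.
# Pre-flight checks for a stateful iptables ruleset on an OpenVZ hardware
# node (VE0). While ip_conntrack_disable_ve0=1 is in effect, the
# ESTABLISHED,RELATED rule is a no-op, and with a default INPUT DROP
# policy that silently blocks every reply packet the node is waiting for.

# Print the current ip_conntrack_disable_ve0 value from a modprobe config
# file (default: /etc/modprobe.d/openvz.conf). Prints nothing if unset.
ve0_conntrack_setting() {
    conf="${1:-/etc/modprobe.d/openvz.conf}"
    sed -n 's/^[[:space:]]*options[[:space:]].*ip_conntrack_disable_ve0=\([01]\).*/\1/p' "$conf" | head -n 1
}

# Rewrite the option so conntrack is enabled in VE0 (the edit the post
# describes). Takes effect only after a reboot or module reload.
enable_ve0_conntrack() {
    conf="${1:-/etc/modprobe.d/openvz.conf}"
    sed 's/ip_conntrack_disable_ve0=1/ip_conntrack_disable_ve0=0/' "$conf" > "$conf.tmp" \
        && mv "$conf.tmp" "$conf"
}

# Runtime check: is a conntrack table visible on this kernel right now?
# Returns 0 if yes, 1 if not (e.g. the reboot has not happened yet).
conntrack_active() {
    [ -r /proc/net/nf_conntrack ] || [ -r /proc/net/ip_conntrack ]
}

# Emit the INPUT chain with the stateful rule first, so reply traffic is
# matched before any per-service rule.
#   $1 = management address allowed to open SSH (assumed placeholder)
#   $2 = command prefix; pass "echo iptables" for a dry run
build_input_rules() {
    mgmt="$1"
    ipt="${2:-iptables}"
    $ipt -F INPUT
    $ipt -P INPUT DROP
    $ipt -A INPUT -i lo -j ACCEPT
    $ipt -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $ipt -A INPUT -m conntrack --ctstate INVALID -j DROP
    $ipt -A INPUT -p tcp -s "$mgmt" --dport 22 -m conntrack --ctstate NEW -j ACCEPT
    $ipt -A INPUT -p udp --sport 123 --dport 123 -j ACCEPT
    $ipt -A INPUT -p tcp -j REJECT --reject-with tcp-reset
    $ipt -A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
}

# Load the ruleset only when both the modprobe setting and the running
# kernel agree that conntrack is on; otherwise refuse rather than lock
# the node out of its own DNS, NTP and SSH return traffic.
#   $1 = management address, $2 = modprobe config path, $3 = command prefix
apply_firewall() {
    mgmt="$1"
    conf="${2:-/etc/modprobe.d/openvz.conf}"
    ipt="${3:-iptables}"
    if [ "$(ve0_conntrack_setting "$conf")" = "1" ]; then
        echo "refusing: $conf still has ip_conntrack_disable_ve0=1 (edit it, then reboot)" >&2
        return 2
    fi
    if ! conntrack_active; then
        echo "refusing: no conntrack table in /proc; has the node been rebooted?" >&2
        return 3
    fi
    build_input_rules "$mgmt" "$ipt"
}

# Usage (dry run, prints the rules instead of loading them):
#   apply_firewall 192.0.2.10 /etc/modprobe.d/openvz.conf "echo iptables"
```

Once conntrack_active succeeds, the --sport 53 and --sport 123 rules from the posted script are no longer required, because the replies to queries the node sent out match ESTABLISHED on their own; the INVALID drop is the usual companion rule for packets conntrack cannot associate with any flow.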