From: <ope...@li...> - 2014-11-13 23:00:19
All,

OK, first, let me say I've read all of the firewall posts for openvz and opennode. I have a specific goal. I want to run a straight iptables firewall on the hardware node and then run individual straight iptables firewalls on the containers. I've done this on our LAN opennode server, as it did not require a firewall on the hardware node, just on the container. I modprobed ip_conntrack and xt_state on the hardware node, passed the specific modules needed to the configuration file for the container I was working on, set up the iptables rules and was up and running.

Now, I'm simply trying to use a straight iptables script on an opennode server with a publicly facing IP address, and I cannot get connection tracking to work at all. It shows the ESTABLISHED,RELATED rule when I do an iptables -L -n, but it does not pass traffic to even be able to ping google, let alone download templates with the TUI. The container on the inside will be used by an individual in our company who is used to making his own firewall changes, and I don't want to upset the apple cart by setting up the hardware node as a virtual hardware firewall for all of the containers.

My default INPUT policy is DROP, which I would expect to work with the ESTABLISHED,RELATED rule. I should also say that if I change the default input policy to ACCEPT, I can ping google and download templates, but that obviously leaves the server vulnerable.

Any ideas what I'm missing here?

Thanks in advance!

--
Steven G. Spencer, Network Administrator
KSC Corporate - The Kelly Supply Family of Companies
Office 308-382-8764 Ext. 1131
Mobile 402-765-8010
From: <ope...@li...> - 2014-11-14 06:53:40
We have been using the shorewall iptables firewall on the host side, and it has been working OK so far. Here is the howto: http://opennodecloud.com/opennode-os/2013/01/01/howto-firewall-support.html

I think doing direct iptables rules was a bit too complicated, and it was much easier to use the shorewall rules compiler than to set up iptables rules manually.

> ope...@li...
> 14. november 2014 3:00
> All,
>
> OK, First, let me say I've read all of the firewall posts for openvz and
> opennode. I have a specific goal. I want to run a straight iptables
> firewall on the hardware node and then run individual straight iptables
> firewalls on the containers. I've done this on our LAN opennode server,
> as it did not require a firewall on the hardware node, just on the
> container. I modprobed ip_conntrack and xt_state on the hardware node,
> passed the specific modules needed to the configuration file for the
> container I was working on, setup the iptables rules and was up and
> running.
>
> Now, I'm simply trying to use a straight iptables script on an opennode
> server with a publicly facing IP address, and I cannot get connection
> tracking to work at all. It shows the ESTABLISHED, RELATED rule when I
> do an iptables -L -n, but it does not pass traffic to even be able to
> ping google, let alone download templates with the TUI. The container on
> the inside will be used by an individual in our company who is used to
> making his own firewall changes, and I don't want to upset the apple
> cart by setting up the hardware node as a virtual hardware firewall for
> all of the containers.
>
> My default INPUT policy is DROP, which I would expect to work with the
> ESTABLISHED, RELATED rule. I should also say that if I change the
> default input policy to ACCEPT, I can ping google and download
> templates, but that obviously leaves the server vulnerable.
>
> Any ideas what I'm missing here?
>
> Thanks in advance!
> --

----------------------------------------------
Andres Toomsalu, an...@op...
http://www.opennodecloud.com
From: <ope...@li...> - 2014-11-14 17:52:08
On 11/14/2014 12:53 AM, ope...@li... wrote:
> We have been using shorewall iptables firewall on host side - and it
> has been working ok so far.
> Here is the howto:
> http://opennodecloud.com/opennode-os/2013/01/01/howto-firewall-support.html
> I think doing direct iptables rules were a bit too complicated and it
> was much easier to use shorewall rules compiler - than setup iptables
> rules manually.
>

So for others who actually want to use straight iptables on their hardware node, here is the process for doing so. In our case we /want/ to use straight iptables for the containers as well, so that in each case we manage both the hardware device AND the individual containers separately. While I appreciate the solution suggested, it was something that we had already seen and discounted, because we have our knowledge base in iptables itself.

The problem we ran into was that connection tracking would not work on the hardware node. This is because openvz disables it and rules it a performance issue for the hardware node. In our experience with other (Xen) virtualization platforms, the overhead for connection tracking is minimal. This /may/ be an issue on larger servers running several dozen containers, but not with a server that, say, is running 8 to 12 containers, which is our goal.

So to the solution. Evaluate this based on your own personal environment; in other words, your mileage may vary:

* Edit /etc/modprobe.d/openvz.conf
* Change the value for ip_conntrack_disable_ve0=1 to ip_conntrack_disable_ve0=0
* Reboot

Our iptables firewall looks something like this with the DMZ and other specific IPs removed:

#!/bin/sh
#
#IPTABLES=/sbin/iptables
# Unless specified, the default for OUTPUT is ACCEPT
# The default for FORWARD and INPUT is DROP
#
echo " clearing any existing rules and setting default policy.."
iptables -F INPUT
iptables -P INPUT DROP
iptables -A INPUT -p udp -m udp --sport 123 --dport 123 -j ACCEPT
iptables -A INPUT -p tcp -m tcp -s [DMZ or management IP] --dport 22 -j ACCEPT
iptables -A INPUT -p icmp -m icmp -s 69.20.200.19 -j ACCEPT
# storage array below this line
iptables -A INPUT -p tcp -m tcp -s [some ip we use for backup] --dport 22 -j ACCEPT
iptables -A INPUT -p tcp -m tcp -s [another ip we use for backup] --dport 22 -j ACCEPT
iptables -A INPUT -p udp -m udp -s [your dns server] --sport 53 -d 0/0 -j ACCEPT
iptables -A INPUT -p udp -m udp -s [your dns server 2] --sport 53 -d 0/0 -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp -j REJECT --reject-with tcp-reset
iptables -A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
# turn on this logging feature if you think something bad is happening
# logs to syslog
# (insert it above the two REJECT rules, or it will never see a packet)
#iptables -A INPUT -j LOG --log-prefix "FIREWALL-bad input:"
# turn off explicit congestion notification
if [ -e /proc/sys/net/ipv4/tcp_ecn ]
then
    echo 0 > /proc/sys/net/ipv4/tcp_ecn
fi

--
Steven G. Spencer, Network Administrator
KSC Corporate - The Kelly Supply Family of Companies
Office 308-382-8764 Ext. 1131
Mobile 402-765-8010
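As an added example (not part of Steven's message or of OpenNode's tooling), two offline checks for what the fix above depends on: whether the modprobe option now leaves connection tracking on for ve0, and whether the ESTABLISHED,RELATED ACCEPT sits before any REJECT/DROP rule in an iptables -S INPUT dump, since a misplaced rule shows up in iptables -L but never matches return traffic. The config line and the rule dumps are constructed samples.

```shell
#!/bin/sh
# Added example, not from the thread. All inputs below are constructed samples.

# Constructed sample of the option line in /etc/modprobe.d/openvz.conf,
# before and after the change described above.
SAMPLE_CONF_DEFAULT='options ip_conntrack ip_conntrack_disable_ve0=1'
SAMPLE_CONF_FIXED='options ip_conntrack ip_conntrack_disable_ve0=0'

# Constructed samples of `iptables -S INPUT` output. In the second one the
# REJECT rule precedes the conntrack rule, so replies are rejected before
# they can be matched as ESTABLISHED even though the rule is "there".
SAMPLE_RULES_OK='-P INPUT DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -j REJECT --reject-with tcp-reset'
SAMPLE_RULES_BAD='-P INPUT DROP
-A INPUT -p tcp -j REJECT --reject-with tcp-reset
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT'

# Reads modprobe config on stdin; prints enabled / disabled / unknown for
# ve0 connection tracking. Comment lines are ignored; the last setting wins.
ve0_conntrack_state() {
    val=$(grep -v '^[[:space:]]*#' \
          | sed -n 's/.*ip_conntrack_disable_ve0=\([0-9]\).*/\1/p' | tail -n 1)
    case "$val" in
        0) echo enabled ;;
        1) echo disabled ;;
        *) echo unknown ;;
    esac
}

# Reads an `iptables -S INPUT` dump on stdin; prints ok if the conntrack
# ACCEPT comes before the first REJECT/DROP rule, misordered if a terminating
# rule precedes it, missing if there is no conntrack rule at all.
# The --ctstate list is matched loosely because iptables reorders the states.
conntrack_before_reject() {
    awk '
        /--ctstate [^ ]*ESTABLISHED/ && /-j ACCEPT/ && !ct { ct = NR }
        /-j (REJECT|DROP)/ && !rj { rj = NR }
        END {
            if (!ct) print "missing"
            else if (rj && rj < ct) print "misordered"
            else print "ok"
        }'
}

# Stand-alone demo on the constructed samples; on a hardware node feed the
# real file and the real `iptables -S INPUT` output instead.
printf '%s\n' "$SAMPLE_CONF_FIXED" | ve0_conntrack_state
printf '%s\n' "$SAMPLE_RULES_BAD"  | conntrack_before_reject
```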