Hi, here is an implementation of a firewall with iptables, like OpenStack and CloudStack are doing.
The main idea is to use the chains feature of iptables as much as possible. First, we create 2 chains per tap interface, for incoming and outgoing packets (in my example, tap110i0-out and tap110i0-in). Secondly, we create groups of rules, which OpenStack/CloudStack/Amazon EC2 call "security groups". Then, we apply these security groups to tap110i0-out or tap110i0-in (incoming rules / outgoing rules).

This model has a lot of advantages:

- you can define rules (chain names up to 28 characters) and reuse them for different VMs
- you can apply rules on VMs or groups
- if you need to change a chain/security group, you can simply flush the chain (iptables -F chain) before reapplying rules, without needing to regenerate/"compile" all rules
- there is no relation with the bridge, only tap interfaces, so you can move an interface from one bridge to another without breaking rules
- it's possible to make security groups with the MAC addresses of VMs, and allow opening ports from one group to another group
- it's possible to enable/disable firewall logging for each VM separately
- no need to maintain Shorewall config files, compile rules, ...; we can simply generate chains live as security groups are created/modified, or edit the tap chain when a group is applied to/removed from a tap interface

What do you think about it?
# start from an empty ruleset: flush all chains, then delete the user-defined ones
iptables -F
iptables -X
iptables -N tap110i0-out
iptables -N tap110i0-in

# out: frames entering the bridge from tap110i0 (leaving the VM) go to tap110i0-out
# (requires the physdev match, i.e. br_netfilter with bridge-nf-call-iptables enabled)
iptables -A FORWARD -m physdev --physdev-is-bridged --physdev-in tap110i0 -j tap110i0-out
# in: frames leaving the bridge through tap110i0 (entering the VM) go to tap110i0-in
iptables -A FORWARD -m physdev --physdev-is-bridged --physdev-out tap110i0 -j tap110i0-in

# create security group samples
iptables -N security1
iptables -N security2
iptables -N security3
iptables -N security4
iptables -N security5

# security1: MAC address from vm1 + ssh allowed from group4 + one external IP
iptables -A security1 -m mac --mac-source 1e:0b:85:27:8d:65 -j ACCEPT
iptables -A security1 -p tcp --dport 22 -j security4   # allow ssh access to security group4
iptables -A security1 -p tcp --dport 22 --src 192.168.100.55 -j ACCEPT
iptables -A security1 -j RETURN   # nothing matched: back to the calling tap chain

# security2: simple ssh rule
iptables -A security2 -p tcp --dport 22 -j ACCEPT

# security3: group with MAC addresses from vm3 && vm4 + ssh open for security group2
iptables -A security3 -m mac --mac-source ab:ab:ab:ab:ab:ab -j ACCEPT
iptables -A security3 -m mac --mac-source cd:cd:cd:cd:cd:cd -j ACCEPT
iptables -A security3 -p tcp --dport 22 -j security2
iptables -A security3 -j RETURN

# security4: group with MAC address from vm2
iptables -A security4 -m mac --mac-source 32:36:8a:e1:b5:65 -j ACCEPT
iptables -A security4 -j RETURN

# security5: web http 80
iptables -A security5 -p tcp --dport 80 -j ACCEPT

# out rules for tap110i0
iptables -A tap110i0-out -j ACCEPT
# fixme: add antispoofing rules

# in rules for tap110i0: drop INVALID, let reply traffic through, walk the groups,
# then log and drop whatever no group accepted
iptables -A tap110i0-in -m state --state INVALID -j DROP
iptables -A tap110i0-in -m state --state RELATED,ESTABLISHED -j RETURN
iptables -A tap110i0-in -j security1
iptables -A tap110i0-in -j security5
iptables -A tap110i0-in -j LOG --log-prefix "tap110i0in-dropped: " --log-level 4
iptables -A tap110i0-in -j DROP

_______________________________________________
pve-devel mailing list
pve-devel@pve.proxmox.com
http://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
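As an added example (not code from the post or from Proxmox), the following POSIX shell script builds group chains and per-tap inbound chains of the model above from short rule specs, using the flush-then-reapply approach the post describes; the spec syntax (mac:, tcp:port, tcp:port@ip, tcp:port:group) and the 28-character chain-name check are this example's own assumptions.

```shell
# Added example, not code from the post: build the group and tap chains of the
# model above from short rule specs, using flush-then-reapply. IPT defaults to
# "echo iptables" so only the commands are printed; set IPT=iptables to apply
# them (root, and br_netfilter loaded for the physdev match in FORWARD).
IPT="${IPT:-echo iptables}"

# iptables user-chain names are limited to 28 characters; reject bad names early.
check_chain_name() {
    [ -n "$1" ] && [ "${#1}" -le 28 ] &&
        case "$1" in *[!A-Za-z0-9_.-]*) false ;; *) true ;; esac
}

# (Re)build a security-group chain. Rule specs, one per argument:
#   mac:<addr>          accept frames from this source MAC (group member)
#   tcp:<port>          accept TCP to <port> from anywhere
#   tcp:<port>@<ip>     accept TCP to <port> from one source IP
#   tcp:<port>:<group>  hand TCP to <port> over to another group chain
sg_build() {
    name="$1"; shift
    check_chain_name "$name" || { echo "bad chain name: $name" >&2; return 1; }
    $IPT -N "$name" 2>/dev/null || true     # create if missing
    $IPT -F "$name"                         # flush; tap chains jumping here stay valid
    for spec in "$@"; do
        case "$spec" in
            mac:*)   $IPT -A "$name" -m mac --mac-source "${spec#mac:}" -j ACCEPT ;;
            tcp:*@*) p="${spec#tcp:}"
                     $IPT -A "$name" -p tcp --dport "${p%@*}" -s "${p#*@}" -j ACCEPT ;;
            tcp:*:*) p="${spec#tcp:}"
                     $IPT -A "$name" -p tcp --dport "${p%%:*}" -j "${p#*:}" ;;
            tcp:*)   $IPT -A "$name" -p tcp --dport "${spec#tcp:}" -j ACCEPT ;;
            *)       echo "unknown rule spec: $spec" >&2; return 1 ;;
        esac
    done
    $IPT -A "$name" -j RETURN               # unmatched traffic goes back to the tap chain
}

# (Re)build the inbound chain of one tap interface from the groups applied to it,
# in the post's order: INVALID dropped, replies let through, groups walked, the
# rest logged and dropped. conntrack is the current form of the state match.
tap_build_in() {
    tap="$1"; shift; chain="${tap}-in"
    check_chain_name "$chain" || { echo "bad chain name: $chain" >&2; return 1; }
    $IPT -N "$chain" 2>/dev/null || true
    $IPT -F "$chain"
    $IPT -A "$chain" -m conntrack --ctstate INVALID -j DROP
    $IPT -A "$chain" -m conntrack --ctstate RELATED,ESTABLISHED -j RETURN
    for g in "$@"; do $IPT -A "$chain" -j "$g"; done
    $IPT -A "$chain" -j LOG --log-prefix "${tap}in-dropped: " --log-level 4
    $IPT -A "$chain" -j DROP
}
```

Re-running `sg_build security1 ...` with a changed spec only flushes and refills that one chain, so the tap chains referencing it are left untouched, which is the property the post relies on.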