On Wed, 22 Jan 2014 18:27:07 +0100 (CET) Alexandre DERUMIER <aderum...@odiso.com> wrote:
> maybe. I think we shouldn't filter from ethX, because outside can be also
> other hosts with others vm.
> (Or maybe users want to add some custom rules on ethX to protect the host
> itself, like this it doesn't conflict with openstack rules)

With the coming add-on for firewall how would that affect iptables rules on
the host? An example on a standard proxmox node could be the following:

# Block all input on vmbr0 except
# https(8006)
iptables -A INPUT -i vmbr0 -p tcp --dport 8006 -m state \
    --state NEW -j ACCEPT
# vnc-console (5900-5910)
iptables -A INPUT -i vmbr0 -p tcp -m multiport \
    --dports 5900:5910 -m state --state NEW -j ACCEPT
# apcups (udp:3551)
iptables -A INPUT -i vmbr0 -p udp --dport 3551 -m state \
    --state NEW -j ACCEPT
# spice
iptables -A INPUT -i vmbr0 -p tcp --dport 3128 -m state \
    --state NEW -j ACCEPT
# Related traffic to the above
iptables -A INPUT -i vmbr0 -p tcp -m state \
    --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT \
    -i vmbr0 -p udp -m state --state ESTABLISHED,RELATED -j ACCEPT
# Drop everything else
iptables -A INPUT -i vmbr0 -j DROP

-- 
Hilsen/Regards
Michael Rasmussen

Get my public GnuPG keys:
michael <at> rasmussen <dot> cc
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xD3C9A00E
mir <at> datanom <dot> net
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xE501F51C
mir <at> miras <dot> org
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xE3E80917
--------------------------------------------------------------
/usr/games/fortune -es says:
"In the long run, every program becomes rococo, and then rubble."
-- Alan Perlis
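The conflict Michael asks about (an add-on managing INPUT while the admin keeps host-protection rules on vmbr0) is easier to avoid when the host rules live in their own chain that INPUT merely jumps to. The script below is an added example, not code from the thread or from Proxmox: it renders the rule set from the message above as an iptables-restore fragment in a dedicated chain. The chain name PVEHOST-IN is a hypothetical choice, and `-m conntrack --ctstate` is used in place of the message's `-m state --state` (the same match under its current name). Nothing is applied unless the output is piped into `iptables-restore -n`.

```shell
#!/bin/sh
# Added example (not from the pve-devel thread): generate host-protection
# rules for the bridge interface in a dedicated chain, so a firewall add-on
# that rewrites INPUT and the admin's own rules never edit each other's
# entries. Usage: sh host-rules.sh | iptables-restore -n
# (-n keeps chains that are already loaded instead of flushing them).

IFACE="vmbr0"
CHAIN="PVEHOST-IN"   # hypothetical chain name, not a Proxmox convention

# Services the host must accept on the bridge: proto ports label
# (constructed from the ports listed in the message above).
host_services() {
    cat <<EOF
tcp 8006 https
tcp 5900:5910 vnc-console
udp 3551 apcups
tcp 3128 spice
EOF
}

# One ACCEPT rule per service; a port range selects the multiport match,
# a single port uses --dport. Labels become '#' comments, which
# iptables-restore ignores.
service_rules() {
    host_services | while read -r proto ports label; do
        case "$ports" in
            *:*) match="-m multiport --dports $ports" ;;
            *)   match="--dport $ports" ;;
        esac
        printf '%s\n' "# $label"
        printf '%s\n' "-A $CHAIN -p $proto $match -m conntrack --ctstate NEW -j ACCEPT"
    done
}

# Complete fragment: declare the chain, hook it from INPUT for the bridge
# only, accept established flows first (most packets stop here, so the
# per-service rules only ever see new connections), then the services,
# then a final DROP that applies to bridge traffic alone.
host_rules() {
    printf '%s\n' "*filter"
    printf '%s\n' ":$CHAIN - [0:0]"
    printf '%s\n' "-A INPUT -i $IFACE -j $CHAIN"
    printf '%s\n' "-A $CHAIN -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    service_rules
    printf '%s\n' "-A $CHAIN -j DROP"
    printf '%s\n' "COMMIT"
}

host_rules
```

Because the DROP sits at the end of PVEHOST-IN rather than in INPUT, an add-on that appends its own rules to INPUT still gets evaluated for traffic on other interfaces, and the admin can reload this fragment without touching anything the add-on installed.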
_______________________________________________
pve-devel mailing list
pve-devel@pve.proxmox.com
http://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel