NB! Firewalling is officially supported only on the OpenNode 6.x series, not on the older 1.1 release; although you could manually install the shorewall package from the EPEL5 repository on OpenNode 1.1, in which case most of this document might apply as well.
To simplify iptables firewall configuration we have included the Shorewall firewall package (http://www.shorewall.net), a gateway/firewall configuration tool for GNU/Linux.
The following document describes how to install and configure Shorewall on an OpenNode 6.x host. We might include Shorewall in the OpenNode 6.0 Final release by default; in that case the initial package installation and configuration phase described here will become obsolete.
# Install Shorewall and bring up the iptables service now and at boot.
yum install shorewall
# NOTE(review): the stock iptables init script loads its own saved ruleset
# at boot, and Shorewall then installs the ruleset generated from the files
# edited below - confirm the two do not conflict on this platform.
service iptables start
chkconfig iptables on
# Setup zones (nano -w: edit without line wrapping so the column layout of
# the file is preserved)
nano -w /etc/shorewall/zones
--- MODIFY ---
###############################################################################
#ZONE        TYPE        OPTIONS        IN                OUT
#                                       OPTIONS           OPTIONS
# The hardware node itself.
fw firewall
# The bridge (vmbr0); both the uplink and the VM ports are sub-zones of it.
pub ipv4
# Uplink side of the bridge, declared as a bridge-port sub-zone of pub.
net:pub bport4
# Containers reached through venet0 (routed, not bridged).
venet ipv4
# Bridged VMs (veth+/vnet+ ports), also a bridge-port sub-zone of pub.
loc:pub bport4
--- MODIFY ---
# Setup interfaces - maps each zone declared in /etc/shorewall/zones to a
# bridge, bridge port or venet device
nano -w /etc/shorewall/interfaces
--- MODIFY ---
###############################################################################
#ZONE        INTERFACE        BROADCAST        OPTIONS
# vmbr0 is a bridge with proxy ARP enabled; its ports are listed below.
pub vmbr0 - bridge,proxyarp=1
# Physical uplink port of the bridge.
net vmbr0:eth0
# routeback: traffic arriving on venet0 may be routed back out of venet0
# (container to container).
venet venet0 - routeback
# Bridge ports of bridged VMs; the trailing "+" is a wildcard on the port name.
loc vmbr0:veth+
loc vmbr0:vnet+
--- MODIFY ---
# Setup policy - the default action per zone pair; anything not covered by
# an explicit rule in /etc/shorewall/rules falls back to these
nano -w /etc/shorewall/policy
--- MODIFY ---
###############################################################################
#SOURCE      DEST        POLICY      LOG        LIMIT:        CONNLIMIT:
#                                    LEVEL      BURST         MASK
#ALLOW INET ACCESS
# The host may initiate connections out through the bridge.
fw pub ACCEPT
# Bridged VMs may reach the uplink.
loc net ACCEPT
# venet containers may reach the bridge zone.
venet pub ACCEPT
# Anything from the uplink not matched by an explicit rule is dropped
# (no reply sent) and logged at "info".
net all DROP info
# Everything else is rejected and logged. NOTE(review): no fw->venet or
# fw->loc policy is listed, so host-to-VM traffic falls through to this
# REJECT unless a rule permits it - confirm that is intended.
all all REJECT info
--- MODIFY ---
# Setup masquerading IF needed - presumably only when VMs use private
# addresses (such as the 192.168.100.0/24 example) that must be NATed out
nano -w /etc/shorewall/masq
--- MODIFY ---
#############################################################################################
#INTERFACE:DEST    SOURCE            ADDRESS    PROTO    PORT(S)    IPSEC    MARK    USER/
#                                                                                    GROUP
# Example, disabled: masquerade traffic from 192.168.100.0/24 leaving via vmbr0.
#vmbr0 192.168.100.0/24
--- MODIFY ---
# Setup initial firewall rules - explicit exceptions to the policies above
nano -w /etc/shorewall/rules
--- MODIFY ---
#######################################################################################################
#ACTION    SOURCE    DEST    PROTO    DEST    SOURCE    ORIGINAL    RATE     USER/    MARK    CONNLIMIT    TIME    HEADERS
#                                     PORT    PORT(S)   DEST        LIMIT    GROUP
#SECTION ALL
#SECTION ESTABLISHED
#SECTION RELATED
# Only the NEW section is populated; NOTE(review): with the ESTABLISHED and
# RELATED sections left out, those states presumably get Shorewall's default
# handling for the section - confirm that matches the intended behaviour.
SECTION NEW
#PING FOR ALL
# Echo requests permitted between all zones (Ping macro).
Ping(ACCEPT) all all icmp 8
#ACCESS RULE FOR HN SSH
# SSH to the hardware node from the uplink. The RATE LIMIT column (see
# header) is the place to throttle repeated connection attempts if wanted.
ACCEPT net fw tcp ssh
#ACCESS RULE FOR HN FUNC
# NOTE(review): open to the whole net zone; if only a known management host
# needs it, narrow SOURCE to that host (e.g. net:<management-host-ip>).
ACCEPT net fw tcp 51234
#ACCESS RULE FOR HN ZABBIX AGENT
# NOTE(review): likewise, consider restricting SOURCE to the Zabbix server,
# e.g. net:<zabbix-server-ip>.
ACCEPT net fw tcp 10050
#ACCESS RULE EXAMPLE FOR VENET VM (allowing all traffic to VM)
#ACCEPT net venet:192.168.100.50 all
#HN PORT FORWARDING RULE EXAMPLE FOR VENET VM
# Forwards tcp/8000 arriving from the uplink to port 80 of the container.
#DNAT net venet:192.168.100.50:80 tcp 8000
#ACCESS RULE EXAMPLE FOR BRIDGED VETH OR KVM VM
#ACCEPT net loc:192.168.100.50 all
--- MODIFY ---
# Enable startup from shorewall.conf - the firewall will not start until
# this flag is set
nano -w /etc/shorewall/shorewall.conf
--- MODIFY ---
# Shorewall's init script refuses to start while this is No; set it to Yes
# only after the files above have been edited.
STARTUP_ENABLED=Yes
--- MODIFY ---
# Start up the firewall now and enable it at boot. Running "shorewall check"
# beforehand validates the configuration without applying it, which avoids
# discovering a typo in the rules after the host is already exposed.
service shorewall start
chkconfig shorewall on