opennode-os

Firewalling support in OpenNode OS 6.x series

To simplify iptables firewall configuration we have included the Shorewall firewall package (http://www.shorewall.net), a gateway/firewall configuration tool for GNU/Linux that generates the iptables ruleset from a set of plain-text configuration files under /etc/shorewall.

This document describes how to install and configure the Shorewall firewall on an OpenNode OS 6.x host. Shorewall might be included in OpenNode 6.x releases by default at some point; the package installation and initial configuration phase described here will then become obsolete.

####Shorewall firewall package installation

yum install shorewall -y
service iptables start
chkconfig iptables on

####Shorewall firewall configuration (ipv4)

#####Note on zones

  • fw is the special built-in zone that identifies the HN (hardware node) itself
  • every physical or virtual interface on the HN must have a zone associated with it
  • bridge ports are assigned to zones as well, so that traffic between bridge members can be filtered. NB! If DEST is a bport zone, SRC must be a bport zone on the same bridge: net→venet works (bport source, ipv4 destination), but venet→net does not and has to be written as venet→pub, i.e. against the bridge's own zone, of which net is a sub-zone
  • the loc zone holds all VM virtual interfaces that are vmbr0 members: KVM vnet+ and OpenVZ veth+ devices; venet0 gets its own zone

#####/etc/shorewall/zones

nano -w /etc/shorewall/zones
--- MODIFY ---
###############################################################################
#ZONE   TYPE            OPTIONS         IN                      OUT
#                                       OPTIONS                 OPTIONS
fw      firewall
pub     ipv4
net:pub bport4
venet   ipv4
loc:pub bport4
--- MODIFY ---

#####/etc/shorewall/interfaces

nano -w /etc/shorewall/interfaces
--- MODIFY ---
###############################################################################
#ZONE   INTERFACE       BROADCAST       OPTIONS
pub     vmbr0           -               bridge,proxyarp=1
net     vmbr0:eth0
venet   venet0          -               routeback
loc     vmbr0:veth+
loc     vmbr0:vnet+
--- MODIFY ---

#####/etc/shorewall/policy

nano -w /etc/shorewall/policy
--- MODIFY ---
###############################################################################
#SOURCE DEST    POLICY          LOG     LIMIT:          CONNLIMIT:
#                               LEVEL   BURST           MASK
#ALLOW INET ACCESS
fw	pub	ACCEPT
loc	net	ACCEPT
venet	pub	ACCEPT
net	all	DROP		info
all	all	REJECT		info
--- MODIFY ---

#####/etc/shorewall/masq

nano -w /etc/shorewall/masq
--- MODIFY ---
#############################################################################################
#INTERFACE:DEST		SOURCE		ADDRESS		PROTO	PORT(S)	IPSEC	MARK	USER/
#											GROUP
#MASQUERADE TRAFFIC FROM THE VM SUBNET LEAVING VIA vmbr0
vmbr0			192.168.100.0/24
--- MODIFY ---

#####/etc/shorewall/rules

nano -w /etc/shorewall/rules
--- MODIFY ---
####################################################################################################################################################################
#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME         HEADERS
#							PORT	PORT(S)		DEST		LIMIT		GROUP
#SECTION ALL
#SECTION ESTABLISHED
#SECTION RELATED
SECTION NEW

#PING FOR ALL
Ping(ACCEPT)	all		all		icmp	8

#ACCESS RULE FOR HN SSH
ACCEPT		net		fw		tcp	ssh
#ACCESS RULE FOR HN FUNC
ACCEPT		net		fw		tcp	51234
#ACCESS RULE FOR HN ZABBIX AGENT
ACCEPT		net		fw		tcp	10050

#ACCESS RULE EXAMPLE FOR VENET VM (allowing all traffic from net to the VM)
#ACCEPT		net		venet:192.168.100.50	all

#HN PORT FORWARDING RULE EXAMPLE FOR VENET VM (HN port 8000 -> VM port 80)
#DNAT		net		venet:192.168.100.50:80	tcp	8000

#ACCESS RULE EXAMPLE FOR BRIDGED VETH OR KVM VM (allowing all traffic from net to the VM)
#ACCEPT		net		loc:192.168.100.50	all
--- MODIFY ---

#####/etc/shorewall/shorewall.conf

nano -w /etc/shorewall/shorewall.conf
--- MODIFY ---
STARTUP_ENABLED=Yes
--- MODIFY ---

#####Start the firewall service

Validate the configuration first with shorewall check, which compiles the ruleset and reports configuration errors without loading anything into the kernel. Then start the service:

service shorewall start
chkconfig shorewall on

When changing the rules later over an SSH session, use shorewall safe-restart instead of restart: it loads the new ruleset and reverts to the previous one unless you confirm within 60 seconds that you still have access. Without the ACCEPT rule for net→fw tcp ssh above, the net all DROP policy locks you out of the HN.
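The bport restriction from the note on zones and the lockout risk of the net all DROP policy are both easy to get wrong when the files are edited by hand. The following script is an added example, not OpenNode or Shorewall code: it parses a zones/interfaces/policy/rules set and reports every explicit SRC→DEST pair whose DEST is a bport zone while SRC is not a bport zone on the same bridge, then confirms that an ACCEPT rule (or policy) still admits SSH from net to the HN. The embedded files are constructed samples copied from this page, with one deliberately wrong policy line (venet → net) added so the check has something to catch; all function and variable names are the example's own.

```python
# Pre-flight checks for a Shorewall configuration (added example, not OpenNode
# or Shorewall code): enforce the bport restriction from the "Note on zones"
# and confirm that management SSH to the HN survives the "net all DROP" policy.

# Constructed samples copied from this page's files, plus one deliberately
# wrong policy line (venet -> net) so the bport check has something to catch.
ZONES = """\
fw      firewall
pub     ipv4
net:pub bport4
venet   ipv4
loc:pub bport4
"""

INTERFACES = """\
pub     vmbr0           -               bridge,proxyarp=1
net     vmbr0:eth0
venet   venet0          -               routeback
loc     vmbr0:veth+
loc     vmbr0:vnet+
"""

POLICY = """\
fw      pub     ACCEPT
loc     net     ACCEPT
venet   pub     ACCEPT
venet   net     ACCEPT          # WRONG: ipv4 SRC, bport DEST
net     all     DROP            info
all     all     REJECT          info
"""

RULES = """\
SECTION NEW
Ping(ACCEPT)    all             all             icmp    8
ACCEPT          net             fw              tcp     ssh
ACCEPT          net             fw              tcp     51234
ACCEPT          net             fw              tcp     10050
"""

def parse_lines(text):
    """Yield the whitespace-separated columns of each non-empty, non-comment line."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            yield line.split()

def parse_zones(text):
    """Map zone name to type; 'net:pub' declares zone 'net' with parent zone 'pub'."""
    return {cols[0].split(":")[0]: cols[1] for cols in parse_lines(text)}

def parse_bridges(text):
    """Map each bridge-port zone to its bridge: 'vmbr0:eth0' puts the zone on vmbr0."""
    bridges = {}
    for cols in parse_lines(text):
        zone, iface = cols[0], cols[1]
        if ":" in iface:
            bridges[zone] = iface.split(":", 1)[0]
    return bridges

def is_bport(zones, zone):
    """bport/bport4 zones are the ones the restriction applies to."""
    return zones.get(zone, "").startswith("bport")

def check_bport(zones, bridges, policy_text):
    """One message per SRC->DEST pair whose DEST is a bport zone while SRC is not
    a bport zone on the same bridge. Pairs written with 'all' are not judged:
    Shorewall's own bridge examples use 'all all REJECT' next to bport zones,
    so only explicit zone pairs are checked here."""
    problems = []
    for cols in parse_lines(policy_text):
        src, dst = cols[0], cols[1]
        if "all" in (src, dst) or not is_bport(zones, dst):
            continue
        if not (is_bport(zones, src) and bridges.get(src) == bridges.get(dst)):
            problems.append(f"{src} -> {dst}: DEST is a bport zone on "
                            f"{bridges.get(dst)} but SRC is not a bport zone on "
                            f"that bridge; use the bridge's own zone as DEST")
    return problems

def ssh_reachable(rules_text, policy_text, from_zone="net"):
    """True if SSH from `from_zone` to the HN (fw) is accepted by an explicit
    ACCEPT rule or, failing that, by the first policy line matching the pair
    (rules are consulted before policies; the first matching policy wins)."""
    for cols in parse_lines(rules_text):
        if cols[0].lstrip("?") == "SECTION" or len(cols) < 5:
            continue
        action, src, dst, proto, dport = cols[:5]
        if (action == "ACCEPT" and src == from_zone and dst in ("fw", "$FW")
                and proto == "tcp" and dport in ("ssh", "22")):
            return True
    for cols in parse_lines(policy_text):
        if cols[0] in (from_zone, "all") and cols[1] in ("fw", "$FW", "all"):
            return cols[2] == "ACCEPT"
    return False

if __name__ == "__main__":
    zones, bridges = parse_zones(ZONES), parse_bridges(INTERFACES)
    for problem in check_bport(zones, bridges, POLICY):
        print("bport violation:", problem)
    print("SSH net -> HN accepted:", ssh_reachable(RULES, POLICY))
```

To run it against a live host, replace the embedded strings with the contents of /etc/shorewall/zones, interfaces, policy and rules; the checks are deliberately conservative and only reject what the note on zones above states, so a clean result is still no substitute for shorewall check.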