To simplify iptables firewall configuration, we have included the Shorewall firewall package (http://www.shorewall.net), a gateway/firewall configuration tool for GNU/Linux.
This document describes how to install and configure the Shorewall firewall on an OpenNode OS 6.x host. Shorewall may be included in OpenNode 6.x releases by default at some point; the initial package installation and configuration steps described here would then become obsolete.
#### Shorewall firewall package installation

```sh
yum install shorewall -y
service iptables start
chkconfig iptables on
```
#### Shorewall firewall configuration (ipv4)
##### Note on zones
- fw is a special (built-in) zone that identifies the HN (hardware node) itself
- every physical or virtual interface on the HN should have a zone associated with it
- bridge ports are assigned to zones as well, so that traffic between bridge members can also be filtered. NB! If DEST is a bport zone then SOURCE must be a bport zone as well (e.g. a net→venet policy is fine, but venet→net will not work and must be written as venet→pub)
- the loc zone holds all VM virtual interfaces (KVM vnet+ and OpenVZ veth+) that are members of vmbr0; venet0 is kept in its own venet zone
##### /etc/shorewall/zones

```sh
nano -w /etc/shorewall/zones
```

```
--- MODIFY ---
###############################################################################
#ZONE     TYPE       OPTIONS   IN          OUT
#                              OPTIONS     OPTIONS
fw        firewall
pub       ipv4
net:pub   bport4
venet     ipv4
loc:pub   bport4
--- MODIFY ---
```
##### /etc/shorewall/interfaces

```sh
nano -w /etc/shorewall/interfaces
```

```
--- MODIFY ---
###############################################################################
#ZONE     INTERFACE       BROADCAST   OPTIONS
pub       vmbr0           -           bridge,proxyarp=1
net       vmbr0:eth0
venet     venet0          -           routeback
loc       vmbr0:veth+
loc       vmbr0:vnet+
--- MODIFY ---
```
##### /etc/shorewall/policy

```sh
nano -w /etc/shorewall/policy
```

```
--- MODIFY ---
###############################################################################
#SOURCE   DEST    POLICY   LOG     LIMIT:   CONNLIMIT:
#                          LEVEL   BURST    MASK
#ALLOW INET ACCESS
fw        pub     ACCEPT
loc       net     ACCEPT
venet     pub     ACCEPT
net       all     DROP     info
all       all     REJECT   info
--- MODIFY ---
```
##### /etc/shorewall/masq

```sh
nano -w /etc/shorewall/masq
```

```
--- MODIFY ---
#############################################################################################
#INTERFACE:DEST   SOURCE             ADDRESS   PROTO   PORT(S)   IPSEC   MARK   USER/
#                                                                               GROUP
vmbr0             192.168.100.0/24
--- MODIFY ---
```
##### /etc/shorewall/rules

```sh
nano -w /etc/shorewall/rules
```

```
--- MODIFY ---
####################################################################################################################################################################
#ACTION        SOURCE   DEST                      PROTO   DEST     SOURCE    ORIGINAL   RATE    USER/   MARK   CONNLIMIT   TIME   HEADERS
#                                                         PORT     PORT(S)   DEST       LIMIT   GROUP
#SECTION ALL
#SECTION ESTABLISHED
#SECTION RELATED
SECTION NEW
#PING FOR ALL
Ping(ACCEPT)   all      all                       icmp    8
#ACCESS RULE FOR HN SSH
ACCEPT         net      fw                        tcp     ssh
#ACCESS RULE FOR HN FUNC
ACCEPT         net      fw                        tcp     51234
#ACCESS RULE FOR HN ZABBIX AGENT
ACCEPT         net      fw                        tcp     10050
#ACCESS RULE EXAMPLE FOR VENET VM (allowing all traffic to VM)
#ACCEPT        net      venet:192.168.100.50      all
#HN PORT FORWARDING RULE EXAMPLE FOR VENET VM
#DNAT          net      venet:192.168.100.50:80   tcp     8000
#ACCESS RULE EXAMPLE FOR BRIDGED VETH OR KVM VM
#ACCEPT        net      loc:192.168.100.50        all
--- MODIFY ---
```
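As an added example (not part of this page or of Shorewall itself), a small Python lint that applies the bport constraint from the note on zones to the policy and rules files: it reads the zones file to learn which zones are bport zones and flags any policy or rule whose DEST zone is a bport zone while its SOURCE zone is not. The embedded file contents are constructed from this page plus one deliberately wrong rule; on a real host read the files from /etc/shorewall instead.

```python
# Added example, not from the OpenNode page or from Shorewall: lint the zone pairs in
# policy/rules against the bport constraint noted above (DEST bport => SOURCE bport).
ZONES = """\
fw        firewall
pub       ipv4
net:pub   bport4
venet     ipv4
loc:pub   bport4
"""
POLICY = """\
fw      pub   ACCEPT
loc     net   ACCEPT
venet   pub   ACCEPT
net     all   DROP     info
all     all   REJECT   info
"""
RULES = """\
SECTION NEW
ACCEPT   net     fw    tcp   ssh
ACCEPT   venet   net   tcp   80   # constructed bad line: venet -> bport zone net
"""
def fields_of(line):
    """Split a config line into fields, dropping trailing '#' comments."""
    return line.split("#", 1)[0].split()

def parse_zones(text):
    """Map zone name to type; 'net:pub' declares zone 'net' nested under 'pub'."""
    zones = {}
    for f in filter(None, map(fields_of, text.splitlines())):
        zones[f[0].split(":", 1)[0]] = f[1] if len(f) > 1 else "ipv4"
    return zones

def check_pairs(zones, text, src_idx, dst_idx):
    """(line number, raw line) for entries whose DEST zone is bport but SOURCE is not."""
    is_bport = lambda name: zones.get(name, "").startswith("bport")
    bad = []
    for no, raw in enumerate(text.splitlines(), 1):
        f = fields_of(raw)
        if len(f) <= max(src_idx, dst_idx) or f[0].upper() == "SECTION":
            continue
        src, dst = (f[i].split(":", 1)[0] for i in (src_idx, dst_idx))  # drop host part
        if {src, dst} & {"all", "any"}:
            continue  # wildcard entries are expanded by Shorewall itself
        if is_bport(dst) and not is_bport(src):
            bad.append((no, raw))
    return bad

def lint(zones_text=ZONES, policy_text=POLICY, rules_text=RULES):
    """Policy columns are SOURCE DEST ...; rules columns are ACTION SOURCE DEST ..."""
    zones = parse_zones(zones_text)
    return {"policy": check_pairs(zones, policy_text, 0, 1),
            "rules": check_pairs(zones, rules_text, 1, 2)}
```

This is only a quick pre-check for the one constraint the note describes; `shorewall check` remains the authoritative validation of the whole configuration.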
##### /etc/shorewall/shorewall.conf

```sh
nano -w /etc/shorewall/shorewall.conf
```

```
--- MODIFY ---
STARTUP_ENABLED=Yes
--- MODIFY ---
```
##### Initialize firewall service

```sh
service shorewall start
chkconfig shorewall on
```