opennode-os

Firewalling support in OpenNode OS 6.x series

To simplify iptables firewall configuration, OpenNode OS includes the Shorewall firewall package (http://www.shorewall.net), a gateway/firewall configuration tool for GNU/Linux. Shorewall is not a daemon: it compiles its configuration files into an iptables ruleset and loads that ruleset into the kernel.

The following document describes how to install and configure Shorewall on an OpenNode OS 6.x host (HN, hardware node). We might include Shorewall in OpenNode 6.x releases by default at some point; the package installation and initial configuration steps described here will then become obsolete.

Shorewall firewall package installation

yum install shorewall -y
service iptables start
chkconfig iptables on

Shorewall firewall configuration (ipv4)

Note on zones
  • fw is the special (built-in) zone that identifies the HN itself
  • every physical or virtual interface on the HN should have a zone associated with it
  • bridge ports are assigned to zones as well, so that traffic between bridge members can be filtered. NB! If DEST is a bport zone then SOURCE must be a bport zone as well (e.g. a net→venet policy or rule is fine, but venet→net will not work and must be written as venet→pub, the zone of the bridge itself)
  • the loc zone holds all VM virtual interfaces (KVM vnet* and OpenVZ veth*) that are vmbr0 members; venet0 gets its own venet zone
/etc/shorewall/zones
nano -w /etc/shorewall/zones
--- MODIFY ---
###############################################################################
#ZONE       TYPE            OPTIONS         IN                      OUT
#                                           OPTIONS                 OPTIONS
fw          firewall
pub         ipv4
net:pub     bport4
venet       ipv4
loc:pub     bport4
--- MODIFY ---
/etc/shorewall/interfaces
nano -w /etc/shorewall/interfaces
--- MODIFY ---
###############################################################################
#ZONE       INTERFACE       BROADCAST       OPTIONS
pub         vmbr0           -               bridge,proxyarp=1
net         vmbr0:eth0
venet       venet0          -               routeback
loc         vmbr0:veth+
loc         vmbr0:vnet+
--- MODIFY ---
/etc/shorewall/policy
nano -w /etc/shorewall/policy
--- MODIFY ---
###############################################################################
#SOURCE     DEST        POLICY          LOG     LIMIT:          CONNLIMIT:
#                                       LEVEL   BURST           MASK
#ALLOW INET ACCESS (HN and VMs may initiate connections outwards)
fw          pub         ACCEPT
loc         net         ACCEPT
venet       pub         ACCEPT
#EVERYTHING ELSE FROM THE INTERNET IS DROPPED, ALL OTHER TRAFFIC REJECTED
net         all         DROP            info
all         all         REJECT          info
--- MODIFY ---
/etc/shorewall/masq
nano -w /etc/shorewall/masq
--- MODIFY ---
#############################################################################################
#INTERFACE:DEST     SOURCE          ADDRESS     PROTO   PORT(S) IPSEC   MARK    USER/
#                                                                               GROUP
#MASQUERADE THE PRIVATE VM NETWORK WHEN IT LEAVES THROUGH vmbr0
vmbr0               192.168.100.0/24
--- MODIFY ---
/etc/shorewall/rules
nano -w /etc/shorewall/rules
--- MODIFY ---
####################################################################################################################################################################
#ACTION     SOURCE      DEST                    PROTO   DEST    SOURCE      ORIGINAL    RATE        USER/   MARK    CONNLIMIT   TIME         HEADERS
#                                                       PORT    PORT(S)     DEST        LIMIT       GROUP
#SECTION ALL
#SECTION ESTABLISHED
#SECTION RELATED
SECTION NEW

#PING FOR ALL (the Ping macro already matches ICMP echo-request, type 8)
Ping(ACCEPT)    all     all

#ACCESS RULE FOR HN SSH
ACCEPT      net     fw      tcp     ssh
#ACCESS RULE FOR HN FUNC
ACCEPT      net     fw      tcp     51234
#ACCESS RULE FOR HN ZABBIX AGENT
ACCEPT      net     fw      tcp     10050

#ACCESS RULE EXAMPLE FOR VENET VM (allowing all traffic to the VM)
#ACCEPT     net     venet:192.168.100.50    all

#HN PORT FORWARDING RULE EXAMPLE FOR VENET VM (HN port 8000 -> VM port 80)
#DNAT       net     venet:192.168.100.50:80 tcp     8000

#ACCESS RULE EXAMPLE FOR BRIDGED VETH OR KVM VM (net and loc are both bport zones on vmbr0)
#ACCEPT     net     loc:192.168.100.50      all
--- MODIFY ---
/etc/shorewall/shorewall.conf
nano -w /etc/shorewall/shorewall.conf
--- MODIFY ---
STARTUP_ENABLED=Yes
--- MODIFY ---
Start the firewall service

Before starting, it is worth compiling the configuration without loading it (shorewall check) to catch syntax and zone errors; when working over SSH, shorewall safe-start is a safer alternative to a plain start because it reverts the ruleset if you do not confirm that you still have access.
service shorewall start
chkconfig shorewall on
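The bport pairing constraint from the zone notes is the one thing in this configuration that is easy to get wrong when adding policies or rules later. The following script is an added example (it is not part of OpenNode or of Shorewall itself) that reads the four tables above, embedded here as strings so it runs offline, and flags any policy or rule whose DEST is a bport zone while its SOURCE is not a bport zone on the same bridge, any undefined zone, and a policy table without a final catch-all. The rule it encodes is the one stated in the note above; it does not replace shorewall check, which validates far more.

```python
# Added example (not OpenNode's or Shorewall's code): lint the Shorewall tables
# from this page for the bport pairing rule and a few other zone mistakes.
# The embedded tables are the page's own configuration, trimmed to the
# columns the check needs.

ZONES = """
#ZONE   TYPE
fw      firewall
pub     ipv4
net:pub bport4
venet   ipv4
loc:pub bport4
"""

INTERFACES = """
#ZONE   INTERFACE    BROADCAST  OPTIONS
pub     vmbr0        -          bridge,proxyarp=1
net     vmbr0:eth0
venet   venet0       -          routeback
loc     vmbr0:veth+
loc     vmbr0:vnet+
"""

POLICY = """
#SOURCE DEST    POLICY  LOG
fw      pub     ACCEPT
loc     net     ACCEPT
venet   pub     ACCEPT
net     all     DROP    info
all     all     REJECT  info
"""

RULES = """
SECTION NEW
Ping(ACCEPT)    all     all
ACCEPT          net     fw                       tcp     ssh
DNAT            net     venet:192.168.100.50:80  tcp     8000
"""


def entries(text):
    """Yield the whitespace-split columns of each non-blank, non-comment line."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            yield line.split()


def load_zones(text):
    """Map zone name -> (zone type, parent zone or None)."""
    zones = {}
    for cols in entries(text):
        name, _, parent = cols[0].partition(":")
        zones[name] = (cols[1], parent or None)
    return zones


def load_bridges(text):
    """Map bport zone name -> its bridge, taken from 'bridge:port' interface specs."""
    bridges = {}
    for cols in entries(text):
        if ":" in cols[1]:
            bridges[cols[0]] = cols[1].split(":", 1)[0]
    return bridges


def zone_of(column):
    """Zone name of a SOURCE/DEST column such as 'venet:192.168.100.50:80'."""
    name = column.split(":", 1)[0]
    return "fw" if name == "$FW" else name


def check_pair(src, dst, zones, bridges, where):
    """Problems (as strings) with one SOURCE/DEST zone pair; empty if it is valid."""
    problems = [f"{where}: zone {z!r} is not defined in zones"
                for z in (src, dst) if z != "all" and z not in zones]
    if problems or "all" in (src, dst):
        return problems   # Shorewall expands 'all' itself and skips invalid pairs
    if zones[dst][0].startswith("bport"):
        if not zones[src][0].startswith("bport"):
            problems.append(f"{where}: DEST {dst!r} is a bport zone but SOURCE {src!r} "
                            f"is not; use the bridge zone {zones[dst][1]!r} as DEST")
        elif bridges.get(src) != bridges.get(dst):
            problems.append(f"{where}: bport zones {src!r} and {dst!r} are on different bridges")
    return problems


def lint(zones_text, interfaces_text, policy_text, rules_text):
    """Return all problems found in the policy and rules tables."""
    zones, bridges = load_zones(zones_text), load_bridges(interfaces_text)
    problems, last = [], None
    for cols in entries(policy_text):
        last = (cols[0], cols[1])
        problems += check_pair(cols[0], cols[1], zones, bridges, f"policy {cols[0]}->{cols[1]}")
    if last != ("all", "all"):
        problems.append("policy: last entry should be a catch-all 'all all DROP' or 'all all REJECT'")
    for cols in entries(rules_text):
        if cols[0] == "SECTION":
            continue
        where = f"rule {cols[0]} {cols[1]}->{cols[2]}"
        problems += check_pair(zone_of(cols[1]), zone_of(cols[2]), zones, bridges, where)
    return problems


if __name__ == "__main__":
    print(lint(ZONES, INTERFACES, POLICY, RULES) or "OK: no zone pairing problems")
    # The mistake the zone note warns about: venet (ipv4) -> net (bport4)
    print(lint(ZONES, INTERFACES, "venet net ACCEPT\nall all REJECT\n", RULES))
```

The page's own tables pass cleanly; the second call reproduces the venet→net mistake from the zone note and reports that the DEST should be the bridge zone pub instead. Zone pairs involving "all" are skipped on purpose, because Shorewall expands "all" itself and leaves out the pairs that are not permitted.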