OpenVZ Forum: Support » Setting up a HN-based firewall

Home » General » Support » Setting up a HN-based firewall (Following wiki article, ICMP requests are blocked)

Show: Today's Messages :: Show Polls :: Message Navigator
E-mail to friend

Setting up a HN-based firewall [message #49437]

Tue, 30 April 2013 18:53

raenk
Messages: 3
Registered: March 2013
Location: Mexico

Junior Member

Hi,

I'm following the article on the wiki for setting up a HN firewall:
openvz.org/Setting_up_an_iptables_firewall

But the script does not consider ICMP thus are being blocked.

I managed to insert rule to accept requests on the HN, but can't figure it out for the containers. I'm sure this is going to be an easy one, but i'm not that good for scripting + iptables.

Here's my the modified script:

#!/bin/sh
# firewall      Start iptables firewall
# chkconfig: 2345 97 87
# description:  Starts, stops and saves iptables firewall
# This script sets up the firewall for the INPUT chain (which is for
# the HN itself) and then processes the config files under
# /etc/firewall.d to set up additional rules in the FORWARD chain
# to allow access to containers' services.
# wiki.openvz.org/Setting_up_an_iptables_firewall

. /etc/init.d/functions

# the IP block allocated to this server
SEGMENT="*.*.*.64/27"
# the IP used by the hosting server itself
THISHOST="*.*.*.210"
# services that should be allowed to the HN;
# services for containers are configured in /etc/firewall.d/*
OKPORTS="1234"
# hosts allowed full access through the firewall,
# to all containers and to this server
DMZS=""

purge() {
  echo -n "Firewall: Purging and allowing all traffic"
  iptables -P OUTPUT ACCEPT
  iptables -P FORWARD ACCEPT
  iptables -P INPUT ACCEPT
  iptables -F
  success ; echo
}

setup() {
  echo -n "Firewall: Setting default policies to DROP"
  iptables -P INPUT DROP
  iptables -P FORWARD DROP
  iptables -I INPUT   -j ACCEPT -m state --state ESTABLISHED,RELATED
  iptables -I FORWARD -j ACCEPT -m state --state ESTABLISHED,RELATED
  iptables -I INPUT -j ACCEPT -i lo
  iptables -I FORWARD -j ACCEPT --source $SEGMENT
  success ; echo

  echo "Firewall: Allowing access to HN"
  for port in $OKPORTS ; do
    echo -n "          port $port"
    iptables -I INPUT -j ACCEPT -d $THISHOST --protocol tcp --destination-port $port
    iptables -I INPUT -j ACCEPT -d $THISHOST --protocol udp --destination-port $port
    success ; echo
  done
  for ip in $DMZS ; do
    echo -n "          DMZ $ip"
    iptables -I INPUT   -i eth0 -j ACCEPT -s $ip
    iptables -I FORWARD -i eth0 -j ACCEPT -s $ip
    success ; echo
  done

  echo "Firewall: Allowing ICMP incoming and outgoing requests (Ping) for HN"
  iptables -A INPUT -p icmp --icmp-type 8 -s 0/0 -d $THISHOST -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
  iptables -A OUTPUT -p icmp --icmp-type 0 -s $THISHOST -d 0/0 -m state --state ESTABLISHED,RELATED -j ACCEPT
  iptables -A OUTPUT -p icmp --icmp-type 8 -s $THISHOST -d 0/0 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
  iptables -A INPUT -p icmp --icmp-type 0 -s 0/0 -d $THISHOST -m state --state ESTABLISHED,RELATED -j ACCEPT
  success ; echo

  CTSETUPS=`echo /etc/firewall.d/*`
  if [ "$CTSETUPS" != "/etc/firewall.d/*" ] ; then
  echo "Firewall: Setting up container firewalls"
  for i in $CTSETUPS ; do
    . $i
    echo -n "$CTNAME CT$CTID"
    if [ -n "$BANNED" ]; then
      for source in $BANNED ; do iptables -I FORWARD -j DROP --destination $CTIP --source $source ; done
    fi
    if [ -n "$OPENPORTS" ]; then
      for port in $OPENPORTS ; do iptables -I FORWARD -j ACCEPT --protocol tcp --destination $CTIP --destination-port $port ; done
      for port in $OPENPORTS ; do iptables -I FORWARD -j ACCEPT --protocol udp --destination $CTIP --destination-port $port ; done
    fi
    if [ -n "$DMZS" ]; then
      for source in $DMZS ; do iptables -I FORWARD -j ACCEPT --protocol tcp --destination $CTIP --source $source ; done
      for source in $DMZS ; do iptables -I FORWARD -j ACCEPT --protocol udp --destination $CTIP --source $source ; done
    fi
    [ $? -eq 0 ] && success || failure
    echo
  done
  fi

  echo "Firewall: Allowing ICMP incoming and outgoing requests (Ping) for Containers"
  iptables -A INPUT -p icmp --icmp-type 8 -s 0/0 -d $SEGMENT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
  iptables -A OUTPUT -p icmp --icmp-type 0 -s $SEGMENT -d 0/0 -m state --state ESTABLISHED,RELATED -j ACCEPT
  iptables -A OUTPUT -p icmp --icmp-type 8 -s $SEGMENT -d 0/0 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
  iptables -A INPUT -p icmp --icmp-type 0 -s 0/0 -d $SEGMENT -m state --state ESTABLISHED,RELATED -j ACCEPT
  success ; echo

}

case "$1" in
  start)
    echo "Starting firewall..."
    purge
    setup
    ;;
  stop)
    echo "Stopping firewall..."
    purge
    ;;
  restart)
    $0 stop
    $0 start
    ;;
  status)
    iptables -n -L
    ;;
  *)
    echo "Usage: $0 <start|stop|restart|status>"
    ;;
esac

Report message to a moderator

Previous Topic:	/vz/root/1/ or /vz/private/1/ disappeared
Next Topic:	ploop questions

Goto Forum:

-=] Back to Top [=-

[ Syndicate this forum (XML) ] [

] [

]

Current Time: Fri Sep 13 22:25:02 GMT 2024

Total time taken to generate the page: 0.04997 seconds