OpenVZ Forum

configure iptables on VZ7 host (unable to configure rules on ovz7 node) [message #52948] Sun, 03 September 2017 10:04
mangust
Messages: 39
Registered: April 2008
Location: USA
Member
Hi,

I have some interfaces on an external network with other machines plugged in there. I want to give some containers public IPs.

The interfaces got automatic local IPv6 addresses and are able to communicate with any neighbours and maybe beyond.

17: bond0.798@bond0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master vzbr798 state UP qlen 1000
    link/ether b8:ca:3a:6a:0f:d4 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::baca:3aff:fe6a:fd4/64 scope link
       valid_lft forever preferred_lft forever
18: vzbr798: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    link/ether b8:ca:3a:6a:0f:d4 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::baca:3aff:fe6a:fd4/64 scope link
       valid_lft forever preferred_lft forever

I want to protect my node with firewall and disable all IPv6 traffic:

ip6tables -F
ip6tables -t nat -F
ip6tables -t mangle -F
ip6tables -t raw -F

ip6tables -X
ip6tables -t nat -X
ip6tables -t mangle -X
ip6tables -t raw -X

ip6tables -P FORWARD DROP
ip6tables -P INPUT DROP
ip6tables -P OUTPUT DROP

/usr/libexec/iptables/ip6tables.init save

It helps till the next reboot. But some default rules appear again. Especially I like:

-A INPUT -j INPUT_ZONES
-A INPUT_ZONES -i vzbr799 -g IN_public
-A INPUT_ZONES -i vzbr798 -g IN_public
-A IN_public -j IN_public_allow
-A IN_public_allow -d fe80::/64 -p udp -m udp --dport 546 -m conntrack --ctstate NEW -j ACCEPT
-A IN_public_allow -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT

How can I protect hardware nodes?
Maybe configure ip6tables from crontab every minute? Funny isn't it?

Re: configure iptables on VZ7 host [message #52949 is a reply to message #52948] Sun, 03 September 2017 10:48
mangust
We did it the barbarian way this time:

cat <<EOT > /root/closeip6.sh
#!/bin/sh

# Set default policies to DROP first, so nothing is let through while the rules are flushed
/usr/sbin/ip6tables -P FORWARD DROP
/usr/sbin/ip6tables -P INPUT DROP
/usr/sbin/ip6tables -P OUTPUT DROP

# Flush all rules in every table
/usr/sbin/ip6tables -F
/usr/sbin/ip6tables -t nat -F
/usr/sbin/ip6tables -t mangle -F
/usr/sbin/ip6tables -t raw -F

# Delete all user-defined chains (the firewalld zone chains included)
/usr/sbin/ip6tables -X
/usr/sbin/ip6tables -t nat -X
/usr/sbin/ip6tables -t mangle -X
/usr/sbin/ip6tables -t raw -X
EOT

chmod +x /root/closeip6.sh

cat <<EOT > /etc/cron.d/closeip6
@reboot root /root/closeip6.sh
* * * * * root /root/closeip6.sh
EOT

systemctl restart crond

It works. Remember the last Mad Max movie? "Witness me!!!" This is what I feel controlling the firewall this way :)

Any better way?

[Updated on: Sun, 03 September 2017 10:48]

Re: configure iptables on VZ7 host [message #52974 is a reply to message #52949] Mon, 11 September 2017 09:13
mangust
Looks like it was firewalld related. Just need to remove it. Not OVZ related. It was related to new CentOS 7 features.
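An audit helper for the situation in this thread, added here as an example (it is not the poster's script and not part of OpenVZ or firewalld): it parses `ip6tables -S` output and reports whether the built-in filter policies are DROP and whether firewalld's zone chains (INPUT_ZONES and IN_<zone>, the chains quoted in the first post) are still present, which is the tell-tale that firewalld is re-applying its rules behind the lockdown script. The two rule dumps embedded below are constructed from the chain names quoted above; the live check at the bottom only runs as root on a host that has ip6tables.

```shell
#!/bin/sh
# Audit an ip6tables rule dump for (a) DROP policies on the built-in filter
# chains and (b) leftover firewalld zone chains.

# Constructed sample: what `ip6tables -S` looks like while firewalld is active
# (chain names taken from the thread, policies as firewalld leaves them).
SAMPLE_FIREWALLD='-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-N INPUT_ZONES
-N IN_public
-N IN_public_allow
-A INPUT -j INPUT_ZONES
-A INPUT_ZONES -i vzbr799 -g IN_public
-A INPUT_ZONES -i vzbr798 -g IN_public
-A IN_public -j IN_public_allow
-A IN_public_allow -d fe80::/64 -p udp -m udp --dport 546 -m conntrack --ctstate NEW -j ACCEPT
-A IN_public_allow -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT'

# Constructed sample: the state the closeip6.sh script is meant to leave behind.
SAMPLE_LOCKED='-P INPUT DROP
-P FORWARD DROP
-P OUTPUT DROP'

# has_firewalld_chains DUMP -> exit 0 if firewalld's zone chains are defined
has_firewalld_chains() {
    printf '%s\n' "$1" | grep -Eq '^-N (INPUT_ZONES|IN_[A-Za-z0-9_]+)$'
}

# chain_policy DUMP CHAIN -> prints the chain's policy, or "none" if absent
chain_policy() {
    pol=$(printf '%s\n' "$1" | awk -v chain="$2" '$1 == "-P" && $2 == chain { print $3 }')
    printf '%s\n' "${pol:-none}"
}

# audit_ip6_lockdown DUMP -> exit 0 only if INPUT/FORWARD/OUTPUT are DROP and
# no firewalld chains remain; prints one WARN line per finding otherwise
audit_ip6_lockdown() {
    rc=0
    for chain in INPUT FORWARD OUTPUT; do
        p=$(chain_policy "$1" "$chain")
        if [ "$p" != "DROP" ]; then
            echo "WARN: $chain policy is $p, expected DROP"
            rc=1
        fi
    done
    if has_firewalld_chains "$1"; then
        echo "WARN: firewalld zone chains present; firewalld is still managing ip6tables"
        rc=1
    fi
    return $rc
}

# Offline demonstration on the constructed dumps
echo "--- firewalld-managed dump:"
audit_ip6_lockdown "$SAMPLE_FIREWALLD" || echo "lockdown NOT in effect"
echo "--- locked-down dump:"
audit_ip6_lockdown "$SAMPLE_LOCKED" && echo "lockdown in effect"

# Live check against the running host, only when we can actually read the tables
if [ "$(id -u)" = 0 ] && command -v ip6tables >/dev/null 2>&1; then
    echo "--- live ip6tables:"
    if audit_ip6_lockdown "$(ip6tables -S 2>/dev/null)"; then
        echo "live lockdown in effect"
    else
        echo "live lockdown NOT in effect"
    fi
fi
```

If the audit reports firewalld chains, the thread's conclusion applies: stop and disable the firewalld service (or remove the package, as the poster did), then apply the lockdown script once instead of from cron every minute; the cron approach only papers over the conflict and races firewalld at every reboot.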