
Old-School dkLab | Constructor | dklab vzfirewall: simple firewall management for OpenVZ



2010-03-16

You may help to develop and improve this library at GitHub

vzfirewall: an extremely simple tool to configure open ports
            and allowed hosts for incoming connections in an OpenVZ environment
(C) dkLab, http://en.dklab.ru/lib/dklab_vzfirewall/


The vzfirewall tool lets you open and close ports for incoming connections
without tying the configuration to foreign IP addresses. For example, you may
allow the host release.prod.example.com to connect to port 5432 of VE 1234 and
leave all other ports closed by adding a multi-line FIREWALL directive to the
1234.conf file (see SYNOPSIS below).

You must then run vzfirewall -a on the hardware node to apply the changes
made in *.conf.

Note that it is recommended to use hostnames instead of IP addresses here, so
the configuration survives a VE being moved to a different IP address: you just
need to run vzfirewall -a again after the move. The configuration is also
reboot-safe, because the rules are applied to /etc/sysconfig/iptables (on RHEL
systems).

INSTALLATION

cd /usr/sbin
wget http://github.com/DmitryKoterov/vzfirewall/raw/master/vzfirewall
chmod +x vzfirewall

# Optional: vps.premount action script to ensure vzfirewall is run
# (handy when you vzmigrate containers)
cd /etc/vz/conf
(test -f vps.premount && echo "vps.premount exists, manual integration required") || ( \
  wget http://github.com/DmitryKoterov/vzfirewall/raw/master/vps.premount; \
  chmod +x vps.premount )

SYNOPSIS

1. Modify the file, e.g. /etc/vz/conf/4.conf (note that the whole FIREWALL
   directive is prefixed by the "#" character, because otherwise OpenVZ issues
   warnings about multi-line directives, which are not supported):

   ...
   #FIREWALL="
   #  host.allowed.to.every.port
   #  yet.another.host
   #  *                                 # means "any host"
   #
   #  [25]
   #  host.allowed.to.access.smtp
   #  *                                 # means "any"
   #
   #  [80,443]
   #  hosts.allowed.to.access.two.ports
   #
   #  [udp:53]
   #  *
   #
   #  [CUSTOM]
   #  # You may use the "$THIS" macro, which is replaced by this machine's IP
   #  # (and, if the machine has many IPs, the rule is multiplied per IP).
   #  -A INPUT -i eth2 -d $THIS -j ACCEPT
   #  # Or you may use commands with no references to $THIS (only
   #  # such commands are allowed in the 0.conf file).
   #  -A INPUT -i eth1 -j ACCEPT
   #"
   ...

   We use the FIREWALL directive in plain VE configs, not in separate files,
   so that a container can easily be vzmigrated from one node to another.
   Note the "#" characters again.

2. Run:

   # vzfirewall -a       - to apply the rules
   # vzfirewall -t       - to test the rules without applying them
   # vzfirewall -h -v    - to show the vzfirewall documentation
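As an added illustration (not part of vzfirewall itself, whose own rule generation may differ), the Python below parses a "#"-prefixed FIREWALL directive in the format shown in SYNOPSIS and renders the equivalent iptables ACCEPT rules for one container IP, followed by a catch-all DROP so that every port not listed stays closed. The config text, the hostnames and the container IP 10.0.0.4 are constructed sample values.

```python
import re

# Constructed sample VE config in the SYNOPSIS format above (not from a real
# node); note the "#" prefix on every line of the directive.
SAMPLE_CONF = '''\
ONBOOT="yes"
#FIREWALL="
#  admin.example.com   # may reach every port
#  [25]
#  *                   # means "any"
#  [80,443]
#  web.example.com
#  [udp:53]
#  *
#  [CUSTOM]
#  -A INPUT -i eth1 -d $THIS -j ACCEPT
#"
'''

def parse_firewall(conf_text):
    """Sections of a #FIREWALL="..." block: dicts of proto, ports ([] = every port), hosts."""
    m = re.search(r'^#FIREWALL="\n(.*?)^#"', conf_text, re.S | re.M)
    sections = [{"proto": "tcp", "ports": [], "hosts": []}]  # leading host list
    for raw in (m.group(1).splitlines() if m else []):
        line = raw.lstrip("#").split("#", 1)[0].strip()  # drop "#" prefix and comment
        hdr = re.fullmatch(r"\[(?:(tcp|udp):)?([\d,]+|CUSTOM)\]", line)
        if hdr and hdr.group(2) == "CUSTOM":
            sections.append({"proto": "custom", "ports": [], "hosts": []})
        elif hdr:
            ports = [int(p) for p in hdr.group(2).split(",")]
            sections.append({"proto": hdr.group(1) or "tcp", "ports": ports, "hosts": []})
        elif line:
            sections[-1]["hosts"].append(line)
    return [s for s in sections if s["hosts"]]

def iptables_rules(sections, ve_ip):
    """ACCEPT rules for one container IP, then a catch-all DROP (hostnames are
    left for iptables to resolve when the rule is inserted)."""
    rules = []
    for s in sections:
        for host in s["hosts"]:
            if s["proto"] == "custom":
                rules.append(host.replace("$THIS", ve_ip))  # raw rule, $THIS expanded
                continue
            src = "" if host == "*" else f" -s {host}"
            proto = f" -p {s['proto']} -m multiport --dports {','.join(map(str, s['ports']))}" if s["ports"] else ""
            rules.append(f"-A INPUT{proto}{src} -d {ve_ip} -j ACCEPT")
    rules.append(f"-A INPUT -d {ve_ip} -j DROP")  # anything not opened above stays closed
    return rules
```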




Dmitry Koterov, Dk lab. ©1999-2014