Old-School dkLab | Constructor | dklab vzfirewall: simple firewall management for OpenVZ
:: Project «Orphus»
Discuss at the Forum
You may help to develop and improve this library at
vzfirewall: an extremely simple tool to configure opened ports
and hosts for incoming connections in OpenVZ environment
(C) dkLab, http://en.dklab.ru/lib/dklab_vzfirewall/
Vzfirewall tool allows you to open/close ports for incoming connections
with no dependencies to foreign IP addresses. E.g. you may allow a hostname
release.prod.example.com to connect to port 5432 of VE 1234 and leave all
other ports closed by modifying 1234.conf file adding multiline FIREWALL
directive into it - see SYNOPSIS below.
You must then run vzfirewall -a on your hardware node to apply changes
made in *.conf.
Note that it is recommended to use hostnames instead of IP addresses here,
so the configuration is persistent for VE movements to different IP-address:
you just need to run vzfirewall -a again after movement. It is also
reboot-safe, because applied to /etc/sysconfig/iptables (at RHEL systems).
chmod +x vzfirewall
# Optional: vps.premount action script to ensure vzfirewall is run
# (handy when you vzmigrate containers)
(test -f vps.premount && echo "vps.premount exists, manual integration required") || ( \
wget http://github.com/DmitryKoterov/vzfirewall/raw/master/vps.premount; \
chmod +x vps.premount )
SYNOPSIS1. Modify the file e.g. /etc/vz/conf/4.conf (note that the whole FIREWALL
directive is prefixed by "#" character, because else OpenVZ issues
warnings about multi-line directives which are not supported):
# * # means "any host"
# * # means "any"
# # You may use "$THIS" macro which is replaced by this machine IP
# # (and, if the machine has many IPs, it will be multiplicated).
# -A INPUT -i eth2 -d $THIS -j ACCEPT
# # Or you may use commands with no references to $THIS (only
# # such commands are allowed for 0.conf file).
# -A INPUT -i eth1 -j ACCEPT
We use FIREWALL directive in plain VE configs, not in separate files,
to allow to vzmigrate it easily from one node to another. Note the "#"
# vzfirewall -a - to apply rules
# vzfirewall -t - to test rules with no application
# vzfirewall -h -v - vzfirewall documentation
Dmitry Koterov, Dk lab. ©1999-2014
Add to Del.icio.us