Configuring Firewalls for VMs 3.0

This hook installs iptables rules on the physical host executing the VM. It can be used to filter (and enforce) TCP and UDP ports, and to define a policy for ICMP connections, without any additional modification to the guest VMs.


Requirements

  • iptables package installed on the worker nodes.

Considerations & Limitations

Because this functionality is provided through a hook, it is not effective after a migration: the hook is not triggered again on the target host, so the rules are not installed there.

Configuration

External Component Configuration

  • sudoers configured so that oneadmin can execute iptables on the Hosts.

OpenNebula Configuration

The firewall is disabled by default. To enable it, edit oned.conf and uncomment the following snippet:

VM_HOOK = [
    name      = "firewall-on",
    on        = "RUNNING",
    command   = "vnm/firewall",
    arguments = "on $TEMPLATE",
    remote    = "yes" ]
 
VM_HOOK = [
    name      = "firewall-off",
    on        = "DONE",
    command   = "vnm/firewall",
    arguments = "off $TEMPLATE",
    remote    = "yes" ]

Usage

The firewall directives must be placed in the network section of the Virtual Machine. These are the possible attributes:

  • WHITE_PORTS_TCP = iptables_range: Permits access to the VM only through the specified ports in the TCP protocol. Supersedes BLACK_PORTS_TCP if defined.
  • BLACK_PORTS_TCP = iptables_range: Doesn't permit access to the VM through the specified ports in the TCP protocol. Superseded by WHITE_PORTS_TCP if defined.
  • WHITE_PORTS_UDP = iptables_range: Permits access to the VM only through the specified ports in the UDP protocol. Supersedes BLACK_PORTS_UDP if defined.
  • BLACK_PORTS_UDP = iptables_range: Doesn't permit access to the VM through the specified ports in the UDP protocol. Superseded by WHITE_PORTS_UDP if defined.
  • ICMP = drop: Blocks ICMP connections to the VM. By default it's set to accept.

iptables_range: a list of ports separated by commas; a range is written as start:end, e.g. 22,80,5900:6000

Example:

NIC = [ NETWORK_ID = 3, WHITE_PORTS_TCP = "80, 22", ICMP = drop ]

Note that WHITE_PORTS_TCP and BLACK_PORTS_TCP are mutually exclusive. If both are defined, the more restrictive one, WHITE_PORTS_TCP, prevails. The same applies to WHITE_PORTS_UDP and BLACK_PORTS_UDP.

IPTABLES rules

This section lists the iptables rules that are created for each possible configuration (one chain per VM network interface):

WHITE_PORTS_TCP and WHITE_PORTS_UDP

# Create a new chain for each network interface
-A FORWARD -m physdev --physdev-out <tap_device> -j one-<vm_id>-<net_id>
# Accept already established connections
-A one-<vm_id>-<net_id> -p <protocol> -m state --state ESTABLISHED -j ACCEPT
# Accept the specified <iprange>
-A one-<vm_id>-<net_id> -p <protocol> -m multiport --dports <iprange> -j ACCEPT
# Drop everything else
-A one-<vm_id>-<net_id> -p <protocol> -j DROP

BLACK_PORTS_TCP and BLACK_PORTS_UDP

# Create a new chain for each network interface
-A FORWARD -m physdev --physdev-out <tap_device> -j one-<vm_id>-<net_id>
# Drop traffic directed to the iprange ports
-A one-<vm_id>-<net_id> -p <protocol> -m multiport --dports <iprange> -j DROP

ICMP DROP

# Create a new chain for each network interface
-A FORWARD -m physdev --physdev-out <tap_device> -j one-<vm_id>-<net_id>
# Accept already established ICMP connections
-A one-<vm_id>-<net_id> -p icmp -m state --state ESTABLISHED -j ACCEPT
# Drop new ICMP connections
-A one-<vm_id>-<net_id> -p icmp -j DROP

These rules are removed once the VM is cancelled, shut down or deleted.
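To make the mapping from NIC attributes to rules concrete, here is an added example written for this page, not the vnm/firewall hook's own code: it applies the white-list-over-black-list precedence, validates the port list against the iptables multiport syntax, and returns the rule strings it would hand to iptables. The VM id, network id and tap device name are constructed values, and the leading `-N` (creating the per-interface chain) is an assumption, since the page lists only the rules added to it.

```ruby
# Constructed example: build the iptables rules for one VM NIC.
PORT_RANGE_RE = /\A\d{1,5}(:\d{1,5})?\z/

# "80, 22" -> ["80", "22"]; each item must be a port or a start:end range
# (comma separated, as iptables multiport expects, e.g. 22,80,5900:6000).
def parse_ports(spec)
  items = spec.to_s.split(',').map(&:strip).reject(&:empty?)
  raise ArgumentError, 'empty port list' if items.empty?
  items.each do |item|
    raise ArgumentError, "bad port spec: #{item.inspect}" unless item =~ PORT_RANGE_RE
    ports = item.split(':').map(&:to_i)
    ports.each do |p|
      raise ArgumentError, "port out of range: #{p}" unless (1..65535).cover?(p)
    end
    raise ArgumentError, "inverted range: #{item}" if ports.size == 2 && ports[0] > ports[1]
  end
  items
end

# nic: hash of the NIC attributes (WHITE_PORTS_TCP, BLACK_PORTS_UDP, ICMP, ...)
# Returns the list of iptables rule arguments, in installation order.
def firewall_rules(nic, vm_id, net_id, tap)
  chain = "one-#{vm_id}-#{net_id}"
  rules = ["-N #{chain}"] # assumption: chain created before rules are appended
  # One chain per network interface, hooked from FORWARD via physdev
  rules << "-A FORWARD -m physdev --physdev-out #{tap} -j #{chain}"
  %w[TCP UDP].each do |proto|
    white = nic["WHITE_PORTS_#{proto}"]
    black = nic["BLACK_PORTS_#{proto}"]
    p = proto.downcase
    if white # white list supersedes black list when both are present
      ports = parse_ports(white).join(',')
      rules << "-A #{chain} -p #{p} -m state --state ESTABLISHED -j ACCEPT"
      rules << "-A #{chain} -p #{p} -m multiport --dports #{ports} -j ACCEPT"
      rules << "-A #{chain} -p #{p} -j DROP"
    elsif black
      ports = parse_ports(black).join(',')
      rules << "-A #{chain} -p #{p} -m multiport --dports #{ports} -j DROP"
    end
  end
  if nic['ICMP'].to_s.downcase == 'drop'
    rules << "-A #{chain} -p icmp -m state --state ESTABLISHED -j ACCEPT"
    rules << "-A #{chain} -p icmp -j DROP"
  end
  rules
end

if __FILE__ == $PROGRAM_NAME
  # The page's NIC example: NIC = [ NETWORK_ID = 3, WHITE_PORTS_TCP = "80, 22", ICMP = drop ]
  puts firewall_rules({ 'WHITE_PORTS_TCP' => '80, 22', 'ICMP' => 'drop' }, 7, 3, 'vnet0')
end
```

Each returned string is the argument list of one `iptables` invocation; a white-listed TCP NIC with ICMP dropped yields the seven lines shown in the listings above (plus the chain creation).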