Configuring Firewalls for VMs 3.0
This hook installs iptables rules in the physical host executing the VM. This hook can be used to filter (and enforce) TCP and UDP ports, and to define a policy for ICMP connections, without any additional modification to the guest VMs.
To use this hook you need the iptables package installed in the worker nodes, and sudoers configured so oneadmin can execute iptables in the Hosts. Restrict that sudo entry to the iptables binary rather than granting oneadmin a blanket root shell: the rules it installs are built from attributes taken out of VM templates.
Since this functionality is provided through a hook, it won't be effective after a migration, because the hook won't be triggered again in the target host. A migrated VM therefore runs without these rules on the new host until they are re-applied there.
The firewall is disabled by default. To enable it, edit oned.conf and uncomment the following snippet:
VM_HOOK = [
    name      = "firewall-on",
    on        = "RUNNING",
    command   = "vnm/firewall",
    arguments = "on $TEMPLATE",
    remote    = "yes" ]
VM_HOOK = [
    name      = "firewall-off",
    on        = "DONE",
    command   = "vnm/firewall",
    arguments = "off $TEMPLATE",
    remote    = "yes" ]
The firewall directives must be placed in the NIC section of the Virtual Machine template. These are the possible attributes:
WHITE_PORTS_TCP = iptables_range: Permits access to the VM only through the specified ports in the TCP protocol. Supersedes BLACK_PORTS_TCP if defined.
BLACK_PORTS_TCP = iptables_range: Doesn't permit access to the VM through the specified ports in the TCP protocol. Superseded by WHITE_PORTS_TCP if defined.
WHITE_PORTS_UDP = iptables_range: Permits access to the VM only through the specified ports in the UDP protocol. Supersedes BLACK_PORTS_UDP if defined.
BLACK_PORTS_UDP = iptables_range: Doesn't permit access to the VM through the specified ports in the UDP protocol. Superseded by WHITE_PORTS_UDP if defined.
ICMP = drop: Drops new ICMP traffic directed to the VM (replies to ICMP the VM originated are still accepted). If omitted, ICMP is not filtered by this hook.
iptables_range: a list of ports separated by commas, where a range is written as low:high, e.g.: 22,80,5900:6000
Example:
<xterm>
NIC = [ NETWORK_ID = 3, WHITE_PORTS_TCP = "80,22", ICMP = drop ]
</xterm>
Note that WHITE_PORTS_TCP and BLACK_PORTS_TCP are not meant to be combined. If both are defined, the more restrictive one prevails, i.e. WHITE_PORTS_TCP is applied and BLACK_PORTS_TCP is ignored. The same happens with WHITE_PORTS_UDP and BLACK_PORTS_UDP.
This section lists the iptables rules that are created for each possible configuration. All of them live in the FORWARD chain and match the VM's tap device with --physdev-out, so they filter traffic going into the VM, not traffic the VM originates. Because these frames are bridged, they only reach the FORWARD chain if the host passes bridged traffic through iptables (net.bridge.bridge-nf-call-iptables = 1); with that disabled the rules exist but nothing ever matches them.
WHITE_PORTS_TCP and WHITE_PORTS_UDP
# Create a new chain for each network interface
-A FORWARD -m physdev --physdev-out <tap_device> -j one-<vm_id>-<net_id>
# Accept already established connections
-A one-<vm_id>-<net_id> -p <protocol> -m state --state ESTABLISHED -j ACCEPT
# Accept the specified <iprange>
-A one-<vm_id>-<net_id> -p <protocol> -m multiport --dports <iprange> -j ACCEPT
# Drop everything else
-A one-<vm_id>-<net_id> -p <protocol> -j DROP
The ESTABLISHED rule lets replies to connections the VM opened itself come back in; only new inbound connections are limited to <iprange>.
BLACK_PORTS_TCP and BLACK_PORTS_UDP
# Create a new chain for each network interface
-A FORWARD -m physdev --physdev-out <tap_device> -j one-<vm_id>-<net_id>
# Drop traffic directed to the iprange ports
-A one-<vm_id>-<net_id> -p <protocol> -m multiport --dports <iprange> -j DROP
There is no final DROP here: every port outside <iprange> stays reachable.
ICMP DROP
# Create a new chain for each network interface
-A FORWARD -m physdev --physdev-out <tap_device> -j one-<vm_id>-<net_id>
# Accept already established ICMP connections
-A one-<vm_id>-<net_id> -p icmp -m state --state ESTABLISHED -j ACCEPT
# Drop new ICMP connections
-A one-<vm_id>-<net_id> -p icmp -j DROP
These rules will be removed once the VM is cancelled, shut down or deleted, i.e. when the firewall-off hook fires on the DONE state.
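The following Ruby script is an added example, not OpenNebula's own vnm/firewall driver. It ties the attribute list above to the rule listings: given one NIC's firewall attributes it produces exactly the rules shown, applying the documented precedence (a WHITE_PORTS_* list makes the matching BLACK_PORTS_* list irrelevant), validates iptables_range strictly before it can reach a root iptables command, and produces the teardown the firewall-off hook needs. The function names (validate_range, firewall_rules, firewall_teardown, apply_rules) and the :tap key, standing in for however the hook learns the VM's tap device name, are assumptions of this example; the chain name one-<vm_id>-<net_id> and the rule shapes are the page's.

```ruby
# Added example, not OpenNebula's vnm/firewall driver: turns the firewall
# attributes of one NIC into the iptables rules this page lists, applying the
# documented precedence (WHITE_PORTS_* supersede BLACK_PORTS_*), and produces
# the matching teardown. Chain naming follows the page (one-<vm_id>-<net_id>);
# the :tap key is an assumption standing in for however the hook learns the
# VM's tap device name.

# One port or a low:high range; a full iptables_range is these joined by commas.
PORT_SPEC = /\A(\d{1,5})(?::(\d{1,5}))?\z/

# Validate an iptables_range strictly. The value comes from a user-editable VM
# template and ends up in a command run as root via sudo, so anything that is
# not a plain port list is rejected instead of being passed through.
def validate_range(range)
  items = range.to_s.delete(' ').split(',')
  raise ArgumentError, 'empty iptables_range' if items.empty?
  items.each do |item|
    m = PORT_SPEC.match(item)
    raise ArgumentError, "bad port spec #{item.inspect}" unless m
    lo = m[1].to_i
    hi = (m[2] || m[1]).to_i
    unless (1..65535).cover?(lo) && (1..65535).cover?(hi) && lo <= hi
      raise ArgumentError, "port out of range in #{item.inspect}"
    end
  end
  items.join(',')
end

# Rules installed by the "on" hook for one NIC, as iptables argument strings.
def firewall_rules(vm_id, nic)
  chain = "one-#{vm_id}-#{nic.fetch(:network_id)}"
  rules = ["-N #{chain}",
           # Frames leaving the bridge towards the VM's tap go to the chain
           "-A FORWARD -m physdev --physdev-out #{nic.fetch(:tap)} -j #{chain}"]

  %w[tcp udp].each do |proto|
    white = nic[:"white_ports_#{proto}"]
    black = nic[:"black_ports_#{proto}"]
    if white # white list wins; BLACK_PORTS_* is ignored when both are set
      ports = validate_range(white)
      rules << "-A #{chain} -p #{proto} -m state --state ESTABLISHED -j ACCEPT"
      rules << "-A #{chain} -p #{proto} -m multiport --dports #{ports} -j ACCEPT"
      rules << "-A #{chain} -p #{proto} -j DROP"
    elsif black # black list: listed ports dropped, everything else untouched
      ports = validate_range(black)
      rules << "-A #{chain} -p #{proto} -m multiport --dports #{ports} -j DROP"
    end
  end

  if nic[:icmp].to_s.casecmp('drop').zero?
    rules << "-A #{chain} -p icmp -m state --state ESTABLISHED -j ACCEPT"
    rules << "-A #{chain} -p icmp -j DROP"
  end
  rules
end

# Rules run by the "off" hook: unhook the chain from FORWARD, flush and delete it.
def firewall_teardown(vm_id, nic)
  chain = "one-#{vm_id}-#{nic.fetch(:network_id)}"
  ["-D FORWARD -m physdev --physdev-out #{nic.fetch(:tap)} -j #{chain}",
   "-F #{chain}",
   "-X #{chain}"]
end

# Run each rule as 'sudo iptables <args>' in argv form, never through a shell,
# so the validated port list is the only template-derived data on the line.
# The runner is injectable so rule generation can be exercised without root.
def apply_rules(rules, runner = method(:system))
  rules.each do |rule|
    ok = runner.call('sudo', 'iptables', *rule.split(' '))
    raise "iptables failed: #{rule}" unless ok
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed NIC matching the example above, plus an assumed tap name.
  nic = { network_id: 3, white_ports_tcp: '80,22', icmp: 'drop', tap: 'vnet0' }
  puts firewall_rules(42, nic)
  puts firewall_teardown(42, nic)
end
```

Running it prints the seven "on" rules for the NIC in the example (chain creation, the FORWARD jump, the three TCP rules and the two ICMP rules) followed by the three teardown rules. A value such as "22; rm -rf /" in WHITE_PORTS_TCP is refused by validate_range before apply_rules is reached, which is the check worth keeping in mind whenever template attributes feed a command executed through sudo.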