• The package iptables must be installed in the hosts.

In OpenNebula 3.0, this functionality was provided through a hook, and it wasn't effective after a migration. Since OpenNebula 3.2 this limitation does not apply.

• The sudoers file must be configured so oneadmin can execute iptables in the hosts.

This Virtual Machine Network Manager driver can be used individually, or combined with the isolation features of either 802.1Q or ebtables. However it's not currently supported with the ovswitch drivers, they provide their own filtering mechanism.

To enable firewalling without any network isolation features, use fw as the Virtual Network Manager driver parameter when the hosts are created with the onehost command:

<xterm> $ onehost create host01 -i kvm -v kvm -n fw </xterm>

The firewall driver is automatically enabled when any of the previously mentioned drivers are used, additional configuration is not required.

The firewall directives must be placed in the network section of the Virtual Machine template. These are the possible attributes:

• WHITE_PORTS_TCP = iptables_range: Permits access to the VM only through the specified ports in the TCP protocol. Supersedes BLACK_PORTS_TCP if defined.
• BLACK_PORTS_TCP = iptables_range: Doesn't permit access to the VM through the specified ports in the TCP protocol. Superseded by WHITE_PORTS_TCP if defined.
• WHITE_PORTS_UDP = iptables_range: Permits access to the VM only through the specified ports in the UDP protocol. Supersedes BLACK_PORTS_UDP if defined.
• BLACK_PORTS_UDP = iptables_range: Doesn't permit access to the VM through the specified ports in the UDP protocol. Superseded by WHITE_PORTS_UDP if defined.
• ICMP = drop: Blocks ICMP connections to the VM. By default it's set to accept.

iptables_range: a list of ports separated by commas or ranges separated by semicolons, e.g.: 22,80,5900:6000

Example:

NIC = [ NETWORK_ID = 3, WHITE_PORTS_TCP = "80, 22", ICMP = drop ]

Note that WHITE_PORTS_TCP and BLACK_PORTS_TCP are mutually exclusive. In the event where they're both defined the more restrictive will prevail i.e. WHITE_PORTS_TCP. The same happens with WHITE_PORTS_UDP and BLACK_PORTS_UDP.

This section lists the IPTABLES rules that are created for each possible configuration:

TCP_WHITE_PORTS and UDP_WHITE_PORTS

# Create a new chain for each network interface
-A FORWARD -m physdev --physdev-out <tap_device> -j one-<vm_id>-<net_id>
# Accept already established connections
-A one-<vm_id>-<net_id> -p <protocol> -m state --state ESTABLISHED -j ACCEPT
# Accept the specified <iprange>
-A one-<vm_id>-<net_id> -p <protocol> -m multiport --dports <iprange> -j ACCEPT
# Drop everything else
-A one-<vm_id>-<net_id> -p <protocol> -j DROP

TCP_BLACK_PORTS and UDP_BLACK_PORTS

# Create a new chain for each network interface
-A FORWARD -m physdev --physdev-out <tap_device> -j one-<vm_id>-<net_id>
# Drop traffic directed to the iprange ports
-A one-<vm_id>-<net_id> -p <protocol> -m multiport --dports <iprange> -j DROP

ICMP DROP

# Create a new chain for each network interface
-A FORWARD -m physdev --physdev-out <tap_device> -j one-<vm_id>-<net_id>
# Accept already established ICMP connections
-A one-<vm_id>-<net_id> -p icmp -m state --state ESTABLISHED -j ACCEPT
# Drop new ICMP connections
-A one-<vm_id>-<net_id> -p icmp -j DROP

These rules will be removed once the VM is shut down or destroyed.