Firewall – Virtual environment firewall with CSF + iptables rules on VM

Tags: firewall, openvz

We are getting into virtualization with a Proxmox VE (OpenVZ + KVM) server. Our plan for firewall is to have CSF (http://configserver.com/cp/csf.html) running on the host machine as we've had a reasonable good experience with it in the past.

Apart from that we plan simple firewall rules on the VM machines (mostly OpenVZ containers with same kernel) and maybe fail2ban simple specific rules.

I would appreciate comments from anyone with similar experiences.

I understand all traffic comes via the host machine, so a combined firewall there with specific firewalling on the VM should work, although some iptables rules are hard to get to work on OpenVZ containers.

Best Answer

My advice is to perform the following on the hardware node:

  1. If your HN has two interfaces, configure them both as bridges (in my case I have vmbr0 and vmbr1)
  2. In the csf.conf, configure your ETH_DEVICE as "vmbr+"
  3. Create a file called csfpost.sh in /etc/csf/ that simply allows forwarding:

    #!/bin/sh
    # Runs after CSF has loaded its rules: clear the FORWARD chain and
    # let the bridged traffic pass through to and from the containers.
    IPT=/sbin/iptables
    $IPT -F FORWARD
    $IPT -P FORWARD ACCEPT

  4. Now your HN is protected on all interfaces, but will transparently pass traffic to and from your containers.

  5. Configure your containers with CSF to keep them protected.

Notes
Make sure the modules needed for CSF are available to your VE's by placing the following in your /etc/vz/vz.conf:

 IPTABLES="iptable_filter iptable_mangle ipt_limit ipt_multiport ipt_tos ipt_TOS ipt_REJECT ipt_TCPMSS ipt_tcpmss ipt_ttl ipt_LOG ipt_length ip_conntrack ip_conntrack_ftp ip_conntrack_irc ipt_conntrack ipt_state ipt_helper iptable_nat ip_nat_ftp ip_nat_irc ipt_REDIRECT"  

Also make sure that your "numiptent" value is around 256 or higher; the default of 128 will cause CSF to half-load on your VEs (see /proc/user_beancounters to check whether you're hitting the numiptent limit).

I've also added the above netfilter modules to my /etc/modules (1 per line). I'm not entirely sure if this is necessary. Hope this helps!
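The numiptent check from the notes above, written out as a small POSIX sh script (added here as an example; it is not from the original answer or from CSF). It reads the beancounter table, flags any container whose numiptent counter has already failed or whose limit is below the suggested 256, and prints the vzctl command to raise it. The embedded table is constructed sample data in the layout of /proc/user_beancounters; on a real hardware node pass that path to numiptent_report instead.

```shell
#!/bin/sh
# Constructed sample in the layout of /proc/user_beancounters (not real data).
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
Version: 2.5
       uid  resource                     held              maxheld              barrier                limit              failcnt
      101:  kmemsize                  2154240              4415488             14372700             14790164                    0
            numiptent                     128                  128                  128                  128                   37
      102:  kmemsize                  1024000              2048000             14372700             14790164                    0
            numiptent                      40                   64                  256                  256                    0
EOF

# Print "<ctid> <held> <limit> <failcnt>" for the numiptent row of every container.
# The first row of each container carries "uid:" as an extra leading column,
# so the field offset is adjusted per line.
numiptent_rows() {
    awk '{ off = ($1 ~ /:$/) ? 1 : 0
           if (off) ctid = substr($1, 1, length($1) - 1)
           if ($(1 + off) == "numiptent") print ctid, $(2 + off), $(5 + off), $(6 + off) }' "$1"
}

# Classify each container:
#   LIMIT-HIT  failcnt > 0 or held >= limit (rules were refused; CSF half-loaded)
#   LOW        limit below 256, the value the answer recommends
#   OK         otherwise
numiptent_report() {
    numiptent_rows "$1" | while read -r ctid held limit failcnt; do
        if [ "$failcnt" -gt 0 ] || [ "$held" -ge "$limit" ]; then
            state=LIMIT-HIT
        elif [ "$limit" -lt 256 ]; then
            state=LOW
        else
            state=OK
        fi
        printf '%s %s held=%s limit=%s failcnt=%s\n' "$ctid" "$state" "$held" "$limit" "$failcnt"
    done
}

# Print the vzctl command that raises numiptent for every container not marked OK.
suggest_fix() {
    numiptent_report "$1" | awk '$2 != "OK" { printf "vzctl set %s --numiptent 256:256 --save\n", $1 }'
}

numiptent_report "$SAMPLE"
suggest_fix "$SAMPLE"
```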
