Ubuntu – Firewall configuration on Ubuntu KVM host

firewalliptableskvm-virtualizationUbuntu

I have an Ubuntu 9.10 server with KVM virtualization installed on it (I'll call it HOST). It has three VMs running, one with Apache installed (calling it APACHE), one with Mysql installed (calling it MYSQL), and one with Jetty running on port 8080 (JETTY). The host has a bridge configured to provide access to the VMs.

I'd like to run a firewall on the host, but not on each VM. The firewall should block all ports on the host and VMs that aren't necessary. Here's specifically how I'd like to configure it:

HOST should only be able to be connected to via SSH from within it's netblock.
HOST should not have any other ports than SSH open.
APAHCE, MYSQL should be able to be connected to via SSH from anywhere.
MYSQL should be able to be connected to via port 3306 from within the netblock only.
JETTY should be able to be connected to via port 8080 (it is running as a user, so can't run on 80), but traffic to port 80 should be forwarded to 8080 in the firewall as well, so it can appear as a regular http server.

I just recently switched to Ubuntu, so I'm not sure what the best firewall tool is. I've dabbled with iptables on CentOS in the past, but iptables isn't running on my host system. I've seen reference to UWF as the firewall tool for ubuntu? It looks like UWF is installed, but not active.

Any suggestions on how to get this going? What files should I be editing? Are there any good HOWTOs on doing this that I just haven't found?

Best Answer

I think UFW is just a fronted for iptables. Anyway you can play with its graphical frontend.

But I strongly suggest you to learn iptables. Unbuntu official documentation: https://help.ubuntu.com/community/IptablesHowTo

Related Solutions

Libvirt/KVM – How to Forward Ports to Guests

The latest stable release for libvirt for Ubuntu is version 0.7.5, which doesn't have some newer features (i.e. script hooks and network filters) which make automatic network configuration easier. That said, here's how to enable port forwarding for libvirt 0.7.5 on Ubuntu 10.04 Lucid Lynx.

These iptables rules should do the trick:

iptables -t nat -I PREROUTING -p tcp -d 1.2.3.4 --dport 80 -j DNAT --to-destination 10.0.0.1:80
iptables -t nat -I PREROUTING -p tcp -d 1.2.3.4 --dport 22 -j DNAT --to-destination 10.0.0.2:22
iptables -I FORWARD -m state -d 10.0.0.0/24 --state NEW,RELATED,ESTABLISHED -j ACCEPT

The default KVM NAT config provides a rule similar to the 3rd I gave above, but it omits the NEW state, which is essential for accepting incoming connections.

If you write a startup script to add these rules and you're not careful, libvirt 0.7.5 overrides them by inserting its own. So, in order to make sure these rules are applied properly on startup, you need to make sure libvirt has initialized before you insert your rules.

Add the following lines to /etc/rc.local, before the line exit 0:

(
# Make sure the libvirt has started and has initialized its network.
while [ `ps -e | grep -c libvirtd` -lt 1 ]; do
        sleep 1
done
sleep 10
# Set up custom iptables rules.
iptables -t nat -I PREROUTING -p tcp -d 1.2.3.4 --dport 80 -j DNAT --to-destination 10.0.0.1:80
iptables -t nat -I PREROUTING -p tcp -d 1.2.3.4 --dport 22 -j DNAT --to-destination 10.0.0.2:22
iptables -I FORWARD -m state -d 10.0.0.0/24 --state NEW,RELATED,ESTABLISHED -j ACCEPT
) &

The sleep 10 above is a hack to make sure the libvirt daemon has had a chance to initialize its iptables rules before we add our own. I can't wait until they release libvirt version 0.8.3 for Ubuntu.

Linux – Proper network configuration for a KVM guest to be on the same networks at the host

why do you need an alias on br1:0? this might be in the way there
besides the alias, the idea is to use the following scheme:
eth0->br0 <--VM's tap device
the host should be able to use br0 as it's IF and the VMs will be using the tap devices as virtual NICs plugged into a virtual switch (which br0 effectively becomes here)

the same goes for every network of course, so for eth1, you'll have to set up an br1, and bring up the VMs to be plugged into br1

Related Topic

Ubuntu – Can ufw on a kvm host restrict traffic to guests