OpenVZ Iptables: Allow Traffic To Pass Via venet0 To All VPS

Published August 6, 2006 · Last updated February 20, 2011


How do I configure iptables on the hardware node so that all traffic is passed through to my VPS (containers)?

venet0 is the recommended network device under OpenVZ virtualization, for both security and performance. Protecting the hardware node from unauthorized access is essential. venet0 carries the traffic between the VPS and the LAN / Internet.

Router
   \\
     \\
Hardware Node - eth0
            //
           //
        venet0
+----------+------------+
|           |           |
vps1      vps2           vps3

Allow All Traffic To VPS

The following iptables rules pass all traffic between the hardware node and all VPS / containers. Services running on the hardware node itself, such as ssh, http and webmin, can only be accessed from our LAN and not over the Internet.

#!/bin/bash
# Explains how to setup iptables on the hardware node to allow selective access, 
# but allow all traffic into the containers (VPS) so they may define their own iptables rules and 
# therefore manage their own firewall.
# Author: Vivek Gite < http://www.cyberciti.biz/ >
# See tutorial : http://www.cyberciti.biz/faq/series/rhel-centos-openvz-virtualization/
# This script is under GPL v2.0 or above.
# --------------------------------------------------------------------------------------------------
IPT="/sbin/iptables"
MOP="/sbin/modprobe"
SYST="/sbin/sysctl"
 
### ******************************************************************************* ###
### Part 1 - Protect Hardware Node						    ###
### ******************************************************************************* ###
 
### HW Node Main IP ranges ###
SRVIP="123.xx.xx.yy"
ADMIN_RANGES="192.168.1.0/24"
SPOOFIP="127.0.0.0/8 192.168.0.0/16 172.16.0.0/12 10.0.0.0/8 169.254.0.0/16 0.0.0.0/8 240.0.0.0/4 255.255.255.255/32 168.254.0.0/16 224.0.0.0/4 240.0.0.0/5 248.0.0.0/5 192.0.2.0/24"
 
### Path to other scripts ###
[ -f /root/fw/blocked.ip.txt ] && BADIPS=$(egrep -v -E "^#|^$" /root/fw/blocked.ip.txt)
 
 
### Interfaces ###
PUB_IF="eth0"   # public interface
LO_IF="lo"      # loopback
VE_IF="venet0"
 
### start firewall ###
echo "Starting Firewall..."
$IPT -F
$IPT -X
$IPT -t nat -F
$IPT -t nat -X
$IPT -t mangle -F
$IPT -t mangle -X
$IPT -P INPUT ACCEPT
$IPT -P OUTPUT ACCEPT
$IPT -P FORWARD ACCEPT
 
# Enable ip_conntrack
$MOP ip_conntrack
 
# Default policy: drop all incoming, outgoing and forwarded traffic
$IPT -P INPUT DROP
$IPT -P OUTPUT DROP
$IPT -P FORWARD DROP
 
# Unlimited lo access
$IPT -A INPUT -i ${LO_IF} -j ACCEPT
$IPT -A OUTPUT -o ${LO_IF} -j ACCEPT
 
# Allow full outgoing connections, but no incoming connections by default
$IPT -A OUTPUT -o ${PUB_IF} -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$IPT -A INPUT -i ${PUB_IF} -m state --state ESTABLISHED,RELATED -j ACCEPT
 
# Drop bad stuff
# get all bad spam / scrap ips
if [ -f /root/fw/blocked.ip.txt ];
then
	$IPT -N spamlist
	for ipblock in $BADIPS
	do
		 $IPT -A spamlist -i ${PUB_IF} -s $ipblock -j LOG --log-prefix "SPAM List Block"
		 $IPT -A spamlist -i ${PUB_IF} -s $ipblock -j DROP
	done
	$IPT -I INPUT -j spamlist
	$IPT -I OUTPUT -j spamlist
	$IPT -I FORWARD -j spamlist
fi
 
$IPT -N spooflist
for ipblock in $SPOOFIP
do
 $IPT -A spooflist -i ${PUB_IF} -s $ipblock -j LOG --log-prefix "SPOOF List Block"
 $IPT -A spooflist -i ${PUB_IF} -s $ipblock -j DROP
done
$IPT -I INPUT -j spooflist
$IPT -I OUTPUT -j spooflist
$IPT -I FORWARD -j spooflist
 
 
# Drop new TCP connections that do not start with a SYN
$IPT -A INPUT -i ${PUB_IF} -p tcp ! --syn -m state --state NEW -j DROP
 
# Stop Fragments
$IPT -A INPUT -i ${PUB_IF} -f -j DROP
 
$IPT  -A INPUT -i ${PUB_IF} -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
$IPT  -A INPUT -i ${PUB_IF} -p tcp --tcp-flags ALL ALL -j DROP
 
# Stop NULL packets
$IPT  -A INPUT -i ${PUB_IF} -p tcp --tcp-flags ALL NONE -m limit --limit 5/m --limit-burst 7 -j LOG --log-prefix "NULL Packets"
$IPT  -A INPUT -i ${PUB_IF} -p tcp --tcp-flags ALL NONE -j DROP
 
$IPT  -A INPUT -i ${PUB_IF} -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
 
# Stop XMAS
$IPT  -A INPUT -i ${PUB_IF} -p tcp --tcp-flags SYN,FIN SYN,FIN -m limit --limit 5/m --limit-burst 7 -j LOG --log-prefix "XMAS Packets"
$IPT  -A INPUT -i ${PUB_IF} -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
 
# Stop FIN packet scans
$IPT  -A INPUT -i ${PUB_IF} -p tcp --tcp-flags FIN,ACK FIN -m limit --limit 5/m --limit-burst 7 -j LOG --log-prefix "Fin Packets Scan"
$IPT  -A INPUT -i ${PUB_IF} -p tcp --tcp-flags FIN,ACK FIN -j DROP
 
$IPT  -A INPUT -i ${PUB_IF} -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
 
 
# Get rid of broadcast
$IPT  -A INPUT -i ${PUB_IF} -m pkttype --pkt-type broadcast -j DROP
$IPT  -A INPUT -i ${PUB_IF} -m pkttype --pkt-type multicast -j DROP
$IPT  -A INPUT -i ${PUB_IF} -m state --state INVALID -j DROP
 
 
# allow SSH, webmin, HTTP and HTTPS ONLY from $ADMIN_RANGES
$IPT -A INPUT -i ${PUB_IF} -s ${ADMIN_RANGES} -d ${SRVIP} -p tcp --destination-port 22 -j ACCEPT
$IPT -A INPUT -i ${PUB_IF} -s ${ADMIN_RANGES} -d ${SRVIP} -p tcp --destination-port 10000 -j ACCEPT
$IPT -A INPUT -i ${PUB_IF} -s ${ADMIN_RANGES} -d ${SRVIP} -p tcp --destination-port 80 -j ACCEPT
$IPT -A INPUT -i ${PUB_IF} -s ${ADMIN_RANGES} -d ${SRVIP} -p tcp --destination-port 443 -j ACCEPT
 
# Allow incoming ICMP echo requests (ping) and common ICMP error messages, rate limited
$IPT -A INPUT -i ${PUB_IF} -p icmp --icmp-type 8 -m state --state NEW,ESTABLISHED,RELATED -m limit --limit 30/sec  -j ACCEPT
$IPT -A INPUT -i ${PUB_IF}  -p icmp -m icmp --icmp-type 3 -m limit --limit 30/sec -j ACCEPT
$IPT -A INPUT -i ${PUB_IF}  -p icmp -m icmp --icmp-type 5 -m limit --limit 30/sec -j ACCEPT
$IPT -A INPUT -i ${PUB_IF}  -p icmp -m icmp --icmp-type 11 -m limit --limit 30/sec -j ACCEPT
 
### ******************************************************************************* ###
### Part 1 - Protect Hardware Node END						    ###
### ******************************************************************************* ###
 
 
 
### ******************************************************************************* ###
### Part 2 - ALL VPS Specific Config						    ###
### ******************************************************************************* ###
 
# Allow all ports for all VPS i.e. full access
# user can set their own firewall inside vps
# Note: "-F FORWARD" also removes the spamlist / spooflist jumps inserted
# into FORWARD above, so only the hardware node's own INPUT keeps those filters.
$IPT -P FORWARD ACCEPT
$IPT -F FORWARD
 
### ******************************************************************************* ###
### Part 2 - ALL VPS Specific Config END						    ###
### ******************************************************************************* ###
 
 
 
# drop and log everything else
$IPT -A INPUT -m limit --limit 5/m --limit-burst 7 -j LOG
$IPT -A INPUT -j REJECT --reject-with icmp-port-unreachable
 
exit 0

Install this script as /root/fw/firewall and make it executable:
# chmod +x /root/fw/firewall
Call it from /etc/rc.local so it runs at boot:
# echo '/root/fw/firewall' >> /etc/rc.local
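To see the rule order that Part 1 and Part 2 produce together without touching a live node, here is an added dry-run harness (not the FAQ's own code): it shadows iptables with a shell function that records rules into one file per chain, replays a shortened version of the script's sequence, and shows that the "-F FORWARD" in Part 2 also discards the spooflist jump inserted into FORWARD earlier, while INPUT keeps it. The fake_ipt recorder, the helper functions and the shortened SPOOFIP list are constructed for this example; only -N, -X, -F, -P, -A and -I on the filter table are modelled.

```shell
#!/bin/sh
# Dry-run a firewall script by shadowing iptables with a shell function.
# Added example, not the FAQ's code. One file per chain under $DRY holds the
# rules; CHAIN.policy holds the default policy. "-t TABLE" is ignored.

DRY=$(mktemp -d)
trap 'rm -rf "$DRY"' EXIT

for _c in INPUT OUTPUT FORWARD; do
    : > "$DRY/$_c"
    echo ACCEPT > "$DRY/$_c.policy"
done

fake_ipt() {
    [ "$1" = "-t" ] && shift 2                 # only the filter table is modelled
    case "$1" in
        -N) : > "$DRY/$2" ;;                   # new, empty user chain
        -X) if [ -n "$2" ]; then rm -f "$DRY/$2"
            else                               # -X alone removes every user chain
                for _f in "$DRY"/*; do
                    case "$(basename "$_f")" in
                        INPUT|OUTPUT|FORWARD|*.policy) ;;
                        *) rm -f "$_f" ;;
                    esac
                done
            fi ;;
        -F) if [ -n "$2" ]; then : > "$DRY/$2"
            else                               # -F alone empties every chain
                for _f in "$DRY"/*; do
                    case "$_f" in *.policy) ;; *) : > "$_f" ;; esac
                done
            fi ;;
        -P) echo "$3" > "$DRY/$2.policy" ;;
        -A) _chain=$2; shift 2; echo "$*" >> "$DRY/$_chain" ;;   # append
        -I) _chain=$2; shift 2                 # insert at the head of the chain
            { echo "$*"; cat "$DRY/$_chain"; } > "$DRY/$_chain.new"
            mv "$DRY/$_chain.new" "$DRY/$_chain" ;;
    esac
}

rule_count() { wc -l < "$DRY/$1" | tr -d ' '; }
policy_of()  { cat "$DRY/$1.policy"; }
chain_has()  { grep -q -- "$2" "$DRY/$1"; }
show_chain() { echo "Chain $1 (policy $(policy_of "$1"))"; cat "$DRY/$1"; echo; }

# Replay of the page's sequence, shortened (constructed values).
IPT=fake_ipt
PUB_IF=eth0
SPOOFIP="127.0.0.0/8 10.0.0.0/8"

$IPT -F
$IPT -X
$IPT -P INPUT DROP
$IPT -P FORWARD DROP
$IPT -N spooflist
for ipblock in $SPOOFIP; do
    $IPT -A spooflist -i ${PUB_IF} -s $ipblock -j DROP
done
$IPT -I INPUT -j spooflist
$IPT -I FORWARD -j spooflist
$IPT -A INPUT -i ${PUB_IF} -m state --state ESTABLISHED,RELATED -j ACCEPT

# Part 2 of the page's script: open FORWARD for the containers.
$IPT -P FORWARD ACCEPT
$IPT -F FORWARD

show_chain INPUT        # still begins with "-j spooflist"
show_chain FORWARD      # policy ACCEPT, no rules left: the spooflist jump is gone
```

Point the real script's IPT variable at this function and source it to inspect any other ordering question the same way; if anti-spoof filtering is wanted for container traffic as well, the jump has to be re-added after the flush in Part 2.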



1 Scott Dowdle August 8, 2009 at 7:18 pm

Oh, one more tiny thing… the preferred term now is container rather than VPS or VE… although you will still see VPS and VE used in some of the older documentation.


2 Scott Dowdle August 8, 2009 at 7:21 pm

But wait, there is more… there is a HOWTO on the CentOS wiki. I wrote it:

http://wiki.centos.org/HowTos/Virtualization/OpenVZ


3 HD January 3, 2010 at 9:25 am

I am getting an error at line 71 of the script
here is the error:
line 71: syntax error near unexpected token ‘done’
line 71: ‘done’

Please help


4 Matthew V May 23, 2010 at 3:58 am

Change line 71 from ‘done’ to ‘fi’

It should be noted that a default policy of reject is bad news if your server is being accessed remotely. If you flush your rules or mess up the ADMIN_RANGES then you will be completely locked out. I created the following test script to make sure that doesn’t happen:

#!/bin/bash
# bash rather than sh: "read -p" is not available in a POSIX sh such as dash

shutdown -r +5 &
/etc/fw/firewall

while true; do
read -p "Cancel Shutdown?" yn
case $yn in
[Yy]* ) shutdown -c; break;;
* ) exit 0;;
esac
done

The script will automatically reboot the server if you don’t press ‘y’ within 5 minutes.

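The admin-only rules in the script above and the lock-out warning in the comment above share one root cause: the firewall is applied before anyone checks that the administrator's own address is inside ADMIN_RANGES and that the script even parses. Here is an added pre-flight check (not part of the FAQ or of the commenter's script) that does both before the firewall touches iptables: a syntax check with "sh -n" (which would have caught the stray "done" reported above), and a pure-shell CIDR test that refuses to proceed when the address you are logged in from is not covered. The helper names, the sample script and the addresses are constructed for this example; on a real node the client address comes from sshd's SSH_CONNECTION variable.

```shell
#!/bin/sh
# Pre-flight checks before installing a firewall whose INPUT policy is DROP.
# Added example, not the FAQ's code. Assumes the firewall script path and the
# ADMIN_RANGES value are passed in by the caller.

# Convert a dotted-quad IPv4 address to a 32-bit integer.
ip2int() {
    _ifs=$IFS; IFS=.
    set -- $1
    IFS=$_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_cidr IP NET/BITS -> true when IP lies inside the CIDR block.
in_cidr() {
    _ip=$(ip2int "$1")
    _net=${2%/*}
    _bits=${2#*/}
    [ "$_bits" = "$2" ] && _bits=32          # bare address: treat as /32
    _net=$(ip2int "$_net")
    _mask=$(( (4294967295 << (32 - _bits)) & 4294967295 ))
    [ $(( _ip & _mask )) -eq $(( _net & _mask )) ]
}

# in_ranges IP "CIDR CIDR ..." -> true when any listed block contains IP.
in_ranges() {
    for _r in $2; do
        in_cidr "$1" "$_r" && return 0
    done
    return 1
}

# syntax_ok FILE -> true when the shell accepts the script without running it.
syntax_ok() {
    sh -n "$1" 2>/dev/null
}

# preflight FILE ADMIN_RANGES CLIENT_IP -> 0 when it is safe to apply, 1 otherwise.
preflight() {
    _rc=0
    if ! syntax_ok "$1"; then
        echo "REFUSE: $1 has a shell syntax error"
        _rc=1
    fi
    if ! in_ranges "$3" "$2"; then
        echo "REFUSE: $3 is not in ADMIN_RANGES ($2); applying would lock you out"
        _rc=1
    fi
    return $_rc
}

# Constructed demo: a script with the same 'done'-for-'fi' slip as the comment
# reports, checked from a constructed client address.
DEMO=$(mktemp)
cat > "$DEMO" <<'EOF'
#!/bin/bash
if [ -f /root/fw/blocked.ip.txt ]; then
    echo "have blocklist"
done
EOF

# On a real node: CLIENT=${SSH_CONNECTION%% *}
if preflight "$DEMO" "192.168.1.0/24" "203.0.113.9"; then
    echo "safe to install the firewall"
else
    echo "not applying the firewall"
fi
rm -f "$DEMO"
```

Run preflight against /root/fw/firewall and the real ADMIN_RANGES from the same SSH session you intend to keep; only when it returns 0 is it reasonable to start the timed-reboot test from the comment above.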

5 Matthew V May 23, 2010 at 4:03 am

Also don’t link rc.local directly to your script or it will lock you out upon reboot. Instead copy the script over when satisfied or add cp -a /etc/fw/firewall /etc/fw/firewall.rc after the reboot -c


6 pppplus March 20, 2011 at 1:03 pm

Hi, and thanks for sharing your firewall.
One question :
# allow SSH, HTTP, HTTPD and webmin ONlY from $ADMIN_RANGES
$IPT -A INPUT -i ${PUB_IF} -s ${ADMIN_RANGES} -d ${SRVIP} -p tcp --destination-port 22 -j ACCEPT
$IPT -A INPUT -i ${PUB_IF} -s ${ADMIN_RANGES} -d ${SRVIP} -p tcp --destination-port 10000 -j ACCEPT
$IPT -A INPUT -i ${PUB_IF} -s ${ADMIN_RANGES} -d ${SRVIP} -p tcp --destination-port 80 -j ACCEPT
$IPT -A INPUT -i ${PUB_IF} -s ${ADMIN_RANGES} -d ${SRVIP} -p tcp --destination-port 443 -j ACCEPT

If I understand correctly, all traffic from IPs in ADMIN_RANGES is allowed.
But what can I do if I do not have a static IP?
I want to be able to connect over SSH and to port 80 from everywhere.


7 Francis Lee Mondia October 12, 2012 at 3:23 am

Hi,

Will this work on debian (proxmox box) also?

