OpenVZ Iptables: Allow Traffic To Pass Via venet0 To All VPS

in Categories , , , , , , last updated May 6, 2017

How do I configure IPTABLES to pass all traffic to my VPS (container) under hardware node?

venet0 is recommend networking for security and performance under OpenVZ Virtualization. Protecting hardware node is important from unauthorized access. venet0 is used to communicate between VPS and the LAN / Internet.

Hardware Node - eth0
|           |           |
vps1      vps2           vps3

Allow All Traffic To VPS

Following iptables rules allows to pass all traffic between hardware node and all vps / containers. Services running on hardware node such as ssh, http, webmin can only accessed within our LAN and not over the Internet.

# Explains how to setup iptables on the hardware node to allow selective access, 
# but allow all traffic into the containers (VPS) so they may define their own iptables rules and 
# therefore manage their own firewall.
# Author: Vivek Gite < >
# See tutorial :
# This script is under GPL v2.0 or above.
# --------------------------------------------------------------------------------------------------
### ******************************************************************************* ###
### Part 1 - Protect Hardware Node						    ###
### ******************************************************************************* ###
### HW Node Main IP ranges ###
### Path to other scripts ###
[ -f /root/fw/blocked.ip.txt ] && BADIPS=$(egrep -v -E "^#|^$" /root/fw/blocked.ip.txt)
### Interfaces ###
PUB_IF="eth0"   # public interface
LO_IF="lo"      # loopback
### start firewall ###
echo "Starting Firewall..."
$IPT -t nat -F
$IPT -t nat -X
$IPT -t mangle -F
$IPT -t mangle -X
# Enable ip_conntrack
$MOP ip_conntrack
# DROP and close everything all incomming traffic
# Unlimited lo access
# Allow Full Outgoing connection but no incomming stuff by default
# Drop bad stuff
# get all bad spam / scrap ips
if [ -f /root/fw/blocked.ip.txt ];
	$IPT -N spamlist
	for ipblock in $BADIPS
		 $IPT -A spamlist -i ${PUB_IF} -s $ipblock -j LOG --log-prefix "SPAM List Block"
		 $IPT -A spamlist -i ${PUB_IF} -s $ipblock -j DROP
	$IPT -I INPUT -j spamlist
	$IPT -I OUTPUT -j spamlist
	$IPT -I FORWARD -j spamlist
$IPT -N spooflist
for ipblock in $SPOOFIP
 $IPT -A spooflist -i ${PUB_IF} -s $ipblock -j LOG --log-prefix "SPOOF List Block"
 $IPT -A spooflist -i ${PUB_IF} -s $ipblock -j DROP
$IPT -I INPUT -j spooflist
$IPT -I OUTPUT -j spooflist
$IPT -I FORWARD -j spooflist
# Stop sync
$IPT -A INPUT -i ${PUB_IF} -p tcp ! --syn -m state --state NEW -j DROP
# Stop Fragments
$IPT -A INPUT -i ${PUB_IF} -f -j DROP
$IPT  -A INPUT -i ${PUB_IF} -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
$IPT  -A INPUT -i ${PUB_IF} -p tcp --tcp-flags ALL ALL -j DROP
# Stop NULL packets
$IPT  -A INPUT -i ${PUB_IF} -p tcp --tcp-flags ALL NONE -m limit --limit 5/m --limit-burst 7 -j LOG --log-prefix "NULL Packets"
$IPT  -A INPUT -i ${PUB_IF} -p tcp --tcp-flags ALL NONE -j DROP
$IPT  -A INPUT -i ${PUB_IF} -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
# Stop XMAS
$IPT  -A INPUT -i ${PUB_IF} -p tcp --tcp-flags SYN,FIN SYN,FIN -m limit --limit 5/m --limit-burst 7 -j LOG --log-prefix "XMAS Packets"
$IPT  -A INPUT -i ${PUB_IF} -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
# Stop FIN packet scans
$IPT  -A INPUT -i ${PUB_IF} -p tcp --tcp-flags FIN,ACK FIN -m limit --limit 5/m --limit-burst 7 -j LOG --log-prefix "Fin Packets Scan"
$IPT  -A INPUT -i ${PUB_IF} -p tcp --tcp-flags FIN,ACK FIN -j DROP
$IPT  -A INPUT -i ${PUB_IF} -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
# Get rid of broadcast
$IPT  -A INPUT -i ${PUB_IF} -m pkttype --pkt-type broadcast -j DROP
$IPT  -A INPUT -i ${PUB_IF} -m pkttype --pkt-type multicast -j DROP
$IPT  -A INPUT -i ${PUB_IF} -m state --state INVALID -j DROP
# allow SSH, HTTP, HTTPD and webmin ONlY from $ADMIN_RANGES
$IPT -A INPUT -i ${PUB_IF} -s ${ADMIN_RANGES} -d ${SRVIP} -p tcp --destination-port 22 -j ACCEPT
$IPT -A INPUT -i ${PUB_IF} -s ${ADMIN_RANGES} -d ${SRVIP} -p tcp --destination-port 10000 -j ACCEPT
$IPT -A INPUT -i ${PUB_IF} -s ${ADMIN_RANGES} -d ${SRVIP} -p tcp --destination-port 80 -j ACCEPT
$IPT -A INPUT -i ${PUB_IF} -s ${ADMIN_RANGES} -d ${SRVIP} -p tcp --destination-port 443 -j ACCEPT
# Allow incomming ICMP ping pong stuff
$IPT -A INPUT -i ${PUB_IF} -p icmp --icmp-type 8 -m state --state NEW,ESTABLISHED,RELATED -m limit --limit 30/sec  -j ACCEPT
$IPT -A INPUT -i ${PUB_IF}  -p icmp -m icmp --icmp-type 3 -m limit --limit 30/sec -j ACCEPT
$IPT -A INPUT -i ${PUB_IF}  -p icmp -m icmp --icmp-type 5 -m limit --limit 30/sec -j ACCEPT
$IPT -A INPUT -i ${PUB_IF}  -p icmp -m icmp --icmp-type 11 -m limit --limit 30/sec -j ACCEPT
### ******************************************************************************* ###
### Part 1 - Protect Hardware Node END						    ###
### ******************************************************************************* ###
### ******************************************************************************* ###
### Part 2 - ALL VPS Specifc Config						    ###
### ******************************************************************************* ###
# Allow all ports for all VPS i.e. full access
# user can set their own firewall inside vps
### ******************************************************************************* ###
### Part 2 - ALL VPS Specifc Config END						    ###
### ******************************************************************************* ###
# drop and log everything else
$IPT -A INPUT -m limit --limit 5/m --limit-burst 7 -j LOG
$IPT -A INPUT -j REJECT --reject-with icmp-port-unreachable
exit 0

Install this script at /root/fw/firewall:
# chmod +x /root/fw/firewall
Call it from /etc/rc.local
# echo '/root/fw/firewall' >> /etc/rc.local

This entry is 4 of 5 in the RHEL / CentOS Linux OpenVZ Virtualization Tutorial series. Keep reading the rest of the series:
  1. How To Setup OpenVZ under RHEL / CentOS Linux
  2. CentOS Linux Install OpenVZ Virtualization Software
  3. How To Create OpenVZ Virtual Machines (VPS)
  4. OpenVZ Iptables: Allow Traffic To Pass Via venet0 To All VPS
  5. OpenVZ Virtual Machine (VPS) Management

Posted by: Vivek Gite

The author is the creator of nixCraft and a seasoned sysadmin, DevOps engineer, and a trainer for the Linux operating system/Unix shell scripting. Get the latest tutorials on SysAdmin, Linux/Unix and open source topics via RSS/XML feed or weekly email newsletter.

Share this on (or read 7 comments/add one below):

7 comment

  1. Oh, one more tiny thing… the preferred term now is container rather than VPS or VE… although you will still see VPS and VE used in some of the older documentation.

  2. I am getting an error at line 71 of the script
    here is the error:
    line 71: syntax error near unexpected token ‘done’
    line 71: ‘done’

    Please help

  3. Change line 71 from ‘done’ to ‘fi’

    It should be noted that a default policy of reject is bad news if your server is being accessed remotely. If you flush your rules or mess up the ADMIN_RANGES then you will be completely locked out. I created the following test script to make sure that doesn’t happen:


    shutdown -r +5 &

    while true; do
    read -p “Cancel Shutdown?” yn
    case $yn in
    [Yy]* ) shutdown -c; break;;
    * ) exit 0;;

    The script will automatically reboot the server if you don’t press ‘y’ within 5 minutes.

    1. Also don’t link rc.local directly to your script or it will lock you out upon reboot. Instead copy the script over when satisfied or add cp -a /etc/fw/firewall /etc/fw/firewall.rc after the reboot -c

  4. Hi, and thanks for sharing your firewall.
    One question :
    # allow SSH, HTTP, HTTPD and webmin ONlY from $ADMIN_RANGES
    $IPT -A INPUT -i ${PUB_IF} -s ${ADMIN_RANGES} -d ${SRVIP} -p tcp –destination-port 22 -j ACCEPT
    $IPT -A INPUT -i ${PUB_IF} -s ${ADMIN_RANGES} -d ${SRVIP} -p tcp –destination-port 10000 -j ACCEPT
    $IPT -A INPUT -i ${PUB_IF} -s ${ADMIN_RANGES} -d ${SRVIP} -p tcp –destination-port 80 -j ACCEPT
    $IPT -A INPUT -i ${PUB_IF} -s ${ADMIN_RANGES} -d ${SRVIP} -p tcp –destination-port 443 -j ACCEPT

    If I understand well, all trafic from IP in ADMIN_RANGES are allowed.
    But how can I do, if I have not static IP ?
    How can I do, I want to be possible to connect in SSH and port 80 from everywhere.

    Have a question? Post it on our forum!