[pve-devel] Firewalling Proxmox with Shorewall

Loiseleur Michel michel at loiseleur.com
Wed Aug 1 22:31:54 CEST 2012


I finally managed to have something which seems to be a working setup 
with Shorewall. I am able to filter within, with or without on a simple 
bridged ipv4 network. Here are the necessary steps:

0) Preliminary steps
  a) apt-get install shorewall.
  b) set IP_FORWARDING=On in /etc/shorewall/shorewall.conf
  c) set the sysctl parameter allowing netfilter for the bridge (in 
/etc/sysctl.d/pve.conf or with the sysctl cli):
     net.bridge.bridge-nf-call-iptables = 1

1) You need to define your /etc/shorewall/interfaces. With one bridge on 
one interface, it will look like:
#ZONE       INTERFACE       BROADCAST       OPTIONS
world       vmbr0           detect          bridge
net         eth0
dmz         vmbr0:tap+

2) You need to define more precisely the range of your vms. It can be 
done in /etc/shorewall/hosts:
#ZONE       HOST(S)         OPTIONS
dmz         vmbr0:

3) and help shorewall understand your bridge in /etc/shorewall/zones:
#ZONE       TYPE        OPTIONS     IN OPT      OUT OPT
fw          firewall
world       ipv4
net         ipv4
dmz:world   bport

4) You can then start to define your global policy, in 
/etc/shorewall/policy (the "info" loglevel is quite handy when trying to 
understand what's going on and can be removed later):
#SOURCE     DEST        POLICY      LOG LEVEL
# Internet Connections
dmz         net         ACCEPT
# Allow FW to use internet
$FW         world       ACCEPT
net         all         DROP        info
all         all         REJECT      info

5) And a simple rules file, in /etc/shorewall/rules, allowing dns, ssh, 
proxmox and ping between vms but not outside:
#ACTION         SOURCE      DEST        PROTO       DEST PORT ...

# Accept DNS connections from the firewall to the network
DNS(ACCEPT)     dmz         $FW         udp         67

# Accept SSH connections
SSH(ACCEPT)     net         $FW
SSH(ACCEPT)     dmz         $FW
SSH(ACCEPT)     world       $FW

# Permit access to Proxmox Manager and Console
ACCEPT          dmz         $FW         tcp         5900:5999
HTTPS(ACCEPT)   dmz         $FW         tcp         443,8006
HTTP(ACCEPT)    dmz         $FW

# Allow Ping only within the local vm network
Ping(ACCEPT)    dmz         dmz

There are two key points in this setup. The first is to specify the link 
between your interfaces (vmbr0:tap+) and your zones (dmz:world). The 
second one is to define more precisely the internal range of the bridge, 
in the hosts file. If you do not, shorewall won't be able to distinguish 
your vm network from the internet.

Now that I hope to have gained my "you're no longer a complete noob in 
shorewall networking" medal, maybe I will be able to see what I can do 
about multiple bridges. It seems there's the start of an answer here:

According to this page, one should be able to use a logical name in 
order to work around uniqueness on port names.

Michel Loiseleur
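The two key points from the mail above (a bport zone must be tied to ports of a bridge interface whose own zone is the bport zone's parent, and the bport zone must get a range in the hosts file) can be checked mechanically before running `shorewall check`. The following script is an added example, not code from the original mail or from Shorewall; it parses the interfaces, hosts, zones and policy tables in the whitespace-separated format shown in the post and reports layout inconsistencies. The sample tables are copied from the mail's layout; the column headers, the `check_layout` function and the wording of the reported problems are this example's own assumptions.

```python
"""Consistency checker for the Shorewall bridge/bport layout described above.

Added example, not part of the original post. It implements the post's two
"key points" as checks over the four tables, plus a check that the policy
ends in a catch-all DROP/REJECT.
"""
from typing import Dict, List, Tuple

# Sample tables, constructed to mirror the layout in the post.
INTERFACES = """\
#ZONE  INTERFACE   BROADCAST  OPTIONS
world  vmbr0       detect     bridge
net    eth0
dmz    vmbr0:tap+
"""
HOSTS = """\
#ZONE  HOST(S)  OPTIONS
dmz    vmbr0:
"""
ZONES = """\
#ZONE      TYPE
fw         firewall
world      ipv4
net        ipv4
dmz:world  bport
"""
POLICY = """\
#SOURCE  DEST   POLICY  LOG
dmz      net    ACCEPT
$FW      world  ACCEPT
net      all    DROP    info
all      all    REJECT  info
"""


def parse_table(text: str) -> List[List[str]]:
    """Split a whitespace-separated Shorewall table into rows, dropping comments."""
    rows = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            rows.append(line.split())
    return rows


def check_layout(interfaces: str, hosts: str, zones: str, policy: str) -> List[str]:
    """Return human-readable problems; an empty list means the layout is consistent."""
    problems: List[str] = []

    # zones: "name[:parent] type ..."
    zone_info: Dict[str, Dict[str, str]] = {}
    for row in parse_table(zones):
        name, _, parent = row[0].partition(":")
        zone_info[name] = {"type": row[1], "parent": parent}

    # interfaces: "zone iface[:port] [broadcast] [options]"
    bridge_zone: Dict[str, str] = {}          # bridge interface -> zone it belongs to
    port_entries: List[Tuple[str, str, str]] = []  # (zone, iface, port) rows
    for row in parse_table(interfaces):
        zone, spec = row[0], row[1]
        iface, _, port = spec.partition(":")
        options = set(row[3].split(",")) if len(row) > 3 else set()
        if "bridge" in options:
            bridge_zone[iface] = zone
        if port:
            port_entries.append((zone, iface, port))

    # hosts: "zone iface[:hosts] [options]" -- only the zone column matters here
    host_zones = {row[0] for row in parse_table(hosts)}

    # Key point 1: a port entry must belong to a bport zone whose parent is the
    # zone of the bridge the port hangs off.
    for zone, iface, port in port_entries:
        if zone_info.get(zone, {}).get("type") != "bport":
            problems.append(f"interface entry {iface}:{port} maps to zone {zone}, "
                            f"which is not a bport zone")
            continue
        parent = zone_info[zone]["parent"]
        if bridge_zone.get(iface) != parent:
            problems.append(f"bport zone {zone} names parent {parent!r} but bridge "
                            f"{iface} is in zone {bridge_zone.get(iface)!r}")
        # Key point 2: without a hosts entry shorewall cannot tell the vm range apart.
        if zone not in host_zones:
            problems.append(f"bport zone {zone} has no entry in hosts; the vm "
                            f"network cannot be told apart from the internet")

    for name, info in zone_info.items():
        if info["type"] == "bport" and not any(e[0] == name for e in port_entries):
            problems.append(f"bport zone {name} is bound to no INTERFACE:port entry")

    # Default-deny: the last policy row should be "all all DROP|REJECT".
    rows = parse_table(policy)
    if not rows or rows[-1][:2] != ["all", "all"] or rows[-1][2] not in ("DROP", "REJECT"):
        problems.append("policy does not end with a catch-all DROP/REJECT")
    return problems


if __name__ == "__main__":
    for line in check_layout(INTERFACES, HOSTS, ZONES, POLICY) or ["layout looks consistent"]:
        print(line)
```

Run it as-is and it reports the post's layout as consistent; drop the `dmz vmbr0:` line from the hosts table, or turn `dmz:world bport` into a plain `dmz ipv4` zone, and it names the missing piece. It only reasons about the four tables it is given, so it complements rather than replaces `shorewall check`, which validates the full configuration.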

