[pve-devel] RFC : iptables implementation

Alexandre DERUMIER aderumier at odiso.com
Tue Jan 21 03:52:29 CET 2014


Hi,
Here is an implementation of a firewall with iptables, like openstack and cloudstack are doing.

The main idea is to use the chains feature of iptables as much as possible.

First, we create 2 chains per tap interface, for incoming and outgoing packets.

(In my example, tap110i0-out and tap110i0-in).

Secondly, we create groups of rules, which openstack/cloudstack/amazon ec2 call "security groups".

Then, we apply these security groups to tap110i0-out or tap110i0-in (incoming rules / outgoing rules).

This model has a lot of advantages:

- you can define rules (chain names up to 28 characters) and reuse them for different VMs
- you can apply rules on VMs or groups
- if you need to change a chain/security group, you can simply flush the chain (iptables -F chain) before reapplying the rules,
  without needing to regenerate/"compile" all rules
- there is no relation with the bridge, only tap interfaces, so you can move an interface from one bridge to another bridge without breaking rules.
- it's possible to do security groups with the MAC addresses of VMs, and allow port openings from one group to another group.
- it's possible to enable/disable firewall logging for each VM separately
- no need to maintain shorewall config files, compile rules, ...
  we can simply generate chains live as security groups are created/modified, or edit the tap chain when a group is applied to/removed from a tap interface.

What do you think about it?



iptables -F
iptables -X

iptables -N tap110i0-out
iptables -N tap110i0-in
#out
iptables -A FORWARD -m physdev --physdev-is-bridged --physdev-in tap110i0 -j tap110i0-out
#in
iptables -A FORWARD -m physdev --physdev-is-bridged --physdev-out tap110i0 -j tap110i0-in


#create security groups samples
iptables -N security1
iptables -N security2
iptables -N security3
iptables -N security4
iptables -N security5

#security1 : mac address from vm1 + ssh allowed from group4 + external ip
iptables -A security1 -m mac --mac-source 1e:0b:85:27:8d:65 -j ACCEPT
iptables -A security1 -p tcp --dport 22 -j security4  #allow ssh access to security group4
iptables -A security1 -p tcp --dport 22 --src 192.168.100.55 -j ACCEPT
iptables -A security1 -j RETURN

#security2 : simple ssh rules
iptables -A security2 -p tcp --dport 22  -j ACCEPT

#security3 : group with mac address from vm3 && vm4 + ssh open for security group2
iptables -A security3 -m mac --mac-source ab:ab:ab:ab:ab:ab -j ACCEPT
iptables -A security3 -m mac --mac-source cd:cd:cd:cd:cd:cd -j ACCEPT
iptables -A security3 -p tcp --dport 22 -j security2 
iptables -A security3 -j RETURN

#security4 : group with macaddress from vm2
iptables -A security4 -m mac --mac-source 32:36:8a:e1:b5:65 -j ACCEPT
iptables -A security4 -j RETURN

#security5 : web http 80
iptables -A security5 -p tcp --dport 80  -j ACCEPT


#out rules for tap110i0
iptables -A tap110i0-out -j ACCEPT
#fixme: add antispoofing rules 
#in rules for tap110i0
iptables -A tap110i0-in -m state --state INVALID -j DROP
iptables -A tap110i0-in -m state --state RELATED,ESTABLISHED -j RETURN
iptables -A tap110i0-in -j security1
iptables -A tap110i0-in -j security5
iptables -A tap110i0-in -j LOG --log-prefix "tap110i0in-dropped: " --log-level 4
iptables -A tap110i0-in -j DROP
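As an added example (not part of the proposal above), the same chain layout written as a small generator: the function names tap_chains, security_group, apply_in and apply_out are assumptions, and IPT defaults to "echo iptables" so the script only prints the rules it would install. The apply_out function fills in the antispoofing fixme at the IP level by accepting only frames with the VM's own MAC and IP.

```shell
#!/bin/sh
# Assumed helper names; IPT defaults to printing rules instead of applying them.
# Run with IPT=iptables as root to install the chains for real.
IPT="${IPT:-echo iptables}"

# Create the two per-interface chains and hook them into FORWARD via physdev.
tap_chains() {
    tap="$1"
    $IPT -N "${tap}-out"
    $IPT -N "${tap}-in"
    $IPT -A FORWARD -m physdev --physdev-is-bridged --physdev-in "$tap" -j "${tap}-out"
    $IPT -A FORWARD -m physdev --physdev-is-bridged --physdev-out "$tap" -j "${tap}-in"
}

# (Re)build a security group made of VM MAC addresses: flush and refill the
# chain, so a membership change never touches the tap chains that jump to it.
security_group() {
    name="$1"; shift
    $IPT -N "$name" 2>/dev/null || true   # chain already exists on a rebuild
    $IPT -F "$name"
    for mac in "$@"; do
        $IPT -A "$name" -m mac --mac-source "$mac" -j ACCEPT
    done
    $IPT -A "$name" -j RETURN
}

# Incoming side of a tap: conntrack shortcuts, one jump per applied group,
# then log and drop whatever no group accepted.
apply_in() {
    tap="$1"; shift
    $IPT -F "${tap}-in"
    $IPT -A "${tap}-in" -m state --state INVALID -j DROP
    $IPT -A "${tap}-in" -m state --state RELATED,ESTABLISHED -j RETURN
    for grp in "$@"; do
        $IPT -A "${tap}-in" -j "$grp"
    done
    $IPT -A "${tap}-in" -j LOG --log-prefix "${tap}in-dropped: " --log-level 4
    $IPT -A "${tap}-in" -j DROP
}

# Outgoing side: IP-level antispoofing. Only frames carrying the VM's own MAC
# and IP may leave the tap; anything else is logged and dropped.
apply_out() {
    tap="$1"; mac="$2"; ip="$3"
    $IPT -F "${tap}-out"
    $IPT -A "${tap}-out" -m mac --mac-source "$mac" -s "$ip" -j ACCEPT
    $IPT -A "${tap}-out" -j LOG --log-prefix "${tap}out-spoofed: " --log-level 4
    $IPT -A "${tap}-out" -j DROP
}
```

Note that apply_out as written also drops DHCP requests from the VM (source 0.0.0.0) and does nothing for ARP, which iptables never sees; ARP spoofing would need ebtables rules alongside.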


