[pve-devel] [PATCH 0/3] Patch to add forward chain control in pve-firewall

Flavius Bindea flav at flav.com
Sun May 10 16:39:19 CEST 2015


Example:
the host has several internal bridges:
* vmbr0: x.x.x.x that contains eth0
* vmbr1: 10.1.1.0/24 : this bridge has the "front" VMs
* vmbr2: 10.1.2.0/24 : this bridge has the "back" VMs

vmbr1 and vmbr2 are not connected to an external switch.

I use kvm guests.

* guests in vmbr1 are allowed to receive external traffic only on port 80
* guests in vmbr2 are allowed to receive only traffic on the mysql port from 10.1.1.0/24

set FORWARDING policy to REJECT or DROP
add rules:
* chain FORWARD from any to 10.1.1.0/24 port tcp/80 accept
* chain FORWARD from 10.1.1.0/25 to 10.1.2.0/24 port tcp/3306 accept

Also, with my other patch (negate) you can add a rule like:
* allow servers in 10.1.1.0/24 to connect to the external world on any port, but not to internal networks
To do this you have to:
* create ipset "internal" containing 10.1.1.0/24 and 10.1.2.0/24
* add rule: chain FORWARD from any to ! "internal" accept

In this patch you may want to change where the new
"PVEFW-HOST-FORWARD" is placed.

Regards,
Flav
2015-05-10 7:26 GMT+02:00 Dietmar Maurer <dietmar at proxmox.com>:
>> This is very useful if someone wants to have guests in different subnets (on
>> different vlans) and add a firewall between the subnets.
>
> Why is it useful? Please can you be more specific, maybe giving an example?
>
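The following is an added illustration, not part of the mail or of pve-firewall: a small Python model of how the proposed FORWARD chain would evaluate the rules above (first match wins, otherwise the chain policy), including the negated ipset from the negate patch. The addresses of the hosts are constructed, and the mysql rule uses the 10.1.1.0/24 source stated in the intent (the rule line in the mail reads /25).

```python
import ipaddress

# Constructed example: the two bridge subnets from the mail, grouped as the "internal" ipset.
INTERNAL_IPSET = [ipaddress.ip_network("10.1.1.0/24"), ipaddress.ip_network("10.1.2.0/24")]
FORWARD_POLICY = "REJECT"  # the mail suggests REJECT or DROP as the chain policy


def in_ipset(addr, ipset):
    """True if addr belongs to any network of the ipset."""
    return any(ipaddress.ip_address(addr) in net for net in ipset)


def match_net(addr, spec):
    """spec is None (any), an ip_network, or ("!", ipset) meaning 'not in ipset' (negate patch)."""
    if spec is None:
        return True
    if isinstance(spec, tuple) and spec[0] == "!":
        return not in_ipset(addr, spec[1])
    return ipaddress.ip_address(addr) in spec


# FORWARD rules in the order given in the mail; a rule field of None matches anything.
FORWARD_RULES = [
    # chain FORWARD from any to 10.1.1.0/24 port tcp/80 accept
    dict(action="ACCEPT", src=None, dst=ipaddress.ip_network("10.1.1.0/24"), proto="tcp", dport=80),
    # chain FORWARD from 10.1.1.0/24 to 10.1.2.0/24 port tcp/3306 accept
    dict(action="ACCEPT", src=ipaddress.ip_network("10.1.1.0/24"),
         dst=ipaddress.ip_network("10.1.2.0/24"), proto="tcp", dport=3306),
    # chain FORWARD from any to ! "internal" accept  (negated ipset destination)
    dict(action="ACCEPT", src=None, dst=("!", INTERNAL_IPSET), proto=None, dport=None),
]


def forward_verdict(src, dst, proto, dport, rules=FORWARD_RULES, policy=FORWARD_POLICY):
    """Return the action of the first matching FORWARD rule, or the chain policy."""
    for rule in rules:
        if not match_net(src, rule["src"]) or not match_net(dst, rule["dst"]):
            continue
        if rule["proto"] is not None and rule["proto"] != proto:
            continue
        if rule["dport"] is not None and rule["dport"] != dport:
            continue
        return rule["action"]
    return policy


if __name__ == "__main__":
    # Constructed flows: external client, a "front" VM on vmbr1, a "back" VM on vmbr2.
    for flow in [("203.0.113.9", "10.1.1.5", "tcp", 80), ("203.0.113.9", "10.1.1.5", "tcp", 22),
                 ("10.1.1.5", "10.1.2.7", "tcp", 3306), ("10.1.2.7", "10.1.1.5", "tcp", 3306),
                 ("10.1.1.5", "198.51.100.20", "tcp", 443), ("10.1.1.5", "10.1.2.7", "tcp", 22)]:
        print(flow, "->", forward_verdict(*flow))
```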