Proxmox VE Firewall
Proxmox VE version 1.1 does not ship with a firewall. This is a bad thing for a production server for obvious reasons. Proxmox VE 2.0 is supposed to ship with firewall support built in. Until that time, here is an easy script that you can put on your Proxmox VE box to protect it and, if you so choose, the virtual machines running on it. This is based on http://wiki.openvz.org/Setting_up_an_iptables_firewall but works with KVM machines and is tailored to a Proxmox install.
Installation and Usage
The firewall system consists of three parts. The first part is the script that does the actual heavy lifting: writing the iptables rules. The second part is a configuration file that defines the firewall that should be applied to the host node. The last part is a set of configuration files for the virtual machines running on the host. The virtual machine configuration files are optional; the script defaults to letting all connections through to a virtual machine if there is no configuration file for it. This allows the firewall to be taken care of on the virtual machine itself.
To install the script, copy firewall.sh to /etc/init.d/, make it executable (chmod +x) and then issue:
update-rc.d firewall.sh defaults 21 22
This will make the script start on boot.
Next you need to make the directory to store your firewall configurations. Issue:
Then copy the hostnode.conf file to that location. You will want to edit that file to suit your environment. This file is largely self-documenting so I won't go into how to use it, other than to mention that the DMZS parameter is a list of IPs that you want to have unlimited access to the host. I put my personal workstation into the DMZ zone so that I don't have to worry about ever locking myself out.
You can also copy the 101.fw file to the /etc/firewall.d/ directory. This generates a firewall for the virtual machine with an ID of 101. The file format is similar to the hostnode.conf file. If no configuration file is given for a virtual machine, its firewall is left completely open and assumed to be taken care of on the virtual machine itself.
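To make the host/VM split concrete, here is a small rule generator written for this post in the spirit of the script described above. It is an added example, not the original firewall.sh, and the configuration format it reads (a DMZS list for the host and a TCP_PORTS line in each <vmid>.fw file) is assumed; it prints the iptables commands instead of applying them, so it can be dry-run without root.

```shell
#!/bin/sh
# Added example (not the original firewall.sh). Config format is assumed:
#   host:  DMZS="ip ip ..."  and a list of allowed TCP ports
#   VM:    $CONF_DIR/<vmid>.fw containing a line  TCP_PORTS="80 443"
# Usage: host_rules "10.0.0.5" "22 443" ; vm_rules 101 192.0.2.101
CONF_DIR="${CONF_DIR:-/etc/firewall.d}"

# INPUT chain for the host node. Every address in DMZS gets unlimited
# access (the "never lock myself out" list); everyone else only reaches
# the listed TCP ports. Default policy is DROP.
host_rules() {
    dmzs="$1"; ports="$2"
    echo "iptables -P INPUT DROP"
    echo "iptables -A INPUT -i lo -j ACCEPT"
    echo "iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    for ip in $dmzs; do
        echo "iptables -A INPUT -s $ip -j ACCEPT"
    done
    for p in $ports; do
        echo "iptables -A INPUT -p tcp --dport $p -m state --state NEW -j ACCEPT"
    done
}

# FORWARD chain for one VM. If <vmid>.fw does not exist the VM is left
# open (ACCEPT), mirroring the default described above; otherwise only
# the TCP_PORTS it lists are allowed in and everything else is dropped.
# The file is parsed with sed rather than sourced, so a config file
# cannot execute arbitrary shell as root.
vm_rules() {
    vmid="$1"; vmip="$2"
    fw="$CONF_DIR/$vmid.fw"
    if [ ! -f "$fw" ]; then
        echo "iptables -A FORWARD -d $vmip -j ACCEPT"
        return 0
    fi
    ports=$(sed -n 's/^TCP_PORTS=//p' "$fw" | tr -d '"')
    echo "iptables -A FORWARD -d $vmip -m state --state ESTABLISHED,RELATED -j ACCEPT"
    for p in $ports; do
        echo "iptables -A FORWARD -d $vmip -p tcp --dport $p -m state --state NEW -j ACCEPT"
    done
    echo "iptables -A FORWARD -d $vmip -j DROP"
}
```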
These scripts are not as tightly integrated into Proxmox VE as I would like, so some problems do crop up. If you are not running Proxmox VE in a clustered environment, the main problem is that whenever you create a new machine you need to execute a
to allow the new machine to access the network. In a clustered environment a few more issues pop up. Whenever a machine is migrated the firewall will not follow, so the firewall configuration file must be moved separately and then a
must be issued. If the migrated machine does not have a configuration file a
still must be issued. These issues are in addition to the one that affects a non-clustered Proxmox VE install.
This is a working stopgap measure. It will offer protection to your servers and works fairly well. If you have questions or suggestions, leave them in the comments.
Note: I've also done a full review of the Proxmox Virtual Environment if you haven't seen it already. See: Review: Proxmox VE