Proxmox VE Firewall

| |

Proxmox VE version 1.1 does not ship with a firewall. This is a bad thing for a production server for obvious reasons. Proxmox VE 2.0 is supposed to ship with firewall support built in. Until that time here is an easy script that you can put on your Proxmox VE box to protect it and the virtual machines running on it, if you so choose. This is based off of but works with KVM machines and tailored to a Proxmox install.

Installation and Usage
The firewall system consists of three parts. The fist part is the script that does the actual heavy lifting; writing the iptables rules. The second part is a configuration file that defines the firewall that should be applied to the host node. The last part are configuration files for the virtual machines running on the host. The virtual machine configuration files are optional, the script defaults to letting all connections through for virtual hosts if there is no configuration file for them. This allows the firewall to be taken care of on the virtual machine itself.

To install the script copy to /etc/init.d/ make it executable (chmod +x) and then issue:

update-rc.d defaults 21 22

This will make the script start on boot.

Next you need to make the directory to store your firewall configurations. Issue:

mkdir /etc/firewall.d/

Then copy the hostnode.conf file to that location. You will want to edit that file to suit your environment. This file is largely self documenting so I won't go into how to use it, other to mention that the DMZS parameter is a listing of IP's that you want to have unlimited access to the host. I put my personal workstation into the DMZ zone so that I don't have to worry about ever locking myself out.

You can also copy the 101.fw file to the /etc/firewall.d/ directory. This makes generates a firewall for the virtual machine with an ID of 101. The file format is similar to the hostnode.conf file. If there is no configuration file for the virtual machine given the firewall left completely open and assumed to be taken care of on the virtual machine itself.

These scripts are not as tightly integrated into Proxmox VE as I would like so some problems do crop up. If you are not running Proxmox VE in a clustered environment the main problem is that when ever you create a new machine you need to execute a

/etc/init.d/ restart

to allow the new machine to access the network. In a clustered environment a few more issue pop up. When ever a machine is migrated the firewall will not follow so the firewall configuration file must be moved separately and then a

/etc/init.d/ restart

must be issued. If the migrated machine does not have a configuration file a

/etc/init.d/ restart

still must be issued. These issues are in addition to the issue the one that effects a non-clustered Proxmox VE install.

This is working stop gap measure. It will offer protection to your servers and works fairly well. If you have questions or suggestions leave them in the comments.

Note: I've also done a full review of the Proxmox Virtual Environment if you haven't seen it already. See: Review: Proxmox VE

101.fw_.txt530 bytes
firewall.sh_.txt3.77 KB
hostnode.conf_.txt329 bytes

Comment viewing options

Select your preferred way to display the comments and click "Save settings" to activate your changes.


hello I have a translation port 33891 to my 3389 VIRTUAL MACHINE WHAT IS CHANGING IN THE FILES PLEASE

A little help here please

Okay, running Proxmox 1.4

Everything is great until container #3 at that point all containers get open access. The files used is the exact same only with the new container # and ip address. Any ideas?


FW script

I'm using you're script for about a few months and works great,
but do you have any idea what would be the way to go if my
VM has 3 ip addresses?

FW Scripts

I have never done this but you should be able to just add multiple IP's in the fw config file. So something like this:

# This file is processed by /etc/init.d/firewall
CTID="101" # the container's ID#
CTNAME="" # A human-friendly label for the container
IP_ADDRESS="" # the IP address for this container

TCPPORTS="22 25 80 443 161 162" # TCP ports that should be opened
UDPPORTS="123 161 162" # UPD ports that should be opened

DMZS="" # IPs and blocks that should have full access
# to the container's services
BANNED="" # IPs and blocks that should be entirely
# blocked from the container's services

That would allow multiple IP's however they would all have the same services open. If that is not what you want you could make another .fw file and just call it like 101.supplement.fw and add the rules that you want.

/-\ ndrew

i did notice that the rules

i did notice that the rules of extra ip addresses add added, but
the problem is that first the container with 2 or more ip addresses are first being setup as a container with no firewall, because the ip address line in /etc/vz/conf/xxx.conf has a line with 3 ip addresses separated by spaces and does not match.

so they are wide open.

I am very careful with trying things because it's a live server.

first two work grat then all open

it is working for the first two containers, then nothing after that, they are all open, any idea?

Move VEID.fw into private area?

It has occurred to me that you could move the VEID.fw script into the private area of the VE. This would allow the owner of the container to have autonomous control of their firewall settings and would solve some of the issues with migration since the script would be migrated as well.

The main concern would be that the VE owner could alter the firewall in some undesirable way, but I think that could be prevented with some forethought.

DNAT and Transproxy

I found your scripts very interesting. But could you please provide other template scripts for DNAT and Transproxy for the following classical topology? Supposed that we have only one IP public set to eth1 on a PVE.

PVE(as a Firewall) --(eth0)-- DMZ (some VMs for public access + some VMs for local access)
Local Network

Thank you very much in advance.

Alies, In order to do what


In order to do what you want you would have to hack around quite a bit with these scripts. What I would recommend for you is a real firewall management utility. I really like Shorewall and use it on my OpenVZ boxes but I am sure it will work the same on Proxmox.

Shorewall is a front end for iptables making writing rules a breeze. So give Shorewall a try it will fit the bill nicely for you.

/-\ ndrew

Comment viewing options

Select your preferred way to display the comments and click "Save settings" to activate your changes.