Proxmox VE and Shorewall
Proxmox VE does not come with a firewall by default. There are several solutions to this problem, but the most flexible and robust is integrating the Shorewall firewall. This document assumes a basic knowledge of the Shorewall program and will not cover all of Shorewall's capabilities, but it will give you a good working model to get you started. For more advanced topics check out the Shorewall documentation.
Shorewall will have 3 zones: 1) the fw zone, which is the Proxmox host, 2) the net zone, which is the Internet, and 3) the dmz zone, which is where the virtual machines will reside. The hardware has just one network interface card; vmbr0 is just a bridge interface.
Note: Want to use Shorewall with stock OpenVZ? Tom Eastep (the Shorewall author) has written an article on the subject that you can find here: Shorewall and OpenVZ.
Network Layout and Shorewall Overview
We will be using a proxy ARP configuration on the Proxmox host.
A basic Proxmox network configuration looks similar to this:
auto eth0
iface eth0 inet static
    address 192.0.2.10
    netmask 255.255.255.0
    gateway 192.0.2.1

auto vmbr0
iface vmbr0 inet static
    address 10.1.1.1
    netmask 255.255.255.0
    bridge_ports none
    bridge_stp off
    bridge_fd 0
Proxmox comes by default set up in a bridged configuration: eth0 is bridged with vmbr0. This will not work for our purposes, so we break the bridge and use proxy ARP. Bridging can be made to work but is less flexible: you can define policies with a routed proxy ARP setup; with a bridge you cannot. Proxy ARP is a way to expose addresses connected to a private network to the public network. In our case we want to expose our public IPs that are attached to the virtual interface vmbr0. By using private IP space on vmbr0 we can also assign private IPs to our virtual machines if needed.
apt-get install shorewall
This will install all the needed Shorewall components on your Proxmox host node. As of this writing Shorewall 4.0.15 is installed. The configuration files for Shorewall are stored in the /etc/shorewall/ directory. To get started, copy an example configuration from the ones installed with the Shorewall package:
cp /usr/share/doc/shorewall-common/default-config/* /etc/shorewall/
cp /usr/share/doc/shorewall-common/examples/two-interfaces/* /etc/shorewall/
This will give you a good base to begin customizing the firewall to meet your needs.
The first thing to do is edit the shorewall.conf file. You want to enable IP forwarding: change the IP_FORWARDING setting from Keep to On.
Next edit the interfaces file:
net   eth0    detect   tcpflags,routefilter,nosmurfs,logmartians
dmz   venet0  detect   routeback
dmz   vmbr0   detect   routeback,bridge
This file just tells Shorewall which interfaces are connected to which zones. This also allows you to make policies based on where traffic is traveling to or from. The policy file is where you define what those policies are. In this article the following policies will be defined.
Traffic to and from the firewall:
- To the Internet is permitted
- From the Internet is prohibited
- To the DMZ is permitted
- From the DMZ is prohibited
Traffic from the DMZ:
- To the Internet is permitted
- To the firewall is prohibited
# From Firewall Policy
$FW   net   ACCEPT
$FW   dmz   ACCEPT
# From DMZ Policy
dmz   net   ACCEPT
dmz   $FW   DROP    info   1/sec:2
# From Net Policy
net   $FW   DROP    info   1/sec:2
net   dmz   DROP    info   8/sec:30
# THE FOLLOWING POLICY MUST BE LAST
all   all   REJECT  info
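Because Shorewall applies the policy table top to bottom and takes the first match, a misplaced catch-all or a duplicated zone pair silently changes what the lines above mean. The following is an added example (not part of this article or of Shorewall itself) that parses the policy table above, embedded as a constructed sample, checks those two ordering mistakes plus the LIMIT:BURST syntax, and answers which policy applies to a given zone pair.

```python
import re

# Constructed sample: the policy table from this article, comments included.
POLICY = """\
$FW net ACCEPT
$FW dmz ACCEPT
dmz net ACCEPT
dmz $FW DROP info 1/sec:2
net $FW DROP info 1/sec:2
net dmz DROP info 8/sec:30
# THE FOLLOWING POLICY MUST BE LAST
all all REJECT info
"""
LIMIT_RE = re.compile(r"^\d+/(sec|min)(:\d+)?$")  # LIMIT:BURST column, e.g. 8/sec:30

def parse_policy(text):
    """Return (source, dest, policy, log, limit) tuples with comments stripped."""
    entries = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if not fields:
            continue
        if len(fields) < 3:
            raise ValueError(f"malformed policy line: {raw!r}")
        log, limit = (fields + [None, None])[3:5]
        if limit and not LIMIT_RE.match(limit):
            raise ValueError(f"bad LIMIT:BURST {limit!r} in {raw!r}")
        entries.append((fields[0], fields[1], fields[2].upper(), log, limit))
    return entries

def lint(entries):
    """Return a list of problems; an empty list means the table is sane."""
    problems, seen = [], set()
    for i, (src, dst, pol, _, _) in enumerate(entries):
        if (src, dst) in seen:
            problems.append(f"duplicate zone pair {src} -> {dst}")
        seen.add((src, dst))
        # Shorewall takes the first matching line, so a catch-all must be last
        if (src, dst) == ("all", "all") and i != len(entries) - 1:
            problems.append("catch-all policy is not last; it shadows later lines")
    if not entries or entries[-1][:3] not in (("all", "all", "REJECT"), ("all", "all", "DROP")):
        problems.append("last line must be 'all all REJECT' (or DROP)")
    return problems

def effective_policy(entries, src, dst):
    """First match wins, which is how Shorewall evaluates the policy table."""
    for s, d, pol, _, _ in entries:
        if s in (src, "all") and d in (dst, "all"):
            return pol
    return None
```

Point parse_policy at the contents of /etc/shorewall/policy to lint a live table; note that it treats $FW literally, as the file does.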
Next we need to define rules. Rules are the exceptions to the policies defined above. We are just going to create a very basic set. You can easily expand on these on your own.
# Accept SSH connections for administration
#
SSH/ACCEPT    net    $FW
SSH/ACCEPT    net    dmz
# Permit access to Proxmox Manager and Console
ACCEPT        net    $FW    tcp    5900:5999
HTTPS/ACCEPT  net    $FW
HTTP/ACCEPT   net    $FW
#
# Allow Ping
#
Ping/ACCEPT   dmz    $FW
Ping/ACCEPT   net    dmz
Ping/ACCEPT   net    $FW
ACCEPT        $FW    dmz    icmp
ACCEPT        $FW    net    icmp
#
# VMID: 101
# Name: test.example.com
# IP: 192.0.2.11
#
HTTP/ACCEPT   net    dmz:192.0.2.11
This set of rules allows SSH and Ping to work from the net zone. The last part of the file shows a web server running at 192.0.2.11. The syntax is the same for both KVM guests and OpenVZ containers.
The next file to edit is the proxyarp file. The proxyarp file must contain all the IPs of the KVM machines running on the host node. The syntax for the file looks like this:
#ADDRESS     INTERFACE  EXTERNAL  HAVEROUTE  PERSISTENT
192.0.2.11   vmbr0      eth0      no         yes
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
The Shorewall documentation explains what this file is and why you need it. To read more about it, visit the Shorewall site.
The last file to edit is the masq file. The masq file contains the information for setting up masquerading (SNAT). This allows you to assign private IPs to virtual machines and have them still access the Internet. The syntax of the file looks like this:
#INTERFACE  SOURCE       ADDRESS  PROTO  PORT(S)  IPSEC  MARK
eth0        10.1.1.0/24
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
The file above says to NAT all addresses in 10.1.1.0/24 to whatever address eth0 has. In this example a virtual machine with an IP of 10.1.1.2 can be created in Proxmox and access the Internet. You can also add a rule to your rules file to reach services running on that host using DNAT. From the Shorewall documentation:
The general form of a simple port forwarding rule in /etc/shorewall/rules is:
#ACTION  SOURCE  DEST  PROTO  DEST PORT(S)
DNAT     net     loc:
So to allow access to a web server running on 10.1.1.2, the rule would look like this:
#ACTION    SOURCE  DEST          PROTO  DEST PORT(S)
Web(DNAT)  net     dmz:10.1.1.2
This example uses a Shorewall macro; you can learn more about those on the Shorewall website.
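The proxyarp, masq and rules files have to agree with each other: a public VM address that is missing from proxyarp is never reachable, and a private 10.1.1.0/24 address reached with a plain ACCEPT instead of DNAT is masqueraded on the way out but not forwarded on the way in. The following is an added example (not part of this article or of Shorewall) that cross-checks the three files above, embedded as constructed samples with one deliberately wrong rule; it assumes KVM guests, whose public addresses this article places in proxyarp.

```python
import ipaddress

# Constructed samples: the three files as shown in this article, plus one
# deliberately broken rule (a private VM address reached without DNAT).
PROXYARP = """\
#ADDRESS INTERFACE EXTERNAL HAVEROUTE PERSISTENT
192.0.2.11 vmbr0 eth0 no yes
"""
MASQ = """\
#INTERFACE SOURCE ADDRESS PROTO PORT(S) IPSEC MARK
eth0 10.1.1.0/24
"""
RULES = """\
#ACTION SOURCE DEST PROTO DEST PORT(S)
HTTP/ACCEPT net dmz:192.0.2.11
Web(DNAT) net dmz:10.1.1.2
SSH/ACCEPT net dmz:10.1.1.3
"""

def records(text):
    """Yield the whitespace-split fields of every non-comment, non-empty line."""
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if fields:
            yield fields

def classify_targets(proxyarp, masq, rules):
    """Map each dmz host named in a rule to how (or whether) net can reach it."""
    proxied = {ipaddress.ip_address(f[0]) for f in records(proxyarp)}
    masq_nets = [ipaddress.ip_network(f[1]) for f in records(masq)]
    verdict = {}
    for fields in records(rules):
        if len(fields) < 3 or ":" not in fields[2]:
            continue  # zone-wide rule (e.g. "SSH/ACCEPT net dmz"), no host to check
        action, dest = fields[0], fields[2]
        host = ipaddress.ip_address(dest.split(":")[1])  # zone:host[:port]
        is_dnat = "DNAT" in action.upper()
        if any(host in net for net in masq_nets):
            # Private address: only DNAT forwards inbound traffic to it
            verdict[str(host)] = "dnat" if is_dnat else "error: private address needs DNAT"
        elif host in proxied:
            verdict[str(host)] = "proxyarp" if not is_dnat else "warn: DNAT unnecessary for proxied address"
        else:
            verdict[str(host)] = "error: public address missing from proxyarp"
    return verdict
```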
Shorewall is a very powerful configuration tool. This document just gives a very basic overview of what can be done with Shorewall and how to integrate it with Proxmox. Two helpful commands when changing your firewall configuration are shorewall check and shorewall try /etc/shorewall 60. The first command checks the basic syntax of the files and makes sure that you don't have any obvious typos. The second command tries out the firewall configuration for 60 seconds, so that you can test your changes without accidentally locking yourself out for more than 60 seconds.
Hopefully this gives a good overview of using Shorewall with Proxmox. If you have questions, leave me a comment.
Linux Systems Administrator
Rocky Mountain College