i have 2 NICs, one connects to a private network, the other the internet. i'm running openvz. thus far i have iptables successfully doing MASQ so containers with addresses on the private net can reach the internet (but not vice versa). and i have iptables successfully opening only certain ports into the host node. i'm attempting to do the same for the containers, open only certain ports into containers with addresses on the public net. my script is below. the 4 iptables commands i was hoping would accomplish that are commented out. when i uncomment them, they do accomplish the inbound container port filtering, but i can no longer connect from a container with an address on the private net to another box on the private net. can someone tell me what i need?

# here is the settings file for a container:
# /etc/firewall.d/220:
CTID="220"                      # the container's ID#
CTNAME="rhel6.1 php and mysql"  # A human-friendly description of the container
CTIP="222.222.22.2"             # the IP address for this container
OPENPORTS="1111"                # ports to be open into this container from anywhere (except banned addresses below)
DMZS=""                         # IPs and blocks that should have full access to the container's services
BANNED=""                       # IPs and blocks that should be entirely blocked from the container's services

# here's the firewall script:
#!/bin/sh
# /etc/init.d/firewall
# chkconfig: 2345 97 87
# description: This script sets up firewall rules in the INPUT chain (for the HN itself) and then processes config files in /etc/firewall.d
#              to setup rules in the FORWARD chain to allow access to containers' services.
# 2011/7/25 gregrwm adapted from /root/iptables and http://wiki.openvz.org/Setting_up_an_iptables_firewall

. /etc/init.d/functions

OPENPORTS="2222"   # ports on the HN open to connections from anywhere
publ=br0           ### Public Network
priv=br1           ### Private Network

# services for containers are configured in /etc/firewall.d/*
# So create files under /etc/firewall.d e.g. named ExampleCompany or ve12, and give them content like this:
#CTID="1"                     # the container's ID#
#CTNAME="Customer1"           # A human-friendly description of the container
#CTIP="111.111.1.11"          # the IP address for this container
#OPENPORTS="80 443"           # ports to be open into this container from anywhere (except banned addresses below)
#DMZS="1.2.3.0/24 5.6.7.8/32" # IPs and blocks that should have full access to the container's services
#BANNED=""                    # IPs and blocks that should be entirely blocked from the container's services

setup() {
    echo -n "Firewall: Purging and setting default policies"
    ip6tables -F
    ip6tables -X
    ip6tables -Z
    iptables -F
    iptables -X
    iptables -Z
    iptables -F -t nat
    iptables -X -t nat
    iptables -Z -t nat
    iptables -P OUTPUT ACCEPT
    iptables -P INPUT DROP
#   iptables -P FORWARD DROP
    ip6tables -P INPUT DROP
    ip6tables -P FORWARD DROP
    iptables -A INPUT -j ACCEPT -i lo                 #needed to make postgres happy
#   iptables -A FORWARD -j ACCEPT -i lo               #what would this be for?
    iptables -A INPUT -j ACCEPT -i $priv              ### Private Network
#   iptables -A FORWARD -j ACCEPT -i $priv
    iptables -A INPUT -j ACCEPT -m state --state ESTABLISHED,RELATED
    iptables -A FORWARD -j ACCEPT -m state --state ESTABLISHED,RELATED
    success ; echo

    echo "Firewall: Allowing access to HN OPENPORTS from world"
    for port in $OPENPORTS ; do
        echo -n " port $port"
        iptables -A INPUT -j ACCEPT --protocol tcp --destination-port $port
        iptables -A INPUT -j ACCEPT --protocol udp --destination-port $port
        success ; echo
    done

    i=`echo /etc/firewall.d/*`
    i_null="/etc/firewall.d/*"
    [ "$i" != "$i_null" ] && for i in $i ; do
        . $i
        echo -n "Firewall: Setting up container $CTID ($CTNAME)"
        for source in $BANNED ; do iptables -A FORWARD -j REJECT --destination $CTIP --source $source ; done
        for source in $DMZS ; do iptables -A FORWARD -j ACCEPT --protocol tcp --destination $CTIP --source $source ; done
        for source in $DMZS ; do iptables -A FORWARD -j ACCEPT --protocol udp --destination $CTIP --source $source ; done
        for port in $OPENPORTS ; do iptables -A FORWARD -j ACCEPT --protocol tcp --destination $CTIP --destination-port $port ; done
        for port in $OPENPORTS ; do iptables -A FORWARD -j ACCEPT --protocol udp --destination $CTIP --destination-port $port ; done
        [ $? -eq 0 ] && success || failure
        echo
    done

    # Log (limited) and reject all else, including all ipv6
    iptables -A INPUT -m limit --limit 1/hour --limit-burst 3 -j LOG --log-level 6
    iptables -A FORWARD -m limit --limit 1/hour --limit-burst 3 -j LOG --log-level 6
    ip6tables -A INPUT -m limit --limit 1/hour --limit-burst 3 -j LOG --log-level 6
    ip6tables -A FORWARD -m limit --limit 1/hour --limit-burst 3 -j LOG --log-level 6
    iptables -A INPUT -j REJECT
#   iptables -A FORWARD -j REJECT
    ip6tables -A INPUT -j REJECT
    ip6tables -A FORWARD -j REJECT

    #masquerade packets for which we are acting as gateway from the private network. i don't think this affects public network venet forwards?
    iptables -t nat -A POSTROUTING -o $publ -j MASQUERADE
    # modprobe ip_conntrack_netbios_ns
}

case "$1" in
    start|restart)
        echo "Starting firewall..."
        setup
        ;;
    stop)
        ;;
    status)
        iptables -n -L
        ;;
    *)
        echo "Usage: $0 <start|stop|restart|status>"
        ;;
esac
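As an added example (not the poster's script and not the OpenVZ wiki's), here is a dry-run generator for the container FORWARD policy: instead of calling iptables it prints an iptables-restore fragment, so a locked-down FORWARD chain can be reviewed and syntax-checked before it is loaded and can cut anything off. It keeps the post's br0/br1 names and the settings-file variables. Two things are assumptions of mine, not from the post: the venet0 interface name and the rule accepting container-to-private-network traffic, which only apply if the containers are venet-based (their packets then enter the HN's FORWARD chain on venet0 rather than on br1, so a rule matching only `-i br1` never sees them); and the per-file variable reset, a safeguard so one container's DMZS or BANNED does not carry over into the next file that omits it.

```shell
#!/bin/sh
# Added example, not the original poster's script: print the container FORWARD
# policy in iptables-restore format so it can be reviewed with
# "iptables-restore --test" before anything is loaded into the kernel.
# Assumption (not stated in the post): containers are venet-based, so packets
# they send reach the HN's FORWARD chain on venet0, not on br0/br1.

PUBL=br0        # public network bridge (from the post)
PRIV=br1        # private network bridge (from the post)
CTIF=venet0     # host-side container interface (assumption)

# Print the rules for one container; arguments mirror the settings-file
# variables CTIP, OPENPORTS, DMZS and BANNED, in the post's rule order:
# banned sources first, then DMZ sources, then the open ports.
container_rules() {
    ctip=$1; openports=$2; dmzs=$3; banned=$4
    for src in $banned; do
        printf -- '-A FORWARD -d %s -s %s -j REJECT\n' "$ctip" "$src"
    done
    for src in $dmzs; do
        for proto in tcp udp; do
            printf -- '-A FORWARD -d %s -s %s -p %s -j ACCEPT\n' "$ctip" "$src" "$proto"
        done
    done
    for port in $openports; do
        for proto in tcp udp; do
            printf -- '-A FORWARD -d %s -p %s --dport %s -j ACCEPT\n' "$ctip" "$proto" "$port"
        done
    done
}

# Print a complete FORWARD chain for iptables-restore: default DROP, reply
# traffic, private network <-> containers in both directions, the per-container
# openings from each settings file given as an argument, then log-and-reject.
forward_table() {
    echo '*filter'
    echo ':FORWARD DROP [0:0]'
    echo '-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT'
    # private network towards containers (the post's "-i $priv" rule)
    printf -- '-A FORWARD -i %s -j ACCEPT\n' "$PRIV"
    # containers towards the private network (assumed venet: traffic arrives
    # on $CTIF, so the rule above does not cover this direction)
    printf -- '-A FORWARD -i %s -o %s -j ACCEPT\n' "$CTIF" "$PRIV"
    for f in "$@"; do
        # reset per-container variables so a file that omits one does not
        # silently inherit the previous container's value
        CTIP=""; OPENPORTS=""; DMZS=""; BANNED=""
        # shellcheck disable=SC1090
        . "$f"
        [ -n "$CTIP" ] || continue
        container_rules "$CTIP" "$OPENPORTS" "$DMZS" "$BANNED"
    done
    echo '-A FORWARD -m limit --limit 1/hour --limit-burst 3 -j LOG --log-level 6'
    echo '-A FORWARD -j REJECT'
    echo 'COMMIT'
}

# usage: sh gen-forward.sh /etc/firewall.d/* | iptables-restore --test
if [ $# -gt 0 ]; then
    forward_table "$@"
fi
```

Because the fragment carries only the FORWARD chain, load it for real with `iptables-restore --noflush` (or merge it into a file that also holds the INPUT rules); a plain `iptables-restore` would replace the whole filter table. The `--test` run catches typos such as a malformed CIDR in DMZS before the script ever touches a live chain.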