iptables in a Ubuntu OpenVZ container
Category : How-to
If you need a software firewall to shield containers on a Proxmox stack, you should always use a firewall on the host to decide what traffic is allowed for each container. This brings some obvious benefits: it is centrally managed, with one configuration location for all containers on the node, and it is more secure, because a compromised container cannot change the firewall settings.
However, in Proxmox 3.0+ you can also use iptables inside a container, which has its own benefits under certain circumstances. For example, you can test firewall rules for a new development container without risking other containers on the same host, and you don't need to give people access to the host to modify the rules.
I have tried iptables using an Ubuntu 12.04 container template. It works as expected but requires some setup on both the guest container and the Proxmox host.
Setup
Proxmox – steps to perform on the Proxmox host
You will need to give containers access to the required kernel modules. To do this, edit the vz config file:
vi /etc/vz/vz.conf
And edit the IPTABLES= line as below.
IPTABLES="ipt_REJECT ipt_tos ipt_limit ipt_multiport iptable_filter iptable_mangle ipt_TCPMSS ipt_tcpmss ipt_ttl ipt_length ipt_state"
Make sure the required modules are loaded by running the following in a console window as root:
modprobe xt_state
modprobe xt_tcpudp
modprobe ip_conntrack
Container – steps to perform in the Ubuntu container
First, open a console into the container: either use the GUI console window, or run vzctl enter [VMID] from a host console to log in to the container.
Install iptables using apt-get.
apt-get install iptables
Any changes you make to iptables, such as adding new rules, are lost each time the service is restarted, and therefore every time the container reboots. This is obviously not ideal. To get round this we add a script that saves the rules each time the network interface goes down, and one that loads them again when the interface starts up.
Create an iptables script to run when the network is started:
vi /etc/network/if-pre-up.d/iptables
And add the below script to load the rules into iptables:
#!/bin/sh
iptables-restore < /etc/iptables.rules
exit 0
And when the network goes down:
vi /etc/network/if-post-down.d/iptables
To save the rules:
#!/bin/sh
iptables-save -c > /etc/iptables.rules
exit 0
After your network is restarted, the current rules will be saved to /etc/iptables.rules. To add new rules, you can edit this file directly and load the settings or you can use the iptables commands to create the rules you require. More about that in my iptables cheat sheet.
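As an added example that is not part of the original post, the script below cross-checks the container's saved /etc/iptables.rules against the host's vz.conf IPTABLES= whitelist. A rule whose match or target module is missing from that line makes iptables-restore fail inside the container, and the exit 0 in the if-pre-up.d hook hides that failure, so the container comes up with no rules loaded. The module mapping and the two sample files are constructed for the demo; the file paths are parameters.

```shell
#!/bin/sh
# Added example, not from the original post: before trusting the if-pre-up.d
# restore hook, check that every match/target used in the container's saved
# rules has its module whitelisted in the host's vz.conf IPTABLES= line.
# File paths are parameters; the two sample files below are constructed.
# Print the module names enabled on the host (the IPTABLES= line, unquoted).
vz_enabled_modules() {
    sed -n '/^IPTABLES=/{s/^IPTABLES=//;s/"//g;p;}' "$1"
}

# Map each table, match (-m) and target (-j) in an iptables-save file to the
# OpenVZ module that must be whitelisted; print the set of required modules.
rules_required_modules() {
    awk '
        /^\*filter/ { print "iptable_filter" }
        /^\*mangle/ { print "iptable_mangle" }
        {
            for (i = 1; i < NF; i++) {
                if ($i == "-m" && $(i+1) ~ /^(state|limit|multiport|tos|ttl|length|tcpmss)$/)
                    print "ipt_" $(i+1)
                if ($i == "-j" && $(i+1) ~ /^(REJECT|TCPMSS)$/)
                    print "ipt_" $(i+1)
            }
        }' "$1" | sort -u
}

# Print required modules missing from the host whitelist (no output = OK).
missing_modules() {
    enabled=" $(vz_enabled_modules "$1") "
    for m in $(rules_required_modules "$2"); do
        case "$enabled" in *" $m "*) ;; *) echo "$m" ;; esac
    done
}

# Constructed demo input: the whitelist below omits ipt_limit on purpose, and
# the rules file is in the iptables-save -c format used by the post-down hook.
demo_dir=$(mktemp -d)
cat > "$demo_dir/vz.conf" <<'EOF'
IPTABLES="ipt_REJECT ipt_tos ipt_multiport iptable_filter iptable_mangle ipt_TCPMSS ipt_tcpmss ipt_ttl ipt_length ipt_state"
EOF
cat > "$demo_dir/iptables.rules" <<'EOF'
*filter
:INPUT DROP [0:0]
[0:0] -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
[0:0] -A INPUT -p tcp -m multiport --dports 22,80,443 -j ACCEPT
[0:0] -A INPUT -p icmp -m limit --limit 5/s -j ACCEPT
[0:0] -A INPUT -j REJECT --reject-with icmp-port-unreachable
COMMIT
EOF
missing_modules "$demo_dir/vz.conf" "$demo_dir/iptables.rules"   # prints: ipt_limit
```

On a real node, point the two arguments at /etc/vz/vz.conf on the host and the container's /etc/iptables.rules (visible from the host under the container's private area).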