dklab vzfirewall: easy management of a firewall in OpenVZ

Dklab vzfirewall is a utility for OpenVZ that allows you to configure a firewall without tedious entering iptables rules and without having to link to multiple IP addresses of virtual machines. The main principle of the utility is to be as easy to use as possible. The goal I pursued when creating the utility was to save the system administrator from the headaches associated with configuring iptables; I hope I did it a little bit.

^{Of course, I understand that it may be scary for you to try vzfirewall right away on the production server. Surely forget some ports to open from the right. Therefore, a good moment when it is convenient to “touch” vzfirewall is at the time of installing a new server with OpenVZ (well, or on a dev server). That's when you can turn around.}

Examples

Code Listing 0: Installation

 cd / usr / sbin
 wget http://github.com/DmitryKoterov/vzfirewall/raw/master/vzfirewall
 chmod + x vzfirewall

Code Listing 1: The /etc/sysconfig/vz-scripts/101.conf file

 ...
 PRIVVMPAGES = "300000: 300000"
 HOSTNAME = "example.com"
 ...
 FIREWALL = "
     # Allow access to all ports and HTTP ports and HTTPS ports.
     [80,443]
     *
     # Allow access to PostgreSQL port only from release.prod machine.
     # Note that you can use domain names here.
     [5432]
     release.prod.example.com
     release.test.example.com
     # Allow access to DNS port (53 UDP).
     [udp: 53]
     *
     # Allow access from a subnet to SSH and SMTP.
     [22,25]
     192.168.10.0/24
     192.168.11.0/24
 " 

Yes, yes, such a multi-line option FIREWALL appears in the usual OpenVZ conf file. When you changed the conf-file, it would be nice to see which particular iptables commands will be used. In order not to touch the current configuration, run the following command:
')
Listing 2: Testing: what really iptables rules will be generated?

  # vzfirewall -t 

Now, with the help of vzfirewall, you need to apply the rules in all conf-files and write them "forever" in / etc / sysconfig / iptables. Run:

Code Listing 3: Applying the rules

  # vzfirewall -a 

(This command will also print DIFF - a list of changes in open ports since the last launch of vzfirewall.)

To open ports on a physical machine, the FIREWALL directive needs to be written to the /etc/sysconfig/vz-scripts/0.conf file, which stores the host system settings.

Preamble

Since I got acquainted with the wonderful virtualization system OpenVZ in 2005, we have been tormented with the iptables settings for it. Probably, sysadmins understand me well. With the addition of each new virtual machine, the number and complexity of rules for iptables increases dramatically, and eventually the file / etc / sysconfig / iptables (in RHEL systems) turns into a hulking monster, and the change of the physical machine with the replacement of IP addresses (including via vzmigrate ) - into a very heavy and dangerous task. The situation is complicated by the fact that there is only one FORWARD chain for a virtual machine (for a physical machine, the configuration is simpler: there are symmetric INPUT and OUTPUT).

At some point, I said to myself: “That's enough, enough!” And during the evening I wrote a small utility vzfirewall , which I present in this article. The main task solved by the program is to allow with one movement of the hand and without sticking to “hard-to-use” IP addresses, open only those ports for external connections that are required (and the rest to close) . At the same time, the configuration withstands the migration from one physical machine to another using the usual vzmigrate, as well as rebooting the machine without any changes.

The firewall configuration is stored directly in /etc/sysconfig/vz-scripts/*.conf

As you know, OpenVZ stores the virtual machine settings in the /etc/sysconfig/vz-scripts/*.conf files (for non-RHEL OSs, the path may be different). The beauty of OpenVZ lies in the fact that to transfer a virtual machine from one physical node to another, all you need to do is copy its conf-file to a new location, as well as package and transfer the machine's directory stored in / vz / private / * /. This is exactly what vzmigrate utility does: it simply copies files.

The vzfirewall utility keeps a list of open ports and hosts that are allowed to connect to a virtual machine directly in its conf-file: /etc/sysconfig/vz-scripts/*.conf. Because vzmigrate copies this file entirely when migrating from one physical machine to another, the firewall settings will automatically take effect at the new location.

Use DNS names of machines, not their IP addresses

Using IP addresses to configure a firewall is inconvenient. They are subject to change when moving from car to car, which means that the config files will also have to be changed.

The vzfirewall utility allows you to specify the domain names of machines from which access is allowed. These names, of course, are translated into IP addresses at the time of applying the rules on vzfirewall -a, but this is transparent to the user.

Once again: IP addresses are already in the / etc / sysconfig / iptables file, not the machine names. Thus, even if the DNS server is not available when the OS boots, the firewall continues to work. And, of course, vzfirewall can work with DNS records to which several IP addresses are attached at once.

Test run mode: what will be applied?

You can run vzfirewall in the “dry-run” mode to see exactly which rules will be applied compared to the previous state of the firewall.

Code Listing 4: Test run vzfirewall

  # vzfirewall -t 

In STDOUT, the program will print a new list of rules, and in STDERR, the result of the diff command for the new and old iptables command set. At the same time, the configuration of the firewall will remain unchanged.

Temporary disabling of the firewall

The vzfirewall utility ensures that the machine is always available, even if there is an error in the rules or another failure. Therefore, for example, port 22 (SSH) on a physical host machine always remains open, regardless of whether there is a rule for it or not.

Sometimes there is a case that you need to temporarily disable the firewall on the machine for diagnostics (open all ports). To do this, you can safely use the command:

Code Listing 5: Temporarily disabling the entire firewall

  # iptables - flush 

To re-enable the firewall, run:

Code Listing 6: Forcing the inclusion of a firewall

  # vzfirewall -f -a 

The -f key (from “force”) is very important here, since after iptables - flush the contents of the file / etc / sysconfig / iptables remains unchanged. This means that a simple launch of vzfirewall -a will not give a result: the utility will find that, allegedly, no firewall settings have been changed and there will be nothing to apply.

Manual settings for firewall and $ THIS macro

You can not only list the host names and port numbers in the FIREWALL property of the conf-file, but also set “bare” iptables directives that will be applied to a particular virtual machine. At the same time, the $ THIS macro is used to refer to the machine’s IP address. Example:

Code Listing 7: Manual iptables rules: file 101.conf

  ...
 PRIVVMPAGES = "300000: 300000"
 HOSTNAME = "example.com"
 ...
 FIREWALL = "
     [CUSTOM]
     # You may use "$ THIS" macro by IP machine
     # (and, if the machine has many IPs, it will be multiplicated).
     -A INPUT -i eth2 -d $ THIS -j ACCEPT
     # Or you may use commands with no references to $ THIS (only
     # such commands are allowed for 0.conf file).
     -A INPUT -i eth1 -j ACCEPT
 " 

What happens if the machine has multiple IP addresses? The command will be duplicated several times, according to the number of addresses, if it contains $ THIS. If the manual rules are specified for a physical machine (in the 0.conf file), then $ THIS is not available in them; This is a feature of the vzfirewall utility. (But, since the physical machine uses the INPUT and OUTPUT chains, and for the virtual machine, only FORWARD, problems, as a rule, do not arise.)

Summary

The dklab vzfirewall utility does exactly one thing well: it restricts incoming connections to the machine . She does not know how to limit outgoing connections, take traffic into account, limit the bandwidth of the channel, format the hard drive and fry eggs (the last point, however, is in development).

On the Internet, you can find a number of similar tools and articles, however, those that I have seen have the same drawbacks: the complexity and the need for an explicit link to the IP addresses:

• Shorewall . Universal, but at the same time more complex tool.
• Setting up an iptables firewall from the OpenVZ Wiki.

Link to the vzfirewall utility page: times . Link to the vzenter utility, which simplifies everyday use of vzctl enter: two .