mirror of
https://gitlab.com/shorewall/code.git
synced 2024-11-15 04:04:10 +01:00
289 lines
12 KiB
XML
289 lines
12 KiB
XML
<?xml version="1.0" encoding="UTF-8"?>
|
|
<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
|
|
"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
|
|
<article>
|
|
<!--$Id$-->
|
|
|
|
<articleinfo>
|
|
<title>Shorewall and OpenVZ</title>
|
|
|
|
<authorgroup>
|
|
<author>
|
|
<firstname>Tom</firstname>
|
|
|
|
<surname>Eastep</surname>
|
|
</author>
|
|
</authorgroup>
|
|
|
|
<pubdate><?dbtimestamp format="Y/m/d"?></pubdate>
|
|
|
|
<copyright>
|
|
<year>2009</year>
|
|
|
|
<holder>Thomas M. Eastep</holder>
|
|
</copyright>
|
|
|
|
<legalnotice>
|
|
<para>Permission is granted to copy, distribute and/or modify this
|
|
document under the terms of the GNU Free Documentation License, Version
|
|
1.2 or any later version published by the Free Software Foundation; with
|
|
no Invariant Sections, with no Front-Cover, and with no Back-Cover
|
|
Texts. A copy of the license is included in the section entitled
|
|
<quote><ulink url="GnuCopyright.htm">GNU Free Documentation
|
|
License</ulink></quote>.</para>
|
|
</legalnotice>
|
|
</articleinfo>
|
|
|
|
<section>
|
|
<title>Introduction</title>
|
|
|
|
<para><ulink url="http://wiki.openvz.org/">Open Virtuoso (OpenVZ)</ulink>
|
|
is an open source kernel-based virtualization solution from
|
|
<trademark><ulink
|
|
url="http://www.parallels.com">Parallels</ulink></trademark> (formerly
|
|
<trademark>SWSoft</trademark>). Virtual servers take the form of
|
|
<firstterm>containers</firstterm> (the OpenVZ documentation calls these
|
|
<firstterm>Virtual Environments</firstterm> or <firstterm>VEs</firstterm>)
|
|
which are created via <firstterm>templates</firstterm>. Templates are
|
|
available for a wide variety of distributions and architectures.</para>
|
|
|
|
<para>OpenVZ requires a patched kernel. Beginning with Lenny,
|
|
<trademark>Debian</trademark> supplies OpenVZ kernels through the standard
|
|
stable repository.</para>
|
|
</section>
|
|
|
|
<section>
|
|
<title>Shorewall on an OpenVZ Host</title>
|
|
|
|
<para>As with any Shorewall installation involving other software, we
|
|
suggest that you first install OpenVZ and get it working before attempting
|
|
to add Shorewall. Alternatively, execute <command>shorewall
|
|
clear</command> while <ulink
|
|
url="http://wiki.openvz.org/Installation_on_Debian">installing and
|
|
configuring OpenVZ</ulink>.</para>
|
|
|
|
<section>
|
|
<title>Networking</title>
|
|
|
|
<para>The default OpenVZ networking configuration uses Proxy ARP. You
|
|
assign containers IP addresses in the IP network from one of your
|
|
interfaces and you are expected to set the proxy_arp flag on that
|
|
interface
|
|
(<filename>/proc/sys/net/ipv4/conf/<replaceable>interface</replaceable>/proxy_arp</filename>).</para>
|
|
|
|
<para>OpenVZ creates a point-to-point virtual interface in the host with
|
|
a rather odd configuration.</para>
|
|
|
|
<para>Example (Single VE with IP address 206.124.146.178):</para>
|
|
|
|
<programlisting>gateway:~# <command>ip addr ls dev venet0</command>
|
|
10: venet0: <BROADCAST,POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN
|
|
link/void
|
|
gateway:~# <command>ip route ls dev venet0</command>
|
|
206.124.146.178 scope link
|
|
gateway:~# </programlisting>
|
|
|
|
<para>The interface has no IP configuration yet it has a route to
|
|
206.124.146.178!</para>
|
|
|
|
<para>From within the VE with IP address 206.124.146.178, we have the
|
|
following:</para>
|
|
|
|
<programlisting>server:~ # <command>ip addr ls</command>
|
|
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
|
|
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
|
|
inet 127.0.0.1/8 brd 127.255.255.255 scope host lo
|
|
inet 127.0.0.2/8 brd 127.255.255.255 scope host secondary lo
|
|
inet6 ::1/128 scope host
|
|
valid_lft forever preferred_lft forever
|
|
2: venet0: <BROADCAST,POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN
|
|
link/void
|
|
inet 127.0.0.1/32 scope host venet0
|
|
inet 206.124.146.178/32 scope global venet0:0
|
|
server:~ # <command>ip route ls</command>
|
|
192.0.2.0/24 dev venet0 scope link
|
|
127.0.0.0/8 dev lo scope link
|
|
default via 192.0.2.1 dev venet0
|
|
server:~ # </programlisting>
|
|
|
|
<para>There are a couple of unique features of this
|
|
configuration:</para>
|
|
|
|
<itemizedlist>
|
|
<listitem>
|
|
<para>127.0.0.1/32 is configured on venet0 although the main routing
|
|
table routes loopback traffic through the <filename
|
|
class="devicefile">lo</filename> interface as normal.</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>There is a route to 192.0.2.0/24 through venet0 even though
|
|
the interface has no IP address in that network. Note: 192.0.2.0/24
|
|
is reserved for use in documentation and for testing.</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>The default route is via 192.0.2.1 yet there is no interface
|
|
on the host with that IP address.</para>
|
|
</listitem>
|
|
</itemizedlist>
|
|
|
|
<para>All of this doesn't really affect the Shorewall configuration but
|
|
it is interesting none the less.</para>
|
|
</section>
|
|
|
|
<section>
|
|
<title>Shorewall Configuration</title>
|
|
|
|
<para>We recommend handlintg the strange OpenVZ configuration in
|
|
Shorewall as follows:</para>
|
|
|
|
<para><filename>/etc/shorewall/zones</filename>:</para>
|
|
|
|
<programlisting>###############################################################################
|
|
#ZONE TYPE OPTIONS IN OUT
|
|
# OPTIONS OPTIONS
|
|
vz ipv4</programlisting>
|
|
|
|
<para><filename>/etc/shorewall/interfaces</filename>:</para>
|
|
|
|
<programlisting>###############################################################################
|
|
#ZONE INTERFACE BROADCAST OPTIONS
|
|
vz venet0 - routeback,rp_filter=0</programlisting>
|
|
|
|
<para><filename>/etc/shorewall/proxyarp</filename> (assumes that
|
|
external interface is eth0):</para>
|
|
|
|
<programlisting>###############################################################################
|
|
#ADDRESS INTERFACE EXTERNAL HAVEROUTE PERSISTENT
|
|
206.124.146.178 venet0 eth0 Yes</programlisting>
|
|
</section>
|
|
|
|
<section>
|
|
<title>Multi-ISP</title>
|
|
|
|
<para>If you run Shorewall Multi-ISP support on the host, you should
|
|
arrange for traffic to your containers to use the main routing table. In
|
|
the configuration shown here, this entry in /etc/shorewall/route_rules
|
|
is appropriate:</para>
|
|
|
|
<programlisting>#SOURCE DEST PROVIDER PRIORITY
|
|
- 206.124.146.178 main 1000</programlisting>
|
|
</section>
|
|
|
|
<section>
|
|
<title>RFC 1918 Addresses in a Container</title>
|
|
|
|
<para>You can assign an RFC 1918 address to a VE and use masquerade/SNAT
|
|
to provide Internet access to the container. This is just a normal
|
|
simple Shorewall configuration as shown in the <ulink
|
|
url="two-interface.htm">Two-interface Quick Start Guide</ulink>. In this
|
|
configuration the firewall's internal interface is <filename
|
|
class="devicefile">venet0</filename>.</para>
|
|
</section>
|
|
</section>
|
|
|
|
<section>
|
|
<title>Shorewall in an OpenVZ Virtual Environment</title>
|
|
|
|
<para>If you have obtained an OpenVZ VE from a service provider, you may
|
|
find it difficult to configure any type of firewall within your VE. There
|
|
are two VE parameters that control iptables behavior within the
|
|
container:</para>
|
|
|
|
<variablelist>
|
|
<varlistentry>
|
|
<term>--iptables <replaceable>name </replaceable></term>
|
|
|
|
<listitem>
|
|
<para>Restrict access to iptables modules inside a container (The
|
|
OpenVZ claims that by default all iptables modules that are loaded
|
|
in the host system are accessible inside a container; I haven't
|
|
tried that).</para>
|
|
|
|
<para>You can use the following values for
|
|
<replaceable>name</replaceable>: <option>iptable_filter</option>,
|
|
<option>iptable_mangle</option>, <option>ipt_limit</option>,
|
|
<option>ipt_multiport</option>, <option>ipt_tos</option>,
|
|
<option>ipt_TOS</option>, <option>ipt_REJECT</option>,
|
|
<option>ipt_TCPMSS</option>, <option>ipt_tcpmss</option>,
|
|
<option>ipt_ttl</option>, <option>ipt_LOG</option>,
|
|
<option>ipt_length</option>, <option>ip_conntrack</option>,
|
|
<option>ip_conntrack_ftp</option>,
|
|
<option>ip_conntrack_irc</option>, <option>ipt_conntrack</option>,
|
|
<option>ipt_state</option>, <option>ipt_helper</option>,
|
|
<option>iptable_nat</option>, <option>ip_nat_ftp</option>,
|
|
<option>ip_nat_irc</option>, <option>ipt_REDIRECT</option>,
|
|
<option>xt_mac</option>, <option>ipt_owner</option>.</para>
|
|
|
|
<para>If your provider is using this option, you may be in deep
|
|
trouble trying to use Shorewall in your container. Look at the
|
|
output of <command>shorewall show capabilities</command> and weep.
|
|
Then try to get your provider to remove this restriction on your
|
|
container.</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>--numiptent <replaceable>num</replaceable></term>
|
|
|
|
<listitem>
|
|
<para>This parameter limits the number of iptables rules that are
|
|
allowed within the container. The default is 100 which is too small
|
|
for a Shorewall configuration. We recommend setting this to at least
|
|
200.</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
</variablelist>
|
|
|
|
<para>if you see annoying error messages as shown below during
|
|
start/restart, remove the module-init-tools package.</para>
|
|
|
|
<programlisting>server:/etc/shorewall # shorewall restart
|
|
Compiling...
|
|
Compiling /etc/shorewall/zones...
|
|
Compiling /etc/shorewall/interfaces...
|
|
Determining Hosts in Zones...
|
|
Preprocessing Action Files...
|
|
Pre-processing /usr/share/shorewall/action.Drop...
|
|
Pre-processing /usr/share/shorewall/action.Reject...
|
|
Compiling /etc/shorewall/policy...
|
|
Adding Anti-smurf Rules
|
|
Adding rules for DHCP
|
|
Compiling TCP Flags filtering...
|
|
Compiling Kernel Route Filtering...
|
|
Compiling Martian Logging...
|
|
Compiling MAC Filtration -- Phase 1...
|
|
Compiling /etc/shorewall/rules...
|
|
Generating Transitive Closure of Used-action List...
|
|
Processing /usr/share/shorewall/action.Reject for chain Reject...
|
|
Processing /usr/share/shorewall/action.Drop for chain Drop...
|
|
Compiling MAC Filtration -- Phase 2...
|
|
Applying Policies...
|
|
Generating Rule Matrix...
|
|
Creating iptables-restore input...
|
|
Compiling iptables-restore input for chain mangle:...
|
|
Compiling /etc/shorewall/routestopped...
|
|
Shorewall configuration compiled to /var/lib/shorewall/.restart
|
|
Restarting Shorewall....
|
|
Initializing...
|
|
Processing /etc/shorewall/init ...
|
|
Processing /etc/shorewall/tcclear ...
|
|
Setting up Route Filtering...
|
|
Setting up Martian Logging...
|
|
Setting up Proxy ARP...
|
|
Setting up Traffic Control...
|
|
Preparing iptables-restore input...
|
|
Running /usr/sbin/iptables-restore...
|
|
<emphasis role="bold">FATAL: Could not load /lib/modules/2.6.26-2-openvz-amd64/modules.dep: No such file or directory
|
|
FATAL: Could not load /lib/modules/2.6.26-2-openvz-amd64/modules.dep: No such file or directory
|
|
FATAL: Could not load /lib/modules/2.6.26-2-openvz-amd64/modules.dep: No such file or directory
|
|
FATAL: Could not load /lib/modules/2.6.26-2-openvz-amd64/modules.dep: No such file or directory</emphasis>
|
|
IPv4 Forwarding Enabled
|
|
Processing /etc/shorewall/start ...
|
|
Processing /etc/shorewall/started ...
|
|
done.
|
|
</programlisting>
|
|
</section>
|
|
</article>
|