VMmanager Firewall

From ISPWiki

Netfilter is a framework provided by Linux that allows various networking-related operations. There are a number of frameworks for firewall management, such as iptables (manages IPv4 packets), ip6tables (manages IPv6 packets), and ebtables (manages Ethernet bridges).

How it works

VMmanager uses standard ebtables rules pre-installed by libvirt. Restarting libvirtd will restart all the frameworks for netfilter.

When adding a cluster node, VMmanager creates the /etc/vmmgr/iptables.rules.d and /etc/vmmgr/ip6tables.rules.d directories there and adds the files with iptables and ip6tables rules into those directories. The files are overwritten when the panel restarts. The rules are loaded in a certain order which is defined by the first two characters of the name (00-99). E.g., 123 means that the rule will be handled 23rd in succession; _21 means that the system will handle it after 99.

Files have the following names:

NN_name.rule
  • NN - rule weight (rules with less weight are processed first)
  • name - any name

The file contains iptables rules that will be executed one by one.

Standard rules

cat /etc/vmmgr/iptables.rules.d/00_prepare.rule
# ISPsystem firewall rules
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-F INPUT
-F FORWARD

cat /etc/vmmgr/iptables.rules.d/20_vmmgr.rule
# ISPsystem firewall rules
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m multiport --dport 111,662,892,1515,2049,32803 -j ACCEPT
-A INPUT -p udp -m multiport --dport 662,892,2049,32769 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 5900:6900 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 15900:16900 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 49152:49261 -j ACCEPT

cat /etc/vmmgr/ip6tables.rules.d/00_prepare.rule
# ISPsystem firewall rules
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-F INPUT
-F FORWARD

Rules for VMmanager Cloud:

cat /etc/vmmgr/iptables.rules.d/30_vmmgr_cloud.rule
# ISPsystem firewall rules
-A INPUT -p udp -m udp --dport 5404:5405 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 21064 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 41966:41969 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 50006:50009 -j ACCEPT
-A INPUT -p udp -m udp --dport 50007 -j ACCEPT
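An added audit example (not VMmanager's own code) that reproduces the loading order described above and lists which inbound ports the rule set opens, so an administrator can review the node's exposure before and after adding custom files. It assumes the load order is a plain byte-order sort of the file names, which matches the page's description (00-99 first, "_NN" after 99); the rule files below are constructed from the standard rules shown on this page plus one custom file.

```python
import re
from collections import defaultdict

# Constructed sample of a cluster node's rule directory: file name -> contents.
RULE_FILES = {
    "20_vmmgr.rule": "# ISPsystem firewall rules\n-A INPUT -i lo -j ACCEPT\n"
                     "-A INPUT -p tcp -m multiport --dport 111,662,892,1515,2049,32803 -j ACCEPT\n"
                     "-A INPUT -p tcp -m tcp --dport 5900:6900 -j ACCEPT\n",
    "00_prepare.rule": "# ISPsystem firewall rules\n-P INPUT ACCEPT\n-F INPUT\n-F FORWARD\n",
    "_21_custom.rule": "-A INPUT -p tcp -m tcp --dport 2222 -j ACCEPT\n",   # hypothetical custom rule
    "30_vmmgr_cloud.rule": "-A INPUT -p udp -m udp --dport 5404:5405 -j ACCEPT\n",
}

# Matches INPUT ACCEPT rules that carry a protocol and a --dport (single port,
# "lo:hi" range, or multiport comma list).
DPORT_RE = re.compile(r"^-A INPUT\s.*?-p (tcp|udp)\b.*?--dport (\S+).*?-j ACCEPT\s*$")

def load_order(names):
    """Order files as the page describes: by the leading two characters (00-99).
    '_' sorts after '9' in ASCII, so '_NN' files are handled after 99."""
    return sorted(names)

def accepted_ports(rule_files):
    """Return {proto: sorted list of (lo, hi)} for every INPUT ACCEPT rule with a --dport."""
    opened = defaultdict(set)
    for name in load_order(rule_files):
        for line in rule_files[name].splitlines():
            line = line.strip()
            if not line or line.startswith("#"):
                continue
            m = DPORT_RE.match(line)
            if not m:
                continue                            # policies, flushes, rules without a port
            proto, spec = m.groups()
            for item in spec.split(","):            # multiport list or a single port/range
                lo, _, hi = item.partition(":")     # "5900:6900" -> ("5900", "6900")
                opened[proto].add((int(lo), int(hi or lo)))
    return {p: sorted(r) for p, r in opened.items()}

if __name__ == "__main__":
    print("load order:", load_order(RULE_FILES))
    for proto, ranges in accepted_ports(RULE_FILES).items():
        print(proto, ", ".join(f"{lo}" if lo == hi else f"{lo}-{hi}" for lo, hi in ranges))
```

Point the dictionary at the real contents of /etc/vmmgr/iptables.rules.d to audit a live node; any port that appears in the output but is not in the standard files above came from a custom rule.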

Adding custom rules

To add custom rules in VMmanager, navigate to "Cluster settings" --> "Firewall" --> "Add". You can also add them by creating the files manually.

Do not change the standard rules, as they can be overwritten after VMmanager updates. The files that the administrator adds manually can also be deleted after a reboot.