Contents

Sources of knowledge ..... 2
Linux at Proxmox host ..... 2
    IP configuration ..... 2
    Changes to Linux network configuration ..... 2
Shorewall at Proxmox host ..... 3
    Try Shorewall installation ..... 6
    More things to do in order to prevent locking yourself out ..... 6
Proxmox ..... 8
New configuration with DNAT and 7 public IP-addresses ..... 9
    Address space ..... 9
    IP configuration ..... 9
    Fixing multiple ip-addresses at one NIC ..... 11
New configuration with ProxyARP and 7 public IP-addresses ..... 12
    Address space ..... 12
    IP configuration ..... 12
    Fixing multiple ip-addresses at one NIC ..... 15
Summary for the forum ..... 16
    /etc/vz/conf/111.conf ..... 16
    /etc/vz/conf/105.conf ..... 16
    /etc/network/interfaces ..... 16
    /etc/shorewall/zones ..... 16
    /etc/shorewall/interfaces ..... 16
    /etc/shorewall/policy ..... 17
    /etc/shorewall/rules ..... 17
    /etc/shorewall/proxyarp ..... 17
    /proc/sys/net/ipv4/conf/all/proxy_arp ..... 17
    Ping 167.99.29.154 ..... 18
Sources of knowledge
http://www.myatus.com/2010/03/20/guide-firewall-and-router-with-proxmox-extending-its-us/
http://www.myatus.co.uk/2009/08/31/guide-firewall-and-router-with-proxmox/
http://www.shorewall.net/shorewall_setup_guide.htm
http://comments.gmane.org/gmane.comp.security.shorewall/27059
Linux at Proxmox host

IP configuration

    Interface   IP address      Broadcast       Netmask           Def. gateway
    vmbr0       176.9.63.203    176.9.63.223    255.255.255.224   176.9.63.193

    vs3:~# route -n
    Kernel IP routing table
    Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
    176.9.63.192    0.0.0.0         255.255.255.224 U     0      0        0 vmbr0
    0.0.0.0         176.9.63.193    0.0.0.0         UG    0      0        0 vmbr0

Restart network

    /etc/init.d/networking restart

Routing table inside a container after the change (only the columns that survived in the notes):

    EX1:~# route -n
    Kernel IP routing table
    Destination     Gateway         Genmask         Use Iface
    0.0.0.0         176.9.63.193    0.0.0.0           0 eth0
Shorewall at Proxmox host

Turn on IP forwarding in /etc/shorewall/shorewall.conf:

    OLD  IP_FORWARDING=Off
    NEW  IP_FORWARDING=On

This should not be done before the configuration is completed; otherwise you could be locked out of your server.
    nano /etc/shorewall/zones

    #ZONE   TYPE        OPTIONS     IN          OUT
    #                               OPTIONS     OPTIONS
    fw      firewall
    net     ipv4
    dmz     ipv4

    nano /etc/shorewall/interfaces

    #ZONE   INTERFACE   BROADCAST   OPTIONS
    net     eth0        detect      blacklist,nosmurfs
    dmz     venet0      detect      routeback
    dmz     vmbr0       detect      routeback,bridge

    nano /etc/shorewall/policy

    #SOURCE DEST        POLICY      LOG         LIMIT:      CONNLIMIT:
    #                               LEVEL       BURST       MASK
    dmz     net         ACCEPT
    fw      net         ACCEPT
    net     all         DROP        info

    nano /etc/shorewall/rules

    #ACTION     SOURCE  DEST    PROTO   DEST    SOURCE  ORIGINAL    RATE
    #                                   PORT    PORT(S) DEST        LIMIT
    # Permit access to SSH
    SSH/ACCEPT  net     fw      -       -       -       -           6/min:5

Try Shorewall installation

Set startup=1 in /etc/default/shorewall.

Restart Shorewall

    shorewall restart
More things to do in order to prevent locking yourself out

Make sure that Shorewall is not started automatically at boot (startup=0 in /etc/default/shorewall). That way, if I misconfigure Shorewall, I can recover with a reboot.

When experimenting with Shorewall, I set up a root cron job that reboots the system at a certain time (usually 10 minutes into the future from when I want to try the new firewall). That way, if I lock myself out, I can just wait a few minutes until the software reboot removes the firewall, instead of resorting to a hardware reboot.

I familiarized myself with the Shorewall start, stop, clear, try, save and restore commands.

I plan to familiarize myself with my server's rescue procedures. I already learned about the hardware reboot the hard way.

Don't try to fix a firewall by installing another firewall. I think I locked myself out by trying to reinstall my previous home-made iptables configuration while Shorewall was in an unsatisfactory "try" state. My existing ssh connection froze. I still don't know why this happened.

Set up a firewall early, while the server is not used for much else. That will cut down on disruptions.

Set up backup procedures sooner rather than later.
Proxmox

Virtual machines are assigned a private IP address in the range 10.0.0.0/8.

Outgoing internet traffic

    nano /etc/shorewall/masq

    #INTERFACE  SOURCE      ADDRESS     PROTO   PORT(S) IPSEC   MARK
    eth0        10.0.0.0/8

The same with a fixed source address:

    #INTERFACE  SOURCE      ADDRESS     PROTO   PORT(S) IPSEC   MARK
    eth0        10.0.0.0/8  91.121.0.1

One container with its own public address for outgoing traffic, and incoming traffic to that address forwarded to the container:

    #INTERFACE  SOURCE      ADDRESS     PROTO   PORT(S) IPSEC   MARK
    eth0        10.0.1.101  91.121.0.2
    eth0        10.0.0.0/8  91.121.0.1

    #ACTION SOURCE  DEST            PROTO   DEST    SOURCE  ORIGINAL
    #                                       PORT    PORT(S) DEST
    DNAT    net     dmz:10.0.1.101  tcp     80      -       91.121.0.2
New configuration with DNAT and 7 public IP-addresses

Address space

    Public IP-address   Private IP-address  Hostname              Services    Ports
    176.9.63.203                            vs3.riverman.com      https, vnc  TCP: 443, 5900
                                                                              UDP:
    176.9.209.152       10.0.1.101          www.riverman.com                  TCP: 80, 443, 25, 110, 143
                                                                              UDP:
    176.9.209.153       10.0.1.102          sip.riverman.com                  TCP: 443, 3830, 5060
                                                                              UDP: 3830, 5004-5079, 10000-20000
    176.9.209.154       10.0.1.             sip2.riverman.com                 TCP: 443, 3830, 5060
                                                                              UDP: 3830, 5004-5079, 10000-20000
    176.9.209.155       10.0.1.110          webconf.riverman.com              TCP: 80, 443, 5900, 1935, 9123, 5080, 8080
                                                                              UDP:
    176.9.209.156
    176.9.209.157
    176.9.209.158
    176.9.209.159
IP configuration

    Interface   IP address      Broadcast       Netmask           Def. gateway
    vmbr0       176.9.63.203    176.9.63.223    255.255.255.224   176.9.63.193

    auto vmbr0
    iface vmbr0 inet static
        address 10.254.254.254
        netmask 255.0.0.0
        broadcast 10.255.255.255
        bridge_ports none
        bridge_stp off
        bridge_fd 0
    nano /etc/shorewall/rules

    OLD

    #ACTION     SOURCE  DEST    PROTO   DEST    SOURCE  ORIGINAL    RATE
    #                                   PORT    PORT(S) DEST        LIMIT
    # Permit access to SSH
    SSH/ACCEPT  net     fw      -       -       -       -           6/min:5
    # PING Rules
    Ping/ACCEPT all     all

    NEW

    #ACTION     SOURCE  DEST                PROTO   DEST            SOURCE  ORIGINAL    RATE
    #                                               PORT(S)         PORT(S) DEST        LIMIT
    # Permit access to SSH
    SSH/ACCEPT  net     fw:176.9.63.203     -       -               -       -           6/min:5
    ACCEPT      net     fw:176.9.63.203     tcp     443,5900:5999
    nano /etc/shorewall/masq

    OLD

    #INTERFACE  SOURCE      ADDRESS         PROTO   PORT(S) IPSEC   MARK
    eth0        10.0.0.0/8  176.9.63.203

    NEW

    #INTERFACE  SOURCE      ADDRESS         PROTO   PORT(S) IPSEC   MARK
    eth0        10.0.0.0/8  176.9.63.203
    +eth0       10.0.1.101  176.9.209.152
    +eth0       10.0.1.102  176.9.209.153
    +eth0       10.0.1.110  176.9.209.155

All traffic will appear to come from 176.9.63.203 except from the ip-addresses below: 176.9.209.152 from ip 10.0.1.101, 176.9.209.153 from ip 10.0.1.102 and 176.9.209.155 from ip 10.0.1.110.

    nano /etc/shorewall/rules

    OLD

    #ACTION SOURCE  DEST            PROTO   DEST                                SOURCE  ORIGINAL
    #                                       PORT(S)                             PORT(S) DEST
    ...(existing rules)...
    DNAT    net     dmz:10.0.1.101  tcp

    NEW

    #ACTION SOURCE  DEST            PROTO   DEST                                SOURCE  ORIGINAL
    #                                       PORT(S)                             PORT(S) DEST
    ...(existing rules)...
    DNAT    net     dmz:10.0.1.101  tcp     22,25,80,81,110,143,443,993,995     -       176.9.209.152
    DNAT    net     dmz:10.0.1.102  tcp     443,3830,5060                       -       176.9.209.153
    DNAT    net     dmz:10.0.1.102  udp     3830,5004:5079,10000:20000          -       176.9.209.153

Fixing multiple ip-addresses at one NIC

A "service network restart" will bring up the new aliased device(s) together with the real ones. "ifconfig" shows eth0:X (X = number) and "ip addr ls" will show the additional IP(s) as part of the real device.
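The masq and rules tables above can be checked mechanically. The script below is an added example written for this page (not code from the original notes or from Shorewall): it parses the two tables, lists which ports each host ends up accepting from the net zone, and checks every DNAT row against the masq table so that a container is reachable on the same public address it talks out of. The sample tables are constructed from the NEW configuration in this section, plus two extra rows for 10.0.1.110 invented to trigger findings. Two assumptions about Shorewall semantics are built in and labelled in the code: a leading "+" in the masq INTERFACE column inserts the row at the front of the chain (so the specific rows beat the 10.0.0.0/8 row written above them), and a DNAT row with no ORIGINAL DEST applies to every address the firewall answers on rather than to a single public IP.

```python
"""Lint for Shorewall masq/DNAT tables: per-host exposure and NAT symmetry.
Example code added for this page; not from the original notes or Shorewall."""
import ipaddress
from collections import defaultdict

# Constructed sample input modelled on the NEW tables of this section.
# The two rows for 10.0.1.110 are invented on purpose to trigger findings.
RULES = """\
#ACTION     SOURCE  DEST             PROTO  DEST PORT(S)                     SOURCE  ORIGINAL       RATE
#                                                                            PORT(S) DEST           LIMIT
SSH/ACCEPT  net     fw               -      -                                -       -              6/min:5
ACCEPT      net     fw:176.9.63.203  tcp    443,5900:5999
DNAT        net     dmz:10.0.1.101   tcp    22,25,80,81,110,143,443,993,995  -       176.9.209.152
DNAT        net     dmz:10.0.1.102   tcp    443,3830,5060                    -       176.9.209.153
DNAT        net     dmz:10.0.1.102   udp    3830,5004:5079,10000:20000       -       176.9.209.153
DNAT        net     dmz:10.0.1.110   tcp    80                               -       176.9.209.156
DNAT        net     dmz:10.0.1.110   tcp    8080
"""
MASQ = """\
#INTERFACE  SOURCE      ADDRESS
eth0        10.0.0.0/8  176.9.63.203
+eth0       10.0.1.101  176.9.209.152
+eth0       10.0.1.102  176.9.209.153
+eth0       10.0.1.110  176.9.209.155
"""


def parse_table(text):
    """Rows of whitespace-separated columns; blank lines and comments skipped."""
    rows = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            rows.append(line.split())
    return rows


def col(row, i):
    """Column i of a row, or '-' when the row ends early (a missing trailing
    column is treated like an empty one)."""
    return row[i] if i < len(row) else "-"


def port_ranges(spec):
    """'443,5900:5999' -> [(443, 443), (5900, 5999)]; '-' -> []."""
    if spec == "-":
        return []
    ranges = []
    for item in spec.split(","):
        low, _, high = item.partition(":")
        ranges.append((int(low), int(high or low)))
    return ranges


def exposure(rules_text):
    """Map each destination host to the set of (proto, low, high) it accepts
    from the net zone via ACCEPT or DNAT. A macro action such as SSH/ACCEPT
    carries its ports in the macro file, so it is recorded as (macro, 0, 0)."""
    exposed = defaultdict(set)
    for row in parse_table(rules_text):
        action, source, dest = row[0], row[1], row[2]
        if source != "net":
            continue
        host = dest.split(":", 1)[1] if ":" in dest else dest
        if "/" in action:                       # macro, e.g. SSH/ACCEPT
            exposed[host].add((action.split("/")[0], 0, 0))
        elif action in ("ACCEPT", "DNAT"):
            for low, high in port_ranges(col(row, 4)):
                exposed[host].add((col(row, 3), low, high))
    return dict(exposed)


def snat_address(masq_text, ip):
    """Public address a new outbound connection from ip will carry, or None.
    Assumption: rows whose INTERFACE starts with '+' are inserted at the front
    of the chain, so they win over the broad 10.0.0.0/8 row written first."""
    rows = parse_table(masq_text)
    ordered = ([r for r in rows if r[0].startswith("+")]
               + [r for r in rows if not r[0].startswith("+")])
    addr = ipaddress.ip_address(ip)
    for row in ordered:
        if addr in ipaddress.ip_network(row[1], strict=False):
            return col(row, 2)
    return None


def nat_findings(rules_text, masq_text):
    """Cross-check every inbound DNAT row against the outbound masq table."""
    findings = []
    for row in parse_table(rules_text):
        if row[0] != "DNAT" or ":" not in row[2]:
            continue
        target = row[2].split(":", 1)[1]
        original = col(row, 6)                  # ORIGINAL DEST column
        if original == "-":
            # Assumption: without ORIGINAL DEST the row matches any destination
            # address on the interface, not just one of the public IPs.
            findings.append(f"DNAT to {target} {col(row, 3)}/{col(row, 4)} has no "
                            "ORIGINAL DEST, so it matches every address the "
                            "firewall answers on")
            continue
        if not ipaddress.ip_address(target).is_private:
            findings.append(f"DNAT target {target} is not a private address")
        outbound = snat_address(masq_text, target)
        if outbound != original:
            findings.append(f"inbound {original} is forwarded to {target}, but "
                            f"outbound from {target} leaves as {outbound}")
    return findings


if __name__ == "__main__":
    for host, ports in sorted(exposure(RULES).items()):
        print(host, sorted(ports))
    for finding in nat_findings(RULES, MASQ):
        print("finding:", finding)
```

Run against the sample, the exposure listing shows 10.0.1.101 with nine TCP ports and 10.0.1.102 with the SIP TCP ports plus three UDP ranges, and the two invented rows produce two findings: 10.0.1.110 is reachable on 176.9.209.156 but answers out through 176.9.209.155, and the port 8080 row lacks an ORIGINAL DEST. To lint the real files, replace the two constants with the contents of /etc/shorewall/rules and /etc/shorewall/masq.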
New configuration with ProxyARP and 7 public IP-addresses

Address space

    IP-address      Hostname              Services    Ports
    176.9.63.203    vs3.riverman.com      https, vnc  TCP: 443, 5900
                                                      UDP:
    176.9.209.153   sip.riverman.com                  TCP: 443, 3830, 5060
                                                      UDP: 3830, 5004-5079, 10000-20000
    176.9.209.154   www.riverman.com                  TCP: 80, 443, 25, 110, 143
                                                      UDP:
    176.9.209.155   sip2.riverman.com                 TCP: 443, 3830, 5060
                                                      UDP: 3830, 5004-5079, 10000-20000
    176.9.209.156   webconf.riverman.com              TCP: 80, 443, 5900, 1935, 9123, 5080, 8080
                                                      UDP:
    176.9.209.157
    176.9.209.158
    176.9.209.159
IP configuration

    Interface   IP address      Broadcast       Netmask           Def. gateway
    vmbr0       176.9.63.203    176.9.63.223    255.255.255.224   176.9.63.193
    nano /etc/shorewall/interfaces

    OLD

    #ZONE   INTERFACE   BROADCAST   OPTIONS
    net     eth0        detect      blacklist,nosmurfs
    dmz     venet0      detect      routeback
    dmz     vmbr0       detect      routeback,bridge

    NEW

    #ZONE   INTERFACE   BROADCAST   OPTIONS
    net     eth0        detect      proxyarp,blacklist,nosmurfs
    dmz     venet0      detect      routeback,bridge
    dmz     vmbr0       detect      routeback,bridge

    nano /etc/shorewall/proxyarp

    #ADDRESS        INTERFACE   EXTERNAL    HAVEROUTE   PERSISTENT
    176.9.209.154   vmbr0       eth0
    176.9.209.153   vmbr0       eth0
    nano /etc/shorewall/rules

    OLD

    #ACTION     SOURCE  DEST    PROTO   DEST    SOURCE  ORIGINAL    RATE
    #                                   PORT    PORT(S) DEST        LIMIT
    # Permit access to SSH
    SSH/ACCEPT  net     fw      -       -       -       -           6/min:5

    NEW

    #ACTION     SOURCE  DEST                PROTO   DEST                                SOURCE  ORIGINAL    RATE
    #                                               PORT(S)                             PORT(S) DEST        LIMIT
    # Permit access to SSH
    SSH/ACCEPT  net     fw:176.9.63.203     -       -                                   -       -           6/min:5
    ACCEPT      net     fw:176.9.63.203     tcp     443,5900:5999
    ACCEPT      net     dmz:176.9.209.154   tcp     22,25,80,81,110,143,443,993,995
    ACCEPT      net     dmz:176.9.209.153   tcp     443,3830,5060
    ACCEPT      net     dmz:176.9.209.153   udp     3830,5004:5079,10000:20000
    (three more rows, for tcp 1935, tcp 21 and tcp 222, whose DEST column was not recoverable)

    nano /etc/shorewall/masq

    OLD

    #INTERFACE  SOURCE      ADDRESS         PROTO   PORT(S) IPSEC   MARK
    eth0        10.0.0.0/8  176.9.63.203
    +eth0       10.0.1.101  176.9.209.152
    +eth0       10.0.1.102  176.9.209.153
    +eth0       10.0.1.110  176.9.209.155

With the old table all traffic appears to come from 176.9.63.203 except from the listed ip-addresses: 176.9.209.152 from ip 10.0.1.101, 176.9.209.153 from ip 10.0.1.102 and 176.9.209.155 from ip 10.0.1.110.

    NEW

    #INTERFACE  SOURCE      ADDRESS         PROTO   PORT(S) IPSEC   MARK
    eth0        10.0.0.0/8  176.9.63.203

All traffic from the private range will appear to come from 176.9.63.203.

    /etc/shorewall/rules

    OLD

    #ACTION SOURCE  DEST                PROTO   DEST                                SOURCE  ORIGINAL
    #                                           PORT(S)                             PORT(S) DEST
    ...(existing rules)...
    DNAT    net     dmz:10.0.1.101      tcp
    DNAT    net     dmz:176.9.209.152   tcp     22,25,80,81,110,143,443,993,995
    DNAT    net     dmz:176.9.209.153   tcp     443,3830,5060
    DNAT    net     dmz:176.9.209.153   udp     3830,5004:5079,10000:20000

    NEW

    #ACTION SOURCE  DEST                PROTO   DEST                                SOURCE  ORIGINAL
    #                                           PORT(S)                             PORT(S) DEST
    ...(existing rules)...
    ACCEPT  net     dmz:176.9.209.154   tcp     22,25,80,81,110,143,443,993,995
    ACCEPT  net     dmz:176.9.209.153   tcp     443,3830,5060
    ACCEPT  net     dmz:176.9.209.153   udp     3830,5004:5079,10000:20000

Fixing multiple ip-addresses at one NIC

A "service network restart" will bring up the new aliased device(s) together with the real ones. "ifconfig" shows eth0:X (X = number) and "ip addr ls" will show the additional IP(s) as part of the real device.
Summary for the forum

/etc/vz/conf/105.conf

    IP_ADDRESS="167.99.29.153"
    HOSTNAME="sip8.domain.com"
    NAMESERVER="213.133.98.98 213.133.99.99"
    SEARCHDOMAIN="domain.com"

/etc/network/interfaces

    auto lo
    iface lo inet loopback

    auto eth0
    iface eth0 inet static
        address 176.89.15.203
        netmask 255.255.255.224
        broadcast 176.89.15.223
        gateway 176.89.15.193
        post-up echo 1 > /proc/sys/net/ipv4/conf/all/proxy_arp

    auto vmbr0
    iface vmbr0 inet static
        address 10.254.254.254
        netmask 255.0.0.0
        broadcast 10.255.255.255
        bridge_ports none
        bridge_stp off
        bridge_fd 0

/etc/shorewall/zones

    #ZONE   TYPE        OPTIONS     IN          OUT
    #                               OPTIONS     OPTIONS
    fw      firewall
    net     ipv4
    dmz     ipv4

/etc/shorewall/interfaces

    #ZONE   INTERFACE   BROADCAST   OPTIONS
    net     eth0        detect      proxyarp,blacklist,nosmurfs
    dmz     venet0      detect      routeback
    dmz     vmbr0       detect      routeback,bridge

/etc/shorewall/policy

    #SOURCE DEST        POLICY      LOG         LIMIT:      CONNLIMIT:
    #                               LEVEL       BURST       MASK
    dmz     net         ACCEP
    fw      net         ACCEPT
    net     all         DROP        info

/etc/shorewall/rules

    #ACTION     SOURCE  DEST                    PROTO   DEST                                SOURCE  ORIGINAL    RATE
    #                                                   PORT(S)                             PORT(S) DEST        LIMIT
    # Permit access to SSH
    SSH/ACCEPT  net     fw:176.89.15.203        -       -                                   -       -           6/min:5
    ACCEPT      net     fw:176.89.15.203        tcp     443,5900:5999
    ACCEPT      net     [dest not recoverable]  tcp     22,25,80,81,110,143,443,993,995
    ACCEPT      net     [dest not recoverable]  tcp     443,3830,5060
    ACCEPT      net     [dest not recoverable]  udp     3830,5004:5079,10000:20000

/etc/shorewall/proxyarp

    #ADDRESS        INTERFACE   EXTERNAL    HAVEROUTE   PERSISTENT
    167.99.29.154   vmbr0       eth0        no          yes
    167.99.29.153   vmbr0       eth0        no          yes

/proc/sys/net/ipv4/conf/all/proxy_arp

    1
Ping 167.99.29.154

    vm1:~# ping 167.99.29.154
    PING 167.99.29.154 (167.99.29.154) 56(84) bytes of data.
    From 176.89.15.203 icmp_seq=1 Destination Host Unreachable
    From 176.89.15.203 icmp_seq=2 Destination Host Unreachable
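With proxy ARP, the host answers ARP on eth0 for every address in /etc/shorewall/proxyarp, so each of those addresses should belong to a container that is actually configured with it. The script below is an added example written for this page (not code from the original notes or from Shorewall) that cross-checks the proxyarp table against the interfaces file and the OpenVZ container configs (KEY="value" lines as in 105.conf). The sample input is constructed from the summary above; since only 105.conf is shown there, the check reports 167.99.29.154 as a proxied address with no container configured for it, which is the address the ping above fails to reach. The parse_vz_conf helper and the constructed VZ_CONFS mapping are mine, not Proxmox's.

```python
"""Cross-check a Shorewall proxyarp table against interfaces and container
configs. Example code added for this page; not from the original notes."""
import re

# Constructed sample modelled on the summary above: two proxied addresses,
# but only one container configuration (105.conf) is available.
PROXYARP = """\
#ADDRESS        INTERFACE  EXTERNAL  HAVEROUTE  PERSISTENT
167.99.29.154   vmbr0      eth0      no         yes
167.99.29.153   vmbr0      eth0      no         yes
"""
INTERFACES = """\
#ZONE  INTERFACE  BROADCAST  OPTIONS
net    eth0       detect     proxyarp,blacklist,nosmurfs
dmz    venet0     detect     routeback
dmz    vmbr0      detect     routeback,bridge
"""
VZ_CONFS = {  # container id -> contents of /etc/vz/conf/<id>.conf (constructed)
    "105": 'IP_ADDRESS="167.99.29.153"\nHOSTNAME="sip8.domain.com"\n',
}


def parse_table(text):
    """Rows of whitespace-separated columns; blank lines and comments skipped."""
    rows = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            rows.append(line.split())
    return rows


def col(row, i):
    """Column i of a row, or '-' when the row ends early."""
    return row[i] if i < len(row) else "-"


def parse_vz_conf(text):
    """KEY="value" lines of an OpenVZ container config -> dict."""
    conf = {}
    for line in text.splitlines():
        match = re.match(r'\s*([A-Z_]+)="([^"]*)"', line)
        if match:
            conf[match.group(1)] = match.group(2)
    return conf


def container_addresses(vz_confs):
    """Map every IP_ADDRESS (a container may list several, space separated)
    to the container id that owns it."""
    owners = {}
    for ctid, text in vz_confs.items():
        for ip in parse_vz_conf(text).get("IP_ADDRESS", "").split():
            owners[ip] = ctid
    return owners


def proxyarp_findings(proxyarp_text, interfaces_text, vz_confs):
    """Report proxied addresses nobody owns, owned addresses nobody proxies,
    and external interfaces that lack the proxyarp option."""
    options = {r[1]: set(col(r, 3).split(",")) for r in parse_table(interfaces_text)}
    owners = container_addresses(vz_confs)
    findings, listed = [], set()
    for row in parse_table(proxyarp_text):
        address, internal, external = row[0], row[1], row[2]
        listed.add(address)
        if "proxyarp" not in options.get(external, set()):
            findings.append(f"{external} lacks the proxyarp option in the interfaces file")
        if internal not in options:
            findings.append(f"{address}: INTERFACE {internal} is not in the interfaces file")
        if address not in owners:
            findings.append(f"{address} is proxied on {external} but no container is "
                            "configured with it")
    for ip, ctid in owners.items():
        if ip not in listed:
            findings.append(f"container {ctid} has {ip} but no proxyarp entry")
    return findings


if __name__ == "__main__":
    for finding in proxyarp_findings(PROXYARP, INTERFACES, VZ_CONFS):
        print("finding:", finding)
```

To run this against a real host, load VZ_CONFS from the files under /etc/vz/conf/ and the two tables from /etc/shorewall/; the check is cheap enough to run before every "shorewall restart".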