====== Configuring Firewalls for VMs 3.8 ======

:!: **Development version of OpenNebula 3.8**. The material on this page needs to be reviewed for completeness and accuracy.
This driver installs iptables rules in the physical host executing the VM. It can be used to filter (and enforce) TCP and UDP ports, and to define a policy for ICMP connections, without any additional modification to the guest VMs.

====== Requirements ======

  * The package **''iptables''** must be installed in the hosts.

====== Considerations & Limitations ======

In OpenNebula 3.0, this functionality was provided through a hook, and it wasn't effective after a migration. Since OpenNebula 3.2 this limitation does not apply.

====== Configuration ======

===== Hosts Configuration =====

  * The **''sudoers''** file must be configured so **''oneadmin''** can execute **''iptables''** in the hosts.

===== OpenNebula Configuration =====

This Virtual Machine Network Manager driver can be used individually, or combined with the isolation features of either **[[.:hm-vlan|802.1Q]]** or **[[.:ebtables|ebtables]]**. However, it is **not** currently supported with the **[[.:openvswitch|ovswitch]]** drivers, since they provide their own filtering mechanism.

To enable firewalling without any network isolation features, use **fw** as the Virtual Network Manager driver parameter when the hosts are created with the [[.:host_guide|onehost command]]:

<code>
$ onehost create host01 im_kvm vmm_kvm fw
</code>

When either of the previously mentioned drivers (802.1Q or ebtables) is used, the firewall driver is enabled automatically and no additional configuration is required.

===== Driver Actions =====

^ Action ^ Description ^
| **Pre** | - |
| **Post** | Creates the appropriate IPTABLES rules in the host where the VM has been placed. |
| **Clean** | Removes the IPTABLES rules created during the ''Post'' action. |

====== Usage ======

The firewall directives must be placed in the [[template#network_section|network section]] of the Virtual Machine template. These are the possible attributes:

  * **WHITE_PORTS_TCP = ''iptables_range''**: Permits access to the VM only through the specified TCP ports. Supersedes BLACK_PORTS_TCP if defined.
  * **BLACK_PORTS_TCP = ''iptables_range''**: Denies access to the VM through the specified TCP ports. Superseded by WHITE_PORTS_TCP if defined.
  * **WHITE_PORTS_UDP = ''iptables_range''**: Permits access to the VM only through the specified UDP ports. Supersedes BLACK_PORTS_UDP if defined.
  * **BLACK_PORTS_UDP = ''iptables_range''**: Denies access to the VM through the specified UDP ports. Superseded by WHITE_PORTS_UDP if defined.
  * **ICMP = drop**: Blocks ICMP connections to the VM. By default it's set to accept.

''iptables_range'': a comma-separated list of ports, where a port range is written with a colon as ''low:high'', e.g. ''22,80,5900:6000''

Example:

<code>
NIC = [ NETWORK_ID = 3, WHITE_PORTS_TCP = "80, 22", ICMP = drop ]
</code>

Note that WHITE_PORTS_TCP and BLACK_PORTS_TCP are mutually exclusive. If both are defined, the more restrictive one, WHITE_PORTS_TCP, prevails. The same applies to WHITE_PORTS_UDP and BLACK_PORTS_UDP.

====== Tuning & Extending ======

===== IPTABLES rules =====

This section lists the IPTABLES rules that are created for each possible configuration. In the listings, ''<tap_device>'' is the tap device of the VM's network interface, ''<vm_id>'' and ''<nic_id>'' are the VM and NIC identifiers, ''<protocol>'' is ''tcp'' or ''udp'', and ''<iprange>'' is the configured ''iptables_range''.

**WHITE_PORTS_TCP and WHITE_PORTS_UDP**

<code>
# Create a new chain for each network interface
-A FORWARD -m physdev --physdev-out <tap_device> -j one-<vm_id>-<nic_id>
# Accept already established connections
-A one-<vm_id>-<nic_id> -p <protocol> -m state --state ESTABLISHED -j ACCEPT
# Accept the specified <iprange>
-A one-<vm_id>-<nic_id> -p <protocol> -m multiport --dports <iprange> -j ACCEPT
# Drop everything else
-A one-<vm_id>-<nic_id> -p <protocol> -j DROP
</code>

**BLACK_PORTS_TCP and BLACK_PORTS_UDP**

<code>
# Create a new chain for each network interface
-A FORWARD -m physdev --physdev-out <tap_device> -j one-<vm_id>-<nic_id>
# Drop traffic directed to the <iprange> ports
-A one-<vm_id>-<nic_id> -p <protocol> -m multiport --dports <iprange> -j DROP
</code>

**ICMP DROP**

<code>
# Create a new chain for each network interface
-A FORWARD -m physdev --physdev-out <tap_device> -j one-<vm_id>-<nic_id>
# Accept already established ICMP connections
-A one-<vm_id>-<nic_id> -p icmp -m state --state ESTABLISHED -j ACCEPT
# Drop new ICMP connections
-A one-<vm_id>-<nic_id> -p icmp -j DROP
</code>

These rules are removed once the VM is cancelled, shut down or deleted.
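The following Ruby class is an added example, not OpenNebula's own fw driver code. It assembles, for one NIC, the rule list that the Usage and IPTABLES rules sections describe: it validates the ''iptables_range'' syntax, applies the WHITE_PORTS precedence over BLACK_PORTS for each protocol, and emits the ICMP policy, all in a ''one-<vm_id>-<nic_id>'' chain hung off ''FORWARD''. The explicit ''-N'' chain creation, the ''Clean'' reversal (''-D''/''-F''/''-X'') and the tap device and id values are assumptions of this example; the page lists only the rule bodies.

```ruby
# Added example (not OpenNebula's driver): build the fw driver's iptables rules
# for one NIC from the template attributes WHITE_PORTS_*, BLACK_PORTS_* and ICMP.
class FwRules
  PORT  = /\A\d{1,5}\z/           # single port, e.g. 22
  RANGE = /\A\d{1,5}:\d{1,5}\z/   # port range in iptables syntax, e.g. 5900:6000

  # Validate an iptables_range ("22,80,5900:6000", spaces tolerated) and return
  # it normalised for "-m multiport --dports". Raises on malformed input so a
  # bad template never turns into an unintended rule.
  def self.parse_range(str)
    items = str.to_s.split(',').map(&:strip).reject(&:empty?)
    raise ArgumentError, 'empty port list' if items.empty?
    items.each do |item|
      raise ArgumentError, "bad port spec #{item.inspect}" unless item =~ PORT || item =~ RANGE
      item.split(':').each do |p|
        raise ArgumentError, "port #{p} out of range" unless (1..65535).cover?(p.to_i)
      end
    end
    items.join(',')
  end

  attr_reader :chain

  # vm_id, nic_id and tap are sample values supplied by the caller; the chain
  # name follows the one-<vm_id>-<nic_id> scheme shown in the rule listings.
  def initialize(vm_id, nic_id, tap, nic)
    @chain = "one-#{vm_id}-#{nic_id}"
    @tap   = tap
    @nic   = nic
  end

  # Rules applied by the Post action, in the order they must be installed.
  def post
    rules = []
    %w[TCP UDP].each do |proto|
      white = @nic["WHITE_PORTS_#{proto}"]
      black = @nic["BLACK_PORTS_#{proto}"]
      p = proto.downcase
      if white   # WHITE_PORTS supersedes BLACK_PORTS: default-deny for this protocol
        ports = FwRules.parse_range(white)
        rules << "-A #{@chain} -p #{p} -m state --state ESTABLISHED -j ACCEPT"
        rules << "-A #{@chain} -p #{p} -m multiport --dports #{ports} -j ACCEPT"
        rules << "-A #{@chain} -p #{p} -j DROP"
      elsif black   # BLACK_PORTS alone: default-allow, drop only the listed ports
        ports = FwRules.parse_range(black)
        rules << "-A #{@chain} -p #{p} -m multiport --dports #{ports} -j DROP"
      end
    end
    if @nic['ICMP'].to_s.downcase == 'drop'
      rules << "-A #{@chain} -p icmp -m state --state ESTABLISHED -j ACCEPT"
      rules << "-A #{@chain} -p icmp -j DROP"
    end
    return [] if rules.empty?   # nothing to filter: no chain is created
    # Assumed: the chain is created explicitly before FORWARD jumps into it.
    ["-N #{@chain}",
     "-A FORWARD -m physdev --physdev-out #{@tap} -j #{@chain}"] + rules
  end

  # Assumed Clean action: detach the chain from FORWARD, flush it, delete it.
  def clean
    ["-D FORWARD -m physdev --physdev-out #{@tap} -j #{@chain}",
     "-F #{@chain}",
     "-X #{@chain}"]
  end

  # The driver runs on the host as oneadmin, hence the sudoers requirement above.
  def self.commands(rules)
    rules.map { |r| "sudo iptables #{r}" }
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample NIC matching the template example on this page.
  nic = { 'WHITE_PORTS_TCP' => '80, 22', 'ICMP' => 'drop' }
  fw  = FwRules.new(3, 0, 'vnet0', nic)   # vm 3, nic 0, tap vnet0 (sample values)
  puts FwRules.commands(fw.post)
  puts FwRules.commands(fw.clean)
end
```

Running the file prints the ''sudo iptables'' command lines for the example NIC; a NIC with no firewall attributes yields an empty list, so no chain is created for it. Keeping the ''ESTABLISHED'' accept ahead of the final ''DROP'' is what lets replies to connections the VM initiates back in while still denying new inbound connections on unlisted ports.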