OpenVZ Iptables:允许流量通过venet0传递到所有VPS


如何配置IPTABLES将所有流量传递到硬件节点下的VPS(容器)?

推荐使用venet0进行网络连接,以提高OpenVZ虚拟化的安全性和性能。
保护硬件节点对于防止未经授权的访问很重要。

venet0用于在VPS和LAN/Internet之间进行通信。

Router 
   \ 
     \
Hardware Node - eth0
            //
           //
        venet0
+----------+------------+
|           |           |
vps1      vps2           vps3

允许所有流量到VPS

以下iptables规则允许在硬件节点和所有VPS/容器之间传递全部流量。
硬件节点上运行的服务(如ssh、http、webmin)只能从我们的局域网内访问,而不能通过Internet访问。

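#!/bin/bash
# Explains how to setup iptables on the hardware node to allow selective access,
# but allow all traffic into the containers (VPS) so they may define their own iptables rules and
# therefore manage their own firewall.
# Author: Hyman Gite < http://www.theitroad.local/ >
# See tutorial : http://www.theitroad.local/faq/series/rhel-centos-openvz-virtualization/
# This script is under GPL v2.0 or above.
#
# Usage: run as root, normally from /etc/rc.local. Every iptables call goes through
# $IPT, so `IPT=echo /root/fw/firewall` prints the rule set without applying it.
# The chain policies are switched to DROP early on (see "DROP and close" below); if
# the script stops after that point the node is left closed except for loopback and
# already-established connections, so apply it from a console the first time.
# -------------------------------------------------------------------------------------------------
IPT="${IPT:-/sbin/iptables}"
MOP="${MOP:-/sbin/modprobe}"
SYST="/sbin/sysctl"   # not used by any rule below; kept from the original tutorial

### ******************************************************************************* ###
### Part 1 - Protect Hardware Node                                                  ###
### ******************************************************************************* ###

### HW Node Main IP ranges ###
SRVIP="123.xx.xx.yy"            # placeholder: the node's public address
ADMIN_RANGES="192.168.1.0/24"   # only these sources may reach ssh/webmin/http(s) on the node

# Source ranges that should never arrive on the public interface (private/bogon space).
# NOTE(review): ADMIN_RANGES (192.168.1.0/24) lies inside 192.168.0.0/16 listed here, and
# spooflist is inserted at the head of INPUT, so the admin ACCEPT rules further down are
# never reached for that range unless the admin network sits outside these blocks or is
# exempted (e.g. a RETURN rule in spooflist). Confirm against the real topology.
# 168.254.0.0/16 looks like a typo for 169.254.0.0/16 (already listed), and 240.0.0.0/4
# already covers 240.0.0.0/5 and 248.0.0.0/5 — the list is kept verbatim here.
SPOOFIP=(
  127.0.0.0/8 192.168.0.0/16 172.16.0.0/12 10.0.0.0/8 169.254.0.0/16
  0.0.0.0/8 240.0.0.0/4 255.255.255.255/32 168.254.0.0/16 224.0.0.0/4
  240.0.0.0/5 248.0.0.0/5 192.0.2.0/24
)

### Path to other scripts ###
# Optional blocklist: whitespace-separated addresses/CIDRs, '#' lines and blank lines
# ignored. The file is root-owned and trusted; each token becomes an iptables -s argument.
BLOCKFILE="/root/fw/blocked.ip.txt"
BADIPS=()
if [ -f "$BLOCKFILE" ]; then
  # read -d '' consumes up to EOF and splits on IFS (space, tab, newline) — the same
  # tokenising as the unquoted for-loop it replaces, minus pathname globbing. It
  # returns non-zero when it hits EOF, hence the || true.
  read -r -d '' -a BADIPS < <(grep -Ev '^#|^$' "$BLOCKFILE") || true
fi

### Interfaces ###
PUB_IF="eth0"   # public interface
LO_IF="lo"      # loopback
VE_IF="venet0"  # container interface; FORWARD is opened wholesale in Part 2, so no rule needs it

### start firewall ###
echo "Starting Firewall..."
# Flush every table and chain, with open policies while rebuilding so the flush itself
# cannot leave a DROP policy in place with no rules behind it.
$IPT -F
$IPT -X
$IPT -t nat -F
$IPT -t nat -X
$IPT -t mangle -F
$IPT -t mangle -X
$IPT -P INPUT ACCEPT
$IPT -P OUTPUT ACCEPT
$IPT -P FORWARD ACCEPT

# Enable connection tracking. The module was renamed from ip_conntrack to
# nf_conntrack in later kernels, so try the old name first and fall back.
$MOP ip_conntrack 2>/dev/null || $MOP nf_conntrack

# DROP and close everything all incomming traffic
$IPT -P INPUT DROP
$IPT -P OUTPUT DROP
$IPT -P FORWARD DROP

# Unlimited lo access
$IPT -A INPUT -i "${LO_IF}" -j ACCEPT
$IPT -A OUTPUT -o "${LO_IF}" -j ACCEPT

# Allow Full Outgoing connection but no incomming stuff by default
$IPT -A OUTPUT -o "${PUB_IF}" -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$IPT -A INPUT -i "${PUB_IF}" -m state --state ESTABLISHED,RELATED -j ACCEPT

# Drop bad stuff
# get all bad spam / scrap ips
if [ -f "$BLOCKFILE" ]; then
  $IPT -N spamlist
  for ipblock in "${BADIPS[@]}"; do
    $IPT -A spamlist -i "${PUB_IF}" -s "$ipblock" -j LOG --log-prefix "SPAM List Block"
    $IPT -A spamlist -i "${PUB_IF}" -s "$ipblock" -j DROP
  done
  $IPT -I INPUT -j spamlist
  $IPT -I OUTPUT -j spamlist
  $IPT -I FORWARD -j spamlist
fi
# The block above ended with 'done' instead of 'fi' in the original, which is a bash
# syntax error: the script aborted here, after the DROP policies were already set,
# leaving the node with only the loopback and outgoing rules above.

# Drop packets that claim a private/bogon source on the public interface. The chain
# matches on -i, i.e. an arriving interface; the jump from OUTPUT is harmless but
# cannot match locally generated packets.
$IPT -N spooflist
for ipblock in "${SPOOFIP[@]}"; do
  $IPT -A spooflist -i "${PUB_IF}" -s "$ipblock" -j LOG --log-prefix "SPOOF List Block"
  $IPT -A spooflist -i "${PUB_IF}" -s "$ipblock" -j DROP
done
$IPT -I INPUT -j spooflist
$IPT -I OUTPUT -j spooflist
$IPT -I FORWARD -j spooflist


# Stop sync: a NEW connection that does not start with SYN
$IPT -A INPUT -i "${PUB_IF}" -p tcp ! --syn -m state --state NEW -j DROP

# Stop Fragments
$IPT -A INPUT -i "${PUB_IF}" -f -j DROP

# Malformed TCP flag combinations
$IPT -A INPUT -i "${PUB_IF}" -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
$IPT -A INPUT -i "${PUB_IF}" -p tcp --tcp-flags ALL ALL -j DROP

# Stop NULL packets (logged at a low rate, then dropped)
$IPT -A INPUT -i "${PUB_IF}" -p tcp --tcp-flags ALL NONE -m limit --limit 5/m --limit-burst 7 -j LOG --log-prefix "NULL Packets"
$IPT -A INPUT -i "${PUB_IF}" -p tcp --tcp-flags ALL NONE -j DROP

$IPT -A INPUT -i "${PUB_IF}" -p tcp --tcp-flags SYN,RST SYN,RST -j DROP

# Stop XMAS
$IPT -A INPUT -i "${PUB_IF}" -p tcp --tcp-flags SYN,FIN SYN,FIN -m limit --limit 5/m --limit-burst 7 -j LOG --log-prefix "XMAS Packets"
$IPT -A INPUT -i "${PUB_IF}" -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP

# Stop FIN packet scans
$IPT -A INPUT -i "${PUB_IF}" -p tcp --tcp-flags FIN,ACK FIN -m limit --limit 5/m --limit-burst 7 -j LOG --log-prefix "Fin Packets Scan"
$IPT -A INPUT -i "${PUB_IF}" -p tcp --tcp-flags FIN,ACK FIN -j DROP

$IPT -A INPUT -i "${PUB_IF}" -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP


# Get rid of broadcast, multicast and packets conntrack cannot classify
$IPT -A INPUT -i "${PUB_IF}" -m pkttype --pkt-type broadcast -j DROP
$IPT -A INPUT -i "${PUB_IF}" -m pkttype --pkt-type multicast -j DROP
$IPT -A INPUT -i "${PUB_IF}" -m state --state INVALID -j DROP


# allow SSH, HTTP, HTTPS and webmin ONLY from $ADMIN_RANGES to the node's own address
for port in 22 10000 80 443; do
  $IPT -A INPUT -i "${PUB_IF}" -s "${ADMIN_RANGES}" -d "${SRVIP}" -p tcp --destination-port "$port" -j ACCEPT
done

# Allow incomming ICMP ping pong stuff. Each type is rate-limited; packets over the
# limit fall through to the final LOG/REJECT at the end of INPUT.
$IPT -A INPUT -i "${PUB_IF}" -p icmp --icmp-type 8 -m state --state NEW,ESTABLISHED,RELATED -m limit --limit 30/sec -j ACCEPT
$IPT -A INPUT -i "${PUB_IF}" -p icmp -m icmp --icmp-type 3 -m limit --limit 30/sec -j ACCEPT
$IPT -A INPUT -i "${PUB_IF}" -p icmp -m icmp --icmp-type 5 -m limit --limit 30/sec -j ACCEPT
$IPT -A INPUT -i "${PUB_IF}" -p icmp -m icmp --icmp-type 11 -m limit --limit 30/sec -j ACCEPT

### ******************************************************************************* ###
### Part 1 - Protect Hardware Node END                                              ###
### ******************************************************************************* ###



### ******************************************************************************* ###
### Part 2 - ALL VPS Specifc Config                                                 ###
### ******************************************************************************* ###

# Allow all ports for all VPS i.e. full access
# user can set their own firewall inside vps
# Flushing FORWARD also removes the spamlist/spooflist jumps inserted above, so
# traffic forwarded to/from the containers is not filtered by those lists at all —
# each container is expected to run its own firewall.
$IPT -P FORWARD ACCEPT
$IPT -F FORWARD

### ******************************************************************************* ###
### Part 2 - ALL VPS Specifc Config END                                             ###
### ******************************************************************************* ###



# drop and log everything else (INPUT only). OUTPUT has no catch-all rule: its DROP
# policy silently discards anything not allowed above, which appears to include
# traffic the node itself originates towards the containers over ${VE_IF}.
$IPT -A INPUT -m limit --limit 5/m --limit-burst 7 -j LOG
$IPT -A INPUT -j REJECT --reject-with icmp-port-unreachable

exit 0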

将此脚本安装到/root/fw/firewall并设为可执行:

# chmod +x /root/fw/firewall

然后从/etc/rc.local调用它:

# echo '/root/fw/firewall' >> /etc/rc.local