Hi Michael, Thank you for your SMART answer! We will make our bash script now to enable the firewall on our two Proxmox hosts.
Have a good day! ;-) *JG*

2013/6/11 Michael Rasmussen <[email protected]>

> On Tue, 11 Jun 2013 17:24:30 +0200
> Julien Groselle <[email protected]> wrote:
>
> > Hello again,
> >
> > In our company, we set up a heavy firewall on every server.
> > So, after many tests on Proxmox with an open firewall, it's time to put
> > the servers in production.
> > Before this step, we have to configure our iptables rules:
> >
> > Here is a partial output of my 'netstat -lnpute':
> > tcp  0 0 127.0.0.1:85           0.0.0.0:*  LISTEN  0   35730752  433645/pvedaemon
> > tcp  0 0 0.0.0.0:8006           0.0.0.0:*  LISTEN  33  35730876  433690/pveproxy
> > udp  0 0 192.168.100.187:5404   0.0.0.0:*          0   13381511  4501/corosync
> > udp  0 0 192.168.100.187:5405   0.0.0.0:*          0   13381512  4501/corosync
> > udp  0 0 239.192.1.240:5405     0.0.0.0:*          0   13381508  4501/corosync
> >
> > I just have to open tcp/8006 and all the udp/540*? Or are there any ports
> > that Proxmox needs to use?
> > I'm sure that ssh has to be open between the two nodes, but what
> > else?
>
> I run the following script at boot on every host. Every host has 2 NICs
> in a bond and has a number of VLANs and bridges configured. The hosts
> only have an IP configured on vmbr0 (default vlan0), on a LAN for shared
> storage (vlan20), and on a LAN for migration (vlan30). Everything is
> connected through a managed switch. vlan20 is accessible by all
> storage nodes and all hosts. vlan30 is only accessible by hosts. The
> only access to hosts is via vlan0.
>
> cat /etc/iptables.sh
> #!/bin/sh
>
> iptables -F INPUT
>
> # Block all input on vmbr0 except
> # https(8006)
> iptables -A INPUT -i vmbr0 -p tcp --dport 8006 -m state --state NEW -j ACCEPT
> # vnc-console (5900-5910)
> iptables -A INPUT -i vmbr0 -p tcp -m multiport --dports 5900:5910 -m state --state NEW -j ACCEPT
> # apcups (udp:3551)
> iptables -A INPUT -i vmbr0 -p udp --dport 3551 -m state --state NEW -j ACCEPT
>
> # Related traffic to the above
> iptables -A INPUT -i vmbr0 -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
> iptables -A INPUT -i vmbr0 -p udp -m state --state ESTABLISHED,RELATED -j ACCEPT
>
> # Drop everything else
> iptables -A INPUT -i vmbr0 -j DROP
>
>
> --
> Hilsen/Regards
> Michael Rasmussen
>
> Get my public GnuPG keys:
> michael <at> rasmussen <dot> cc
> http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xD3C9A00E
> mir <at> datanom <dot> net
> http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xE501F51C
> mir <at> miras <dot> org
> http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xE3E80917
> --------------------------------------------------------------
> * Omnic looks at his 33.6k link and then looks at Joy
> * Mercury cuddles his cable modem.. (=:]
_______________________________________________ pve-user mailing list [email protected] http://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-user
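The script quoted above only filters vmbr0 and relies on vlan20/vlan30 being isolated; it also never touches the loopback interface or the corosync ports Julien asked about, because those do not cross vmbr0 in Michael's layout. The script below is an added example written for this archive page, not code from either poster. It builds a whole-host INPUT policy that answers the original question (tcp/8006 for pveproxy, ssh between nodes, corosync udp/5404-5405 unicast and multicast, loopback for pvedaemon on 127.0.0.1:85) and can be rendered without root by setting IPT=echo. The admin LAN 192.168.100.0/24, the second node address 192.168.100.188, sshd on tcp/22, and the TRUSTED_IFS knob are assumptions; only the 192.168.100.187 host address and the 239.192.1.240 multicast group are taken from the netstat output in the thread.

```bash
#!/bin/bash
# Host INPUT firewall for a small Proxmox VE cluster: an added example, not the
# script from the list post. Assumed values (not from the thread, except the
# host address and multicast group seen in the netstat output): admin LAN
# 192.168.100.0/24, nodes 192.168.100.187 and 192.168.100.188, sshd on tcp/22.
set -u

IPT="${IPT:-iptables}"                 # IPT=echo renders the rules instead of applying them
MGMT_IF="${MGMT_IF:-vmbr0}"            # interface the admin LAN is reached on
MGMT_NET="${MGMT_NET:-192.168.100.0/24}"
CLUSTER_NODES="${CLUSTER_NODES:-192.168.100.187 192.168.100.188}"
COROSYNC_MCAST="${COROSYNC_MCAST:-239.192.1.240}"
TRUSTED_IFS="${TRUSTED_IFS:-}"         # e.g. "vlan20 vlan30" for isolated storage/migration LANs

build_input_rules() {
    # Start clean, but keep the policy ACCEPT until every allow rule is in
    # place; flipping to DROP first would cut an ssh session off half-way.
    $IPT -P INPUT ACCEPT
    $IPT -F INPUT

    # Loopback first: pvedaemon only listens on 127.0.0.1:85 and pveproxy
    # talks to it there, so a global DROP policy without this breaks the GUI.
    $IPT -A INPUT -i lo -j ACCEPT

    # Replies to connections this host opened (apt, NTP, storage) plus RELATED
    # traffic such as ICMP errors: one early rule instead of one per protocol.
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -m state --state INVALID -j DROP

    # Interfaces on isolated, trusted LANs (storage, migration) are left open.
    local ifc node
    for ifc in $TRUSTED_IFS; do
        $IPT -A INPUT -i "$ifc" -j ACCEPT
    done

    # Admin LAN only: ssh (also used node-to-node by Proxmox) and pveproxy tcp/8006.
    $IPT -A INPUT -i "$MGMT_IF" -s "$MGMT_NET" -p tcp -m multiport --dports 22,8006 -m state --state NEW -j ACCEPT
    # VNC console ports handed out by pveproxy (range taken from the posted script).
    $IPT -A INPUT -i "$MGMT_IF" -s "$MGMT_NET" -p tcp --dport 5900:5910 -m state --state NEW -j ACCEPT
    # Ping from the admin LAN for diagnostics.
    $IPT -A INPUT -i "$MGMT_IF" -s "$MGMT_NET" -p icmp --icmp-type echo-request -j ACCEPT

    # Cluster: corosync udp/5404-5405 from each peer, the multicast group, and
    # IGMP so the switch keeps forwarding that group to this host.
    for node in $CLUSTER_NODES; do
        $IPT -A INPUT -i "$MGMT_IF" -s "$node" -p udp --dport 5404:5405 -j ACCEPT
    done
    $IPT -A INPUT -i "$MGMT_IF" -d "$COROSYNC_MCAST" -p udp --dport 5404:5405 -j ACCEPT
    $IPT -A INPUT -i "$MGMT_IF" -p igmp -j ACCEPT

    # Everything else: log a rate-limited sample, then let the policy drop it.
    $IPT -A INPUT -m limit --limit 5/min -j LOG --log-prefix "INPUT-DROP: "
    $IPT -P INPUT DROP
}

# Checks against the rendered ruleset; run these before touching a live host.
rule_count()  { IPT=echo build_input_rules | grep -c -- '-A INPUT'; }
allows_port() { IPT=echo build_input_rules | grep -- "-p $1 " | grep -- "$2" | grep -q ACCEPT; }  # e.g. allows_port tcp 8006
ends_with_drop_policy() { IPT=echo build_input_rules | tail -n 1 | grep -q -- '-P INPUT DROP'; }

if [ "${PVE_FW_APPLY:-0}" = "1" ]; then
    build_input_rules
fi
```

Render the rules with `IPT=echo PVE_FW_APPLY=1 ./pve-fw.sh`, apply with `PVE_FW_APPLY=1 ./pve-fw.sh`, and verify with `iptables -S INPUT`. Two practical points when adapting it: the DROP policy here covers every interface, so on a layout like Michael's the storage and migration VLAN interfaces go into TRUSTED_IFS (or get their own port rules), and if migration or shared storage rides on vmbr0 instead, ssh from each peer node and the storage protocol ports must be allowed as well. When applying over ssh to a remote host, start a detached `sleep 300; iptables -P INPUT ACCEPT` first and kill it once you have confirmed you can still log in. The apcupsd rule from the posted script (udp/3551) is not included; add it if the host runs that service.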
