vzfirewall: an extremely simple tool to configure opened ports
and hosts for incoming connections in OpenVZ environment
(C) dkLab, http://en.dklab.ru/lib/dklab_vzfirewall/


The vzfirewall tool lets you open and close ports for incoming connections
without depending on foreign IP addresses. For example, you may allow the
hostname release.prod.example.com to connect to port 5432 of VE 1234 and
leave all other ports closed by adding a multi-line FIREWALL directive to
the 1234.conf file - see SYNOPSIS below.

You must then run vzfirewall -a on your hardware node to apply the changes
made in *.conf.

Note that it is recommended to use hostnames instead of IP addresses here,
so the configuration stays valid when a VE is moved to a different IP address:
you just need to run vzfirewall -a again after the move. The result is also
reboot-safe, because the rules are written to /etc/sysconfig/iptables (on RHEL
systems).


INSTALLATION
------------

cd /usr/sbin
wget http://github.com/DmitryKoterov/vzfirewall/raw/master/vzfirewall
chmod +x vzfirewall

# Optional: vps.premount action script to ensure vzfirewall is run
# (handy when you vzmigrate containers)

cd /etc/vz/conf
(test -f vps.premount && echo "vps.premount exists, manual integration required") || ( \
wget http://github.com/DmitryKoterov/vzfirewall/raw/master/vps.premount; \
chmod +x vps.premount )


SYNOPSIS
--------

1. Modify the file, e.g. /etc/vz/conf/4.conf (note that the whole FIREWALL
directive is prefixed with the "#" character, because otherwise OpenVZ issues
warnings about multi-line directives, which are not supported):
...
#FIREWALL="
# host.allowed.to.every.port
# yet.another.host
# * # means "any host"
#
# [25]
# host.allowed.to.access.smtp
# * # means "any"
#
# [80,443]
# hosts.allowed.to.access.two.ports
#
# [udp:53]
# *
#
# [CUSTOM]
# # You may use the "$THIS" macro, which is replaced by this machine's IP
# # (and, if the machine has many IPs, the rule is multiplied per IP).
# -A INPUT -i eth2 -d $THIS -j ACCEPT
# # Or you may use commands with no references to $THIS (only
# # such commands are allowed in the 0.conf file).
# -A INPUT -i eth1 -j ACCEPT
#"
...
We keep the FIREWALL directive in the plain VE config, not in a separate file,
so that the VE can easily be vzmigrated from one node to another. Note the "#"
characters again.

2. Run:
# vzfirewall -a    - to apply rules
# vzfirewall -t    - to test rules without applying them
# vzfirewall -h -v - vzfirewall documentation
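As an added example (not part of vzfirewall itself), the following Python reads the commented FIREWALL directive in the format shown above and renders the ACCEPT rules it implies, which is the kind of dry-run check "vzfirewall -t" gives you before applying anything. The sample hosts, the 10.0.0.x addresses and the exact iptables rendering (one rule per VE IP, multiport for port lists) are assumptions, since the page does not show vzfirewall's real output.

```python
import re
# Constructed sample VE conf fragment (hypothetical hosts) in the README's "#"-prefixed format.
SAMPLE_CONF = """\
#FIREWALL="
# admin.example.com
# [80,443]
# web.example.com
# [udp:53]
# * # means "any host"
# [CUSTOM]
# # a comment line inside [CUSTOM]
# -A INPUT -i eth2 -d $THIS -j ACCEPT
#"
"""

def parse_firewall(conf_text):
    """Return ([(proto, ports, hosts), ...], [custom rules]); ports is None for 'every port'."""
    m = re.search(r'^#FIREWALL="\n(.*?)^#"', conf_text, re.S | re.M)
    sections, custom, in_custom = [], [], False
    hosts = []                                   # leading section: hosts allowed on any port
    sections.append(("tcp", None, hosts))
    for raw in (m.group(1) if m else "").splitlines():
        line = (raw[1:] if raw.startswith("#") else raw).strip()  # drop the directive's "#"
        if in_custom:                            # keep rule lines, skip "# ..." comments
            custom += [line] if line and line[0] != "#" else []
            continue
        line = line.split("#", 1)[0].strip()     # drop trailing '# means ...' comments
        hdr = re.fullmatch(r"\[(?:(tcp|udp):)?([\d,]+|CUSTOM)\]", line)
        if hdr:
            in_custom = hdr.group(2) == "CUSTOM"
            if not in_custom:
                hosts = []
                sections.append((hdr.group(1) or "tcp", hdr.group(2).split(","), hosts))
        elif line:
            hosts.append(line)
    return [s for s in sections if s[2]], custom  # drop sections with no hosts

def to_iptables(sections, custom, this_ips):
    """Illustrative ACCEPT rules scoped to each VE IP (real vzfirewall output may differ)."""
    rules = []
    for ip in this_ips:
        for proto, ports, hosts in sections:
            for host in hosts:
                rule = ["-A INPUT -d " + ip] + ([] if host == "*" else ["-s " + host])
                if ports:                        # leading section has no port restriction
                    rule.append("-p %s -m multiport --dports %s" % (proto, ",".join(ports)))
                rules.append(" ".join(rule) + " -j ACCEPT")
    for line in custom:                          # "$THIS" is multiplied per IP, as the README says
        rules += [line.replace("$THIS", ip) for ip in this_ips] if "$THIS" in line else [line]
    return rules
```

Calling to_iptables(*parse_firewall(SAMPLE_CONF), ["10.0.0.5"]) prints one rule per host and section plus the expanded CUSTOM line; a config with no FIREWALL directive yields no rules at all, so the VE stays closed.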