vzfirewall is an extremely simple tool to configure opened ports and hosts for incoming connections in OpenVZ environment
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Failed to load latest commit information.


vzfirewall: an extremely simple tool to configure opened ports
            and hosts for incoming connections in OpenVZ environment
(C) dkLab, http://en.dklab.ru/lib/dklab_vzfirewall/

Vzfirewall tool allows you to open/close ports for incoming connections
with no dependencies to foreign IP addresses. E.g. you may allow a hostname
release.prod.example.com to connect to port 5432 of VE 1234 and leave all
other ports closed by modifying 1234.conf file adding multiline FIREWALL
directive into it - see SYNOPSIS below.

You must then run vzfirewall -a on your hardware node to apply changes
made in *.conf.

Note that it is recommended to use hostnames instead of IP addresses here,
so the configuration is persistent for VE movements to different IP-address:
you just need to run vzfirewall -a again after movement. It is also
reboot-safe, because applied to /etc/sysconfig/iptables (at RHEL systems).


cd /usr/sbin
wget http://github.com/DmitryKoterov/vzfirewall/raw/master/vzfirewall
chmod +x vzfirewall

# Optional:  vps.premount action script to ensure vzfirewall is run
# (handy when you vzmigrate containers)

cd /etc/vz/conf
(test -f vps.premount && echo "vps.premount exists, manual integration required") || ( \
    wget http://github.com/DmitryKoterov/vzfirewall/raw/master/vps.premount; \
    chmod +x vps.premount )


1. Modify the file e.g. /etc/vz/conf/4.conf (note that the whole FIREWALL
   directive is prefixed by "#" character, because else OpenVZ issues
   warnings about multi-line directives which are not supported):
   #   host.allowed.to.every.port
   #   yet.another.host
   #   * # means "any host"
   #   [25]
   #   host.allowed.to.access.smtp
   #   * # means "any"
   #   [80,443]
   #   hosts.allowed.to.access.two.ports
   #   [udp:53]
   #    *
   #   [CUSTOM]
   #   # You may use "$THIS" macro which is replaced by this machine IP
   #   # (and, if the machine has many IPs, it will be multiplicated).
   #   -A INPUT -i eth2 -d $THIS -j ACCEPT
   #   # Or you may use commands with no references to $THIS (only
   #   # such commands are allowed for 0.conf file).
   #   -A INPUT -i eth1 -j ACCEPT
   We use FIREWALL directive in plain VE configs, not in separate files,
   to allow to vzmigrate it easily from one node to another. Note the "#"
   characters again.

2. Run:
   # vzfirewall -a     - to apply rules
   # vzfirewall -t     - to test rules with no application
   # vzfirewall -h -v  - vzfirewall documentation