Guide: Firewall and router with Proxmox
Proxmox
Once Shorewall has been configured, there will be three distinct zones on the Proxmox server:
- the Firewall / Proxmox host at fw
- the virtual network zone for virtual servers at dmz
- the internet at net
IP Assignment
To further separate the internet and virtual servers as distinct areas, each virtual server will be assigned an IP address in the 10.0.0.0/8 range (10.0.0.1–10.255.255.254).
The exception is that one can no longer use 10.254.254.254 as this has been assigned to the vmbr0 network interface earlier in this guide.
Outgoing internet traffic
Due to this separation and the use of A-class (10.0.0.0/8) IP addresses, outgoing traffic from a virtual server to the internet needs to be translated (so that Shorewall and other Internet routers know where to send responses to).
This will be defined in the /etc/shorewall/masq file.
In its simplest form, /etc/shorewall/masq can be set to the follwing:
#INTERFACE SOURCE ADDRESS PROTO PORT(S) IPSEC MARKeth0 10.0.0.0/8
# LAST LINE -- DO NOT REMOVE
This means that all traffic originating from 10.0.0.0/8 and going to the internet will pass through the eth0 network interface using the IP address assigned to eth0.
If you wish to make all traffic appear from a particular IP addresses, it can be specified as the third parameter. For example:
eth0 10.0.0.0/8 91.121.0.1
Or perhaps there’s a specific internal IP address that must appear externally as another IP address, you can do this as folowing:
+eth0 10.0.1.101 91.121.0.2eth0 10.0.0.0/8 91.121.0.1
Notice the plus (‘+’) sign in front of eth0. All traffic from 10.0.0.0/8 will appear to be coming from IP 91.121.0.1, except traffic coming from 10.0.1.101 will appear as coming from 91.121.0.2.
Incoming internet traffic
The separation between the internet and virtual servers not only applies to outgoing traffic, but also incoming traffic. There are two methods of directing incoming traffic,which is Proxy ARP or DNAT. This article will focus on DNAT; for more information on Proxy ARP and Shorewall, visit http://www.shorewall.net/manpages/shorewall-proxyarp.html.
For example, to forward HTTP traffic on any external IP address to a virtual server with the assigned IP of 10.0.1.101, edit the /etc/shorewall/rules file as following:
...(existing rules)...DNAT net dmz:10.0.1.101 tcp 80
The added benefit of DNAT is that a single IP address can be used for multiple virtual servers, provided that the traffic is on a different port. For example, HTTP traffic on external IP address 91.121.0.1 may be sent to a virtual server with the assigned IP of 10.0.1.101, whereas FTP traffic may be sent to a virtual server with assigned IP of 10.0.1.102 instead:
…(existing rules)…DNAT net dmz:10.0.1.101 tcp 80–91.121.0.1DNAT net dmz:10.0.1.102 tcp 21,23–91.121.0.1
It is even possible to route traffic to a different internal port. For example, to forward HTTP traffic on external IP address 91.121.0.1 to a virtual server with the assigned IP of 10.0.1.103 and listening on 8180:
…(existing rules)…DNAT net dmz:10.0.1.103:8180 tcp 80–91.121.0.1
Bridged Networking
The venet network interface is certainly the simplest method to use in Proxmox. However, venet is not available in KVM (fully virtualized servers) and there may be another reason why you might want to use the veth network interfaces with regular containers (such as the use of DHCP).
For this reason the vmbr0 network interface on the host was reconfigured to use the IP address of 10.254.254.254. It will act as the gateway entry for those virtual servers using veth network interfaces.
Although additional configuration needs to be done within a virtual server, you can use the same Shorewall rules for in- and outgoing traffic as described earlier (ie., DNAT or outgoing traffic).
Linux (Debian)
Inside a Debian Linux virtual server, you will specify /etc/network/interfaces as following:
auto eth0iface eth0 inet static address 10.0.1.101 netmask 255.0.0.0 gateway 10.254.254.254
where 10.0.1.101 is the IP address to be used by this particular virtual server.
If you are using both venet and veth network interfaces at the same time, as may be the case with certain IPv6 configurations, the file /etc/network/interfaces.tail should be used instead.
Microsoft Windows
For networking within Windows, proceed to your Networking control panel (or the Network and Sharing Center). Select the appropriate Local Area Connection and right-click to reveal the Properties menu option. UAC (User Account Control) may request your permission to proceed.
In the list of This connection uses the following items, select Internet Protocol (TCP/IP) (or Internet Protocol Version 4 (TCP/IPv4)). Click the Properties button.
At the General tab, change the following selections:Use the following IP address:
IP address: 10.0.1.101Subnet mask: 255.0.0.0Default gateway: 10.254.254.254
Use the following DNS server addresses:
Preferred DNS server: xxx.xxx.xxx.xxxAlternate DNS server: yyy.yyy.yyy.yyy
Where xxx… and yyy… are your preferred DNS servers.
Non-private IP Assignment
The setup as described above has separated your virtual servers from the internet by use of a zone (dmz) and A-class IP range (10.0.0.0/8). However, it is still possible to assign a non-private IP directly to one of your virtual servers if the venet network interface is used.
Internet traffic (from the net to the dmz zone) will still be blocked per the policy established in the above setup, and you will need to add additional rules to your Shorewall configuration. The major difference is that you must use ACCEPT instead of DNAT.
For example, let’s assume the IP address 91.121.0.1 was directly assigned to a virtual server. To permit internet Web traffic (port 80) to this container, add the following rule to your /etc/shorewall/rules file:
ACCEPT net dmz:91.121.0.1 tcp 80
Please note that for veth network interfaces (bridged) Proxy ARP is required.