OpenVZ IPTABLES Configuration

This article provides a sample firewall script for your OpenVZ VPS. The script also covers IPv6-enabled OpenVZ guest containers. We have tested this script on CentOS, Debian and OpenSuse OpenVZ guest containers, with CentOS 6 as the host OS.

Here is the firewall configuration for OpenVZ guests [tested on CentOS, Debian and OpenSuse].

The firewall script that we make available here will:

  • Open the ports 20, 21, 22, 53 and 80 for both IPv4 and IPv6.
  • Block all the compromised, zombie systems that are listed on the Spamhaus DROP lists (Don't Route Or Peer lists).

Save the script below as /etc/init.d/firewall, make it executable [chmod +x /etc/init.d/firewall] and run it with /etc/init.d/firewall start.

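#!/bin/sh
# chkconfig: 3 21 91
# description: EDIS GmbH - Firewall script for OpenVZ containers
#
# Usage: /etc/init.d/firewall {start|stop|status}
#
# The helpers below report each step with `success`, which comes from the
# RHEL init library /etc/init.d/functions.  It is sourced when present; on
# distributions without it (Debian, OpenSuse) a no-op stand-in is defined so
# the script does not print "success: not found" after every step.
if [ -r /etc/init.d/functions ]; then
  . /etc/init.d/functions
else
  success() { :; }
fi

###############################################
#CHECK AND CHANGE OPTION BELOW HERE!
###############################################

# Location of iptables (IPv4 only) and ip6tables (IPv6 only)
IPT=/sbin/iptables
IPT6=/sbin/ip6tables

# Ports that will be opened (TCP and UDP on venet0, for IPv4 and IPv6)
OPENPORTS="20 21 22 53 80"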

###############################################
# DO NOT CHANGE ANYTHING BELOW HERE!
###############################################
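#######################################
# Print the current IPv4 rule set (iptables -n -L).
# Globals:   IPT (read)
# Outputs:   progress message and the rule listing on stdout
# Returns:   exit status of the iptables listing
#######################################
check4() {
  local rc
  # printf instead of `echo -n`: under /bin/sh, `echo -n` is not portable.
  printf '%s' "Firewall: Show IPv4 rules"
  "$IPT" -n -L
  rc=$?
  success ; echo
  return "$rc"
}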

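#######################################
# Print the current IPv6 rule set (ip6tables -n -L).
# Globals:   IPT6 (read)
# Outputs:   progress message and the rule listing on stdout
# Returns:   exit status of the ip6tables listing
#######################################
check6() {
  local rc
  # printf instead of `echo -n`: under /bin/sh, `echo -n` is not portable.
  printf '%s' "Firewall: Show IPv6 rules"
  "$IPT6" -n -L
  rc=$?
  success ; echo
  return "$rc"
}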

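#######################################
# Remove every rule and user-defined chain and reset all policies to ACCEPT,
# for IPv4 and IPv6, so that afterwards all traffic really is allowed (as the
# message says).  Resetting only OUTPUT is not enough: an INPUT/FORWARD policy
# of DROP left by an earlier run would survive the flush and seal the
# container until the next configurefw.
# Globals:   IPT, IPT6 (read)
# Outputs:   progress message on stdout
#######################################
flushmem() {
  local fw chain
  printf '%s' "Firewall: Flushing current rules from memory and allowing all traffic"
  for fw in "$IPT" "$IPT6"; do
    # Policies first, so the host stays reachable the moment the rules go.
    for chain in INPUT FORWARD OUTPUT; do
      "$fw" -P "$chain" ACCEPT
    done
    "$fw" -F
    # Delete the now empty and unreferenced user chains (e.g. spamhausdroplist).
    "$fw" -X
  done
  success ; echo
}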

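#######################################
# Install the restrictive rule set on venet0 for IPv4 and IPv6: default DROP
# on INPUT and FORWARD, loopback and established traffic allowed, every port
# in OPENPORTS open for TCP and UDP, ICMP rate-limited.
# Globals:   IPT, IPT6, OPENPORTS (read)
# Outputs:   progress messages on stdout
#######################################
configurefw() {
  local port
  printf '%s' "Firewall: Setting IPv4 DROP policies"
  "$IPT" -P INPUT DROP
  "$IPT" -P FORWARD DROP
  # Deliberately no "-A INPUT -i venet0 -j DROP" here: appended as the first
  # rule it is matched before every ACCEPT rule below and blocks all inbound
  # traffic on venet0, ssh included.  The DROP policy already covers whatever
  # the ACCEPT rules do not match.
  "$IPT" -A INPUT -i venet0 -m state --state ESTABLISHED,RELATED -j ACCEPT
  "$IPT" -A INPUT -i lo -j ACCEPT
  "$IPT" -A OUTPUT -o lo -j ACCEPT
  success ; echo

  printf '%s' "Firewall: Setting IPv6 DROP policies"
  "$IPT6" -P INPUT DROP
  "$IPT6" -P FORWARD DROP
  # Same stateful rule as for IPv4.  Should the IPv6 conntrack match not be
  # available inside the container, this single command fails and the
  # "! --syn" rule further down still lets TCP replies through.
  "$IPT6" -A INPUT -i venet0 -m state --state ESTABLISHED,RELATED -j ACCEPT
  "$IPT6" -A INPUT -i lo -j ACCEPT
  "$IPT6" -A OUTPUT -o lo -j ACCEPT
  success ; echo

  printf '%s' "Firewall: Setting IPv4 & IPv6 ACCEPT policies"
  for port in $OPENPORTS ; do
    "$IPT" -A INPUT -i venet0 -p tcp --dport "$port" -j ACCEPT
    "$IPT" -A INPUT -i venet0 -p udp --dport "$port" -j ACCEPT
    "$IPT6" -A INPUT -i venet0 -p tcp --dport "$port" -j ACCEPT
    "$IPT6" -A INPUT -i venet0 -p udp --dport "$port" -j ACCEPT
  done
  # Report once after the loop, not once per port.
  success ; echo

  # Ping and friends, throttled to one packet per second.
  "$IPT" -A INPUT -i venet0 -p icmp -m limit --limit 1/s --limit-burst 1 -j ACCEPT
  # DNS stays reachable even if 53 is removed from OPENPORTS.  No "-s" clause:
  # "any source" is the default, and the IPv4 notation 0.0.0.0/0 is rejected
  # by ip6tables.
  "$IPT" -A INPUT -i venet0 -p udp -m udp --dport 53 -j ACCEPT

  # Weaker than the stateful rule above (any non-SYN segment is let in), kept
  # as the fallback for containers without IPv6 connection tracking.
  "$IPT6" -A INPUT -i venet0 -p tcp -m tcp ! --syn -j ACCEPT
  "$IPT6" -A INPUT -i venet0 -p icmpv6 -m limit --limit 1/s --limit-burst 1 -j ACCEPT
  "$IPT6" -A INPUT -i venet0 -p udp -m udp --dport 53 -j ACCEPT
}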

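#######################################
# Load the Spamhaus DROP list into its own chain and jump to it from the top
# of INPUT, so traffic from the listed netblocks is dropped before anything
# else is evaluated.  The list is downloaded and parsed first; only when that
# succeeded is the chain that is currently in place replaced.
# Globals:   IPT (read)
# Outputs:   progress messages on stdout, one line per installed netblock
# Returns:   0 on success, 1 if the list could not be fetched or contained
#            no usable netblock (the existing chain is then left untouched)
#######################################
configuresh() {
  local file url blocks ipblock
  printf '%s' "Firewall addon: Initializing Spamhaus DROP lists include"
  url="http://www.spamhaus.org/drop/drop.lasso"
  # Private temp file: a fixed /tmp/drop.lasso could be pre-created or swapped
  # by another local user between download and parse.
  file=$(mktemp /tmp/drop.lasso.XXXXXX) || {
    printf ' FAILED: mktemp\n' >&2
    return 1
  }
  success ; echo

  printf '%s' "Firewall addon: Read new Spamhaus DROP lists"
  if ! wget -q -O "$file" "$url"; then
    printf ' FAILED: download of %s\n' "$url" >&2
    rm -f -- "$file"
    return 1
  fi
  # Lines look like "netblock ; SBL reference"; ';' starts a comment line.
  # Keep only entries that look like an IPv4 CIDR, so nothing else that comes
  # in over this plain-HTTP, unauthenticated download ends up as an iptables
  # argument.  (An older version filtered with "egrep -v '^'", which matches
  # every line and therefore never produced a single rule.)
  blocks=$(grep -v '^;' -- "$file" | awk '{ print $1 }' \
    | grep -E '^[0-9]{1,3}(\.[0-9]{1,3}){3}/[0-9]{1,2}$')
  rm -f -- "$file"
  if [ -z "$blocks" ]; then
    printf ' FAILED: no netblocks found in %s\n' "$url" >&2
    return 1
  fi
  success ; echo

  printf '%s' "Firewall addon: Drop current Spamhaus DROP lists rules"
  # On the first run the chain does not exist yet (-D/-F fail), on later runs
  # it already does (-N fails); both are expected, so the errors are silenced.
  "$IPT" -D INPUT -j spamhausdroplist 2>/dev/null
  "$IPT" -F spamhausdroplist 2>/dev/null
  "$IPT" -N spamhausdroplist 2>/dev/null
  success ; echo

  printf '%s' "Firewall addon: Adding Spamhause DROP lists rules"
  echo
  for ipblock in $blocks; do
    "$IPT" -A spamhausdroplist -s "$ipblock" -j DROP
    printf '%s\n' "$ipblock"
  done
  # Insert at the top of INPUT: listed sources are dropped before the
  # ESTABLISHED/ACCEPT rules get a chance to match.
  "$IPT" -I INPUT -j spamhausdroplist
  success ; echo
}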

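# Entry point: dispatch on the init action given as "$1".
case "$1" in
  start)
    echo "Starting firewall..."
    flushmem
    configurefw
    configuresh
    ;;
  stop)
    echo "Stopping firewall..."
    # Reset the policies as well: flushing the rules alone leaves INPUT and
    # FORWARD at DROP and seals the container completely.
    for chain in INPUT FORWARD OUTPUT; do
      "$IPT" -P "$chain" ACCEPT
      "$IPT6" -P "$chain" ACCEPT
    done
    "$IPT" -F
    "$IPT6" -F
    exit 0
    ;;
  status)
    echo "Status firewall IPv4..."
    check4
    echo "Status firewall IPv6..."
    check6
    ;;
  *)
    # Every arm needs its ";;" terminator; without the one above, "*)" is a
    # syntax error and the whole script refuses to run.
    echo "Usage: $0 {start|stop|status}" >&2
    exit 1
    ;;
esac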

Note 1: You may have to adjust the location of iptables and ip6tables depending on your distribution. Also open or close ports according to your requirements.

 
