On Tue, 11 Jun 2013 17:24:30 +0200 Julien Groselle <[email protected]> wrote:
> Hello again,
>
> In our company, we set up a heavy firewall on every server.
> So, after many tests on Proxmox with an open firewall, it's time to put
> the servers into production.
> Before this step, we have to configure our iptables rules:
>
> Here is a partial output of my 'netstat -lnpute':
>
> tcp  0  0 127.0.0.1:85          0.0.0.0:*  LISTEN   0   35730752  433645/pvedaemon
> tcp  0  0 0.0.0.0:8006          0.0.0.0:*  LISTEN   33  35730876  433690/pveproxy
> udp  0  0 192.168.100.187:5404  0.0.0.0:*           0   13381511  4501/corosync
> udp  0  0 192.168.100.187:5405  0.0.0.0:*           0   13381512  4501/corosync
> udp  0  0 239.192.1.240:5405    0.0.0.0:*           0   13381508  4501/corosync
>
> Do I just have to open tcp/8006 and all of udp/540*? Or are there any other ports
> that Proxmox needs to use?
> I'm sure that ssh has to be open between the two nodes, but what
> else?

I run the following script at boot on every host. Every host has 2 NICs in a bond and has a number of VLANs and bridges configured. The hosts only have an IP configured on vmbr0 (default vlan0), on a LAN for shared storage (vlan20), and on a LAN for migration (vlan30). Everything is connected through a managed switch. vlan20 is accessible by all storage nodes and all hosts. vlan30 is only accessible by hosts. The only access to the hosts is via vlan0.
cat /etc/iptables.sh
#!/bin/sh
# Flush any existing INPUT rules before rebuilding the chain.
iptables -F INPUT
# Block all input on vmbr0 except
# https (8006)
iptables -A INPUT -i vmbr0 -p tcp --dport 8006 -m state --state NEW -j ACCEPT
# vnc-console (5900-5910)
iptables -A INPUT -i vmbr0 -p tcp -m multiport --dports 5900:5910 -m state --state NEW -j ACCEPT
# apcups (udp:3551)
iptables -A INPUT -i vmbr0 -p udp --dport 3551 -m state --state NEW -j ACCEPT
# Related traffic to the above
iptables -A INPUT -i vmbr0 -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i vmbr0 -p udp -m state --state ESTABLISHED,RELATED -j ACCEPT
# Drop everything else (only on vmbr0; vlan20 and vlan30 are left untouched)
iptables -A INPUT -i vmbr0 -j DROP

--
Hilsen/Regards
Michael Rasmussen

Get my public GnuPG keys:
michael <at> rasmussen <dot> cc
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xD3C9A00E
mir <at> datanom <dot> net
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xE501F51C
mir <at> miras <dot> org
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xE3E80917
--------------------------------------------------------------
* Omnic looks at his 33.6k link and then looks at Joy
* Mercury cuddles his cable modem.. (=:]
_______________________________________________ pve-user mailing list [email protected] http://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-user
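The script in the reply above only guards vmbr0 and relies on vlan20/vlan30 being private, so it never has to admit ssh or corosync on the management interface. In the situation the question describes, the cluster traffic visible in the netstat output (corosync bound to 192.168.100.187 on udp/5404 and udp/5405, plus the 239.192.1.240:5405 multicast socket, and pveproxy on tcp/8006) arrives on the same interface that admins use. The following is an added example, not Michael's script and not anything shipped by Proxmox: a POSIX sh generator that prints a complete INPUT ruleset for that case so it can be reviewed before being piped to sh. The peer addresses, the admin network, the noVNC port range and the hypothetical function names `pve_rules` / `pve_rule_count` are all assumptions; the corosync ports, the multicast group and tcp/8006 are taken from the netstat output in the thread, and ssh between nodes from the question itself.

```shell
#!/bin/sh
# Added example (not from the original post): generate an iptables INPUT
# ruleset for a Proxmox VE node whose cluster traffic shares the management
# interface. Prints the commands instead of applying them, so it runs
# without root and the result can be reviewed or piped to sh.
#
# Assumptions (not stated in the thread): peers, admin network and the
# VNC range are placeholders; take real values from /etc/pve/corosync.conf
# and the site's addressing plan.

MGMT_IF="vmbr0"                           # interface the rules apply to
PEERS="192.168.100.187 192.168.100.188"   # other cluster nodes (assumed)
ADMIN_NET="10.0.0.0/24"                   # where GUI/SSH logins come from (assumed)
COROSYNC_MCAST="239.192.1.240"            # multicast group seen in the netstat output
VNC_PORTS="5900:5999"                     # noVNC console range (assumed; the post used 5900:5910)

# pve_rules IFACE "PEER ..." ADMIN_NET  ->  one iptables command per line
pve_rules() {
    iface=$1; peers=$2; admin=$3
    printf 'iptables -F INPUT\n'
    # Stateful shortcut first, so replies are not evaluated against every rule.
    printf 'iptables -A INPUT -i %s -m state --state ESTABLISHED,RELATED -j ACCEPT\n' "$iface"
    # pvedaemon listens on 127.0.0.1:85 (see netstat); loopback must stay open.
    printf 'iptables -A INPUT -i lo -j ACCEPT\n'
    # Packets that are neither new nor tracked are dropped early.
    printf 'iptables -A INPUT -i %s -m state --state INVALID -j DROP\n' "$iface"
    # Web GUI / API (pveproxy, tcp/8006) from the admin network only.
    printf 'iptables -A INPUT -i %s -s %s -p tcp --dport 8006 -m state --state NEW -j ACCEPT\n' "$iface" "$admin"
    # noVNC console from the admin network.
    printf 'iptables -A INPUT -i %s -s %s -p tcp -m multiport --dports %s -m state --state NEW -j ACCEPT\n' "$iface" "$admin" "$VNC_PORTS"
    for p in $peers; do
        # ssh between nodes (the question already notes this is required).
        printf 'iptables -A INPUT -i %s -s %s -p tcp --dport 22 -m state --state NEW -j ACCEPT\n' "$iface" "$p"
        # Node-to-node pveproxy calls on tcp/8006.
        printf 'iptables -A INPUT -i %s -s %s -p tcp --dport 8006 -m state --state NEW -j ACCEPT\n' "$iface" "$p"
        # corosync udp/5404-5405 from each peer (unicast and multicast sources).
        printf 'iptables -A INPUT -i %s -s %s -p udp -m multiport --dports 5404:5405 -j ACCEPT\n' "$iface" "$p"
    done
    # Multicast destination itself: UDP to a group address is never "ESTABLISHED".
    printf 'iptables -A INPUT -i %s -d %s -p udp --dport 5405 -j ACCEPT\n' "$iface" "$COROSYNC_MCAST"
    # IGMP so the switch keeps forwarding the group to this node.
    printf 'iptables -A INPUT -i %s -p igmp -j ACCEPT\n' "$iface"
    # Everything else on the management interface is dropped.
    printf 'iptables -A INPUT -i %s -j DROP\n' "$iface"
}

# Number of -A rules the generator would apply (useful for sanity checks).
pve_rule_count() {
    pve_rules "$@" | grep -c '^iptables -A'
}

# Stand-alone use: `sh iptables-gen.sh print` to review, `| sh` to apply.
if [ "${1:-}" = "print" ]; then
    pve_rules "$MGMT_IF" "$PEERS" "$ADMIN_NET"
fi
```

The ordering matters: the ESTABLISHED,RELATED rule goes first so the bulk of traffic takes one lookup, the per-peer rules restrict ssh, 8006 and corosync to known cluster members rather than the whole interface, and the final DROP keeps the posted script's style of an explicit interface drop instead of a chain policy. The multicast and IGMP rules are the part most often forgotten when corosync stops seeing its peers after a firewall is enabled.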
