OpenVZ: HOWto Communicate between VE's without creating a security weakness?
Debian 6 I'm a beginner...and your insight helps a lot!
I am looking at implementing the HN based firewall method described on the below page, where the HN creates the VE's firewalls:
If that isn't the firewall method I should be implementing for what I want to do, please point me to the firewall setup I do need.
I want my catalog sales in VE 101 and my company bookkeeping and accounting in VE 102 for security's sake. -At least, I am assuming it is more secure to do this.
From a Security viewpoint, what would be the best/proper way to communicate my sales happening in VE 101 to VE 102 where my business's bookkeeping is happening, thus having a fully integrated automatic environment?
And could you provide an example of the programming statement that would be used to send this information from VE 101 to VE 102, and for receiving that information in VE 102? (If it helps, I am planning to use shell scripts and python to stitch things together.)
I don't know if the online documentation for this has improved since I had to put my own firewall on my OpenVZ hardware server, but when I had to do it, I found nothing I read really helped me and asking on forums drew a blank as well :) So I'll be happy to help you as much as I can. I don't use Iptables directly and so I won't be able to help you with that, but I do have Shorewall running nicely. It filters all traffic and firewalls the hardware node as well as the VE's
Unfortunately you've caught me at a bad time, but give me a couple of days and I'll get back to you on this.
Thanks Cotun! That would be fantastic! And, you're right, I have posted on forums and mailing lists, and not a single reply. It seems to me that shorewall would be ideal, but I couldn't get my questions answered on that either.
When I first started, I bumped into a OpenVZ server guy who does do what I want to do, who quickly outlined my layout for me, while we were waiting for transportation. I was lucky. Below is what he told me to do. If it doesn't fit with your own layout and solution, tell me, and I will adapt to yours so that I can get something up and running and get on with the creating my websites....the part I thought would surely be the hard part! :; :
All external domains will, for now, point to my single home IP address.
The host node should have a "rough" firewall which is not really meant to protect the host node. Instead the host's rough firewall is to be set to direct ALL port 80 and 443 traffic to OpenVZ's 1st container, VE Container 101, which is to contain a "sophisticated" firewall. (I'm thinking he meant Shorewall)
This "sophisticated" firewall in VE container 101, which recognizes port numbers and has them mapped to their respective various VE container's own IP addresses, then routes IP number traffic directly to the proper VE Containers.
-AND this "sophisticated" firewall in VE 101 also directs all domain name based http traffic to VE container 102 which is setting within VE 101's firewall's DMZ.
Container VE 102 contains an Apache server which is running in VIRTUAL HOST MODE and which then handles all the external incoming and internal outgoing domain name based http(s) traffic by passing it to the respective and proper virtual containers I create for my business operations, etc., and receiving it back from the same.
Within each of these other VE containers which I will create as I need them, will also have their own firewall and Apache server operating in SINGLE SERVER MODE and listening on their own high port numbers, such as 8800, 9123, etc.
I assume there is a logical return path back through Containers 102 and 101, but he didn't mention anything about that.
Is your setup close enough to this layout it can be easily adapted? -Or should I adopt your's for now, for the sake of actually moving ahead??? :)
Take your time, I don't mind waiting for open windows in your life. I really appreciate your insights and help! Thanks!
Hi, sorry about the delay in responding.
I'm not surprised to hear that you haven't been able to get any help with this. Before OpenVZ, I had a Xen server and had the same problems trying to firewall it!! (with an ultimately different solution) :)
Anyway, your network configuration looks a bit more complicated than mine, but I'll explain what I did with Shorewall on the hardware node to make it work. From there, we can look at what needs to be done further. In all reality, it wasn't that difficult to set up a basic configuration, but without complete documentation on the subject, it took a bit of trial and error to make it work.
There are four critical Shorewall configuration files to make a firewall work on the hardware node in a basic sense. These are zones, policy, rules and interface. Assuming you have one physical ethernet port, you'll want to create two interfaces in 'interface', one for your physical device and another for the virtual interface OpenVZ uses. After this, you'll want to create three zones in the 'zones' file, one for the firewall itself (the hardware node basically), one for the OpenVZ virtual interface and one for outside the physical machine. You can then customise the 'policy' file by defining how the firewall should response to traffic between the three zones.
After this has been done, you can use the 'rules' file to enter more specific instructions as to how firewalling and routing should be handled. Typical examples of this are firewalling the virtual machines from communicating with any outside LAN machine, opening specific ports for individual virtual machines and adding any port forwarding required. From here on, it's just a matter of looking through the configuration files and making any additional subtle changes required based on what you want. But those four files should get you a basic, working configuration.
Thanks Coltun! I will dig deeper into shorewall and your layout and will get back to you with a few questions. I really appreciate your insight and help on this! It may take me a little while though...
The biggest thing (other than security) is I will have multiple domains coming into my home all on the same ip address and I will need to make sure each one ends up going to it's proper respective VE website.
No problem, glad to help :)
|All times are GMT -5. The time now is 08:26 AM.|