OpenVZ Firewall Setup using VZFIREWALL in Debian / Ubuntu

Need a firewall for an OpenVZ host and its containers? VZFIREWALL is a small script that opens and closes ports for incoming connections to each container, and its rules can name remote hosts by DNS name instead of hard-coded IP addresses (names are resolved into addresses when the rules are applied, so a host whose address changes needs the rules re-applied). Its main limitation is that it only filters inbound traffic: it cannot restrict outbound connections from a container, so egress filtering, for example keeping a compromised container from reaching arbitrary hosts, needs separate iptables rules. It is easy to install and use on an OpenVZ server running Debian / Ubuntu.

This guide assumes a working OpenVZ host on a minimal Debian / Ubuntu installation.

Installing VZFIREWALL for OpenVZ

Installation is a matter of dropping the script into /usr/sbin as root. Fetch it over HTTPS (github.com redirects plain http:// to https:// anyway, and a plaintext download of something that will run as root and drive iptables is not worth the risk), and read through it before marking it executable:

apt-get update && apt-get upgrade
apt-get install wget
cd /usr/sbin
wget https://github.com/DmitryKoterov/vzfirewall/raw/master/vzfirewall
chmod +x vzfirewall

The next step is optional, but highly recommended. vps.premount is an OpenVZ action script that vzctl runs before a container's filesystem is mounted, i.e. on every container start; the one shipped with VZFIREWALL re-applies the firewall rules at that point, so the rules are in place before the container's services come up and are restored automatically after a vzmigrate to another node.

cd /etc/vz/conf
(test -f vps.premount && echo "vps.premount exists, manual integration required") || ( \
wget https://github.com/DmitryKoterov/vzfirewall/raw/master/vps.premount; \
chmod +x vps.premount )
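The two steps above, written the way a security engineer would want them on a production host, as an added example that is not part of the original post or the vzfirewall project: both files are fetched over TLS only, sanity-checked (non-empty, starts with a #! line, is not an HTML error page saved under the script's name), and installed atomically with mode 0755 rather than written directly into /usr/sbin. The two URLs are the upstream paths from the post with the scheme set to https; the helper names and the checks are this example's own.

```shell
#!/bin/sh
# Added example (not from the original post or the vzfirewall project):
# fetch vzfirewall and vps.premount over TLS only, sanity-check each file,
# and install it atomically instead of writing straight into /usr/sbin.
# The two URLs are the upstream paths from the post with https; the helper
# names and checks below are this example's own.
set -eu

VZFW_URL="https://github.com/DmitryKoterov/vzfirewall/raw/master/vzfirewall"
PREMOUNT_URL="https://github.com/DmitryKoterov/vzfirewall/raw/master/vps.premount"

# check_script FILE: refuse empty files, files without a #! line, and
# HTML error pages that a failed download may have saved under the name.
check_script() {
    f="$1"
    [ -s "$f" ] || { echo "check_script: empty file: $f" >&2; return 1; }
    head -c 2 "$f" | grep -q '^#!' || { echo "check_script: no #! line: $f" >&2; return 1; }
    ! grep -qi '<html' "$f" || { echo "check_script: looks like HTML, not a script: $f" >&2; return 1; }
    return 0
}

# install_script FILE DEST: copy FILE to DEST with mode 0755 via a temporary
# file in DEST's directory plus a rename, so a half-written file is never
# visible on $PATH. Run as root when DEST is under /usr/sbin.
install_script() {
    src="$1"; dest="$2"
    check_script "$src"
    tmp="$(mktemp "$(dirname "$dest")/.vzfw.XXXXXX")"
    cp "$src" "$tmp"
    chmod 0755 "$tmp"
    mv -f "$tmp" "$dest"
}

# fetch URL FILE: https only (no silent fallback to http), a few redirects.
fetch() {
    wget -q --https-only --max-redirect=3 -O "$2" "$1"
}

main() {
    work="$(mktemp -d)"
    trap 'rm -rf "$work"' EXIT
    fetch "$VZFW_URL" "$work/vzfirewall"
    install_script "$work/vzfirewall" /usr/sbin/vzfirewall
    # Same guard as the post: never overwrite an existing action script.
    if [ -f /etc/vz/conf/vps.premount ]; then
        echo "vps.premount exists, manual integration required" >&2
    else
        fetch "$PREMOUNT_URL" "$work/vps.premount"
        install_script "$work/vps.premount" /etc/vz/conf/vps.premount
    fi
}

# Only run the network steps when invoked as: sh install-vzfirewall.sh install
if [ "${1:-}" = "install" ]; then main; fi
```

Run it as root with the single argument `install`; without it the script only defines the functions. The temporary file is created in the destination directory so the final `mv` is a rename on the same filesystem, and `--https-only` makes wget fail rather than follow a redirect back to plain http.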

Configuring VZFIREWALL for OpenVZ

Configuration lives in the container's own config file, /etc/vz/conf/$VEID.conf, where $VEID is the container ID (for example 101.conf for container 101): append one or more multi-line FIREWALL directives to the end of that file. Here is an example of what such a block might look like.

#FIREWALL="
#    # Domain names and IP's listed in this section have all ports open.
#    all-access.example.com
#    192.168.5.1
#
#    # Allow access to web ports 80 (http) and 443 (https) from everyone.
#    [tcp:80,443]
#    *
#    
#    # Allow access to the PostgreSQL port only from dataserver.example.com.
#    [5432]
#    dataserver.example.com
#    
#    # Allow access to DNS port (53 UDP) from everyone.
#    [udp:53]
#    *
#    
#    # Allow access from a subnet to SSH and SMTP.
#    [22,25]
#    192.168.10.0/24
#
#    # Custom rules are passed through to iptables; $THIS stands for this
#    # container's own IP address.
#    [CUSTOM]
#    -A INPUT -i eth1 -d $THIS -j ACCEPT
#"

Note: Every line of the FIREWALL directive, including the opening FIREWALL=" and the closing ", must start with a "#" character. vzctl parses $VEID.conf as single-line KEY="value" settings and warns about multi-line values it does not support; VZFIREWALL reads the commented block itself, so the leading "#" hides it from vzctl without hiding it from the firewall. After editing the file, re-apply the rules (vzfirewall -a applies them for all containers) and inspect the result with iptables -S to confirm the generated rules match what you intended rather than trusting the config alone.
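An added example, not part of the original post or the vzfirewall script: a POSIX shell/awk linter that checks a container's $VEID.conf FIREWALL block for the mistakes the note above warns about (an uncommented line inside the block, an unclosed block) and for a few others a reviewer would flag, such as a "*" placed above the first [port] section, which opens every port to everyone. The accepted grammar is inferred from the sample config above only ([tcp:...], [udp:...], [port,...], [CUSTOM]); the function names are this example's own, and `vzfirewall -a` is assumed here to be the script's apply switch.

```shell
#!/bin/sh
# Added example (not from the original post or the vzfirewall script):
# lint a container's /etc/vz/conf/$VEID.conf FIREWALL block before applying
# it. The accepted grammar is inferred from the post's sample config only
# ([tcp:..], [udp:..], [port,..], [CUSTOM]); function names are this example's own.
set -eu

# vzfw_lint CONF: print "LINE: problem" for each finding; return 1 if any.
vzfw_lint() {
    awk '
    # is_ip(s): IPv4 address, optionally with a /prefix of 0..32
    function is_ip(s,   n, p, i, cidr, ab) {
        cidr = 32
        n = split(s, ab, "/")
        if (n > 2) return 0
        if (n == 2) { s = ab[1]; cidr = ab[2] }
        if (split(s, p, ".") != 4) return 0
        for (i = 1; i <= 4; i++) if (p[i] !~ /^[0-9]+$/ || p[i] > 255) return 0
        return (cidr ~ /^[0-9]+$/ && cidr <= 32)
    }
    BEGIN { inblk = 0; closed = 0; sect = "top"; bad = 0 }
    /^#FIREWALL="/ { inblk = 1; next }
    inblk && /^#"[ \t]*$/ { inblk = 0; closed = 1; next }
    inblk {
        if (substr($0, 1, 1) != "#") {
            print NR ": line inside FIREWALL block is not commented with #"
            bad = 1; line = $0
        } else {
            line = substr($0, 2)
        }
        sub(/^[ \t]+/, "", line); sub(/[ \t]+$/, "", line)
        if (line == "" || substr(line, 1, 1) == "#") next      # blank or remark
        if (substr(line, 1, 1) == "[") {
            if (line == "[CUSTOM]") sect = "custom"
            else if (line ~ /^\[((tcp|udp):)?[0-9]+(,[0-9]+)*\]$/) sect = "ports"
            else { print NR ": malformed section header " line; bad = 1 }
            next
        }
        if (sect == "custom") {
            if (line !~ /^-[AI] /) { print NR ": CUSTOM line is not an iptables -A/-I rule: " line; bad = 1 }
            next
        }
        if (line == "*") {
            # "*" above the first [port] section means every port to everyone.
            if (sect == "top") { print NR ": \"*\" before any [port] section opens ALL ports to everyone"; bad = 1 }
            next
        }
        if (line ~ "^[0-9./]+$") {
            if (!is_ip(line)) { print NR ": bad IPv4 address or prefix " line; bad = 1 }
            next
        }
        if (line ~ /^[A-Za-z0-9][A-Za-z0-9-]*(\.[A-Za-z0-9][A-Za-z0-9-]*)+$/) next
        print NR ": unrecognised source " line; bad = 1
    }
    END {
        if (inblk) { print "FIREWALL block never closed with #\""; bad = 1 }
        else if (!closed) { print "no #FIREWALL=\" ... #\" block found"; bad = 1 }
        exit bad
    }' "$1"
}

# vzfw_apply CONF: refuse to touch iptables unless the config lints clean.
# "vzfirewall -a" is assumed here to be the script's apply switch.
vzfw_apply() {
    vzfw_lint "$1" || { echo "fix $1 before applying" >&2; return 1; }
    vzfirewall -a
    iptables -S            # review the generated rules, not just the config
}

# Usage: sh vzfw-lint.sh /etc/vz/conf/101.conf
if [ $# -gt 0 ]; then vzfw_lint "$1"; fi
```

The linter deliberately treats a bare "*" above the first section as an error rather than a warning: in the post's format that position means "all ports from everyone", which is almost never what a container config intends. Hostnames are accepted syntactically only; whether they resolve is checked by vzfirewall when the rules are applied.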

One Response

  1. KK6JYT

    Reserved.