[Users] Public/Private IP Configuration

Galia Lisovskaya inbox at shaggy-cat.ru
Fri Jun 25 14:25:22 EDT 2010


It's a production configuration: a new server at our new customer (no
more iptables rules), which now has only 2 VEs

[root at ovz08u ~]# iptables-save
# Generated by iptables-save v1.3.5 on Fri Jun 25 22:15:25 2010
*mangle
:PREROUTING ACCEPT [30096860:20560700968]
:INPUT ACCEPT [3196055:2212663247]
:FORWARD ACCEPT [26892861:18347260347]
:OUTPUT ACCEPT [2875215:282124812]
:POSTROUTING ACCEPT [29767984:18629377161]
COMMIT
# Completed on Fri Jun 25 22:15:25 2010
# Generated by iptables-save v1.3.5 on Fri Jun 25 22:15:25 2010
*nat
:PREROUTING ACCEPT [549270:33600585]
:POSTROUTING ACCEPT [111595:6401978]
:OUTPUT ACCEPT [79429:4476860]
-A PREROUTING -d ZZ.ZZ.ZZ.ZZ -i eth0 -p udp -m udp --dport 3333 -j
DNAT --to-destination 10.X.X.1:3333
-A PREROUTING -d ZZ.ZZ.ZZ.ZZ -i eth0 -p udp -m udp --dport 3333 -j
DNAT --to-destination 10.X.X.1:3333
-A POSTROUTING -o eth0 -j SNAT --to-source ZZ.ZZ.ZZ.ZZ
COMMIT
# Completed on Fri Jun 25 22:15:25 2010
# Generated by iptables-save v1.3.5 on Fri Jun 25 22:15:25 2010
*filter
:INPUT DROP [6516:703827]
:FORWARD DROP [36:2142]
:OUTPUT ACCEPT [2304969:219953742]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 10.X.X.40 -i vmbr0 -j ACCEPT
-A INPUT -s 10.X.X.40 -i eth0 -j ACCEPT
-A INPUT -s YY.YY.YY.YY -i vmbr0 -j ACCEPT
-A INPUT -s YY.YY.YY.YY -i eth0 -j ACCEPT
-A INPUT -s 10.X.X.20 -i vmbr0 -j ACCEPT
-A INPUT -s 10.X.X.20 -i eth0 -j ACCEPT
-A INPUT -s 10.X.X.0/255.255.255.0 -i vmbr0 -j ACCEPT
-A INPUT -s 10.X.X.0/255.255.255.0 -i eth0 -j ACCEPT
-A INPUT -d ZZ.ZZ.ZZ.ZZ -p udp -m udp --dport 113 -j ACCEPT
-A INPUT -d ZZ.ZZ.ZZ.ZZ -p tcp -m tcp --dport 113 -j ACCEPT
-A FORWARD -s 10.X.X.2 -o eth0 -p tcp -m tcp --dport 25 -j DROP
-A FORWARD -s 10.X.X.2 -j ACCEPT
-A FORWARD -d 10.X.X.2 -j ACCEPT
-A FORWARD -s 10.X.X.1 -o eth0 -p tcp -m tcp --dport 25 -j DROP
-A FORWARD -s 10.X.X.1 -j ACCEPT
-A FORWARD -d 10.X.X.1 -j ACCEPT
-A FORWARD -s 10.X.X.1 -o eth0 -p tcp -m tcp --dport 25 -j DROP
-A FORWARD -s 10.X.X.1 -j ACCEPT
-A FORWARD -d 10.X.X.1 -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 10.X.X.40 -i vmbr0 -j ACCEPT
-A FORWARD -s 10.X.X.40 -i eth0 -j ACCEPT
-A FORWARD -s YY.YY.YY.YY -i vmbr0 -j ACCEPT
-A FORWARD -s YY.YY.YY.YY -i eth0 -j ACCEPT
-A FORWARD -s 10.X.X.20 -i vmbr0 -j ACCEPT
-A FORWARD -s 10.X.X.20 -i eth0 -j ACCEPT
-A FORWARD -s 10.X.X.0/255.255.255.0 -i vmbr0 -j ACCEPT
-A FORWARD -s 10.X.X.0/255.255.255.0 -i eth0 -j ACCEPT
-A FORWARD -s 10.0.Z.2 -i vmbr0 -p tcp -m tcp --dport 25 -j ACCEPT
-A FORWARD -s 10.X.X.0/255.255.255.0 -i vmbr0 -p tcp -m tcp --dport 25 -j DROP
-A FORWARD -s 10.X.X.20 -i vmbr0 -p tcp -m tcp --dport 25 -j DROP
-A FORWARD -s 10.X.X.40 -i vmbr0 -p tcp -m tcp --dport 25 -j DROP
-A FORWARD -s 10.X.X.0/255.255.255.0 -i vmbr0 -p ! icmp -m state
--state INVALID -j DROP
-A FORWARD -d 10.X.X.0/255.255.255.0 -o vmbr0 -p ! icmp -m state
--state INVALID -j DROP
-A FORWARD -s 10.X.X.0/255.255.255.0 -i vmbr0 -o eth0 -j ACCEPT
-A FORWARD -d 10.X.X.0/255.255.255.0 -i vmbr0 -p icmp -j ACCEPT
-A FORWARD -s 10.X.X.0/255.255.255.0 -o vmbr0 -p icmp -j ACCEPT
-A FORWARD -s 10.X.X.20 -i vmbr0 -p ! icmp -m state --state INVALID -j DROP
-A FORWARD -d 10.X.X.20 -o vmbr0 -p ! icmp -m state --state INVALID -j DROP
-A FORWARD -s 10.X.X.20 -i vmbr0 -o eth0 -j ACCEPT
-A FORWARD -d 10.X.X.20 -i vmbr0 -p icmp -j ACCEPT
-A FORWARD -s 10.X.X.20 -o vmbr0 -p icmp -j ACCEPT
-A FORWARD -s 10.X.X.40 -i vmbr0 -p ! icmp -m state --state INVALID -j DROP
-A FORWARD -d 10.X.X.40 -o vmbr0 -p ! icmp -m state --state INVALID -j DROP
-A FORWARD -s 10.X.X.40 -i vmbr0 -o eth0 -j ACCEPT
-A FORWARD -d 10.X.X.40 -i vmbr0 -p icmp -j ACCEPT
-A FORWARD -s 10.X.X.40 -o vmbr0 -p icmp -j ACCEPT
-A FORWARD -d 10.X.X.1 -p udp -m udp --dport 3333 -j ACCEPT
-A FORWARD -s 10.10.0.0/255.255.254.0 -d 10.X.X.1 -j ACCEPT
-A FORWARD -s 10.X.X.1 -d 10.10.0.0/255.255.254.0 -j ACCEPT
-A FORWARD -s 10.X.X.1 -o eth0 -j ACCEPT
-A FORWARD -s 10.X.X.1 -j DROP
-A FORWARD -d 10.X.X.1 -j DROP
-A FORWARD -d 10.X.X.1 -p udp -m udp --dport 3333 -j ACCEPT
-A FORWARD -s 10.X.X.0/255.255.255.0 -d 10.X.X.1 -j ACCEPT
-A FORWARD -s 10.X.X.1 -d 10.X.X.0/255.255.255.0 -j ACCEPT
-A FORWARD -s 10.X.X.1 -o eth0 -j ACCEPT
-A FORWARD -s 10.X.X.1 -j DROP
-A FORWARD -d 10.X.X.1 -j DROP
-A FORWARD -s 10.X.X.2 -o eth0 -j ACCEPT
-A FORWARD -s 10.X.X.2 -j DROP
-A FORWARD -d 10.X.X.2 -j DROP
COMMIT
# Completed on Fri Jun 25 22:15:25 2010
[root at ovz08u ~]#

This VE has the IPs 10.X.X.2 and 10.X.X.1. The hardware node has one public IP.

It's an office server for our client's SOHO business.

 To generate the iptables rules, we use a System V start script, nearly like this one:

http://wiki.openvz.org/Setting_up_an_iptables_firewall

And Puppet (Puppet generates new values for the firewall script).


-- 
Galina Lisovskaya
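An added example, not code from the post above or from the OpenVZ wiki script it links to: a POSIX sh generator, in the spirit of a Puppet-templated start script, that prints an iptables-restore ruleset for the setup described (one public IP on the hardware node, VEs on a private subnet behind vmbr0, a DNAT port forward to one VE, SNAT on the way out, direct SMTP allowed for one VE only). Every address, interface name, the admin host and the forwarded port are assumed defaults chosen for illustration (203.0.113.10 stands in for ZZ.ZZ.ZZ.ZZ); override them through the environment or let Puppet template the block at the top. Two caveats from the posted dump that the generator handles: the `--dport 25 -j DROP` rules for 10.X.X.0/24, 10.X.X.20 and 10.X.X.40 near the end of the FORWARD chain come after `-j ACCEPT` rules for those same sources on vmbr0, so they are never reached (only the earlier per-VE drops for 10.X.X.1 and 10.X.X.2 take effect), and the INPUT and FORWARD chains accept the private subnet as a source on eth0, so a packet arriving from outside with a spoofed private source matches those rules unless reverse-path filtering stops it in the kernel. Here the SMTP DROP is emitted before the general egress ACCEPT, and private sources on the WAN interface are dropped.

```shell
#!/bin/sh
# Added example (not the original post's script nor the OpenVZ wiki's): prints an
# iptables-restore ruleset for an OpenVZ hardware node with a single public IP
# and VEs on a private subnet behind vmbr0.  All values below are assumed
# defaults for illustration; override them with environment variables.
PUBLIC_IP="${PUBLIC_IP:-203.0.113.10}"   # the node's one public IP (placeholder)
WAN_IF="${WAN_IF:-eth0}"
VE_IF="${VE_IF:-vmbr0}"
VE_NET="${VE_NET:-10.0.0.0/24}"          # private subnet used by the VEs
MAIL_VE="${MAIL_VE:-10.0.0.2}"           # the only VE allowed to send SMTP directly
ADMIN_IP="${ADMIN_IP:-198.51.100.7}"     # host allowed to SSH to the node (placeholder)
# Inbound port forwards, one "proto port ve_ip" triple per line.
FORWARDS="${FORWARDS:-udp 3333 10.0.0.1}"

# One DNAT rule per forward (nat/PREROUTING): public IP:port -> VE:port.
dnat_rules() {
    printf '%s\n' "$FORWARDS" | while read -r proto port ve; do
        [ -n "$ve" ] || continue
        echo "-A PREROUTING -d $PUBLIC_IP -i $WAN_IF -p $proto --dport $port -j DNAT --to-destination $ve:$port"
    done
}

# Matching FORWARD accepts: only NEW connections from the WAN side to the
# forwarded VE port; replies are covered by RELATED,ESTABLISHED.
forward_accepts() {
    printf '%s\n' "$FORWARDS" | while read -r proto port ve; do
        [ -n "$ve" ] || continue
        echo "-A FORWARD -d $ve -i $WAN_IF -o $VE_IF -p $proto --dport $port -m state --state NEW -j ACCEPT"
    done
}

# Whole ruleset in iptables-restore format.  Rule order is the policy:
# the SMTP DROP must precede the general VE->WAN ACCEPT or it is dead.
gen_rules() {
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
$(dnat_rules)
# masquerade only the VE subnet, not whatever else leaves $WAN_IF
-A POSTROUTING -s $VE_NET -o $WAN_IF -j SNAT --to-source $PUBLIC_IP
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
# anti-spoofing: the private subnet never legitimately arrives on the WAN side
-A INPUT -s $VE_NET -i $WAN_IF -j DROP
-A INPUT -s $VE_NET -i $VE_IF -j ACCEPT
-A INPUT -s $ADMIN_IP -i $WAN_IF -p tcp --dport 22 -m state --state NEW -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -m state --state INVALID -j DROP
-A FORWARD -s $VE_NET -i $WAN_IF -j DROP
# SMTP egress: one mail VE may send, every other VE is stopped here
-A FORWARD -s $MAIL_VE -i $VE_IF -o $WAN_IF -p tcp --dport 25 -j ACCEPT
-A FORWARD -s $VE_NET -i $VE_IF -o $WAN_IF -p tcp --dport 25 -j DROP
# general VE -> Internet egress (must come after the SMTP rules)
-A FORWARD -s $VE_NET -i $VE_IF -o $WAN_IF -j ACCEPT
$(forward_accepts)
COMMIT
EOF
}

# "sh genfw.sh print | iptables-restore" applies the ruleset; without an
# argument the file only defines the functions.
case "${1-}" in
    print) gen_rules ;;
esac
```

Generate once into a file, review the diff against the running ruleset (`iptables-save`), and only then load it with `iptables-restore`; on iptables versions that support `iptables-restore --test` the file can be parsed without committing it first. Because every rule is rebuilt from the variables at the top, there is no way to end up with the duplicated DNAT and per-VE entries that accumulate when rules are appended by hand.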