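#!/bin/sh
#
# rc.local
#
# This script is executed at the end of each multiuser runlevel.
# Make sure that the script will "exit 0" on success or any other
# value on error.
#
# In order to enable or disable this script just change the execution
# bits.
#
# Sets up the br0 bridge for the LXC guests and installs the NAT/filter
# rules that force all guest traffic through the proxies on this host
# (and, for port 9003 only, to the dataproxy box).
# Requires root plus iptables, brctl (bridge-utils), ifconfig and sysctl.
#
# Abort on the first failing command.  Set here rather than in the shebang so
# the option survives being invoked as "sh /etc/rc.local".
set -e

# Where our dataproxy is (filled in by the config template at deploy time)
DATAPROXY_IP=<%= datastore_host_ip %>
# Refuse to continue with an empty address: the rules below that mention
# $DATAPROXY_IP would otherwise be installed with a missing argument.
: "${DATAPROXY_IP:?DATAPROXY_IP must be set}"
# What the IP of the host on the LXCs internal network is - this will serve all
# the http/https/ftpproxy and DNS, and acts as route for the networking from
# inside the LXCs
HOST_IP_ON_BRIDGE=10.0.0.1
readonly DATAPROXY_IP HOST_IP_ON_BRIDGE

# Create the bridge only if it does not exist yet: "brctl addbr" fails on an
# existing bridge, which under "set -e" would abort the script before a single
# firewall rule is installed.
if [ ! -d "/sys/class/net/br0" ]; then
  brctl addbr br0
fi
brctl setfd br0 0
ifconfig br0 "$HOST_IP_ON_BRIDGE" up

# Clear all existing firewall rules
iptables -t nat -F
iptables -F

# NAT general HTTP/HTTPS/FTP traffic to the (local) httpproxy/httpsproxy/ftpproxy
iptables -t nat -A PREROUTING -i br0 -p tcp --dport 80        -j DNAT --to-destination "$HOST_IP_ON_BRIDGE:9005" # HTTP
iptables -t nat -A PREROUTING -i br0 -p tcp --dport 8080      -j DNAT --to-destination "$HOST_IP_ON_BRIDGE:9005" # HTTP
iptables -t nat -A PREROUTING -i br0 -p tcp --dport 7777:7877 -j DNAT --to-destination "$HOST_IP_ON_BRIDGE:9005" # Oracle HTTP
iptables -t nat -A PREROUTING -i br0 -p tcp --dport 5000      -j DNAT --to-destination "$HOST_IP_ON_BRIDGE:9005" # Webstore HTTP
iptables -t nat -A PREROUTING -i br0 -p tcp --dport 443       -j DNAT --to-destination "$HOST_IP_ON_BRIDGE:9006" # HTTPS
iptables -t nat -A PREROUTING -i br0 -p tcp --dport 21        -j DNAT --to-destination "$HOST_IP_ON_BRIDGE:9004" # FTP

# Traffic for dataproxy (port 9003) routes to another box on port 9003.
# MASQUERADE only rewrites the source address; the kernel actually routes the
# packets once net.ipv4.ip_forward is enabled, which is done last (see below).
iptables -t nat -A POSTROUTING -p tcp --dport 9003 --destination "$DATAPROXY_IP" -j MASQUERADE

# Block any new TCP/IP connections going anywhere else.
# Connections that terminate on this host traverse INPUT; connections the host
# routes on a guest's behalf (the dataproxy on another box) traverse FORWARD.
# Both chains get the same allow-list + DROP, otherwise enabling ip_forward
# would let a guest open TCP connections to arbitrary hosts via the bridge.
iptables -A INPUT   -i br0 -p tcp --syn -d "$HOST_IP_ON_BRIDGE" --dport 9004 -j ACCEPT # FTP proxy
iptables -A INPUT   -i br0 -p tcp --syn -d "$HOST_IP_ON_BRIDGE" --dport 9005 -j ACCEPT # HTTP proxy
iptables -A INPUT   -i br0 -p tcp --syn -d "$HOST_IP_ON_BRIDGE" --dport 9006 -j ACCEPT # HTTPS proxy
iptables -A INPUT   -i br0 -p tcp --syn -d "$DATAPROXY_IP"      --dport 9003 -j ACCEPT # Dataproxy (only hit if it is a local address)
iptables -A INPUT   -i br0 -p tcp --syn -j DROP
iptables -A FORWARD -i br0 -p tcp --syn -d "$DATAPROXY_IP"      --dport 9003 -j ACCEPT # Dataproxy on another box
iptables -A FORWARD -i br0 -p tcp --syn -j DROP

# Allow UDP packets for DNS only to $HOST_IP_ON_BRIDGE and back, and no other UDP packets
# See http://www.cyberciti.biz/tips/linux-iptables-12-how-to-block-or-open-dnsbind-service-port-53.html
iptables -A INPUT  -p udp -s 0/0 --sport 1024:65535 -d "$HOST_IP_ON_BRIDGE" --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p udp -s "$HOST_IP_ON_BRIDGE" --sport 53 -d 0/0 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
iptables -A INPUT  -p udp -s 0/0 --sport 53 -d "$HOST_IP_ON_BRIDGE" --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p udp -s "$HOST_IP_ON_BRIDGE" --sport 53 -d 0/0 --dport 53 -m state --state ESTABLISHED -j ACCEPT
iptables -A INPUT   -i br0 -p udp -j DROP
iptables -A FORWARD -i br0 -p udp -j DROP

# Debugging - show all:
iptables -t nat -L -v
iptables -L -v

# Enable routing exactly once, and only now that the FORWARD rules are in
# place, so there is no window in which guest packets are forwarded unfiltered.
sysctl -w net.ipv4.ip_forward=1

exit 0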