Netfilter is a framework provided by Linux that allows various networking-related operations. There are a number of frameworks for firewall management, such as iptables (manages IPv4 packets), ip6tables (manages IPv6 packets), and ebtables (manages Ethernet bridges).
How it works
VMmanager uses standard ebtables rules pre-installed by libvirt. Restarting libvirtd will restart all the frameworks for netfilter.
When a cluster node is added, VMmanager creates the /etc/vmmgr/iptables.rules.d and /etc/vmmgr/ip6tables.rules.d directories on it and adds the files with iptables and ip6tables rules to those directories. The files are overwritten when the panel restarts. The rules are loaded in an order defined by the first two symbols of the file name (00-99). E.g., 123 means that the rule will be handled 23rd in succession; _21 means that the system will handle it after 99.
Files have the following names:
NN_name.rule
The file contains iptables rules that will be executed one by one.
Standard rules
cat /etc/vmmgr/iptables.rules.d/00_prepare.rule
# ISPsystem firewall rules
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-F INPUT
-F FORWARD
cat /etc/vmmgr/iptables.rules.d/20_vmmgr.rule
# ISPsystem firewall rules
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m multiport --dport 111,662,892,1515,2049,32803 -j ACCEPT
-A INPUT -p udp -m multiport --dport 662,892,2049,32769 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 5900:6900 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 15900:16900 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 49152:49261 -j ACCEPT
cat /etc/vmmgr/ip6tables.rules.d/00_prepare.rule
# ISPsystem firewall rules
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-F INPUT
-F FORWARD
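An added example (not ISPsystem's code) that audits rule files in the format shown above: it reports the default chain policies and every ACCEPT rule that opens ports to any source address, with the number of ports each rule exposes. The function names and the embedded copy of the two IPv4 files are assumptions made for the illustration.

```python
import shlex

# Constructed sample: the two IPv4 rule files shown on this page, keyed by file name.
SAMPLE = {
    "20_vmmgr.rule": """# ISPsystem firewall rules
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m multiport --dport 111,662,892,1515,2049,32803 -j ACCEPT
-A INPUT -p udp -m multiport --dport 662,892,2049,32769 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 5900:6900 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 15900:16900 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 49152:49261 -j ACCEPT
""",
    "00_prepare.rule": """# ISPsystem firewall rules
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-F INPUT
-F FORWARD
""",
}

def opt(tok, flag):
    """Value following an option such as '-p' or '--dport', or None if absent."""
    return tok[tok.index(flag) + 1] if flag in tok else None

def port_count(spec):
    """Number of ports in a --dport value such as '111,662' or '5900:6900'."""
    total = 0
    for part in spec.split(","):
        lo, _, hi = part.partition(":")
        total += int(hi or lo) - int(lo) + 1
    return total

def audit(files):
    """Return (default policies, ACCEPT port rules that match any source address)."""
    policies, open_rules = {}, []
    for name in sorted(files):  # walk files in name order: 00_ before 20_
        for line in files[name].splitlines():
            tok = shlex.split(line, comments=True)  # drops '#' comment lines
            if tok[:1] == ["-P"]:
                policies[tok[1]] = tok[2]
            elif tok[:1] == ["-A"] and opt(tok, "-j") == "ACCEPT":
                spec = opt(tok, "--dport")
                if spec and not (opt(tok, "-s") or opt(tok, "--source")):
                    open_rules.append((name, opt(tok, "-p"), spec, port_count(spec)))
    return policies, open_rules

if __name__ == "__main__":
    for finding in audit(SAMPLE)[1]:
        print("accepts any source:", finding)
```

To audit a node instead of the sample, build the dictionary from the *.rule files in /etc/vmmgr/iptables.rules.d and pass it to audit().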
Adding rules
To add a custom rule in VMmanager, navigate to Cluster settings → Firewall → Add. You can also add rules by creating files manually.