[one-users] Dynamic firewall like Amazon

Ruben S. Montero rubensm at dacya.ucm.es
Tue Feb 1 13:44:43 PST 2011


Hi,

It is easy to mimic the EC2 security groups in OpenNebula. As said before in
this thread, OpenNebula can be adapted to your network architecture. I'll
give you a couple of hints here and let us know if you need more help:


   - Let's assume that your VMs are connected to the Internet through a
   predefined *network* named *"Public"*. The network is defined as usual in
   OpenNebula.
   - VMs attached to this network do have access to the Internet and are
   given a public IP. Let's assume that you place a VM in that network and
   only connections to TCP ports 22 and 80 are allowed. The *VM template* to
   get a lease from that network could be

...
NIC = [ NETWORK = "Public", IN_TCP_PORTS = "22 80" ]
...


   - Now you have to configure a hook that automatically sets an iptables
   rule for the VM interface attached to the bridge used by that network (we
   are setting the firewall from the outside). You have to pass the ports you
   want to open; the *hook in oned.conf* would be:

...
VM_HOOK = [
    name      = "myiptables",
    on        = "running",
    command   = "/srv/cloud/one/share/hooks/myiptables",
    arguments = '$NIC[IN_TCP_PORTS, Network = "Public"]',
    remote    = "yes" ]
...


   - You have to *develop the myiptables* script, which should be placed in
   your hosts in the cluster (the remotes location is a good place). You can
   use the $ONE_LOCATION/share/hooks/ebtables script as a starting point. You
   have Xen and KVM versions.
   - *Final touches*, you may need some configuration: the hooks are
   executed by oneadmin, so you may need to grant oneadmin access to some
   network utils in the /etc/sudoers file. Also, you probably want to remove the
   rules when the VM is shut down; there is also an ebtables_flush script that
   you can use as inspiration to create another VM hook. Take a look at the
   Network guide to get an idea of the overall process [1].

Also, you can do this through the CONTEXT section. In this case the firewall
is set from the inside. Drawbacks are: the solution is OS specific and firewall
rules can be bypassed (either intentionally or not). In this case you have
to create a script that creates the firewall configuration of the VM.
Setting the specific ports in a VM template could look like:

CONTEXT = [ IN_TCP_PORTS = "22 80" ]

But this is just the easy part; you have to prepare the context scripts to
deal with the OUT_TCP_PORTS variable [1].

Just a final thought: Eucalyptus and maybe others provide this
out-of-the-box, but the price of this is too high, IMHO. OpenNebula does not
require any specific network setup in your hosts, and it gives you more
flexibility (i.e. multiple NICs on a VM attached to different networks).
Trying to cover as many hardware configurations as possible prevents some
straightforward configurations. Nevertheless, balance is always a desirable
state. Do you think that we should include this in the distro +
documentation?

Cheers

Ruben

REFERENCES
[1] http://www.opennebula.org/documentation:rel2.0:nm
[2] http://www.opennebula.org/documentation:rel2.0:cong


On Tue, Feb 1, 2011 at 8:12 PM, Toens Bueker <
toens.bueker at lists0903.nurfuerspam.neuroserve.de> wrote:

> Zeeshan Ali Shah <zashah at pdc.kth.se> wrote:
>
> > No firewall yet, that is, I am asking how to put a mechanism like the
> > Security Group of Amazon, preferably without any HW (if possible)
>
> OpenNebula's components allow you to implement and manage virtual
> networks on physical infrastructure.
>
> I'm not really sure where a "NATing device" should be implemented. As
> you use the Xen hypervisor you could implement routed (not bridged)
> network interfaces.
>
> But that is not an issue, which would be solved in a management
> software component like OpenNebula (as there are so many possibilities
> to implement such a solution).
>
> If you have a solution for your problem, I'm sure it should be
> possible to adapt OpenNebula to it.
>
> Regards,
> Töns
> --
> There is no safe distance.
> _______________________________________________
> Users mailing list
> Users at lists.opennebula.org
> http://lists.opennebula.org/listinfo.cgi/users-opennebula.org
>



-- 
Dr. Ruben Santiago Montero
Associate Professor (Profesor Titular), Complutense University of Madrid

URL: http://dsa-research.org/doku.php?id=people:ruben
Weblog: http://blog.dsa-research.org/?author=7
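One way the "myiptables" hook described in the message above could be written, as an added example that is not OpenNebula's own ebtables script nor code from this thread. It assumes oned passes the VM ID as $1 and the IN_TCP_PORTS value as $2, and that the VM's tap device on the bridge is named "vnet<VMID>"; rule generation is separated from rule application so the rule set can be inspected before it is applied on the host.

```sh
#!/bin/sh
# Added example of the "myiptables" hook; not the ebtables script that ships
# with OpenNebula. Assumed argument order from the VM_HOOK definition:
#   $1 = VM ID, $2 = IN_TCP_PORTS value (e.g. "22 80")
# Assumption: the VM's tap device on the bridge is named "vnet<VMID>".
# Bridged frames only traverse the iptables FORWARD chain when the host has
# net.bridge.bridge-nf-call-iptables=1, so check that sysctl on every host.
set -eu

# Print the iptables commands for one VM interface without running them.
# Layout: one chain per VM hung off FORWARD via a physdev match, which keeps
# rules for different VMs apart and makes removal at shutdown a matter of
# unlinking and deleting that chain.
gen_rules() {
    iface=$1; ports=$2; chain="vm-$iface"
    for p in $ports; do                      # accept only integers 1-65535
        case $p in ''|*[!0-9]*) echo "bad port: $p" >&2; return 1 ;; esac
        [ "$p" -ge 1 ] && [ "$p" -le 65535 ] || { echo "bad port: $p" >&2; return 1; }
    done
    echo "iptables -N $chain"
    echo "iptables -I FORWARD -m physdev --physdev-out $iface -j $chain"
    # replies to connections the VM opened itself
    echo "iptables -A $chain -m state --state ESTABLISHED,RELATED -j ACCEPT"
    for p in $ports; do
        echo "iptables -A $chain -p tcp --dport $p -j ACCEPT"
    done
    echo "iptables -A $chain -j DROP"        # everything else towards the VM
}

# Counterpart for a shutdown hook (same role as ebtables_flush): unlink and
# delete the VM's chain so no stale rules survive the VM.
gen_flush() {
    iface=$1; chain="vm-$iface"
    echo "iptables -D FORWARD -m physdev --physdev-out $iface -j $chain"
    echo "iptables -F $chain"
    echo "iptables -X $chain"
}

# Hook entry point: runs only when called by oned with both arguments.
# The hook runs as oneadmin, hence sudo (grant it iptables in /etc/sudoers).
if [ $# -eq 2 ]; then
    gen_rules "vnet$1" "$2" | while read -r cmd; do sudo $cmd; done
fi
```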

