Mastering Proxmox - Second Edition

Product type: Book
Published in: May 2016
Publisher: Packt
ISBN-13: 9781785888243
Pages: 418
Edition: 2nd Edition
Author: Wasim Ahmed

Table of Contents (21) Chapters

Mastering Proxmox - Second Edition
Credits
About the Author
About the Reviewer
www.PacktPub.com
Preface
1. Understanding Proxmox VE and Advanced Installation
2. Exploring the Proxmox GUI
3. Proxmox under the Hood
4. Storage Systems
5. KVM Virtual Machines
6. LXC Virtual Machines
7. Network of Virtual Networks
8. The Proxmox Firewall
9. Proxmox High Availability
10. Backup/Restore VMs
11. Updating and Upgrading Proxmox
12. Monitoring a Proxmox Cluster
13. Proxmox Production-Level Setup
14. Proxmox Troubleshooting
Index

Chapter 8. The Proxmox Firewall

The Proxmox VE firewall is a security feature that allows easy and effective protection of a virtual environment for both internal and external network traffic. By leveraging this firewall, we can protect VMs, host nodes, or the entire cluster by creating firewall rules. By creating rules at the virtual machine level, we can fully isolate VM-to-VM network traffic as well as traffic between VMs and external networks. Prior to the Proxmox VE firewall, security and isolation were not possible at the hypervisor level. In this chapter, we will cover the following topics of the Proxmox VE firewall:

  • Exploring the Proxmox VE firewall

  • Configuring the cluster firewall rules

  • Configuring the host firewall rules

  • Configuring the VM firewall rules

  • Integrating a Suricata IPS

  • Enabling the IPv6 firewall

  • Firewall CLI commands

Exploring the Proxmox VE firewall


The Proxmox VE firewall leverages iptables on each Proxmox node for protection. iptables is the utility used to manage the rule tables of the Linux kernel firewall. All firewall rules and configurations are stored in the Proxmox cluster filesystem, thus allowing a distributed firewall system in the Proxmox cluster. The pve-firewall service that Proxmox runs on each node reads the rules and configurations from the cluster filesystem and automatically adjusts the local iptables. Rules can be fully created and maintained through the Proxmox GUI or CLI. The Proxmox firewall can be used in place of a virtualized firewall in the cluster.

Note

Although the Proxmox firewall provides excellent protection, it is highly recommended that you have a physical firewall for the entire network. This firewall is also known as an edge firewall since it sits at the main entry point from the Internet. The Internet connection should not be directly connected to Proxmox nodes...

Configuring the Datacenter-specific firewall


As mentioned earlier, Datacenter-specific firewall rules affect all resources, such as cluster, nodes, and virtual machines. Any rules created in this zone are cascaded to both hosts and VMs. This zone is also used to fully lock down a cluster to drop all incoming traffic and then only open what is required. In a freshly installed Proxmox cluster, the Datacenter-wide firewall option is disabled.

Note

CAUTION! Attention must be given to this section to prevent a full cluster lockout.

Configuring the Datacenter firewall through the GUI

The following screenshot shows the firewall option for the Datacenter zone through the Options tab by navigating to Datacenter | Firewall | Options:

As we can see in the preceding screenshot, the Proxmox firewall for the Datacenter zone is disabled by default, with Input Policy set to Drop and Output Policy set to Accept. If we enabled this firewall option right now, all inbound access would be denied. You would...
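To make the lockout caution concrete, here is an added example (not code from the book or from the Proxmox project) that parses a constructed Datacenter firewall file in the layout of /etc/pve/firewall/cluster.fw and flags the combination that would deny all inbound access: firewall enabled, Input Policy DROP, and no rule admitting SSH (port 22) or the web GUI (port 8006) from a management network. The sample file contents, the 10.0.0.0/24 management subnet, and the function names are assumptions made for this example.

```python
# Constructed sample in the format of /etc/pve/firewall/cluster.fw (the Datacenter
# zone file); written for this example, not copied from a live cluster.
SAFE_CLUSTER_FW = """\
[OPTIONS]
enable: 1
policy_in: DROP
policy_out: ACCEPT
[RULES]
IN SSH(ACCEPT) -source 10.0.0.0/24
IN ACCEPT -p tcp -dport 8006 -source 10.0.0.0/24
"""
LOCKOUT_CLUSTER_FW = SAFE_CLUSTER_FW.split("[RULES]")[0]  # enabled, but no rules
MGMT_PORTS = {"22", "8006"}  # SSH and the Proxmox web GUI

def parse_fw(text):
    """Split a .fw file into its [OPTIONS] dict and its list of [RULES] lines."""
    options, rules, section = {}, [], None
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].upper()
        elif section == "OPTIONS" and ":" in line:
            key, value = line.split(":", 1)
            options[key.strip()] = value.strip()
        elif section == "RULES":
            rules.append(line)
    return options, rules

def accepted_inbound_ports(rules):
    """TCP ports opened by IN ... ACCEPT rules (the SSH macro counts as port 22)."""
    ports = set()
    for rule in rules:
        parts = rule.split()
        if len(parts) < 2 or parts[0].upper() != "IN" or "ACCEPT" not in parts[1].upper():
            continue
        if parts[1].upper().startswith("SSH("):
            ports.add("22")
        if "-dport" in parts:
            ports.update(parts[parts.index("-dport") + 1].split(","))
    return ports

def lockout_risk(text):
    """True when enabled with policy_in DROP and no rule opens every management port."""
    options, rules = parse_fw(text)
    enabled = options.get("enable", "0") == "1"
    drops_in = options.get("policy_in", "DROP").upper() == "DROP"
    return enabled and drops_in and not MGMT_PORTS <= accepted_inbound_ports(rules)
```

The host zone file (/etc/pve/nodes/<node>/host.fw) and the VM zone files (/etc/pve/firewall/<vmid>.fw) use the same [OPTIONS] and [RULES] layout, so the same check can be run against them.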

Configuring a host-specific firewall


Any rules created in the host zone apply only to the node where the rule is created and to the VMs on that host node. Rules for one node are not replicated to the other nodes, although the rule files are stored in the Proxmox cluster filesystem. There are no options to create IPSets or Security Groups in the host zone; we can only create firewall rules. The following screenshot shows the Firewall feature for the host node pm4-1 in our example cluster:

Creating host firewall rules

The process of creating new rules for the Host zone is identical to the rule creation process that we have already discussed in the Configuring a datacenter-specific firewall section earlier in this chapter. Besides creating rules from scratch, we can also assign predefined rules in the form of a Security Group to a node. We cannot create a new Security Group under the host firewall menu, but we can assign it some predefined rules. For example, earlier in this chapter...

Configuring a VM-specific firewall


Rules created for a VM apply only to that particular virtual machine. Even when the virtual machine is moved to a different node, the firewall follows the VM throughout the cluster. No rules cascade from this zone. Under the VM firewall feature, we can create Rules, Aliases, and IPSets, but we cannot create a Security Group. Firewall management is the same for both KVM virtual machines and LXC containers. We can reach the firewall feature of a VM by navigating to the VM | Firewall tab menu. The following screenshot shows the firewall feature of our example VM #112:

Creating VM firewall rules

The process of creating new rules for a VM is identical to the rule creation process that we have already seen in the Configuring the Datacenter firewall through the CLI section earlier in this chapter. Besides creating rules from scratch, we can also assign predefined rules in the form of a Security Group to a VM. The preceding screenshot shows...

Integrating a Suricata IDS/IPS


The security protection of the Proxmox VE firewall can be further enhanced by configuring an intrusion detection and prevention system such as Suricata. It is a high-performance IDS/IPS engine that is able to protect a virtual machine by rejecting traffic that represents a possible intrusion. Currently, Snort and Suricata are the two mainstream open source IDS/IPS engines available, among a few others. One of the primary advantages of Suricata is that it is multithreaded, whereas Snort is single-threaded. Suricata is under rapid development and is gaining popularity fast in the security community.

By default, Suricata is not installed on a Proxmox node; it needs to be manually installed and configured. As of Proxmox VE 4.1, Suricata can only be used to protect a virtual machine, not the Proxmox host nodes.

Note

Do not try to manually download the Suricata package from any other source other than the Proxmox repository and install it on the Proxmox node. It may break the system. Always...

Summary


In this chapter, we learned about one of the most powerful features of Proxmox, the built-in firewall. We learned what it is and how to implement it to protect the entire cluster, Proxmox host nodes, and virtual machines. We learned how to manage the firewall rules and configuration using both the GUI and the CLI. Proxmox adds security where it is needed the most. By leveraging flexible and granular firewall protection at the hypervisor level, we are now able to have a better-secured cluster.

In the next chapter, we are going to learn about the Proxmox High Availability feature for VMs, which has been completely redesigned from the ground up. The new changes have brought higher stability while making management and configuration a much simpler task.
