VMmanager 5 OVZ: Administrator guide

Firewall

Netfilter is the framework in the Linux kernel that provides packet filtering and other networking-related operations. Several user-space tools manage firewall rules on top of it, such as iptables (IPv4 packets), ip6tables (IPv6 packets), and ebtables (Ethernet bridges).

How it works

When adding a cluster node, VMmanager creates the /usr/local/mgr5/etc/iptables.rules.d and /usr/local/mgr5/etc/ip6tables.rules.d directories on that node and places the files with iptables and ip6tables rules into them. The files are overwritten when the panel restarts. The rules are loaded in an order defined by the first two characters of the file name (00-99). E.g., 123 means that the rule will be processed 23rd in succession; _21 means that the system will process it after 99.

Files have the following names:

NN_name.rule

On Debian, the iptables-save and iptables-restore commands are used to save the iptables and ip6tables rules and re-apply them automatically after a server restart. In the /etc/network/if-up.d/ directory the system creates a script that is executed automatically when the network interface is brought up and runs the iptables-restore command.

Standard rules

When you install VMmanager and add a cluster node, the following iptables rules for the control panel's modules and services are added:

iptables -I FORWARD -p all -j ACCEPT
ip6tables -I FORWARD -p all -j ACCEPT
iptables -I INPUT 1 -p tcp --dport 111 -j ACCEPT
iptables -I INPUT 2 -p udp --dport 111 -j ACCEPT
iptables -I INPUT 3 -p tcp --dport 2049 -j ACCEPT
iptables -I INPUT 4 -p udp --dport 2049 -j ACCEPT
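The file-ordering rule described under "How it works" and the standard rules' use of -I interact: rule files are processed in name order, but -I inserts each rule at the head of the chain (or at the given position), so a rule from a file processed later can end up above a rule from an earlier file, while -A appends to the bottom. The dry-run simulator below is an added illustration, not VMmanager's own code. It assumes that rule files are processed in byte-wise (C locale) name order, which agrees with the guide's statement that _21 is processed after 99; it never invokes iptables itself. The directory, the file names, and every rule except the standard ones quoted above are constructed for the example.

```shell
#!/bin/sh
# Added example, not VMmanager's own code: dry-run simulation of how the
# files in a *.rules.d directory would build an iptables chain. Assumes
# byte-wise (C locale) ordering of file names, matching the guide's
# statement that "_21" is processed after "99". No iptables binary is run.

# rule_file_order DIR: print the rule files in the order they are processed.
rule_file_order() {
    ( cd "$1" && ls -1 | LC_ALL=C sort )
}

# simulate_chain DIR CHAIN [TOOL]: replay every "<TOOL> -I CHAIN [pos] ..."
# and "<TOOL> -A CHAIN ..." line from the files, in file order, against a
# simulated chain and print the resulting top-to-bottom list as
# "<file>: <rule>". TOOL defaults to iptables; use ip6tables for the v6 set.
simulate_chain() {
    dir=$1
    chain=$2
    tool=${3:-iptables}
    files=$(rule_file_order "$dir" | sed "s|^|$dir/|")
    [ -n "$files" ] || return 0
    # shellcheck disable=SC2086  # the file list is intentionally word-split
    awk -v chain="$chain" -v tool="$tool" '
        $1 != tool { next }
        {
            action = ""; pos = 0; rule = ""
            for (i = 2; i <= NF; i++) {
                if (action == "" && ($i == "-I" || $i == "-A") && $(i + 1) == chain) {
                    action = $i; i++
                    # -I may carry a 1-based position right after the chain name
                    if (action == "-I" && $(i + 1) ~ /^[0-9]+$/) { pos = $(i + 1) + 0; i++ }
                } else if (action != "") {
                    rule = (rule == "" ? $i : rule " " $i)
                }
            }
            if (action == "") next                 # line is for another chain
            fname = FILENAME; sub(/.*\//, "", fname)
            entry = fname ": " rule
            if (action == "-A") {
                r[++n] = entry                     # -A appends at the bottom
            } else {
                if (pos == 0) pos = 1              # -I without a number means position 1
                if (pos > n + 1) pos = n + 1       # real iptables rejects this; clamp for the dry run
                for (j = n; j >= pos; j--) r[j + 1] = r[j]
                r[pos] = entry; n++
            }
        }
        END { for (j = 1; j <= n; j++) print r[j] }
    ' $files
}

# make_sample_rules: build a constructed rules.d directory and print its path.
make_sample_rules() {
    d=$(mktemp -d)
    # 10_*: the standard rules quoted in the guide
    cat > "$d/10_standard.rule" <<'EOF'
iptables -I FORWARD -p all -j ACCEPT
ip6tables -I FORWARD -p all -j ACCEPT
iptables -I INPUT 1 -p tcp --dport 111 -j ACCEPT
iptables -I INPUT 2 -p udp --dport 111 -j ACCEPT
iptables -I INPUT 3 -p tcp --dport 2049 -j ACCEPT
iptables -I INPUT 4 -p udp --dport 2049 -j ACCEPT
EOF
    # 20_*, 30_*: constructed administrator rules, appended in file order
    printf '%s\n' 'iptables -A INPUT -p tcp --dport 22 -j ACCEPT' > "$d/20_ssh.rule"
    printf '%s\n' 'iptables -A INPUT -j DROP' > "$d/30_drop.rule"
    # _21_*: "_" sorts after "99" in byte order, so this file is processed last,
    # yet its -I rule still lands at the very top of the chain
    printf '%s\n' 'iptables -I INPUT -p tcp --dport 443 -j ACCEPT' > "$d/_21_late.rule"
    printf '%s\n' "$d"
}

# Demo run: prints the simulated INPUT chain for the constructed directory.
demo=$(make_sample_rules)
simulate_chain "$demo" INPUT
rm -rf "$demo"
```

Running the demo shows the rule from _21_late.rule first, the four standard rules next, and the appended SSH accept and DROP rules last: the position of a rule in the chain depends on both the file name prefix and whether the rule uses -I or -A, which is worth checking before placing a catch-all DROP in a numbered file.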

Adding rules

To add a rule, navigate to Cluster settings → Firewall → Add.

Note
Do not change or delete the standard rules, as they can be overwritten after VMmanager updates.