RHV: How to customize the Host's firewall rules?
Environment
- Red Hat Virtualization 3.5, 3.6, 4.x
- Red Hat Virtualization Host
- Red Hat Enterprise Linux Host
Issue
- I need to customize RHV firewall (iptables) rules.
- How do I save the rules so that they persist across a reboot?
- This needs to be done in a manageable way.
Resolution
The resolution depends on the Cluster Level. If the cluster level is 4.1 or lower, iptables rules are used. If it is 4.2 or higher, firewalld is used. If there are clusters at both the 4.1 and 4.2+ levels, both settings can coexist. Therefore:
| Cluster Level | Firewall Rules |
|---|---|
| 4.1 and lower | iptables |
| 4.2 and higher | firewalld |
Please check the Cluster Level and then choose one of the solutions below.
Cluster Level 4.2 and higher: firewalld
1. SSH to RHV-M.
2. Add an ansible task configuring firewalld at the end of the following file:
/etc/ovirt-engine/ansible/ovirt-host-deploy-post-tasks.yml
For example:
$ cat << EOF >> /etc/ovirt-engine/ansible/ovirt-host-deploy-post-tasks.yml
> ---
> - name: Enable custom firewall port
>   firewalld:
>     port: "12345/tcp"
>     permanent: yes
>     immediate: yes
>     state: enabled
>
> - name: Print debug information
>   debug:
>     msg: "My custom tasks was successfully executed!"
> EOF
From this point on, all newly installed hosts will be configured with the new rules. For existing hosts, switch the host to Maintenance Mode, click Reinstall, make sure Automatically configure host firewall (Firewall Managed by RHV-M) is checked, then activate the host again.
NOTE: Direct rules are not supported by the firewalld Ansible module. Rules of that kind must be set manually on each host after installation/addition.
For example, the following rule redirects ICMP traffic destined for @gateway-ip@ back to localhost:
# firewall-cmd --permanent --direct --add-rule ipv4 nat OUTPUT 0 -p icmp -d @gateway-ip@ -j DNAT --to-destination 127.0.0.1
Cluster Level 4.1 and lower: iptables
1. SSH to RHV-M.
2. Check the default rules:
# engine-config -g IPTablesConfig
IPTablesConfig:
# oVirt default firewall configuration. Automatically generated by vdsm bootstrap script.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
# vdsm
-A INPUT -p tcp --dport @VDSM_PORT@ -j ACCEPT
# ovirt-imageio-daemon
-A INPUT -p tcp --dport 54322 -j ACCEPT
# rpc.statd
-A INPUT -p tcp --dport 111 -j ACCEPT
-A INPUT -p udp --dport 111 -j ACCEPT
# SSH
-A INPUT -p tcp --dport @SSH_PORT@ -j ACCEPT
# snmp
-A INPUT -p udp --dport 161 -j ACCEPT
# Cockpit
-A INPUT -p tcp --dport 9090 -j ACCEPT
@CUSTOM_RULES@
# Reject any other input traffic
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -m physdev ! --physdev-is-bridged -j REJECT --reject-with icmp-host-prohibited
COMMIT
version: general
3. Add your custom rule in IPTablesConfigSiteCustom:
# engine-config -s IPTablesConfigSiteCustom="-A INPUT -s 192.168.200.1/32 -j DROP"
4. Check your custom rule:
# engine-config -g IPTablesConfigSiteCustom
IPTablesConfigSiteCustom: -A INPUT -s 192.168.200.1/32 -j DROP
version: general
5. Restart ovirt-engine.
- RHEL 7 (RHV 4.x)
# systemctl restart ovirt-engine
- RHEL 6 (RHV 3.x)
# service ovirt-engine restart
From this point on, all newly installed hosts will be configured with the new rules. For existing hosts, switch the host to Maintenance Mode, click Reinstall, make sure Automatically configure host firewall (Firewall Managed by RHV-M) is checked, then activate the host again.
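Note where the custom text lands in the default template above: @CUSTOM_RULES@ sits after all the default ACCEPT rules and just before the final REJECT, and iptables takes the first matching rule. A source-based DROP placed there therefore only affects traffic that none of the default rules already accept; it does not block that source on the VDSM, SSH or Cockpit ports. The following added example (not RHV-M's own code) renders the template with a constructed IPTablesConfigSiteCustom value and walks sample connection attempts through the resulting INPUT chain to show which rule decides. It assumes RHV-M substitutes @VDSM_PORT@ and @SSH_PORT@ with the host's ports (54321 and 22 used here) and @CUSTOM_RULES@ with the site-custom text.

```python
"""Added example, not RHV-M code: render the IPTablesConfig template with
IPTablesConfigSiteCustom substituted at @CUSTOM_RULES@, then evaluate sample
packets against the INPUT chain with first-match-wins semantics.
Assumed: host deploy replaces @VDSM_PORT@/@SSH_PORT@ with the host's ports
(54321 and 22 here) and @CUSTOM_RULES@ with the site-custom text."""

import ipaddress
import re

# INPUT-chain part of the default template shown by `engine-config -g IPTablesConfig`
TEMPLATE = """\
*filter
:INPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp --dport @VDSM_PORT@ -j ACCEPT
-A INPUT -p tcp --dport 54322 -j ACCEPT
-A INPUT -p tcp --dport 111 -j ACCEPT
-A INPUT -p udp --dport 111 -j ACCEPT
-A INPUT -p tcp --dport @SSH_PORT@ -j ACCEPT
-A INPUT -p udp --dport 161 -j ACCEPT
-A INPUT -p tcp --dport 9090 -j ACCEPT
@CUSTOM_RULES@
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
"""

# Constructed IPTablesConfigSiteCustom value: the article's DROP plus one extra port.
CUSTOM_RULES = ("-A INPUT -s 192.168.200.1/32 -j DROP\n"
                "-A INPUT -p tcp --dport 12345 -j ACCEPT")


def render(template=TEMPLATE, custom_rules=CUSTOM_RULES, vdsm_port=54321, ssh_port=22):
    """Substitute the placeholders the way host deploy is assumed to."""
    return (template.replace("@VDSM_PORT@", str(vdsm_port))
            .replace("@SSH_PORT@", str(ssh_port))
            .replace("@CUSTOM_RULES@", custom_rules))


def parse_input_rules(rendered):
    """Return the '-A INPUT ...' rules in chain order as {option: value} dicts."""
    rules = []
    for line in rendered.splitlines():
        if line.startswith("-A INPUT"):
            # every option used in this template is '-x value' or '--xx value'
            rules.append({opt.lstrip("-"): val
                          for opt, val in re.findall(r"(--?[\w-]+)\s+(\S+)", line)})
    return rules


def matches(rule, pkt):
    """Match one rule against a packet dict with src, proto, dport, iface, state."""
    if "p" in rule and rule["p"] != pkt["proto"]:
        return False
    if "dport" in rule and int(rule["dport"]) != pkt.get("dport"):
        return False
    if "i" in rule and rule["i"] != pkt["iface"]:
        return False
    if "s" in rule:
        net = ipaddress.ip_network(rule["s"], strict=False)
        if ipaddress.ip_address(pkt["src"]) not in net:
            return False
    if "state" in rule and pkt["state"] not in rule["state"].split(","):
        return False
    return True


def verdict(rules, pkt):
    """iptables semantics: the first matching rule's target decides."""
    for idx, rule in enumerate(rules):
        if matches(rule, pkt):
            return rule["j"], idx
    return "ACCEPT", None  # chain policy; unreachable with the trailing REJECT


def new_tcp(src, dport, iface="eth0"):
    """Constructed packet: a fresh TCP connection attempt from src to dport."""
    return {"src": src, "proto": "tcp", "dport": dport, "iface": iface, "state": "NEW"}


if __name__ == "__main__":
    chain = parse_input_rules(render())
    for pkt in (new_tcp("192.168.200.1", 22), new_tcp("192.168.200.1", 8080),
                new_tcp("192.168.200.1", 12345), new_tcp("10.0.0.5", 12345),
                new_tcp("10.0.0.5", 8080)):
        target, idx = verdict(chain, pkt)
        print(f"{pkt['src']:>14} -> tcp/{pkt['dport']:<5} {target} (rule #{idx})")
```

Running it shows 192.168.200.1 still reaching tcp/22 via the default SSH ACCEPT (rule 7) even though the custom DROP is present, while the same source is dropped on tcp/8080 and on the custom tcp/12345 port because the DROP precedes the custom ACCEPT within the site-custom text. If a source must be blocked on ports the defaults open, the default template itself (IPTablesConfig) has to be adjusted, not only IPTablesConfigSiteCustom.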
Root Cause
The iptables/firewalld rules are managed by RHV-M unless it is specifically configured not to manage them.
This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.