VMware Cloud Community
dmagnoni
Contributor

ESX server lockdown / iptables

Hi all,

I'm using iptables to harden the service console.

Can the iptables settings be saved permanently? Each time the server reboots or HA is reconfigured, the standard iptables rules are restored.

I'm using vmware ESX 3.5.

Many thanks.

d

7 Replies
depping
Leadership

It's not supported as far as I know. Use esxcfg-firewall, that's what it's for... You can create your own rules etc.

Duncan

VMware Communities User Moderator

If you find this information useful, please award points for "correct" or "helpful".

AWo
Immortal

If you want to make "iptables" settings permanent you need to put them into a shell script and run that after the Console has booted.

But why don't you use the VMware ESX standard tool for configuring the firewall (esxcfg-firewall)? These settings are permanent.


If you found this information useful, please consider awarding points for "Correct" or "Helpful" replies. Thanks!!


AWo

VCP / vEXPERT 2009

vExpert 2009/10/11 [:o]===[o:] [: ]o=o[ :] = Save forests! rent firewood! =
dmagnoni
Contributor

I need to limit the hosts (ip address) with access permission.

d

AWo
Immortal

For which service? Secure Shell?

dmagnoni
Contributor

Hi,

for all services/traffic.

Thanks

AWo
Immortal

You can disable open ports with the "esxcfg-firewall" command.

For SSH (Console access) you can create netgroups and use the "/etc/ssh/sshd_config". For NTP you can restrict the addresses in the "/etc/ntp.conf" file.

Do you use a VCenter Server or the VI Client to connect to the ESX server? If I assume that ssh, ntp and VI Client/VCenter are the minimum number of services which need open ports, VI Client/VCenter is the only one where I don't know how to restrict IP addresses. But to get an ESX host into a different VCenter you need the "root" password.

By the way, you can use the VI client to perform most of these actions.

Do you think you still need to restrict by IP addresses then? So, if you need to go with "iptables" put your "iptables" commands into a shell script and add it to the startup sequence. I would start with deleting all rules and add my settings and rules after that.

Texiwill
Leadership

Hello,

For most tools you can use /etc/hosts.allow and /etc/hosts.deny including SSH, and PAM based tools such as hostd. You can also use PAM lockdown by using pam_access.so to create the necessary rules.

Between TCP wrappers and pam_access.so you will get most services that are running on the box, if not all of them.

As a last resort you can resort to modifying iptables. If you go the iptables route then you should create a script and call it from within /etc/rc.d/rc.local as that is the last thing that is called. You should not use the iptables service.


Best regards,
Edward L. Haletky
VMware Communities User Moderator, VMware vExpert 2009
====
Author of the book 'VMWare ESX Server in the Enterprise: Planning and Securing Virtualization Servers', Copyright 2008 Pearson Education.
Blue Gears and SearchVMware Pro Blogs -- Top Virtualization Security Links -- Virtualization Security Round Table Podcast

--
Edward L. Haletky
vExpert XIV: 2009-2023,
VMTN Community Moderator
vSphere Upgrade Saga: https://www.astroarch.com/blogs
GitHub Repo: https://github.com/Texiwill
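As an added example that is not part of the thread and not VMware's or any poster's code, the script below generates the two layers AWo and Texiwill describe for an ESX 3.5 service console: a TCP wrappers / pam_access configuration that restricts sshd and PAM-using daemons by source address, and an iptables script meant to be called from /etc/rc.d/rc.local so it runs after esxcfg-firewall has laid down its own rules. The management subnet (192.168.10.0/24), the staging directory and the port list (22, 443, 902 and 123/udp) are constructed assumptions; the generated files are written to a staging directory as text so they can be reviewed, and nothing touches /etc until an administrator copies them into place.

```shell
#!/bin/sh
# Constructed example (not from the thread or from VMware): generates the
# lockdown pieces for an ESX 3.5 service console.
#   - TCP wrappers (hosts.allow/hosts.deny) and pam_access (access.conf)
#     restrict sshd and PAM-using daemons by source address.
#   - An iptables script for /etc/rc.d/rc.local catches everything else and
#     logs what it drops so lockouts and probes show up in the console log.
# MGMT_NET/MGMT_MASK, MGMT_PREFIX and STAGE are placeholder values.

MGMT_NET="${MGMT_NET:-192.168.10.0}"        # constructed management subnet
MGMT_MASK="${MGMT_MASK:-255.255.255.0}"     # tcp_wrappers on this console wants net/mask form
MGMT_PREFIX="${MGMT_PREFIX:-192.168.10.}"   # pam_access matches a dotted prefix
STAGE="${STAGE:-/tmp/esx-lockdown}"         # staging dir; copy into / only after review

# TCP wrappers: default deny, then allow only the management subnet and
# localhost to reach sshd. Any other libwrap-linked daemon stays denied.
gen_hosts_deny() {
    printf '%s\n' "ALL: ALL"
}
gen_hosts_allow() {
    printf '%s\n' "sshd: ${MGMT_NET}/${MGMT_MASK} 127.0.0.1"
}

# pam_access rules (permission : users : origins): console logins stay
# allowed, network logins are accepted only from the management prefix,
# everything else is rejected. Takes effect only for services whose
# /etc/pam.d file carries "account required pam_access.so".
gen_access_conf() {
    printf '%s\n' "+ : ALL : LOCAL"
    printf '%s\n' "+ : ALL : ${MGMT_PREFIX}"
    printf '%s\n' "- : ALL : ALL"
}

# iptables ruleset for rc.local. Existing rules are flushed first (as AWo
# suggests), accept rules are added, and only then does the policy flip to
# DROP, so an admin session that is open while the script runs survives.
# Ports: 22 ssh, 443 and 902 VI Client/VirtualCenter (assumed ESX defaults),
# 123/udp ntp.
gen_iptables_script() {
    cat <<EOF
#!/bin/sh
# Called from /etc/rc.d/rc.local so it runs after esxcfg-firewall's rules.
iptables -P INPUT ACCEPT
iptables -F INPUT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
EOF
    for port in 22 443 902; do
        printf '%s\n' "iptables -A INPUT -p tcp -s ${MGMT_NET}/${MGMT_MASK} --dport ${port} -m state --state NEW -j ACCEPT"
    done
    printf '%s\n' "iptables -A INPUT -p udp -s ${MGMT_NET}/${MGMT_MASK} --dport 123 -j ACCEPT"
    # Rate-limited log of everything about to be dropped, for review in /var/log/messages.
    printf '%s\n' "iptables -A INPUT -m limit --limit 5/min -j LOG --log-prefix 'console-drop: '"
    printf '%s\n' "iptables -P INPUT DROP"
}

# Review check: number of rules accepting NEW connections without a source
# restriction. Expected to be 0; anything else means a port is open to all.
unrestricted_new_accepts() {
    gen_iptables_script | grep -- '--state NEW' | grep -v -- ' -s ' | wc -l | tr -d ' '
}

# Writes all four files into STAGE and prints the directory.
stage_all() {
    mkdir -p "${STAGE}"
    gen_hosts_deny      > "${STAGE}/hosts.deny"
    gen_hosts_allow     > "${STAGE}/hosts.allow"
    gen_access_conf     > "${STAGE}/access.conf"
    gen_iptables_script > "${STAGE}/console-firewall.sh"
    chmod 0700 "${STAGE}/console-firewall.sh"
    printf '%s\n' "${STAGE}"
}

# Usage: sh lockdown.sh stage   (then review STAGE/* and copy into place)
case "${1:-}" in
    stage) stage_all ;;
esac
```

Run it with the `stage` argument, read the four generated files, then copy hosts.allow, hosts.deny and access.conf under /etc and the firewall script somewhere rc.local can call it. Because the ruleset ends in a DROP policy, apply it from the physical or remote-KVM console the first time, not from an SSH session that the rules might not cover, and watch for `console-drop:` entries in the console log to confirm the policy is doing what you expect before relying on it.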