VMware Cloud Community
tabit
Contributor

Use iptables instead of esxcfg-firewall ?

I could not find a way to specify source or destination ip for esxcfg-firewall and some other features available in iptables. I also have some well designed iptables template to use.

So can I disable it by using "chkconfig firewall off" and enable iptables instead?

Any pros and cons?

Thanks!

Accepted Solutions
Texiwill
Leadership

Hello,

Actually it is possible to use your own iptables firewall options with ESX's iptables firewall tools. For example, I add in host-based rules by editing the rules after ESX sets up its firewall. This way I get my host-based lockdowns and all of ESX's basic rules (which are actually very good).

You have to know iptables very well to do this, however, and you need to add something to /etc/rc.d/rc.local to call your script and put a wrapper around esxcfg-firewall.

I personally use the above method as I really do like the way ESX handles things currently, and my small changes for host lockdowns are only for those items /etc/hosts.allow and /etc/hosts.deny (tcpwrappers) do not cover.

Best regards,

Edward

--
Edward L. Haletky
vExpert XIV: 2009-2023,
VMTN Community Moderator
vSphere Upgrade Saga: https://www.astroarch.com/blogs
GitHub Repo: https://github.com/Texiwill

6 Replies
esiebert7625
Immortal

Here's a good ESX firewall guide...

Esxcfg-firewall - http://download3.vmware.com/vmworld/2006/labs2006/vmworld.06.lab05-SECURITY-MANUAL-APPENDIX.pdf

FYI: if you find this post helpful, please award points using the Helpful/Correct buttons.

-=-=-=-=-=-=-=-=-=-=-==-=-=-=-=-=-=-=-=-=-=-=-

Thanks, Eric

Visit my website: http://vmware-land.com

-=-=-=-=-=-=-=-=-=-=-==-=-=-=-=-=-=-=-=-=-=-=-

vangoge
Hot Shot

Hi,

The firewall of ESX 3 is based on iptables.

Gert

tabit
Contributor

Thank you guys! I finally decided to go with iptables. So far so good.

What I did:

    #cp my-iptables-template /etc/sysconfig/iptables
    chkconfig firewall off
    chkconfig iptables --level 2345 on
    service firewall stop
    service iptables start

When the ESX server reboots, it will load iptables from the init scripts automatically.

The only problem I see so far is if you have an HA cluster, and an HA agent needs to be disabled and enabled on an ESX host. The ESX firewall will be started during this process, and it will flush your own iptables rules. I have to manually do the service firewall stop and service iptables start to get my rules back.
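A constructed example of the approach Edward describes (a wrapper that re-applies host-based, source-restricted rules after esxcfg-firewall runs), which is also the kind of re-apply step that would restore the rules tabit reports being flushed; this is added here and is not code from the thread or from VMware. ADMIN_NET, REAL_ESXCFG and the assumption that the real esxcfg-firewall has been moved aside are mine, and 192.0.2.0/24 is a constructed documentation range.

```shell
#!/bin/sh
# Constructed example (not from the thread): a wrapper around esxcfg-firewall that
# re-applies host-based, source-restricted rules after ESX rebuilds its chains.
# Assumed names: ADMIN_NET (the only network allowed to reach SSH; 192.0.2.0/24 is
# a constructed documentation range) and REAL_ESXCFG (the real esxcfg-firewall,
# assumed to have been moved aside so this script can take its place).
ADMIN_NET="${ADMIN_NET:-192.0.2.0/24}"
REAL_ESXCFG="${REAL_ESXCFG:-/usr/sbin/esxcfg-firewall.real}"
IPTABLES="${IPTABLES:-/sbin/iptables}"

# Print the lockdown rules as iptables commands, one per line, so they can be
# reviewed (or checked without root) before being applied. They are inserted at
# the top of INPUT so they take precedence over the per-service rules ESX generates.
host_rules() {
    net="$1"
    printf '%s\n' \
      "$IPTABLES -I INPUT 1 -p tcp --dport 22 -s $net -m state --state NEW -j ACCEPT" \
      "$IPTABLES -I INPUT 2 -p tcp --dport 22 -m state --state NEW -j LOG --log-prefix 'ssh-nonadmin: '" \
      "$IPTABLES -I INPUT 3 -p tcp --dport 22 -m state --state NEW -j DROP"
}

# Execute the generated rules, one command per line.
apply_host_rules() {
    host_rules "$ADMIN_NET" | while read -r cmd; do eval "$cmd"; done
}

# Run the real tool with the caller's arguments, then put the host rules back,
# so that a later esxcfg-firewall run does not silently discard them.
esxcfg_firewall_wrapper() {
    if "$REAL_ESXCFG" "$@"; then rc=0; else rc=$?; fi
    apply_host_rules
    return $rc
}

# When invoked as a command (for example from /etc/rc.d/rc.local), behave like esxcfg-firewall.
if [ $# -gt 0 ]; then
    esxcfg_firewall_wrapper "$@"
fi
```

Setting IPTABLES=echo prints the rules instead of loading them, which is a convenient way to review what the wrapper will do before installing it in place of the real tool.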

Greg_Fe
Contributor

Eric,

Your link is no longer active. Could you please email me another copy of the link?

Thank You,

Greg

feingogm@bettis.gov

agcastle2000
Contributor

Eric,

As rightly said by Greg, the link is no longer active.

Can you also please email me the file or another copy of the link?

Thanks,

Archie

agcastle2000@yahoo.com
