We have been using CSF on a virtualized (OpenVZ) environment successfully for a while now, where the host and virtual machines each run their own CSF instance. We have now mixed venet with bridged interfaces by adding some redirect rules:
iptables -t nat -A POSTROUTING -s "10.0.0.0/24" -o vmbr0 -j MASQUERADE
And we were hoping to open some ports via the host to the local virtual machines, but limiting them only to certain IPs.
With the redirect feature of the CSF firewall this works great, but the IP reported is the host one, not the originating IP, so we cannot limit it with another CSF instance (or a simple firewall rule) on the destination virtual system.
We thought that CSF was "firewalling" those redirects before "natting" them, but only now have we realized it does not!!
The CSF readme actually states "All redirections to another IP address will always appear on the destination server with the source of this server, not the originating IP address." so this is a standard feature.
We have attached the current approximate network config and ip routes.
What we are looking for is a tested environment that works on this basis, solving the 2 major issues we currently have:
- traffic between "local" IPs bridged to venet ones originates from the "host". This is... [url removed, login to view] (bridged) traffic to [url removed, login to view] (venet) reports as originating from the host's IP
- we need CSF redirect rules to be parsed by the firewall and/or the redirects to pass the originating IP to the containers so we can firewall there.
-- the solution might be to create all the NAT rules manually with masquerading and including them on a "post" script that CSF executes and ignore the "redirect" feature there.
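As an added illustration of that "post" script approach (example code, not CSF's own nor the requester's), the script below emits the two kinds of rules the list above calls for: a masquerade rule that excludes container-to-container traffic, and DNAT-only port forwards restricted to listed client IPs. It assumes vmbr0 is the host's public uplink, that CSF runs it from its csfpost.sh hook after loading its own rules, and constructed addressing (venet guests 10.0.0.0/24, bridged guests 198.51.100.0/24, target container 10.0.0.10, allowed clients 203.0.113.5 and 203.0.113.6).

```shell
#!/bin/sh
# Added example, not CSF's own code. Emits iptables rules for a csfpost.sh
# style hook. Dry-run by default: rules are printed; set IPT=iptables to apply.
# Constructed addressing: venet guests 10.0.0.0/24, bridged guests
# 198.51.100.0/24 on vmbr0, web container 10.0.0.10, clients 203.0.113.5/.6.
set -eu

IPT="${IPT:-echo iptables}"

# 1) Masquerade only traffic that really leaves for the outside world.
#    The "! -d" exclusion keeps venet<->bridged traffic un-NATed, so the
#    bridged guest sees the venet guest's own address, not the host's.
masq_outbound() {
  venet_net=$1; bridged_net=$2; extif=$3
  $IPT -t nat -A POSTROUTING -s "$venet_net" ! -d "$bridged_net" \
       -o "$extif" -j MASQUERADE
}

# 2) Port forward with DNAT only (no SNAT), limited to the listed sources.
#    The source address is never rewritten, so the container's own CSF
#    instance can still filter on the originating client IP.
forward_port() {
  extif=$1; dport=$2; dest=$3; dport_in=$4; shift 4
  for src in "$@"; do
    $IPT -t nat -A PREROUTING -i "$extif" -s "$src" -p tcp --dport "$dport" \
         -j DNAT --to-destination "$dest:$dport_in"
    $IPT -A FORWARD -i "$extif" -s "$src" -d "$dest" -p tcp --dport "$dport_in" \
         -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
  done
  # Replies from the container back towards the client
  $IPT -A FORWARD -s "$dest" -p tcp --sport "$dport_in" \
       -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
}

apply_rules() {
  masq_outbound 10.0.0.0/24 198.51.100.0/24 vmbr0
  forward_port vmbr0 8080 10.0.0.10 80 203.0.113.5 203.0.113.6
}

apply_rules
```

DNAT without SNAT only works when the container routes its replies back through the host (always true for venet; a bridged guest needs the host as its gateway) and net.ipv4.ip_forward is enabled on the host.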
We would like to receive the network configuration + required ip route commands + iptables rules to be loaded by CSF if required.
The supplier will have to emulate and test the solution on their own environment, with full payment once we have implemented it on our own setup.