proxmox personal firewall on PVE host and port 80-443


elkondor
06-29-2010, 02:34 AM
I have a problem creating an iptables rule to forward a port to some VM machines. The situation:

router -> DMZ on proxmox host -> iptables drop INPUT (and open only the needed ports) and forward some ports to VM machines.

I have no problem forwarding any type of port, but 80 and 443 (used by proxmox) are the problem: if I forward them, the rule does not work.

Is it possible to change the default ports of the proxmox GUI, 80 and 443?
How does the 80-443 proxmox redirect work? Does proxmox then block port 80?

To access the web GUI I can use SSH tunneling to the PVE host.

My firewall sample (some rules are cut):

#!/bin/sh
#
#
#ssh -L 12345:remotesite.com:80 utente@serversshremoto.com
#ssh -L 443:10.2.2.100:443 10.2.2.100 access for the web GUI

# real IP of eth0/vmbr0
IP_REALE=192.168.1.200   # <- real machine

IP_VMSMARTINO=192.168.1.201
IP_VMLAMP=10.2.2.202



echo "Start Firewall locale..."

# KERNEL TUNING
# echo 1 > /proc/sys/net/ipv4/ip_forward
# echo 8192 > /proc/sys/net/nf_conntrack_max #16384

# FLUSH TABLES
iptables -F
iptables -F -t nat
iptables -F -t mangle
iptables -X

# TABLE POLICIES
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT


# NAT for the virtual machines on vmbr1
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -t nat -A POSTROUTING -o vmbr0 -j MASQUERADE

# rules for the real host
iptables -A INPUT -p all -m state --state established,related -j ACCEPT
iptables -A INPUT -p icmp -j ACCEPT
#iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -p udp --dport 53 -j ACCEPT
iptables -A INPUT -p tcp --dport 5022 -j ACCEPT
iptables -A INPUT -p tcp --dport 83 -j ACCEPT #admin ssh redirect
iptables -A INPUT -p tcp --dport 5900 -j ACCEPT #local admin ssh redirect


# service inputs
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 81 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j ACCEPT #local admin ssh redirect and webserver
iptables -A INPUT -p tcp --dport 11022 -j ACCEPT
iptables -A INPUT -p tcp --dport 12022 -j ACCEPT
iptables -A INPUT -p tcp --dport 21022 -j ACCEPT
iptables -A INPUT -p tcp --dport 22022 -j ACCEPT
iptables -A INPUT -p tcp --dport 23022 -j ACCEPT
iptables -A INPUT -p udp --dport 23194 -j ACCEPT
iptables -A INPUT -p tcp --dport 23194 -j ACCEPT

## SMARTINO

#201
# Forward zimbra
iptables -t nat -A PREROUTING --dst $IP_REALE -p tcp --dport 11022 -j DNAT --to-destination $IP_VMSMARTINO:22
iptables -t nat -A PREROUTING --dst $IP_REALE -p tcp --dport 81 -j DNAT --to-destination $IP_VMSMARTINO:80
iptables -t nat -A PREROUTING --dst $IP_REALE -p tcp --dport 7071 -j DNAT --to-destination $IP_VMSMARTINO:7071
# OpenVPN smartino-agricoop sites
iptables -t nat -A PREROUTING --dst $IP_REALE -p udp --dport 11194 -j DNAT --to-destination $IP_VMSMARTINO:1194


## ASSO


#202
# Forward vmlamp virtualhost
iptables -t nat -A PREROUTING --dst $IP_REALE -p tcp --dport 8080 -j DNAT --to-destination $IP_VMLAMP:80
# -> does not work:
#iptables -t nat -A PREROUTING --dst $IP_REALE -p tcp --dport 80 -j DNAT --to-destination $IP_VMLAMP:80
# -> does not work:
#iptables -t nat -A PREROUTING --dst $IP_REALE -p tcp --dport 443 -j DNAT --to-destination $IP_VMLAMP:443
iptables -t nat -A PREROUTING --dst $IP_REALE -p tcp --dport 22022 -j DNAT --to-destination $IP_VMLAMP:22

help please :(

dietmar
06-29-2010, 08:49 AM
Is it possible to change the default ports of the proxmox GUI, 80 and 443?
How does the 80-443 proxmox redirect work? Does proxmox then block port 80?


The apache config is in

/etc/apache2/sites-enabled/pve.conf
/etc/apache2/ports.conf

port 80 is not really needed, so you can change that.

I never tested changing port 443 - I am not sure that you can do that.
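As an added example (not code from the thread, and not Proxmox's own), a small sh helper that builds each DNAT forward the way the script above does, but first checks the public port against the ports the PVE host itself serves, since a PREROUTING DNAT on 80 or 443 would rewrite packets before local delivery and take that port away from the host's Apache unless its ports.conf / pve.conf are changed first. HOST_IP, HOST_PORTS, DRY_RUN, dnat_rule and check_forward are this example's own names; the host-port list is constructed, and the addresses match the thread's script.

```shell
#!/bin/sh
# Added example, not from the thread: generate one PREROUTING DNAT forward
# (plus its FORWARD accept) and refuse public ports the PVE host serves itself.
# HOST_IP, HOST_PORTS, DRY_RUN, dnat_rule, check_forward are example names.

HOST_IP=192.168.1.200        # real IP on vmbr0 (IP_REALE in the thread)
HOST_PORTS="22 80 443 5900"  # constructed list of ports served by the host itself
DRY_RUN=1                    # 1 = print the commands; 0 = run them (needs root)

# run_or_print CMD: in dry-run mode print the command, otherwise execute it.
run_or_print() {
    if [ "$DRY_RUN" -eq 1 ]; then printf '%s\n' "$1"; else eval "$1"; fi
}

# check_forward PUBLIC_PORT: return 1 when the host already serves that port.
# A PREROUTING DNAT rewrites such packets before local delivery, so the host
# service on vmbr0 would become unreachable from outside: either move the host
# service (ports.conf / pve.conf) or pick another public port.
check_forward() {
    for p in $HOST_PORTS; do
        [ "$p" = "$1" ] && return 1
    done
    return 0
}

# dnat_rule PROTO PUBLIC_PORT VM_IP VM_PORT: DNAT on the public interface only,
# plus the matching FORWARD accept so the forward also works with a DROP policy
# on FORWARD (the thread's script leaves FORWARD at ACCEPT).
dnat_rule() {
    proto=$1; pub=$2; vm=$3; vmport=$4
    check_forward "$pub" || { echo "port $pub is served by the host itself; skipping" >&2; return 1; }
    run_or_print "iptables -t nat -A PREROUTING -i vmbr0 -d $HOST_IP -p $proto --dport $pub -j DNAT --to-destination $vm:$vmport"
    run_or_print "iptables -A FORWARD -i vmbr0 -d $vm -p $proto --dport $vmport -m state --state NEW -j ACCEPT"
}

# The thread's vmlamp forwards, dry-run: 8080 is emitted, 80 is refused until
# the host's Apache has been moved off that port.
dnat_rule tcp 8080 10.2.2.202 80
dnat_rule tcp 80 10.2.2.202 80 || :
```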

elkondor
06-29-2010, 12:29 PM
If I change these 2 files and the correct port section, is there no problem with the VNC console or other settings in the web GUI? netcat redir or other?

I'm starting to think that the problem is the TELECOM Italian Pirelli router.... :mad: bad product.... I'll reset/reconfigure the DMZ and test it.....

Thanks for now!

dietmar
06-29-2010, 02:27 PM
If I change these 2 files and the correct port section, is there no problem with the VNC console or other settings in the web GUI? netcat redir or other?

I do not know (I have not tested that) - you need to test that yourself.