-A POSTROUTING -s 10.1.0.0/24 ! -d 10.1.0.0/24 -o enp5s0 -j MASQUERADE
.. is set by crontab at boot (I know, it's not very clean).
I modified the vmbr0 configuration by removing the public IP, removed the destination exclusion on the iptables NAT rules, and got the same result.
I re-read the doc and...
on vm112
# The loopback network interface
auto lo
iface lo inet loopback
# The primary network interface
allow-hotplug ens18
iface ens18 inet static
address 10.1.0.112
netmask 255.255.255.0
gateway 10.1.0.2
iface ens18 inet6 dhcp
And no iptables rules
On the node...
I must have messed up the test .. with the rule enabled I don't have any tcpdump trace when pinging 1.1.1.1.
For 8.8.8.8, I still only get icmp echo request and no reply.
It works for other VMs on the same cluster, even on the same node.
I find the only difference between them and VM112.
It...
Strange thing, the same rule on the other node of my cluster works. I'm quite lost on this one ...
edit : and it's working on another vm on the same node as 112 ... o_O
With firewall enabled (and MAC filtering disabled).
For vmbr1 and enp5s0, results are the same :
ping 1.1.1.1 from VM
tcpdump -i enp5s0 icmp
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on enp5s0, link-type EN10MB (Ethernet), snapshot length 262144 bytes...
well not so fast for me .. @Chris, sorry :)
Firewalled interface works, but it also blocks all outbound traffic (output policy on the VM & Datacenter is set to ACCEPT).
In the log I can see the dropped packet for ICMP to 1.1.1.1, but no log for other requests.
If I set my rule to ACCEPT, I still can't...
thank you for the quick reply.
However, 2 things:
I don't have chain named "tap112i0-OUT"
Even with your rules and a reboot of the vm, I can still ping 1.1.1.1
Could it be linked to my IP forwarding rules on the node? (the VM has only a local IP, and everything is routed through the node with...
Hi
I'm trying to block some simple outbound traffic from a specific VM.
Firewall is enabled on the datacenter level, on the node level and on the VM level (name "hub", IP "10.1.0.112").
I'm trying to block icmp to 1.1.1.1.
root@marvin:/etc/pve/firewall# cat 112.fw
[OPTIONS]
ipfilter: 1
enable...
#proxmox-boot-tool status
Re-executing '/usr/sbin/proxmox-boot-tool' in new private mount namespace..
System currently booted with legacy bios
FEE5-D6E7 is configured with: uefi (versions: ), grub (versions: 5.13.19-6-pve, 5.15.30-2-pve)
FEE6-D626 is configured with: uefi (versions: ), grub...
I used this one :
- I assume that the system is booted and always will remain booting with legacy bios and not UEFI:
- mount each of the ESPs manually
- in the mountpoint remove e.g. for kernel 5.4.103-1-pve:
- remove /mountpoint/EFI/proxmox/5.4.103-1-pve
- remove...
I'm a little lost on this boot-mode .. sorry.
I don't remember changing the boot mode, but I do remember that on migration from PVE 6 to 7, I did some checks with proxmox-boot-tool.
efibootmgr -v
EFI variables are not supported on this system.
So, I'm using legacy mode, right? But with...
I think I should follow this thread : https://forum.proxmox.com/threads/dpkg-hanging-when-upgrading-pve-kernel.95077/#post-412898
But, I have 3 NVMe disks in a ZFS raidz configuration:
nvme2n1 259:0 0 476.9G 0 disk
├─nvme2n1p1 259:1 0 1007K 0 part
├─nvme2n1p2 259:2 0 512M 0...
Didn't work, and I think I broke something :
apt remove --purge pve-kernel-5.11.22-1-pve
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
The following packages will be REMOVED:
pve-kernel-5.11.22-1-pve
0 upgraded, 0 newly installed, 1 to remove...
Hi
Usual upgrade today, to "Setting up pve-kernel-5.15.30-2-pve".
Unusual answer from Proxmox:
Setting up pve-kernel-5.15.30-2-pve (5.15.30-3) ...
Examining /etc/kernel/postinst.d.
run-parts: executing /etc/kernel/postinst.d/apt-auto-removal 5.15.30-2-pve /boot/vmlinuz-5.15.30-2-pve
run-parts...
The topic title has been deliberately shortened, I usually run apt update && apt dist-upgrade.
So, how could I prevent the removal of proxmox-ve and pve-firmware?