Block access to Proxmox through one NIC (firewall)

kbrault

Renowned Member
May 14, 2012
I know this has been asked a thousand times .....

I would like to use Proxmox to test various software firewalls. My plan is to install the software firewalls as VMs and isolate Proxmox from the internet. I have read many of the forum postings and I am not clear on how to do this.

What I have is:

Internet
|
eth1 (192.168.1.1 or anything else) bridged to vmbr1
|
vmbr1 set to software firewall external port (static internet address, 64.xx.xx.xx)
|
vmbr0 set to software firewall internal port (static internal address, 10.10.1.1)
|
eth0 (10.10.1.254) bridged to vmbr0
|
Internal Network

What I want is any traffic coming to eth1 to be dropped or be redirected to vmbr1. Proxmox would only be accessed through eth0.

How would I accomplish this?

Thank you in advance for your help.

Kevin
 
It looks like the preferred solution is to configure and use shorewall to do it. You'll want to set up 3 different zones, and define how traffic can move between the three.

In my case, I want to install a web filter/firewall as a VM, so I will have to figure out how to tell shorewall to send all traffic on the external bridge to a specific tap.

Searches tell me that most questions like this on the forum do not get answered, so your best bet is to google "shorewall on proxmox" and study the guides you find. When you get it figured out, add a nice wiki entry so that others can learn from what you did. I find that documenting what you learned for others will help reinforce what you have just learned as well :).
 
As a quick solution, don't assign an IP to vmbr1 for the PVE host, so the VM connected to vmbr1 will be the only machine that sees all connections from/to the Internet, and obviously this VM will be your Firewall/Router. This practice gives me excellent results; moreover, I have it in "HA" and "live migration" works perfectly (with DRBD as replicated storage). In my case as Firewall/Router, I use CentOS 6.3 x64 with iptables (I was born with the iptables manual in hand, but you can have the OS and Firewall/Router that you want).

Cesar
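As an added example (not Cesar's own config and not from the Proxmox project), this is what that layout looks like in the host's /etc/network/interfaces using the addresses from the first post: vmbr0 carries the host's only address, and vmbr1 is a bridge with no address at all, so nothing on the host listens on the internet-facing segment. The gateway 10.10.1.1 (the firewall VM's internal port) and the netmask are assumptions.

```text
# /etc/network/interfaces on the Proxmox host (constructed example)
auto lo
iface lo inet loopback

# eth0: internal side, the only path to the host
iface eth0 inet manual

# vmbr0: internal bridge, carries the host's management address.
# gateway 10.10.1.1 is an assumption (the firewall VM's internal port).
auto vmbr0
iface vmbr0 inet static
    address 10.10.1.254
    netmask 255.255.255.0
    gateway 10.10.1.1
    bridge_ports eth0
    bridge_stp off
    bridge_fd 0

# eth1: internet side
iface eth1 inet manual

# vmbr1: external bridge, deliberately left without an address.
# The weak form is "iface vmbr1 inet static" with an address here,
# which makes the host itself reachable from the internet.
# With "inet manual" the host forwards frames on this bridge but has
# no IP on it, so only the firewall VM's external vNIC (64.xx.xx.xx)
# is addressable on this segment.
auto vmbr1
iface vmbr1 inet manual
    bridge_ports eth1
    bridge_stp off
    bridge_fd 0
```

After applying it, `ip addr show vmbr1` should list no inet address, and the Proxmox GUI on 8006 is then reachable only via 10.10.1.254 on the internal side.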
 
I thought about leaving off the IP but I already set it up with one and now can't remove it.

In any case I installed UFW with this setup:

Code:
# Default policy: drop unsolicited inbound, permit outbound
ufw default deny incoming
ufw default allow outgoing
# Allow everything from the internal subnet (10.10.1.0/24)
ufw allow from 10.10.1.1/24
# Allow the Proxmox web GUI (port 8006) from anywhere
ufw allow 8006/tcp
ufw logging off
# Activate the rule set now and make it persistent across reboots
ufw enable
systemctl enable ufw.service

So, if this is correct, all incoming should be blocked, incoming from anywhere on port 8006 should be open and incoming from the local sub-net should be open.
 