Firewall not filtering traffic

RichBayliss

New Member
Oct 30, 2014
Hi.

I have recently rebuilt my home lab Proxmox VE machine and installed PVE 3.3 for the new Firewall and HTML5 features.

I seem to have an issue whereby the Firewall is enabled globally (checkbox on Datacenter is enabled, with Input set to ALLOW) and enabled on the VM (checkbox enabled, Input set to DROP) but my packets are getting into the VM (ICMP pings in this case).

I have checked the "net0" interface on the VM and Firewall is checked there too, so I am a bit stumped. On the host CLI after running "pve-firewall status" I get "enabled/running".

Any help here would be great, as this will save me using a hardware firewall between my PVE and internet connection.
 
VMID = 101

iptables-save:
# Generated by iptables-save v1.4.14 on Thu Oct 30 15:05:56 2014
*mangle
:PREROUTING ACCEPT [7167069:35136443600]
:INPUT ACCEPT [7148706:35134171748]
:FORWARD ACCEPT [15717:1033802]
:OUTPUT ACCEPT [2793649:6434478996]
:POSTROUTING ACCEPT [2808738:6435464459]
COMMIT
# Completed on Thu Oct 30 15:05:56 2014
# Generated by iptables-save v1.4.14 on Thu Oct 30 15:05:56 2014
*filter
:INPUT ACCEPT [1024:63417]
:FORWARD ACCEPT [614:48634]
:OUTPUT ACCEPT [790:47400]
:PVEFW-Drop - [0:0]
:PVEFW-DropBroadcast - [0:0]
:PVEFW-FORWARD - [0:0]
:PVEFW-FWBR-IN - [0:0]
:PVEFW-FWBR-OUT - [0:0]
:PVEFW-HOST-IN - [0:0]
:PVEFW-HOST-OUT - [0:0]
:PVEFW-INPUT - [0:0]
:PVEFW-OUTPUT - [0:0]
:PVEFW-Reject - [0:0]
:PVEFW-SET-ACCEPT-MARK - [0:0]
:PVEFW-VENET-IN - [0:0]
:PVEFW-VENET-OUT - [0:0]
:PVEFW-logflags - [0:0]
:PVEFW-reject - [0:0]
:PVEFW-smurflog - [0:0]
:PVEFW-smurfs - [0:0]
:PVEFW-tcpflags - [0:0]
:tap100i0-IN - [0:0]
:tap100i0-OUT - [0:0]
:tap101i0-IN - [0:0]
:tap101i0-OUT - [0:0]
-A INPUT -j PVEFW-INPUT
-A FORWARD -j PVEFW-FORWARD
-A OUTPUT -j PVEFW-OUTPUT
-A PVEFW-Drop -p tcp -m tcp --dport 43 -j PVEFW-reject
-A PVEFW-Drop -j PVEFW-DropBroadcast
-A PVEFW-Drop -p icmp -m icmp --icmp-type 3/4 -j ACCEPT
-A PVEFW-Drop -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A PVEFW-Drop -m conntrack --ctstate INVALID -j DROP
-A PVEFW-Drop -p udp -m multiport --dports 135,445 -j DROP
-A PVEFW-Drop -p udp -m udp --dport 137:139 -j DROP
-A PVEFW-Drop -p udp -m udp --sport 137 --dport 1024:65535 -j DROP
-A PVEFW-Drop -p tcp -m multiport --dports 135,139,445 -j DROP
-A PVEFW-Drop -p udp -m udp --dport 1900 -j DROP
-A PVEFW-Drop -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -j DROP
-A PVEFW-Drop -p udp -m udp --sport 53 -j DROP
-A PVEFW-Drop -m comment --comment "PVESIG:zfGV4KTPaxGVOCwRUVqqqbR0IhM"
-A PVEFW-DropBroadcast -m addrtype --dst-type BROADCAST -j DROP
-A PVEFW-DropBroadcast -m addrtype --dst-type MULTICAST -j DROP
-A PVEFW-DropBroadcast -m addrtype --dst-type ANYCAST -j DROP
-A PVEFW-DropBroadcast -d 224.0.0.0/4 -j DROP
-A PVEFW-DropBroadcast -m comment --comment "PVESIG:NyjHNAtFbkH7WGLamPpdVnxHy4w"
-A PVEFW-FORWARD -m conntrack --ctstate INVALID -j DROP
-A PVEFW-FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A PVEFW-FORWARD -i venet0 -m set --match-set PVEFW-0-venet0 src -j PVEFW-VENET-OUT
-A PVEFW-FORWARD -m physdev --physdev-in fwln+ --physdev-is-bridged -j PVEFW-FWBR-IN
-A PVEFW-FORWARD -m physdev --physdev-out fwln+ --physdev-is-bridged -j PVEFW-FWBR-OUT
-A PVEFW-FORWARD -o venet0 -m set --match-set PVEFW-0-venet0 dst -j PVEFW-VENET-IN
-A PVEFW-FORWARD -m comment --comment "PVESIG:EqTnWXObv/2sm0UCQAKlplAl6+Y"
-A PVEFW-FWBR-IN -m conntrack --ctstate INVALID,NEW -j PVEFW-smurfs
-A PVEFW-FWBR-IN -m physdev --physdev-out tap101i0 --physdev-is-bridged -j tap101i0-IN
-A PVEFW-FWBR-IN -m physdev --physdev-out tap100i0 --physdev-is-bridged -j tap100i0-IN
-A PVEFW-FWBR-IN -m comment --comment "PVESIG:weh85O9qyXcUS2/morEQbBNbQqg"
-A PVEFW-FWBR-OUT -m physdev --physdev-in tap101i0 --physdev-is-bridged -j tap101i0-OUT
-A PVEFW-FWBR-OUT -m physdev --physdev-in tap100i0 --physdev-is-bridged -j tap100i0-OUT
-A PVEFW-FWBR-OUT -m comment --comment "PVESIG:RAyEcP8TWxWVfI/J81KZdsycXZE"
-A PVEFW-HOST-IN -i lo -j ACCEPT
-A PVEFW-HOST-IN -m conntrack --ctstate INVALID -j DROP
-A PVEFW-HOST-IN -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A PVEFW-HOST-IN -m conntrack --ctstate INVALID,NEW -j PVEFW-smurfs
-A PVEFW-HOST-IN -p igmp -j RETURN
-A PVEFW-HOST-IN -p tcp -m set --match-set PVEFW-0-management src -m tcp --dport 8006 -j RETURN
-A PVEFW-HOST-IN -p tcp -m set --match-set PVEFW-0-management src -m tcp --dport 5900:5999 -j RETURN
-A PVEFW-HOST-IN -p tcp -m set --match-set PVEFW-0-management src -m tcp --dport 3128 -j RETURN
-A PVEFW-HOST-IN -p tcp -m set --match-set PVEFW-0-management src -m tcp --dport 22 -j RETURN
-A PVEFW-HOST-IN -s 192.168.1.0/24 -d 192.168.1.0/24 -p udp -m udp --dport 5404:5405 -j RETURN
-A PVEFW-HOST-IN -s 192.168.1.0/24 -p udp -m addrtype --dst-type MULTICAST -m udp --dport 5404:5405 -j RETURN
-A PVEFW-HOST-IN -j RETURN
-A PVEFW-HOST-IN -m comment --comment "PVESIG:9djsMOqJyyEzOWRZ41xKCCo1WNk"
-A PVEFW-HOST-OUT -o lo -j ACCEPT
-A PVEFW-HOST-OUT -m conntrack --ctstate INVALID -j DROP
-A PVEFW-HOST-OUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A PVEFW-HOST-OUT -p igmp -j RETURN
-A PVEFW-HOST-OUT -d 192.168.1.0/24 -p tcp -m tcp --dport 8006 -j RETURN
-A PVEFW-HOST-OUT -d 192.168.1.0/24 -p tcp -m tcp --dport 22 -j RETURN
-A PVEFW-HOST-OUT -d 192.168.1.0/24 -p tcp -m tcp --dport 5900:5999 -j RETURN
-A PVEFW-HOST-OUT -d 192.168.1.0/24 -p tcp -m tcp --dport 3128 -j RETURN
-A PVEFW-HOST-OUT -d 192.168.1.0/24 -p udp -m udp --dport 5404:5405 -j RETURN
-A PVEFW-HOST-OUT -p udp -m addrtype --dst-type MULTICAST -m udp --dport 5404:5405 -j RETURN
-A PVEFW-HOST-OUT -j RETURN
-A PVEFW-HOST-OUT -m comment --comment "PVESIG:GKv9EDdtG7uLY6VVl1dP58n9TM0"
-A PVEFW-INPUT -i venet0 -m set --match-set PVEFW-0-venet0 src -j PVEFW-VENET-OUT
-A PVEFW-INPUT -j PVEFW-HOST-IN
-A PVEFW-INPUT -m comment --comment "PVESIG:BzyYmT9DMHVl0mK5gEk9RnLGABY"
-A PVEFW-OUTPUT -j PVEFW-HOST-OUT
-A PVEFW-OUTPUT -o venet0 -m set --match-set PVEFW-0-venet0 dst -j PVEFW-VENET-IN
-A PVEFW-OUTPUT -m comment --comment "PVESIG:XDfaZCom19bXI72jfvIdmv5V9DM"
-A PVEFW-Reject -p tcp -m tcp --dport 43 -j PVEFW-reject
-A PVEFW-Reject -j PVEFW-DropBroadcast
-A PVEFW-Reject -p icmp -m icmp --icmp-type 3/4 -j ACCEPT
-A PVEFW-Reject -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A PVEFW-Reject -m conntrack --ctstate INVALID -j DROP
-A PVEFW-Reject -p udp -m multiport --dports 135,445 -j PVEFW-reject
-A PVEFW-Reject -p udp -m udp --dport 137:139 -j PVEFW-reject
-A PVEFW-Reject -p udp -m udp --sport 137 --dport 1024:65535 -j PVEFW-reject
-A PVEFW-Reject -p tcp -m multiport --dports 135,139,445 -j PVEFW-reject
-A PVEFW-Reject -p udp -m udp --dport 1900 -j DROP
-A PVEFW-Reject -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -j DROP
-A PVEFW-Reject -p udp -m udp --sport 53 -j DROP
-A PVEFW-Reject -m comment --comment "PVESIG:3gYHaSHlZx5luiKyM0oCsTVaXi4"
-A PVEFW-SET-ACCEPT-MARK -j MARK --set-xmark 0x1/0xffffffff
-A PVEFW-SET-ACCEPT-MARK -m comment --comment "PVESIG:+w0L1XZmxcTeIy7fBeEAzPUQMiY"
-A PVEFW-VENET-IN -m conntrack --ctstate INVALID,NEW -j PVEFW-smurfs
-A PVEFW-VENET-IN -m comment --comment "PVESIG:TVxJ2yaUbjuO4uGIEwWIkLrzqXo"
-A PVEFW-VENET-OUT -m comment --comment "PVESIG:2jmj7l5rSw0yVb/vlWAYkK/YBwk"
-A PVEFW-logflags -j DROP
-A PVEFW-logflags -m comment --comment "PVESIG:ewllejV/lK5Rjmt/E3xIODQgfYg"
-A PVEFW-reject -m addrtype --dst-type BROADCAST -j DROP
-A PVEFW-reject -s 224.0.0.0/4 -j DROP
-A PVEFW-reject -p icmp -j DROP
-A PVEFW-reject -p tcp -j REJECT --reject-with tcp-reset
-A PVEFW-reject -p udp -j REJECT --reject-with icmp-port-unreachable
-A PVEFW-reject -p icmp -j REJECT --reject-with icmp-host-unreachable
-A PVEFW-reject -j REJECT --reject-with icmp-host-prohibited
-A PVEFW-reject -m comment --comment "PVESIG:KM/fOv4KvGn8XvMqxoiRCdvlji8"
-A PVEFW-smurflog -j DROP
-A PVEFW-smurflog -m comment --comment "PVESIG:k8rhuGB1IUidugKwAufSGGgKAZ4"
-A PVEFW-smurfs -s 0.0.0.0/32 -j RETURN
-A PVEFW-smurfs -m addrtype --src-type BROADCAST -g PVEFW-smurflog
-A PVEFW-smurfs -s 224.0.0.0/4 -g PVEFW-smurflog
-A PVEFW-smurfs -m comment --comment "PVESIG:HssVe5QCBXd5mc9kC88749+7fag"
-A PVEFW-tcpflags -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -g PVEFW-logflags
-A PVEFW-tcpflags -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -g PVEFW-logflags
-A PVEFW-tcpflags -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -g PVEFW-logflags
-A PVEFW-tcpflags -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -g PVEFW-logflags
-A PVEFW-tcpflags -p tcp -m tcp --sport 0 --tcp-flags FIN,SYN,RST,ACK SYN -g PVEFW-logflags
-A PVEFW-tcpflags -m comment --comment "PVESIG:CMFojwNPqllyqD67NeI5m+bP5mo"
-A tap100i0-IN -p udp -m udp --sport 67 --dport 68 -j ACCEPT
-A tap100i0-IN -j ACCEPT
-A tap100i0-IN -m comment --comment "PVESIG:NojMqRwli9IqGAXKxiVqfR5LMCU"
-A tap100i0-OUT -p udp -m udp --sport 68 --dport 67 -g PVEFW-SET-ACCEPT-MARK
-A tap100i0-OUT -m mac ! --mac-source 9A:DC:12:22:2A:D9 -j DROP
-A tap100i0-OUT -j MARK --set-xmark 0x0/0xffffffff
-A tap100i0-OUT -g PVEFW-SET-ACCEPT-MARK
-A tap100i0-OUT -m comment --comment "PVESIG:CmlO/faYss+HNm32uNW6Xlj+BnA"
-A tap101i0-IN -p udp -m udp --sport 67 --dport 68 -j ACCEPT
-A tap101i0-IN -j PVEFW-Reject
-A tap101i0-IN -j NFLOG --nflog-prefix ":101:6:tap101i0-IN: policy REJECT: "
-A tap101i0-IN -g PVEFW-reject
-A tap101i0-IN -m comment --comment "PVESIG:S5Y2WbSzAh1soFC8pnWScswbEwU"
-A tap101i0-OUT -p udp -m udp --sport 68 --dport 67 -g PVEFW-SET-ACCEPT-MARK
-A tap101i0-OUT -m mac ! --mac-source 42:07:9A:D4:61:89 -j DROP
-A tap101i0-OUT -j MARK --set-xmark 0x0/0xffffffff
-A tap101i0-OUT -g PVEFW-SET-ACCEPT-MARK
-A tap101i0-OUT -m comment --comment "PVESIG:pQPiHbbPfKgNXhrg5aHvHWI8d5g"
COMMIT
# Completed on Thu Oct 30 15:05:56 2014

brctl show:
bridge name     bridge id               STP enabled     interfaces
fwbr101i0       8000.aeca72e0b8f8       no              fwln101i0
                                                        tap101i0
vmbr0           8000.f46d044eb348       no              eth0
                                                        fwpr101p0
 
Also, you need to:
- Stop the ping, apply your firewall rules, wait for 30 s, then ping again

This feature is called "Connection Tracking".

This might have been the issue. I now seem to be able to filter the packets as expected, I am obviously not used to the way iptables handles changes. If I could make a suggestion to add a "Reload rules" button of sorts, to clearly identify that a reload of the settings and a wipe of the connection tracking occurs, that would make things a lot clearer.
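The dump in the first post shows exactly why the in-flight ping kept getting through: PVEFW-FORWARD accepts anything with ctstate RELATED,ESTABLISHED before it ever jumps to PVEFW-FWBR-IN and the per-VM tap101i0-IN chain, so a flow that conntrack already knows about never reaches the VM's policy. The Python model below is an added example, not part of the original thread and not pve-firewall code: it transcribes the chains a bridged packet for tap101i0 touches (the NFLOG prefix in the dump shows the VM's input policy was REJECT when it was taken, so the reject chains are modelled), replaces nf_conntrack with a plain set of (proto, src, dst) tuples without timeouts, and uses made-up guest and client addresses.

```python
"""Trace of the FORWARD path from the iptables-save dump above for packets
headed to VM 101 (tap101i0). Added example, not part of the original post and
not pve-firewall code: the chain logic is transcribed from the dump, conntrack
is a set of (proto, src, dst) tuples with no timeouts (so "wait 30 s" becomes
flush()), and the client/guest addresses are made up."""

from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str              # "icmp", "tcp" or "udp"
    src: str
    dst: str
    physdev_in: str         # bridge port the frame came in on, e.g. fwln101i0
    physdev_out: str        # bridge port it is heading for, e.g. tap101i0
    sport: int = 0
    dport: int = 0
    icmp_type: int = 0      # 8 = echo request
    icmp_code: int = 0


class Conntrack:
    """Stand-in for nf_conntrack: an accepted packet creates a flow entry."""
    def __init__(self):
        self.flows = set()

    def state(self, p):
        return "ESTABLISHED" if (p.proto, p.src, p.dst) in self.flows else "NEW"

    def note(self, p):
        self.flows.add((p.proto, p.src, p.dst))

    def flush(self):
        self.flows.clear()


nflog = []   # what the NFLOG target in tap101i0-IN would emit


def pvefw_reject(p):
    """-A PVEFW-reject ...: choose the REJECT flavour; ICMP is silently dropped."""
    if p.dst == "255.255.255.255" or p.src.startswith("224.") or p.proto == "icmp":
        return "DROP"
    if p.proto == "tcp":
        return "REJECT tcp-reset"
    if p.proto == "udp":
        return "REJECT icmp-port-unreachable"
    return "REJECT icmp-host-prohibited"


def pvefw_Reject(p):
    """-A PVEFW-Reject ... (capital R): pre-filter; None means fall through."""
    if p.proto == "tcp" and p.dport in (43, 135, 139, 445):
        return pvefw_reject(p)
    if p.dst == "255.255.255.255" or p.dst.startswith("224."):
        return "DROP"                               # PVEFW-DropBroadcast
    if p.proto == "icmp" and ((p.icmp_type, p.icmp_code) == (3, 4) or p.icmp_type == 11):
        return "ACCEPT"                             # frag-needed / TTL-exceeded pass
    if p.proto == "udp" and (p.dport in (135, 445) or 137 <= p.dport <= 139):
        return pvefw_reject(p)
    if p.proto == "udp" and (p.dport == 1900 or p.sport == 53):
        return "DROP"
    return None                                     # INVALID is dropped upstream


def tap101i0_in(p):
    """Per-VM input chain for VM 101; its NFLOG prefix shows the policy is REJECT."""
    if p.proto == "udp" and p.sport == 67 and p.dport == 68:
        return "ACCEPT"                             # DHCP replies to the guest
    verdict = pvefw_Reject(p)
    if verdict is not None:
        return verdict
    nflog.append(f":101:6:tap101i0-IN: policy REJECT: {p.proto} {p.src}->{p.dst}")
    return pvefw_reject(p)                          # -g PVEFW-reject


def forward(p, ct):
    """FORWARD -> PVEFW-FORWARD -> PVEFW-FWBR-IN for one packet entering via fwln+."""
    if ct.state(p) in ("RELATED", "ESTABLISHED"):
        return "ACCEPT"            # the rule that let the in-flight ping through
    verdict = None
    if p.physdev_in.startswith("fwln"):             # PVEFW-FWBR-IN
        if p.src.startswith("224."):
            verdict = "DROP"                        # PVEFW-smurfs -> smurflog
        elif p.physdev_out == "tap101i0":
            verdict = tap101i0_in(p)
    if verdict is None:
        verdict = "ACCEPT"         # chain policy: FORWARD ACCEPT
    if verdict == "ACCEPT":
        ct.note(p)                 # accepted traffic becomes a conntrack flow
    return verdict


def replay_thread():
    """Sequence from the thread. Returns verdicts for the in-flight ping, a
    fresh ping once its flow entry is gone, and a new TCP SYN to port 22."""
    nflog.clear()
    ct = Conntrack()
    ping = Packet("icmp", "192.168.1.50", "192.168.1.101", "fwln101i0", "tap101i0", icmp_type=8)
    ct.note(ping)                  # ping was running before the rules were tightened
    in_flight = forward(ping, ct)
    ct.flush()                     # stop the ping; on a real host the entry ages out
    fresh = forward(ping, ct)
    syn = Packet("tcp", "192.168.1.50", "192.168.1.101", "fwln101i0", "tap101i0", 50000, 22)
    return in_flight, fresh, forward(syn, ct)


if __name__ == "__main__":
    print(replay_thread())         # ('ACCEPT', 'DROP', 'REJECT tcp-reset')
    print("\n".join(nflog))
```

The flush() call stands in for the 30 s wait: the Linux default for net.netfilter.nf_conntrack_icmp_timeout is 30 seconds, so an ICMP flow that stops being refreshed disappears from the table and the next echo request is NEW again. On the host you can confirm this with conntrack-tools: `conntrack -L` lists the live flows and `conntrack -F` flushes them, which is the quickest way to verify that a newly compiled ruleset is actually enforced rather than testing against a flow that predates it.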
 
