proxmox personal firewall on PVE host and port 80-443

elkondor

I have a problem creating iptables rules to forward ports to some VMs. Situation:

route -> DMZ on Proxmox host -> iptables drops input (and opens only the ports needed) and forwards some ports to the VMs.

I have no problem forwarding any type of port, but 80 and 443 (used by Proxmox) are the problem: if I forward them, the rule does not work.

Is it possible to change the default ports of the Proxmox GUI (80 and 443)?
How does the Proxmox 80-443 redirect work? Is it Proxmox that blocks port 80?

To access the web GUI I can use SSH tunneling on the PVE host.

My firewall sample (some rules are cut):

#!/bin/sh
#
#
#ssh -L 12345:remotesite.com:80 utente@serversshremoto.com
#ssh -L 443:10.2.2.100:443 10.2.2.100 access for web GUI

# Real IP of eth0/vmbr0
IP_REALE=192.168.1.200 # real machine

IP_VMSMARTINO=192.168.1.201
IP_VMLAMP=10.2.2.202



echo "Start Firewall locale..."

# TUNING KERNEL
# echo 1 > /proc/sys/net/ipv4/ip_forward
# echo 8192 > /proc/sys/net/nf_conntrack_max #16384

# FLUSH TABLES
iptables -F
iptables -F -t nat
iptables -F -t mangle
iptables -X

# TABLE POLICIES
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT


# NAT for virtual machines on vmbr1
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -t nat -A POSTROUTING -o vmbr0 -j MASQUERADE

# rules for the real host
iptables -A INPUT -p all -m state --state established,related -j ACCEPT
iptables -A INPUT -p icmp -j ACCEPT
#iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -p udp --dport 53 -j ACCEPT
iptables -A INPUT -p tcp --dport 5022 -j ACCEPT
iptables -A INPUT -p tcp --dport 83 -j ACCEPT #redirect SSH administration
iptables -A INPUT -p tcp --dport 5900 -j ACCEPT #local redirect, SSH administration


#service input
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 81 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j ACCEPT #local redirect, SSH administration and web server
iptables -A INPUT -p tcp --dport 11022 -j ACCEPT
iptables -A INPUT -p tcp --dport 12022 -j ACCEPT
iptables -A INPUT -p tcp --dport 21022 -j ACCEPT
iptables -A INPUT -p tcp --dport 22022 -j ACCEPT
iptables -A INPUT -p tcp --dport 23022 -j ACCEPT
iptables -A INPUT -p udp --dport 23194 -j ACCEPT
iptables -A INPUT -p tcp --dport 23194 -j ACCEPT

## SMARTINO

#201
# Forward zimbra
iptables -t nat -A PREROUTING --dst $IP_REALE -p tcp --dport 11022 -j DNAT --to-destination $IP_VMSMARTINO:22
iptables -t nat -A PREROUTING --dst $IP_REALE -p tcp --dport 81 -j DNAT --to-destination $IP_VMSMARTINO:80
iptables -t nat -A PREROUTING --dst $IP_REALE -p tcp --dport 7071 -j DNAT --to-destination $IP_VMSMARTINO:7071
# OpenVPN smartino-agricoop sites
iptables -t nat -A PREROUTING --dst $IP_REALE -p udp --dport 11194 -j DNAT --to-destination $IP_VMSMARTINO:1194


## ASSO


#202
# Forward vmlamp virtualhost
iptables -t nat -A PREROUTING --dst $IP_REALE -p tcp --dport 8080 -j DNAT --to-destination $IP_VMLAMP:80
#iptables -t nat -A PREROUTING --dst $IP_REALE -p tcp --dport 80 -j DNAT --to-destination $IP_VMLAMP:80 # -> does not work
#iptables -t nat -A PREROUTING --dst $IP_REALE -p tcp --dport 443 -j DNAT --to-destination $IP_VMLAMP:443 # -> does not work
iptables -t nat -A PREROUTING --dst $IP_REALE -p tcp --dport 22022 -j DNAT --to-destination $IP_VMLAMP:22

help please :(
 
Is it possible to change the default ports of the Proxmox GUI (80 and 443)?
How does the Proxmox 80-443 redirect work? Is it Proxmox that blocks port 80?

The Apache config is in:

/etc/apache2/sites-enabled/pve.conf
/etc/apache2/ports.conf

Port 80 is not really needed, so you can change that.

I never tested changing port 443 - I am not sure that you can do that.
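
An added example, not part of either post: a small audit that lists PREROUTING DNAT rules whose public port is also an Apache `Listen` port on the host. A DNAT in PREROUTING rewrites the destination before the routing decision, so outside traffic to that address and port no longer reaches the host's own Apache once the rule is active. The sample rules and `Listen` lines are constructed, and the function names are hypothetical.

```python
import re

# Constructed sample in the style of the script above, with the 80/443 forwards enabled.
SAMPLE_RULES = """\
IP_REALE=192.168.1.200
IP_VMLAMP=10.2.2.202
iptables -t nat -A PREROUTING --dst $IP_REALE -p tcp --dport 8080 -j DNAT --to-destination $IP_VMLAMP:80
iptables -t nat -A PREROUTING --dst $IP_REALE -p tcp --dport 80 -j DNAT --to-destination $IP_VMLAMP:80
iptables -t nat -A PREROUTING --dst $IP_REALE -p tcp --dport 443 -j DNAT --to-destination $IP_VMLAMP:443
#iptables -t nat -A PREROUTING --dst $IP_REALE -p tcp --dport 81 -j DNAT --to-destination $IP_VMLAMP:80
"""
# Constructed sample of Listen directives as found in an Apache ports.conf.
SAMPLE_PORTS_CONF = "# constructed example\nListen 80\nListen 443\n"

DNAT_RE = re.compile(
    r"-p\s+(tcp|udp)\b.*?--dport\s+(\d+)\b.*?-j\s+DNAT\s+--to-destination\s+(\S+)")

def expand_vars(text):
    """Substitute simple NAME=value shell assignments into $NAME references."""
    env = dict(re.findall(r"^([A-Za-z_]\w*)=(\S+)", text, re.M))
    return re.sub(r"\$\{?(\w+)\}?", lambda m: env.get(m.group(1), m.group(0)), text)

def dnat_rules(script):
    """Return [(proto, public_port, target)] for active PREROUTING DNAT rules."""
    rules = []
    for line in expand_vars(script).splitlines():
        line = line.strip()
        if line.startswith("#") or "PREROUTING" not in line:
            continue  # skip commented-out rules and other chains
        m = DNAT_RE.search(line)
        if m:
            rules.append((m.group(1), int(m.group(2)), m.group(3)))
    return rules

def listen_ports(conf):
    """Return the ports named by Listen directives (bare port or address:port)."""
    found = (re.match(r"\s*Listen\s+(?:\S*:)?(\d+)\b", l, re.I) for l in conf.splitlines())
    return {int(m.group(1)) for m in found if m}

def shadowed_listeners(script, conf):
    """DNAT rules that divert a TCP port the host's Apache also listens on."""
    local = listen_ports(conf)
    return [r for r in dnat_rules(script) if r[0] == "tcp" and r[1] in local]

if __name__ == "__main__":
    for proto, port, target in shadowed_listeners(SAMPLE_RULES, SAMPLE_PORTS_CONF):
        print(f"{proto}/{port} is forwarded to {target} and is also an Apache Listen port")
```

Run it against the real firewall script and `/etc/apache2/ports.conf` by reading both files and passing their contents to `shadowed_listeners`.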
 
