Proxmox 2: iptables on the host is not filtering guests anymore?

RRJ

Member
Apr 14, 2010
Estonia, Tallinn
Hey,

In 1.x I had iptables rules on the host machine to filter incoming and outgoing connections to my containers and KVM guests via the FORWARD table. But after the 2.x upgrade this scheme is not working anymore. Even if I just add a default action of DROP in the FORWARD table, it still allows the connections.

How can I filter all the connections from the host now? Do I really have to set up iptables on every single guest OS?
 
Thank you dietmar,
You've made my day :).
Why did you guys decide to turn it off by default?
What were the default settings for those settings in 1.9? Just to be sure everything is working as expected.
And is there a manual so I could read about all the changes in 2.0? :)
 
FWIW:

In ProxmoxVE v1.9 there is no /etc/sysctl.d/pve.conf file

There is only a /etc/sysctl.d/vzctl.conf file that has the following:

Code:
# On Hardware Node we generally need
# packet forwarding enabled and proxy arp disabled

net.ipv4.ip_forward = 1
net.ipv4.conf.default.forwarding=1
net.ipv4.conf.default.proxy_arp = 0

# Enables source route verification
net.ipv4.conf.all.rp_filter = 1

# Enables the magic-sysrq key
kernel.sysrq = 1

# TCP Explicit Congestion Notification
#net.ipv4.tcp_ecn = 0

# we do not want all our interfaces to send redirects
net.ipv4.conf.default.send_redirects = 1
net.ipv4.conf.all.send_redirects = 0
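When comparing a 1.9 host against a 2.0 host it helps to read the effective values out of the sysctl.d files mechanically instead of eyeballing them, because the same key can appear twice (the later line wins, which is also how sysctl(8) applies a file) and the spacing around "=" varies, as it does in the file quoted above. The helper below is an added example, not code from the thread or from Proxmox; the sample file is a constructed copy of the quoted vzctl.conf, and the expectations passed to the audit function are assumptions about what a host that firewalls its guests would want, not values taken from any Proxmox package.

```sh
#!/bin/sh
# Added example (not from the thread): read effective values out of a
# sysctl.d-style file and compare them with what you expect, e.g. before
# and after an upgrade.

# Constructed copy of the 1.9 vzctl.conf quoted in the thread, written to
# a temp file so the helpers can be exercised offline.
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
# On Hardware Node we generally need
# packet forwarding enabled and proxy arp disabled
net.ipv4.ip_forward = 1
net.ipv4.conf.default.forwarding=1
net.ipv4.conf.default.proxy_arp = 0
net.ipv4.conf.all.rp_filter = 1
kernel.sysrq = 1
#net.ipv4.tcp_ecn = 0
net.ipv4.conf.default.send_redirects = 1
net.ipv4.conf.all.send_redirects = 0
EOF

# sysctl_file_get FILE KEY
# Prints the value KEY is set to in FILE (empty if unset or only commented
# out). Accepts "key = value" and "key=value"; a later definition overrides
# an earlier one, which matches how sysctl(8) applies a file.
sysctl_file_get() {
    sed -e 's/#.*//' "$1" | awk -F'=' -v key="$2" '
        {
            gsub(/^[ \t]+|[ \t]+$/, "", $1)
            gsub(/^[ \t]+|[ \t]+$/, "", $2)
            if ($1 == key) val = $2
        }
        END { print val }'
}

# sysctl_file_audit FILE key=value [key=value ...]
# Reports each expectation and returns the number of mismatches
# (0 means every listed key has the expected value).
sysctl_file_audit() {
    file=$1
    shift
    bad=0
    for pair in "$@"; do
        key=${pair%%=*}
        want=${pair#*=}
        have=$(sysctl_file_get "$file" "$key")
        if [ "$have" = "$want" ]; then
            echo "ok        $key = $have"
        else
            echo "MISMATCH  $key: file has '${have:-<unset>}', expected '$want'"
            bad=$((bad + 1))
        fi
    done
    return $bad
}

# Usage (assumed expectations): the third key is deliberately one where the
# sample file's value contradicts the comment above it in the quoted config.
sysctl_file_audit "$SAMPLE_CONF" \
    net.ipv4.ip_forward=1 \
    net.ipv4.conf.all.send_redirects=0 \
    net.ipv4.conf.default.send_redirects=0 \
    || echo "$? setting(s) differ from expectation"
```

Run against a real host you would point it at /etc/sysctl.d/vzctl.conf (or, on 2.x, the pve.conf the thread mentions) and at the live values from `sysctl -a`, since a file only tells you what will be applied at boot, not what the running kernel currently has. On the quoted 1.9 file the audit flags net.ipv4.conf.default.send_redirects, which is set to 1 right under a comment saying redirects are not wanted.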
 
Could you tell me more about this risk? Why, and what kind of risk?
 
