proxmox personal firewall on PVE host and port 80-443

elkondor (Renowned Member, Jan 20, 2010, Italy, www.opensupport.it)
I have a problem creating iptables rules to forward ports to some VMs. Situation:

router -> DMZ on Proxmox host -> iptables drops INPUT (and opens only the needed ports) and forwards some ports to the VMs.

I have no problem forwarding any kind of port, but 80 and 443 (used by Proxmox) are the problem: if I forward them, the rule does not work.

Is it possible to change the default ports of the Proxmox GUI, 80 and 443?
How does the Proxmox 80-443 redirect work? Does Proxmox then block port 80?

To access the web GUI I can use SSH tunneling on the PVE host.

My firewall sample (some rules are cut):

#!/bin/sh
#
#
#ssh -L 12345:remotesite.com:80 utente@serversshremoto.com
#ssh -L 443:10.2.2.100:443 10.2.2.100   # access for the web GUI

# real IP of eth0/vmbr0
IP_REALE=192.168.1.200   # real machine

IP_VMSMARTINO=192.168.1.201
IP_VMLAMP=10.2.2.202



echo "Start Firewall locale..."

# TUNING KERNEL
# echo 1 > /proc/sys/net/ipv4/ip_forward
# echo 8192 > /proc/sys/net/nf_conntrack_max #16384

# FLUSH TABLES
iptables -F
iptables -F -t nat
iptables -F -t mangle
iptables -X

# TABLE POLICIES
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT


# NAT for virtual machines on vmbr1
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -t nat -A POSTROUTING -o vmbr0 -j MASQUERADE

# rules for the real host
iptables -A INPUT -p all -m state --state established,related -j ACCEPT
iptables -A INPUT -p icmp -j ACCEPT
#iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -p udp --dport 53 -j ACCEPT
iptables -A INPUT -p tcp --dport 5022 -j ACCEPT
iptables -A INPUT -p tcp --dport 83 -j ACCEPT   # redirect for ssh administration
iptables -A INPUT -p tcp --dport 5900 -j ACCEPT   # local redirect for ssh administration


# input services
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 81 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j ACCEPT   # local redirect for ssh administration and webserver
iptables -A INPUT -p tcp --dport 11022 -j ACCEPT
iptables -A INPUT -p tcp --dport 12022 -j ACCEPT
iptables -A INPUT -p tcp --dport 21022 -j ACCEPT
iptables -A INPUT -p tcp --dport 22022 -j ACCEPT
iptables -A INPUT -p tcp --dport 23022 -j ACCEPT
iptables -A INPUT -p udp --dport 23194 -j ACCEPT
iptables -A INPUT -p tcp --dport 23194 -j ACCEPT

## SMARTINO

#201
# Forward zimbra
iptables -t nat -A PREROUTING --dst $IP_REALE -p tcp --dport 11022 -j DNAT --to-destination $IP_VMSMARTINO:22
iptables -t nat -A PREROUTING --dst $IP_REALE -p tcp --dport 81 -j DNAT --to-destination $IP_VMSMARTINO:80
iptables -t nat -A PREROUTING --dst $IP_REALE -p tcp --dport 7071 -j DNAT --to-destination $IP_VMSMARTINO:7071
# OpenVPN smartino-agricoop sites
iptables -t nat -A PREROUTING --dst $IP_REALE -p udp --dport 11194 -j DNAT --to-destination $IP_VMSMARTINO:1194


## ASSO


#202
# Forward vmlamp virtualhost
iptables -t nat -A PREROUTING --dst $IP_REALE -p tcp --dport 8080 -j DNAT --to-destination $IP_VMLAMP:80
# the following two rules do not work:
#iptables -t nat -A PREROUTING --dst $IP_REALE -p tcp --dport 80 -j DNAT --to-destination $IP_VMLAMP:80
#iptables -t nat -A PREROUTING --dst $IP_REALE -p tcp --dport 443 -j DNAT --to-destination $IP_VMLAMP:443
iptables -t nat -A PREROUTING --dst $IP_REALE -p tcp --dport 22022 -j DNAT --to-destination $IP_VMLAMP:22

help please :(
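The point that trips people up in a setup like the one above is ordering: a PREROUTING DNAT for tcp/443 rewrites the packet before the host ever sees it in INPUT, so once 80 and 443 are DNATed to a VM the INPUT accepts for those ports no longer expose the host's Apache to the outside (and, if FORWARD is ever set to DROP, every DNAT target also needs a FORWARD accept). The following checker is an added example, not code from the thread: it reads iptables-save style lines and reports both conditions. The sample ruleset is constructed from the poster's DNAT lines with a hypothetical DROP policy on FORWARD; the addresses are the ones in the script, not captured from a real host.

```python
import re

# Constructed sample in iptables-save syntax: the poster's DNAT lines plus a
# hypothetical hardened filter table (INPUT/FORWARD policy DROP). Not a real dump.
SAMPLE_RULES = """\
*nat
-A PREROUTING -d 192.168.1.200/32 -p tcp -m tcp --dport 81 -j DNAT --to-destination 192.168.1.201:80
-A PREROUTING -d 192.168.1.200/32 -p tcp -m tcp --dport 80 -j DNAT --to-destination 10.2.2.202:80
-A PREROUTING -d 192.168.1.200/32 -p tcp -m tcp --dport 443 -j DNAT --to-destination 10.2.2.202:443
-A POSTROUTING -o vmbr0 -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 5022 -j ACCEPT
-A FORWARD -d 192.168.1.201/32 -p tcp -m tcp --dport 80 -j ACCEPT
COMMIT
"""

DNAT_RE = re.compile(r"-A PREROUTING .*--dport (\d+) -j DNAT --to-destination ([\d.]+):(\d+)")
INPUT_RE = re.compile(r"-A INPUT .*--dport (\d+) -j ACCEPT")
FORWARD_RE = re.compile(r"-A FORWARD -d ([\d.]+)/32 .*--dport (\d+) -j ACCEPT")
POLICY_RE = re.compile(r":FORWARD (\w+)")


def audit(rules):
    """Return two findings for an iptables-save style ruleset:
    shadowed    - host ports opened in INPUT that a PREROUTING DNAT rewrites first,
                  so external clients never reach the host service (e.g. the PVE GUI)
    unforwarded - DNAT targets a DROP-policy FORWARD chain would still discard
    """
    dnat, inputs, forwards, fwd_policy = [], set(), set(), "ACCEPT"
    for line in rules.splitlines():
        if m := DNAT_RE.match(line):
            dnat.append((int(m.group(1)), m.group(2), int(m.group(3))))
        elif m := INPUT_RE.match(line):
            inputs.add(int(m.group(1)))
        elif m := FORWARD_RE.match(line):
            forwards.add((m.group(1), int(m.group(2))))
        elif m := POLICY_RE.match(line):
            fwd_policy = m.group(1)
    shadowed = sorted(port for port, _, _ in dnat if port in inputs)
    unforwarded = []
    if fwd_policy != "ACCEPT":  # with policy ACCEPT nothing is dropped in FORWARD
        unforwarded = [f"{ip}:{dport}" for _, ip, dport in dnat if (ip, dport) not in forwards]
    return {"shadowed": shadowed, "unforwarded": unforwarded}


if __name__ == "__main__":
    for kind, items in audit(SAMPLE_RULES).items():
        print(kind, items)
```

Feed it the real output of `iptables-save` on the host to check the live ruleset instead of the constructed sample.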

Is it possible to change the default ports of the Proxmox GUI, 80 and 443?
How does the Proxmox 80-443 redirect work? Does Proxmox then block port 80?

The apache config is in

/etc/apache2/sites-enabled/pve.conf
/etc/apache2/ports.conf

Port 80 is not really needed, so you can change that.

I never tested changing port 443 - I am not sure that you can do that.