Hello!
I'm using a NAT network configuration for my VMs (Proxmox 5.1), and
Code:
post-up iptables -t raw -I PREROUTING -i fwbr+ -j CT --zone 1
allows me to use both NAT and the PVE firewall for controlling incoming connections on all 3 levels (cluster, node, VM).
However, when I add a PVE firewall rule on the cluster or node level for "OUT", e.g. "block all outgoing connections to a specific IP", the firewall rule does not take effect.
Firewall rules blocking outgoing traffic by IP are respected only on the VM level, defined in PVE.
Any ideas how to get PVE firewall rules working on the cluster and node level for NAT VMs for incoming connections?
Code:
auto lo
iface lo inet loopback

allow-hotplug eth0
iface eth0 inet static
    address 192.168.50.1
    netmask 255.255.255.0
    gateway 192.168.50.1

auto vmbr0
iface vmbr0 inet static
    address 10.40.40.1
    netmask 255.255.255.0
    bridge_ports none
    bridge_stp off
    bridge_fd 0
    # 1. Enable forwarding
    post-up echo 1 > /proc/sys/net/ipv4/ip_forward
    # 2a. Allow VMs to reach the outside world using NAT addresses
    post-up iptables -t nat -A POSTROUTING -s '10.40.40.1/24' -o eth0 -j MASQUERADE
    post-down iptables -t nat -D POSTROUTING -s '10.40.40.1/24' -o eth0 -j MASQUERADE
    # 2b. Allow NAT to work with the built-in firewall
    post-up iptables -t raw -I PREROUTING -i fwbr+ -j CT --zone 1
    post-down iptables -t raw -D PREROUTING -i fwbr+ -j CT --zone 1
Thanks in advance for any help!
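The stanza in the post depends on three things staying consistent: every iptables rule added in a post-up hook has a matching post-down that removes it (otherwise rules pile up across ifdown/ifup cycles), the MASQUERADE source network matches the bridge's own subnet, and the raw-table CT --zone rule for fwbr+ is present so NAT and the PVE firewall can coexist. The following linter is an added example written for this thread; it is not code from the original poster or from Proxmox. INTERFACES_SAMPLE is a constructed copy of the poster's /etc/network/interfaces, and the function and key names are my own.

```python
"""Sanity checks for a NAT bridge stanza in /etc/network/interfaces.

Added example for this thread, not code from the poster or Proxmox.
INTERFACES_SAMPLE is a constructed copy of the poster's stanza.
"""
import ipaddress
import shlex

INTERFACES_SAMPLE = """\
allow-hotplug eth0
iface eth0 inet static
    address 192.168.50.1
    netmask 255.255.255.0
    gateway 192.168.50.1

auto vmbr0
iface vmbr0 inet static
    address 10.40.40.1
    netmask 255.255.255.0
    bridge_ports none
    bridge_stp off
    bridge_fd 0
    post-up echo 1 > /proc/sys/net/ipv4/ip_forward
    post-up iptables -t nat -A POSTROUTING -s '10.40.40.1/24' -o eth0 -j MASQUERADE
    post-down iptables -t nat -D POSTROUTING -s '10.40.40.1/24' -o eth0 -j MASQUERADE
    post-up iptables -t raw -I PREROUTING -i fwbr+ -j CT --zone 1
    post-down iptables -t raw -D PREROUTING -i fwbr+ -j CT --zone 1
"""


def parse_interfaces(text):
    """Return {iface: {"options": {...}, "post-up": [...], "post-down": [...]}}."""
    ifaces, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, rest = line.partition(" ")
        rest = rest.strip()
        if key == "iface":
            current = ifaces.setdefault(
                rest.split()[0], {"options": {}, "post-up": [], "post-down": []})
        elif key in ("auto", "allow-hotplug"):
            current = None          # these lines do not open a stanza
        elif current is not None:
            if key in ("post-up", "post-down"):
                current[key].append(rest)
            else:
                current["options"][key] = rest
    return ifaces


def _iptables_key(cmd):
    """Normalise an iptables call to (table, chain, rule args) so -A/-I/-D compare equal."""
    argv = shlex.split(cmd)         # shlex strips the quotes around '10.40.40.1/24'
    if not argv or argv[0] != "iptables":
        return None
    table, chain, rule, i = "filter", None, [], 1
    while i < len(argv):
        a = argv[i]
        if a == "-t":
            table, i = argv[i + 1], i + 2
        elif a in ("-A", "-I", "-D"):
            chain, i = argv[i + 1], i + 2
            if a == "-I" and i < len(argv) and argv[i].isdigit():
                i += 1              # skip an explicit rule position after -I
        else:
            rule.append(a)
            i += 1
    return (table, chain, tuple(rule))


def check_hook_symmetry(iface):
    """Rules added in post-up without a matching post-down, and vice versa."""
    ups = {k for k in map(_iptables_key, iface["post-up"]) if k}
    downs = {k for k in map(_iptables_key, iface["post-down"]) if k}
    return sorted(ups - downs), sorted(downs - ups)


def check_masquerade_source(iface):
    """(ok, detail): the MASQUERADE -s network must equal the bridge's own subnet."""
    opts = iface["options"]
    bridge_net = ipaddress.ip_network(f"{opts['address']}/{opts['netmask']}", strict=False)
    for cmd in iface["post-up"]:
        key = _iptables_key(cmd)
        if key and key[0] == "nat" and "MASQUERADE" in key[2]:
            args = list(key[2])
            src = ipaddress.ip_network(args[args.index("-s") + 1], strict=False)
            return src == bridge_net, f"-s {src} vs bridge {bridge_net}"
    return False, "no MASQUERADE rule in post-up"


def has_ct_zone_rule(iface):
    """True if a raw PREROUTING rule puts fwbr+ traffic into a conntrack zone."""
    for cmd in iface["post-up"]:
        key = _iptables_key(cmd)
        if key and key[:2] == ("raw", "PREROUTING") and "CT" in key[2] and "fwbr+" in key[2]:
            return True
    return False


def lint(text, bridge="vmbr0"):
    """Run all checks on one bridge stanza and return the findings as a dict."""
    iface = parse_interfaces(text)[bridge]
    missing_down, orphan_down = check_hook_symmetry(iface)
    ok_src, detail = check_masquerade_source(iface)
    return {"missing_post_down": missing_down, "orphan_post_down": orphan_down,
            "masquerade_matches_bridge": ok_src, "masquerade_detail": detail,
            "ct_zone_rule": has_ct_zone_rule(iface)}


if __name__ == "__main__":
    for name, value in lint(INTERFACES_SAMPLE).items():
        print(f"{name}: {value}")
```

Run it against the real file with `lint(open("/etc/network/interfaces").read())`; a non-empty `missing_post_down` list is the usual cause of duplicate NAT or CT rules accumulating after interface restarts, which is worth ruling out before looking at the PVE firewall itself.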