activation firewall guest VM (no internet)

podarok87

Jun 27, 2016
Hi
Code:
root@pve:~# pve-firewall status

Status: enabled/running

When I enable the firewall on the VM (Hardware -> Network Device -> Firewall checkbox), the Internet disappears in the VM.
Even ping does not pass.

network Settings
Code:
auto lo
iface lo inet loopback

iface eth0 inet manual

auto vmbr0
iface vmbr0 inet static
        address  111.222.333.444
        netmask  255.255.255.192
        gateway  111.222.333.44
        bridge_ports eth0
        bridge_stp off
        bridge_fd 0

auto vmbr2
iface vmbr2 inet static
    address 10.1.1.1
    netmask 255.255.255.0
    bridge_ports none
    bridge_stp off
    bridge_fd 0
    post-up echo 1 > /proc/sys/net/ipv4/ip_forward
    post-up iptables -t nat -A POSTROUTING -s '10.1.1.0/24' -o vmbr0 -j MASQUERADE
    post-down iptables -t nat -D POSTROUTING -s '10.1.1.0/24' -o vmbr0 -j MASQUERADE

firewall VM
Code:
root@pve:~# cat /etc/pve/firewall/102.fw
[OPTIONS]

log_level_in: info
enable: 1
radv: 0
log_level_out: info
ipfilter: 0
dhcp: 0
policy_in: ACCEPT

[RULES]

OUT Ping(ACCEPT)
IN Ping(ACCEPT)
Tell me, what could be the problem?
Best regards
 
At first glance it looks correct. What is your INPUT/OUTPUT policy for your datacenter? It is on the same tab as the firewall-enabled option. Besides, you accepted ping, so at least ping should work.

When such strange problems occurred to me, I inspected the iptables rules themselves to find clues. Normally you have rules for each VM, so it is easier to find the corresponding rule sets.
 
INPUT/OUTPUT datacenter
Code:
root@pve:/var/lib/vz/dump# cat /etc/pve/firewall/cluster.fw
[OPTIONS]

enable: 1
policy_in: DROP

[RULES]

OUT Ping(ACCEPT)
IN Ping(ACCEPT)
IN ACCEPT -i vmbr0 -source 222.222.222.222 -p tcp -dport 8006
IN ACCEPT -i vmbr0 -source all_inet -p tcp -dport 8006
IN SSH(ACCEPT) -i vmbr0 -source all_inet

IPTABLES
Code:
Chain tap102i0-IN (1 references)
pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 8
37406 4589K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0            all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* PVESIG:GLMbN5fvodfgdfgdfd4R6bX9zs */

Chain tap102i0-OUT (1 references)
pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            MAC ! 32:63:62:34:38:37
6082  447K MARK       all  --  *      *       0.0.0.0/0            0.0.0.0/0            MARK and 0x7fffffff
   33  1980 PVEFW-SET-ACCEPT-MARK  icmp --  *      *       0.0.0.0/0            0.0.0.0/0           [goto]  icmptype 8
6049  445K PVEFW-SET-ACCEPT-MARK  all  --  *      *       0.0.0.0/0            0.0.0.0/0           [goto]
    0     0            all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* PVESIG:+i0PJFAfgdfgddfbsDK/R6Yn4qZ4 */
 
That also looks OK for ICMP. You use masquerading, so is this VM in your masquerading subnet? Maybe you have to create an explicit rule in FORWARD yourself to enable the traffic there.

I had a similar problem with masquerading this week, so this could be the thing that is strange indeed. The next thing would be to look directly at the traffic with

Code:
tcpdump -ni tap102i0

After that, look at the bridge device that tap102i0 is part of.
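A small diagnostic helper in the spirit of the advice above (an added example, not code from the thread or from Proxmox): it reads `iptables -nvL` output and prints, for one VM's tapNNNiN-IN/OUT chains, every rule whose packet counter is non-zero, so you can see which rule is actually handling the VM's traffic instead of guessing. The chain naming follows pve-firewall; the snapshot in SAMPLE is constructed in the layout shown above, not live output.

```shell
# vm_rule_hits: list every rule with a non-zero packet counter in the
# pve-firewall chains of one VM. Reads `iptables -nvL` output on stdin.
# Usage on a host: iptables -nvL | vm_rule_hits 102
vm_rule_hits() {
    awk -v vmid="$1" '
        # chain header: remember the name and whether it belongs to this VM
        /^Chain / {
            chain = $2
            active = (chain ~ ("^tap" vmid "i[0-9]+-(IN|OUT)$"))
            next
        }
        # the column header and blank lines carry no rule
        /^ *pkts +bytes/ || /^ *$/ { next }
        active && ($1 + 0) > 0 {
            # a rule may have no target (the PVESIG comment rule); then
            # column 3 already holds the protocol and the extras start earlier
            target = $3; start = 10
            if (target ~ /^(all|tcp|udp|icmp|icmpv6)$/) { target = "(none)"; start = 9 }
            extra = ""
            for (i = start; i <= NF; i++) extra = extra " " $i
            printf "%s %s pkts=%s%s\n", chain, target, $1, extra
        }
    '
}

# Constructed sample snapshot (assumed layout of `iptables -nvL`, not live data).
SAMPLE='Chain tap102i0-IN (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 8
37406 4589K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0            all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* PVESIG:example */

Chain tap102i0-OUT (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            MAC ! 32:63:62:34:38:37
 6082  447K MARK       all  --  *      *       0.0.0.0/0            0.0.0.0/0            MARK and 0x7fffffff
   33  1980 PVEFW-SET-ACCEPT-MARK  icmp --  *      *       0.0.0.0/0            0.0.0.0/0           [goto]  icmptype 8

Chain tap200i0-OUT (1 references)
 pkts bytes target     prot opt in     out     source               destination
   99  9999 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0
'

# Number of rules the given VM actually hit in the sample snapshot.
vm_hit_count() { printf '%s' "$SAMPLE" | vm_rule_hits "$1" | wc -l | tr -d ' '; }
```

A DROP rule with a climbing counter in the VM's OUT chain, or a chain where nothing counts at all, narrows the search before reaching for tcpdump.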
 