Add IP (from blacklist file) to Proxmox firewall ipset without the GUI

chris_lee

First of all I want to thank the Proxmox guys for this new and really important firewall feature. The interface is straightforward and does exactly what you expect. Especially the cluster-wide settings will save a lot of time. Good job!

I have a bunch of firewall scripts around fail2ban on VMs and dedicated servers that I would like to integrate in the cluster-wide firewall. Mainly I want to download a whole set of IP addresses from my honeypot (or other servers that reported attacks) and add it to a blacklist ipset to protect every VM within the Proxmox cluster. I found out that the manual management of ipset does not work:

Code:
ipset add PVEFW-0-blacklist 1.2.3.4

will add the IP to my blacklist, but it will disappear within some seconds.

Is there a possibility of using the API or a specific command to permanently add a delinquent to a cluster wide ipset (and that shows up in the GUI)?
Then I would be able to do my scripting and feed the cluster firewall with individual ip lists.

Thanks in advance

Chris
 
Thank you Dietmar for the hint.
The console access to the API works flawlessly. So I can add an IP address with:

Code:
pvesh create /cluster/firewall/ipset/blacklist -cidr 1.2.3.4

I was wondering if someone has an example script showing how to connect to the API via curl. I took a look at the documentation but could not manage to connect to the API.
This would be nice for the integration of external hosts without having console access to Proxmox. (I would therefore create a user that is only allowed to add IP addresses to the ipset.)

Thanks in advance

Chris
 
I was wondering if someone has an example script how to connect to the API via curl.

Do you really want to use curl? Just wonder, because it is so much simpler to write such things using perl.
 
I am not familiar with curl, therefore I am not married to it. PHP would be fine for me as well.
For administrative jobs on the Proxmox machines, I'll stick to perl or shell scripts. For the external machines (that reside in different data centers) I would prefer not to have to log into the Proxmox boxes via ssh.

Right now I run a separate server with a database to which all servers report abuse or attacks. From this database all my servers download the IP list. Using a cluster-wide Proxmox ipset would make this server and the additional download process obsolete, as the VMs could report to the cluster directly.

Chris
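Added example, not code from this thread or from Proxmox: a small shell script that does from an external host what the pvesh call above does on the node, logging into the REST API with curl and posting every entry of a downloaded blacklist file to the cluster ipset. The host, the dedicated account, its password, the CA file path and the ipset name are assumptions, and the JSON field names are the ones the /access/ticket call returns.

```shell
#!/bin/sh
# Added example (not from the thread or Proxmox). Assumed environment:
#   PVE_HOST   a cluster node, e.g. pve1.example.org (hypothetical)
#   PVE_USER   a dedicated API account used only for this feed, e.g. fw-feeder@pve
#   PVE_PASS   its password
#   PVE_CACERT local copy of the cluster CA (/etc/pve/pve-root-ca.pem on a node)
# Usage: sh add_blacklist.sh blacklist.txt
IPSET="${IPSET:-blacklist}"   # cluster ipset name as in the GUI (PVEFW-0-blacklist in ipset)
API="https://$PVE_HOST:8006/api2/json"

# Accept only plain IPv4 addresses or IPv4 CIDRs, so a malformed or hostile line
# in the downloaded list is skipped instead of being handed to the API.
valid_cidr() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$'
}
# Extract one string field from the small JSON documents the API returns.
json_field() {   # $1 = json, $2 = field name
    printf '%s\n' "$1" | sed -n "s/.*\"$2\":\"\([^\"]*\)\".*/\1/p"
}
# TLS is verified against the pinned cluster CA rather than disabled with -k.
pve_curl() { curl -sS --cacert "$PVE_CACERT" "$@"; }

# Log in: POST /access/ticket returns a ticket (sent back as cookie) and a CSRF token.
pve_login() {
    resp=$(pve_curl -d "username=$PVE_USER" --data-urlencode "password=$PVE_PASS" \
        "$API/access/ticket")
    TICKET=$(json_field "$resp" ticket)
    CSRF=$(json_field "$resp" CSRFPreventionToken)
    [ -n "$TICKET" ] && [ -n "$CSRF" ] || { echo "login failed" >&2; return 1; }
}

# Same call as "pvesh create /cluster/firewall/ipset/<name> -cidr <ip>" on the node.
pve_ipset_add() {
    pve_curl -b "PVEAuthCookie=$TICKET" -H "CSRFPreventionToken: $CSRF" \
        -d "cidr=$1" -d "comment=blacklist-feed" \
        "$API/cluster/firewall/ipset/$IPSET" >/dev/null
}

main() {
    pve_login || exit 1
    # Blacklist file: one IP or CIDR per line, '#' starts a comment.
    sed 's/#.*//' "$1" | while read -r cidr; do
        [ -n "$cidr" ] || continue
        if valid_cidr "$cidr"; then pve_ipset_add "$cidr"; else echo "skipped: $cidr" >&2; fi
    done
}

# Only run when a blacklist file is given, so the functions can also be sourced.
if [ $# -ge 1 ]; then main "$@"; fi
```

The account only needs the rights to change the cluster firewall; keep its password out of the script file itself and pass it through the environment or a protected file.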
 
