Audit/check my iptables rules?

hwcltjn
Mar 27, 2020
Hello!

I was hoping someone could check my iptables rules and advise on how good/bad they are?
Possibly offer some advice on improving them?

They seem to be working well so far.

My Proxmox host has 1 public IP address and a handful of VMs.
(I'm already using alternative ports, f2b, etc.)

Code:
# Set default policies: drop unsolicited input, allow everything out,
# and accept everything forwarded between the bridges by default
/sbin/iptables --policy INPUT DROP
/sbin/iptables --policy OUTPUT ACCEPT
/sbin/iptables --policy FORWARD ACCEPT

# Allow unlimited traffic on the loopback interface
/sbin/iptables -A INPUT -i lo -j ACCEPT

# Allow LAN (VM bridge) to talk to WAN
# (redundant while the FORWARD policy is ACCEPT: that policy already
# accepts every forwarded packet, in the WAN -> vmbr1 direction as well)
/sbin/iptables -A FORWARD -i vmbr1 -o vmbr0 -j ACCEPT

# Keep current connections alive (RELATED also admits ICMP errors
# belonging to those connections)
/sbin/iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

# Allow ping on host (ICMP type 8 = echo-request only)
/sbin/iptables -A INPUT -i vmbr0 -p icmp --icmp-type 8 -j ACCEPT
# Allow GUI access
/sbin/iptables -A INPUT -i vmbr0 -p tcp --dport 8006 -j ACCEPT
# Allow SSH
/sbin/iptables -A INPUT -i vmbr0 -p tcp --dport 22 -j ACCEPT

# Masquerade the VM subnet behind the public IP on the way out
# (the original wrote the host address 192.168.50.253/24; iptables
# normalizes that to the network address, so it is written as such here)
/sbin/iptables -t nat -A POSTROUTING -s 192.168.50.0/24 -o vmbr0 -j MASQUERADE

# Port forward rules for specific VMs (--to is short for --to-destination)
/sbin/iptables -t nat -A PREROUTING -i vmbr0 -p tcp --dport 35221 -j DNAT --to-destination 192.168.50.1:22
/sbin/iptables -t nat -A PREROUTING -i vmbr0 -p tcp --dport 80 -j DNAT --to-destination 192.168.50.2:80
/sbin/iptables -t nat -A PREROUTING -i vmbr0 -p tcp --dport 443 -j DNAT --to-destination 192.168.50.3:443

For full context, below is my /etc/network/interfaces :

Code:
auto lo
iface lo inet loopback

iface eno1 inet manual

auto vmbr0
iface vmbr0 inet static
    address <Public IP>/24
    gateway <Gateway>
    bridge-ports eno1
    bridge-stp off
    bridge-fd 0

auto vmbr1
iface vmbr1 inet static
    address 192.168.50.254/24
    bridge-ports none
    bridge-stp off
    bridge-fd 0
    post-up echo 1 > /proc/sys/net/ipv4/ip_forward

Thanks!
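A hardened version of the ruleset in the post above, added here as an example; it is not the poster's script and not the Proxmox firewall. It keeps the same topology and assumes the names from the post (vmbr0 as the public bridge, vmbr1 as the VM bridge on 192.168.50.0/24, the same three port forwards). The differences are the FORWARD policy set to DROP with an explicit rule that only lets DNATed connections into the VM bridge, an anti-spoofing source match on VM-to-WAN traffic, atomic loading through iptables-restore instead of appended -A commands, and a small lint_rules function (my addition) that sanity-checks the generated text without root:

```shell
#!/bin/sh
# Added example, not the poster's script: same topology (vmbr0 = public
# bridge, vmbr1 = VM bridge on 192.168.50.0/24, same three port forwards),
# but with FORWARD defaulting to DROP and loaded atomically via iptables-restore.
# Interface names and the subnet are assumed from the forum post.
set -eu

WAN_IF=vmbr0
LAN_IF=vmbr1
LAN_NET=192.168.50.0/24

# Emit the complete ruleset in iptables-restore format. Loading it replaces
# each table wholesale, so re-running the script never stacks duplicate rules
# the way a list of "iptables -A" commands does.
gen_rules() {
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# One DNAT per published service; nothing else on the VM subnet is reachable
-A PREROUTING -i ${WAN_IF} -p tcp --dport 35221 -j DNAT --to-destination 192.168.50.1:22
-A PREROUTING -i ${WAN_IF} -p tcp --dport 80 -j DNAT --to-destination 192.168.50.2:80
-A PREROUTING -i ${WAN_IF} -p tcp --dport 443 -j DNAT --to-destination 192.168.50.3:443
# Hide the VM subnet behind the single public address on the way out
-A POSTROUTING -s ${LAN_NET} -o ${WAN_IF} -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -i ${WAN_IF} -p icmp --icmp-type 8 -j ACCEPT
-A INPUT -i ${WAN_IF} -p tcp --dport 8006 -j ACCEPT
-A INPUT -i ${WAN_IF} -p tcp --dport 22 -j ACCEPT
# Replies in either direction
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# VMs may reach the WAN, but only with a source address from their own subnet
-A FORWARD -i ${LAN_IF} -o ${WAN_IF} -s ${LAN_NET} -j ACCEPT
# The WAN may reach a VM only when PREROUTING already DNATed the connection,
# i.e. only through the port forwards above; everything else hits the DROP policy
-A FORWARD -i ${WAN_IF} -o ${LAN_IF} -m conntrack --ctstate DNAT -j ACCEPT
COMMIT
EOF
}

# Offline sanity checks on the generated text (no root, no kernel needed).
lint_rules() {
    rules=$(gen_rules)
    lan_prefix=${LAN_NET%.*/*}                          # 192.168.50.0/24 -> 192.168.50
    lan_re=$(printf '%s' "$lan_prefix" | sed 's/\./\\./g')
    printf '%s\n' "$rules" | grep -q '^:FORWARD DROP' \
        || { echo "lint: FORWARD policy is not DROP" >&2; return 1; }
    printf '%s\n' "$rules" | grep -q -- "-o ${LAN_IF} -m conntrack --ctstate DNAT -j ACCEPT" \
        || { echo "lint: no DNAT-only allow rule into ${LAN_IF}" >&2; return 1; }
    # every DNAT target must live inside the VM subnet (prefix test is enough for a /24)
    bad=$(printf '%s\n' "$rules" \
          | sed -n 's/.*--to-destination \([0-9.]*\):.*/\1/p' \
          | grep -v "^${lan_re}\." || true)
    [ -z "$bad" ] || { echo "lint: DNAT target(s) outside ${LAN_NET}: $bad" >&2; return 1; }
    return 0
}

# Usage: sh rules.sh [print|apply]   ("apply" needs root and iptables-restore)
case "${1:-print}" in
    print) lint_rules && gen_rules ;;
    apply) lint_rules && gen_rules | iptables-restore ;;
    *)     echo "usage: $0 [print|apply]" >&2; exit 2 ;;
esac
```

After `apply`, `iptables -S FORWARD` should show policy DROP followed by exactly the three forward rules. As in the original post, the VMs themselves still cannot open new connections to the host (INPUT is DROP and there is no rule for vmbr1), which is worth keeping in mind if a VM needs DNS or the PVE GUI from inside.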

LnxBil
Feb 21, 2015
Have you configured everything by yourself? Why don't you use the PVE firewall?

If you have only one public IP, you can just remove your eno1 from the bridge and run in standalone mode, so you can get rid of your vmbr1.
To secure it even further, use GeoIP and/or knockd.
