Best practice for preventing access to proxmox management

rickendude

New Member
May 30, 2025
Hello.
I am new to proxmox, not new to Linux though.

I have a test proxmox server with 2 interfaces, one sits at the DMZ where some VMs will run exposed to the internet, another sits in the LAN.
I wish to:
1. block any traffic from the DMZ completely (that is, hosts will be exposed, but I don't want the proxmox management (ssh/web) to be exposed in the DMZ at all).
2. block any management traffic from the LAN except for a specific host.

I can do this manually of course or even hack a shell script to add iptables rules (I understand that there are some anti-lockout rules in place, so I guess I need to override them somehow?), but I wish to do it the "proper way" via the proxmox firewall interface.
Any guidance would be highly appreciated. Thanks!
"block any traffic from" and "hosts will be exposed" are kind of contradictory :)
1) should be quite simple, just enable the datacenter firewall (set default input policy to accept) and reject all the traffic on ssh and tcp with port 8006.
2) this is a bit tricky because we always allow access to the gui in the local network. You would have to only add a specific id to the ipset. Are you using iptables or the new nftables firewall? Never mind, you only have to create an ipset named "management" and then add the ips you wanna block or allow. I.e. in your case, you can create a "management" ipset, add your range e.g. 10.10.10.0/24 and tick the "nomatch" checkbox, then add the ip you want to allow without the "nomatch" check. Also enable the firewall after creating the ipset, otherwise you're gonna lock yourself out :)
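The ipset-plus-reject setup described in this reply, written out as the cluster-level config it corresponds to in `/etc/pve/firewall/cluster.fw`. This is an added example, not from the thread or the Proxmox docs; it assumes 10.10.10.0/24 is the LAN, 10.10.10.50 is the one permitted admin host, that a leading `!` marks an ipset entry as nomatch (as in the pve-firewall file format), and that the firewall's built-in accept rules for the "management" ipset are evaluated before user rules, so the admin host gets through while everyone else, LAN or DMZ, hits the rejects.

```ini
# /etc/pve/firewall/cluster.fw (added example; addresses are assumed)
[OPTIONS]
# Enable only after the [IPSET management] section below exists,
# otherwise the GUI/SSH session you are working from is locked out.
enable: 1
# Default input policy stays ACCEPT as suggested in the reply; the
# management ports are closed explicitly by the rules further down.
policy_in: ACCEPT

[IPSET management]
# Whole LAN as a nomatch entry: it no longer counts as "management"...
!10.10.10.0/24
# ...except this one host, which is a normal (matching) entry and
# therefore still reaches 22/8006 via the built-in management rules.
10.10.10.50

[RULES]
# Reject SSH and the web UI for every source that is not matched by
# the management ipset above. Applies on the DMZ and LAN interfaces
# alike, which covers both requirements from the original post.
IN REJECT -p tcp -dport 22
IN REJECT -p tcp -dport 8006
```

After editing the file, `pve-firewall compile` shows the generated ruleset and `pve-firewall status` confirms it is active before you close your current session.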
Thanks folks!
@ggoller - I meant block traffic to proxmox host from DMZ but allow bound VMs to use it :)
Rejecting specific ports is not what I normally do, I'd rather close all ports and open the very few I wish to open. I actually tried doing that, but it messed things up so badly that I had to flush iptables. I'll try what you recommended.

@aaron Thank you, I'll check it out.
I ended up binding ssh to the management interface and configured pveproxy to listen only on the management interface as well (and allow only a single ip in). I also disabled rpcbind services. Thanks for the tips.
TBH it would still be nice to easily be able to block all ports and only open what I need, but for now this is enough.