block an outgoing port on a vm

[tincboy]

I need to block an outgoing port of xxxx from one of my VMs (KVM one),
Any experience on this job?

 

[buttercup]

just set a rule in iptables would be my suggestion

 

[tincboy]

In proxmox 1.9, I simply add a drop rule in forward table and it was fine, But in Proxmox 2 no success with this trend.

 

[tincboy]

Any suggestion on why iptables rules are to working on VMs any more?

 

[dietmar]

Not sure, but maybe related to new settings in /etc/sysctl.d/pve.conf

 

[tincboy]

Not sure, but maybe related to new settings in /etc/sysctl.d/pve.conf

I guess you are right, look at the link below:
http://www.linuxplayer.org/2011/04/rhel6-disabled-iptables-on-bridge-interface-by-default
Right now I have no free server to test this settings but I will test in 1 or 2 days.

 

[tincboy]

I've test it on many servers and it seems the issue will be gone if you enable these options in /etc/sysctl.d/pve.conf

net.bridge.bridge-nf-call-iptables = 1
net.bridge.bridge-nf-call-arptables = 1

and then restart the service below:

sysctl -p
/etc/init.d/procps restart