I used to block private range 10.0.0.0 from the firewall and allowed the gateway and it worked but now after upgrading and enabling nftables I can ping VMs but they will not connect using any other port (SSH, HTTPS). Once I disable outbound rule blocking 10.0.0.0 I can connect to all the VMs in Proxmox.
Blocking LAN access for VMs does not work accept ping using nftables.
- Thread starter encryptedserver
- Start date
I could not get the new firewall to work, disabled it for now. Looks like IPv4 is somewhat working and IPv6 rules are not working at all for VMs.
Last edited:
Looks like I need
in my VM config.
ct state established,related acceptin my VM config.
Code:
chain guest-100-in {
jump allow-dhcp-in
jump allow-ndp-in
ether type arp accept
jump group-block-lan-in
jump after-vm-in
accept
}
It should be contained in the
Can you give me some more information?
What connection are you exactly testing? From where to where and which IPs/ports?
jump after-vm-in statement.Can you give me some more information?
Code:
cat /etc/pve/firewall/100.fw
nft 'list chain guest-100-in'
nft 'list chain guest-100-out'
nft 'list chain group-block-lan-in'
nft 'list chain group-block-lan-out'What connection are you exactly testing? From where to where and which IPs/ports?
Last edited:
Same rules worked fine with iptables. Now I cannot connect to any of the VMs using SSH. Pinging fd88::7 should be blocked from VMs but is allowing outbound connection while pinging 10.88.88.7 correctly blocks outgoing ping. I allowed IPv6 and IPv4 router gateway in the rules.
cat /etc/pve/firewall/100.fw
nft list ruleset
cat /etc/pve/firewall/100.fw
Code:
[OPTIONS]
policy_out: ACCEPT
log_level_out: nolog
enable: 1
radv: 1
macfilter: 0
policy_in: ACCEPT
ipfilter: 0
log_level_in: nolog
[RULES]
|GROUP vpn
GROUP block-lannft list ruleset
Code:
table bridge proxmox-firewall-guests {
map vm-map-in {
typeof oifname : verdict
elements = { "tap100i0" : goto guest-100-in }
}
map vm-map-out {
typeof iifname : verdict
elements = { "tap100i0" : goto guest-100-out }
}
chain allow-dhcp-in {
udp sport . udp dport { 547 . 546, 67 . 68 } accept
}
chain allow-dhcp-out {
udp sport . udp dport { 546 . 547, 68 . 67 } accept
}
chain block-dhcp-in {
udp sport . udp dport { 547 . 546, 67 . 68 } drop
}
chain block-dhcp-out {
udp sport . udp dport { 546 . 547, 68 . 67 } drop
}
chain allow-ndp-in {
icmpv6 type { nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert, nd-redirect } accept
}
chain block-ndp-in {
icmpv6 type { nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert, nd-redirect } drop
}
chain allow-ndp-out {
icmpv6 type { nd-router-solicit, nd-neighbor-solicit, nd-neighbor-advert } accept
}
chain block-ndp-out {
icmpv6 type { nd-router-solicit, nd-neighbor-solicit, nd-neighbor-advert } drop
}
chain allow-ra-out {
icmpv6 type { nd-router-advert, nd-redirect } accept
}
chain block-ra-out {
icmpv6 type { nd-router-advert, nd-redirect } drop
}
chain after-vm-in {
ct state established,related accept
ether type != arp ct state invalid drop
}
chain do-reject {
meta pkttype broadcast drop
ip saddr 224.0.0.0/4 drop
meta l4proto tcp reject with tcp reset
meta l4proto icmp reject with icmp port-unreachable
reject with icmp host-prohibited
}
chain vm-out {
type filter hook prerouting priority 0; policy accept;
iifname vmap @vm-map-out
}
chain vm-in {
type filter hook postrouting priority 0; policy accept;
oifname vmap @vm-map-in
}
chain group-block-lan-in {
}
chain group-block-lan-out {
ip6 daddr fd88::1 accept
ip daddr 10.88.88.1 accept
ip daddr 10.88.88.0/24 jump do-reject
ip6 daddr fc00::/7 jump do-reject
ip daddr 10.132.241.0/24 jump do-reject
}
chain group-vpn-in {
}
chain group-vpn-out {
ip daddr 10.88.88.1 accept
ip6 daddr fd88::1 accept
ip daddr 10.132.241.2 accept
ip6 daddr fc00::/7 jump do-reject
ip daddr 10.88.88.0/24 jump do-reject
ip daddr 10.132.241.0/24 jump do-reject
}
chain guest-100-in {
jump allow-dhcp-in
jump allow-ndp-in
ether type arp accept
jump group-block-lan-in
jump after-vm-in
accept
}
chain guest-100-out {
jump allow-dhcp-out
jump allow-ndp-out
jump allow-ra-out
jump group-block-lan-out
accept
}
}Any update on this, my rules are still not working! Pretty common rules
Allow fd88::1
Allow 10.88.88.1
Reject fd88::/64
Reject 10.88.88.0/24
It used to work in iptables but not in nftables. Pinging out from VM correctly blocks IPv4 ping but not IPv6 ping. Cannot connect to any VMs that has the firewall group assigned.
Hi, sorry for the late response I've been out of office for the last 2 weeks. I will be looking into this today!
I've been able to reproduce this issue locally and already sent a patch that fixes this issue [1]. As a workaround for now you can change the rule to DROP, which should work.
[1] https://lists.proxmox.com/pipermail/pve-devel/2024-May/063839.html
[1] https://lists.proxmox.com/pipermail/pve-devel/2024-May/063839.html
There is another problem, I cannot connect to VM via SSH after applying the above rules!
From my local LAN computer. Same rules
If I remove outgoing fd88::/64 and 10.88.88.0/24 I can connect to the VM.
Code:
chain group-deny-lan-access-in {
}
chain group-deny-lan-access-out {
ip6 daddr fd88::1 accept
ip daddr 10.88.88.1 accept
ip6 daddr fd88::/64 drop
ip daddr 10.88.88.0/24 drop
}
chain guest-100-in {
jump allow-dhcp-in
jump allow-ndp-in
ether type arp accept
jump group-deny-lan-access-in
jump after-vm-in
accept
}
chain guest-100-out {
jump allow-dhcp-out
jump allow-ndp-out
jump allow-ra-out
jump group-deny-lan-access-out
accept
}If I remove outgoing fd88::/64 and 10.88.88.0/24 I can connect to the VM.
fd88::/64, 10.88.88.0/24 is my home subnet, I allowed the gateway fd88::1, 10.88.88.1 and blocked the rest. It used to work with iptables.
If I connect to a VM (fd88::a97, 10.88.88.11) then no connection is possible.
should be addressed by the following patch: https://lists.proxmox.com/pipermail/pve-devel/2024-May/063868.html
I will test it once the update comes out.
Also, I filed a bug report for DHCPv6 setup for proxmox since something is recreating DUID on every boot.
https://forum.proxmox.com/threads/l...rating-new-ipv6-duid-for-every-reboot.129429/
Bug report https://bugzilla.proxmox.com/show_bug.cgi?id=5466
I can confirm both IPv6 and IPv4 rules are working and I can also connect to VM now.
Great job.
Great job.