Blocking LAN access for VMs does not work except ping using nftables.

Jul 10, 2021
I used to block the private range 10.0.0.0 from the firewall and allow the gateway, and it worked, but now, after upgrading and enabling nftables, I can ping VMs but they will not connect using any other port (SSH, HTTPS). Once I disable the outbound rule blocking 10.0.0.0, I can connect to all the VMs in Proxmox.
 
Looks like I need
ct state established,related accept
in my VM config.

Code:
        chain guest-100-in {
                jump allow-dhcp-in
                jump allow-ndp-in
                ether type arp accept
                jump group-block-lan-in
                jump after-vm-in
                accept
        }
 
It should be contained in the jump after-vm-in statement.

Can you give me some more information?

Code:
cat /etc/pve/firewall/100.fw
nft 'list chain guest-100-in'
nft 'list chain guest-100-out'
nft 'list chain group-block-lan-in'
nft 'list chain group-block-lan-out'

What connection are you exactly testing? From where to where and which IPs/ports?
 
The same rules worked fine with iptables. Now I cannot connect to any of the VMs using SSH. Pinging fd88::7 from the VMs should be blocked but the outbound connection is allowed, while pinging 10.88.88.7 correctly blocks the outgoing ping. I allowed the IPv6 and IPv4 router gateway in the rules.

cat /etc/pve/firewall/100.fw
Code:
[OPTIONS]

policy_out: ACCEPT
log_level_out: nolog
enable: 1
radv: 1
macfilter: 0
policy_in: ACCEPT
ipfilter: 0
log_level_in: nolog

[RULES]

|GROUP vpn
GROUP block-lan

nft list ruleset

Code:
table bridge proxmox-firewall-guests {
        map vm-map-in {
                typeof oifname : verdict
                elements = { "tap100i0" : goto guest-100-in }
        }

        map vm-map-out {
                typeof iifname : verdict
                elements = { "tap100i0" : goto guest-100-out }
        }

        chain allow-dhcp-in {
                udp sport . udp dport { 547 . 546, 67 . 68 } accept
        }

        chain allow-dhcp-out {
                udp sport . udp dport { 546 . 547, 68 . 67 } accept
        }

        chain block-dhcp-in {
                udp sport . udp dport { 547 . 546, 67 . 68 } drop
        }

        chain block-dhcp-out {
                udp sport . udp dport { 546 . 547, 68 . 67 } drop
        }

        chain allow-ndp-in {
                icmpv6 type { nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert, nd-redirect } accept
        }

        chain block-ndp-in {
                icmpv6 type { nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert, nd-redirect } drop
        }

        chain allow-ndp-out {
                icmpv6 type { nd-router-solicit, nd-neighbor-solicit, nd-neighbor-advert } accept
        }

        chain block-ndp-out {
                icmpv6 type { nd-router-solicit, nd-neighbor-solicit, nd-neighbor-advert } drop
        }

        chain allow-ra-out {
                icmpv6 type { nd-router-advert, nd-redirect } accept
        }

        chain block-ra-out {
                icmpv6 type { nd-router-advert, nd-redirect } drop
        }

        chain after-vm-in {
                ct state established,related accept
                ether type != arp ct state invalid drop
        }

        chain do-reject {
                meta pkttype broadcast drop
                ip saddr 224.0.0.0/4 drop
                meta l4proto tcp reject with tcp reset
                meta l4proto icmp reject with icmp port-unreachable
                reject with icmp host-prohibited
        }

        chain vm-out {
                type filter hook prerouting priority 0; policy accept;
                iifname vmap @vm-map-out
        }

        chain vm-in {
                type filter hook postrouting priority 0; policy accept;
                oifname vmap @vm-map-in
        }

        chain group-block-lan-in {
        }

        chain group-block-lan-out {
                ip6 daddr fd88::1 accept
                ip daddr 10.88.88.1 accept
                ip daddr 10.88.88.0/24 jump do-reject
                ip6 daddr fc00::/7 jump do-reject
                ip daddr 10.132.241.0/24 jump do-reject
        }

        chain group-vpn-in {
        }

        chain group-vpn-out {
                ip daddr 10.88.88.1 accept
                ip6 daddr fd88::1 accept
                ip daddr 10.132.241.2 accept
                ip6 daddr fc00::/7 jump do-reject
                ip daddr 10.88.88.0/24 jump do-reject
                ip daddr 10.132.241.0/24 jump do-reject
        }

        chain guest-100-in {
                jump allow-dhcp-in
                jump allow-ndp-in
                ether type arp accept
                jump group-block-lan-in
                jump after-vm-in
                accept
        }

        chain guest-100-out {
                jump allow-dhcp-out
                jump allow-ndp-out
                jump allow-ra-out
                jump group-block-lan-out
                accept
        }
}

Any update on this? My rules are still not working! Pretty common rules:

Allow fd88::1
Allow 10.88.88.1
Reject fd88::/64
Reject 10.88.88.0/24

It used to work in iptables but not in nftables. Pinging out from the VM correctly blocks IPv4 ping but not IPv6 ping. I cannot connect to any VMs that have the firewall group assigned.

Hi, sorry for the late response, I've been out of office for the last 2 weeks. I will be looking into this today!
 
From my local LAN computer. Same rules:

Code:
        chain group-deny-lan-access-in {
        }

        chain group-deny-lan-access-out {
                ip6 daddr fd88::1 accept
                ip daddr 10.88.88.1 accept
                ip6 daddr fd88::/64 drop
                ip daddr 10.88.88.0/24 drop
        }

        chain guest-100-in {
                jump allow-dhcp-in
                jump allow-ndp-in
                ether type arp accept
                jump group-deny-lan-access-in
                jump after-vm-in
                accept
        }

        chain guest-100-out {
                jump allow-dhcp-out
                jump allow-ndp-out
                jump allow-ra-out
                jump group-deny-lan-access-out
                accept
        }

If I remove outgoing fd88::/64 and 10.88.88.0/24 I can connect to the VM.
 
Which has an IP in 10.88.88.0/24, but not 10.88.88.1?

That's most likely due to a missing conntrack rule in the outgoing chain, and there should be a patch available on the mailing list soon as well.
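As an added illustration of the diagnosis above (this is not code from the thread or from Proxmox), here is a small Python audit that parses `nft list ruleset`-style output and flags every chain in which a drop or reject rule is evaluated before any `ct state established,related accept`. The embedded sample is constructed from the chains posted in this thread; the chain `group-block-lan-out-fixed` is a hypothetical variant showing where the conntrack accept would have to sit for a VM's replies to LAN-initiated connections to get through. Since the actual fix shipped as a firewall release, the fixed chain is only there to show the rule ordering, not as something to hand-edit on a host.

```python
import re

# Constructed sample in the shape of `nft list ruleset` output. The chain
# names, addresses and rules mirror the ones posted in this thread; the
# chain `group-block-lan-out-fixed` is a hypothetical variant with the
# conntrack accept placed before the LAN reject rules.
SAMPLE_RULESET = """\
table bridge proxmox-firewall-guests {
        chain after-vm-in {
                ct state established,related accept
                ether type != arp ct state invalid drop
        }

        chain group-block-lan-out {
                ip6 daddr fd88::1 accept
                ip daddr 10.88.88.1 accept
                ip daddr 10.88.88.0/24 jump do-reject
                ip6 daddr fc00::/7 jump do-reject
        }

        chain group-deny-lan-access-out {
                ip6 daddr fd88::1 accept
                ip daddr 10.88.88.1 accept
                ip6 daddr fd88::/64 drop
                ip daddr 10.88.88.0/24 drop
        }

        chain group-block-lan-out-fixed {
                ct state established,related accept
                ip6 daddr fd88::1 accept
                ip daddr 10.88.88.1 accept
                ip daddr 10.88.88.0/24 jump do-reject
                ip6 daddr fc00::/7 jump do-reject
        }
}
"""

CHAIN_START = re.compile(r"^\s*chain\s+(\S+)\s*\{\s*$")
# A rule that lets the packets of an already tracked connection through.
CT_ACCEPT = re.compile(r"\bct state\b[^;]*\bestablished\b.*\baccept\b")
# A rule that terminates the walk for a packet, including a jump into the
# thread's do-reject chain.
BLOCKING = re.compile(r"\b(drop|reject|jump do-reject)\b")


def parse_chains(text):
    """Return {chain_name: [rule line, ...]} from nft list-style output."""
    chains, current = {}, None
    for line in text.splitlines():
        start = CHAIN_START.match(line)
        if start:
            current = start.group(1)
            chains[current] = []
            continue
        stripped = line.strip()
        if current is None or not stripped:
            continue
        if stripped == "}":
            current = None
            continue
        chains[current].append(stripped)
    return chains


def blocks_before_conntrack_accept(rules):
    """True if a drop/reject rule comes before any established,related accept.

    Without an early conntrack accept, the VM's replies to a connection that
    a LAN host opened hit the LAN block rule, which is the failure described
    in this thread (ping works, SSH/HTTPS to the VM does not).
    """
    for rule in rules:
        if CT_ACCEPT.search(rule):
            return False
        if BLOCKING.search(rule):
            return True
    return False


def audit(text):
    """Sorted names of chains whose blocking rules precede any conntrack accept."""
    return sorted(name for name, rules in parse_chains(text).items()
                  if blocks_before_conntrack_accept(rules))


if __name__ == "__main__":
    for name in audit(SAMPLE_RULESET):
        print(f"{name}: add 'ct state established,related accept' "
              "before the LAN drop/reject rules")
```

Run against real output with `nft list ruleset | python3 audit.py` after replacing `SAMPLE_RULESET` with `sys.stdin.read()`; the check is deliberately order-sensitive, because a conntrack accept placed after the reject rules never gets evaluated for the blocked traffic.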
 
We've released a new version of the firewall (0.4.2) that should (hopefully) address your issues.
 