Hi to all Proxmox fans!
I want to migrate my iptables-persistent firewall to the new Proxmox firewall and I have several
problems.
I have 5 public IPs on the host with one NIC.
All with a /32 netmask.
Public_IP_1 is the Proxmox host itself.
I have 5 VMs. One is NATed behind Public_IP_1.
Nated_IP is 10.10.10.1.
Here are the NAT rules:
*nat
:PREROUTING ACCEPT [1243:60803]
:POSTROUTING ACCEPT [705:46567]
:OUTPUT ACCEPT [668:44567]
# Port forwards to the NATed VM: SSH is exposed on 2121, port 8000 is a second way in to 443
-A PREROUTING -d Public_IP_1 -p tcp -m tcp --dport 2121 -j DNAT --to-destination 10.10.10.1:22
-A PREROUTING -d Public_IP_1 -p tcp -m tcp --dport 80 -j DNAT --to-destination 10.10.10.1:80
-A PREROUTING -d Public_IP_1 -p tcp -m tcp --dport 443 -j DNAT --to-destination 10.10.10.1:443
-A PREROUTING -d Public_IP_1 -p tcp -m tcp --dport 8000 -j DNAT --to-destination 10.10.10.1:443
# Outbound traffic from the private subnet leaves with the host's public IP
-A POSTROUTING -s 10.10.10.0/24 -o vmbr0 -j SNAT --to-source Public_IP_1
COMMIT
I cannot see how to manage that with the Proxmox firewall.
Second problem is related to bridge firewalling.
To use iptables for that I enabled net.bridge.bridge-nf-call-iptables = 1.
For that I need the FORWARD table.
Here is an example:
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:LOGGING - [0:0]
# Traffic coming from the VMs (tap+ bridge ports): drop new TCP flows that do not start with SYN, allow the rest
-A FORWARD -p tcp -m physdev --physdev-in tap+ ! --syn -m state --state NEW -j DROP
-A FORWARD -p tcp -m physdev --physdev-in tap+ -m state --state NEW,ESTABLISHED -j ACCEPT
-A FORWARD -p udp -m physdev --physdev-in tap+ -m state --state NEW,ESTABLISHED -j ACCEPT
-A FORWARD -p icmp -m physdev --physdev-in tap+ -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
# Traffic coming from the uplink (eth0 bridge port): replies to existing connections only
-A FORWARD -p tcp -m physdev --physdev-in eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -p udp -m physdev --physdev-in eth0 -m state --state ESTABLISHED -j ACCEPT
-A FORWARD -p icmp -m physdev --physdev-in eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
# Ping in both directions
-A FORWARD -p icmp --icmp-type 0 -j ACCEPT
-A FORWARD -p icmp --icmp-type 8 -j ACCEPT
# Services exposed by VMs that have their own public IP
-A FORWARD -p tcp -d Public_IP_2 --dport 80 -j ACCEPT
-A FORWARD -p tcp -d Public_IP_2 --dport 443 -j ACCEPT
and so on.
In the Proxmox Firewall there is no FORWARD table.
Is this possible somehow?
Best regards
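As an added example (editor's code, not part of the original post and not pve-firewall's own mechanism), here is a POSIX shell script that builds the nat table from the post and the FORWARD rules those forwards need from a single port map, so the two cannot drift apart. The point it makes is the one that usually bites during such a migration: with a FORWARD policy of DROP, a DNAT by itself admits nothing, because filtering sees the packet after PREROUTING has rewritten the destination, so the accept rule must match the internal IP and internal port, not the public port. It generalises from the four forwards in the post to any list of "public:internal" pairs. 203.0.113.10 is an assumed stand-in for Public_IP_1; 10.10.10.1, 10.10.10.0/24, vmbr0 and the port numbers are taken from the post.

```shell
#!/bin/sh
# Added example, not from the original post. Generates iptables-restore text
# for the DNAT/SNAT rules and the FORWARD accepts they depend on.
# 203.0.113.10 is an assumed placeholder for Public_IP_1 (RFC 5737 range).

PUBLIC_IP="203.0.113.10"          # assumed value standing in for Public_IP_1
INTERNAL_IP="10.10.10.1"          # the NATed VM, from the post
INTERNAL_NET="10.10.10.0/24"      # private subnet behind the host, from the post
BRIDGE="vmbr0"                    # bridge carrying the public uplink, from the post
# "<public_port>:<internal_port>" pairs, space separated (the post's four forwards)
PORT_MAP="2121:22 80:80 443:443 8000:443"

# nat table: one DNAT per pair, one SNAT for the whole internal subnet.
gen_nat_table() {
    pub_ip=$1; int_ip=$2; int_net=$3; bridge=$4; map=$5
    printf '%s\n' '*nat' ':PREROUTING ACCEPT [0:0]' ':POSTROUTING ACCEPT [0:0]' ':OUTPUT ACCEPT [0:0]'
    for pair in $map; do
        pub_port=${pair%%:*}
        int_port=${pair#*:}
        printf '%s\n' "-A PREROUTING -d $pub_ip -p tcp -m tcp --dport $pub_port -j DNAT --to-destination $int_ip:$int_port"
    done
    printf '%s\n' "-A POSTROUTING -s $int_net -o $bridge -j SNAT --to-source $pub_ip"
    printf '%s\n' 'COMMIT'
}

# FORWARD rules the DNAT needs. With ":FORWARD DROP" a DNAT alone lets no packet
# through: the filter runs after PREROUTING rewrote the destination, so the accept
# has to match the internal IP and internal port, never the public port. An
# internal port reachable via several public ports (443 here) gets one rule.
# Reply packets are covered by the stateful rule emitted first.
gen_forward_rules() {
    int_ip=$1; map=$2
    seen=" "
    printf '%s\n' "-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    for pair in $map; do
        int_port=${pair#*:}
        case "$seen" in *" $int_port "*) continue ;; esac
        seen="$seen$int_port "
        printf '%s\n' "-A FORWARD -d $int_ip -p tcp -m tcp --dport $int_port -m conntrack --ctstate NEW -j ACCEPT"
    done
}

# Number of distinct accepts for NEW connections; useful as a sanity check that
# the FORWARD side covers exactly the internal ports the nat side points at.
count_forward_accepts() {
    gen_forward_rules "$1" "$2" | grep -c 'ctstate NEW'
}

# Usage: print both pieces; as root, load the nat part with
#   gen_nat_table ... > /tmp/nat.rules && iptables-restore --noflush < /tmp/nat.rules
gen_nat_table "$PUBLIC_IP" "$INTERNAL_IP" "$INTERNAL_NET" "$BRIDGE" "$PORT_MAP"
gen_forward_rules "$INTERNAL_IP" "$PORT_MAP"
```

pve-firewall does not manage the nat table, so the nat part stays outside it either way; the usual place on a Proxmox host is a set of post-up lines on vmbr0 in /etc/network/interfaces, or a restore file loaded from there, so the rules survive a reboot. After loading, confirm with `iptables -t nat -S` and `iptables -S FORWARD` that every DNAT target (internal IP and port) has a matching FORWARD accept and that nothing accepts the public ports 2121 or 8000 on the filter side.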