Cannot block ping?

ozgurerdogan

Why is ping not being blocked:

1.1.1.1 is the IP in the KVM guest and 2.2.2.2 is the IP that I want to block ping from. But ping is always available.

Code:
[OPTIONS]

log_level_in: debug
enable: 1
policy_in: ACCEPT
log_level_out: debug

[RULES]

IN Ping(REJECT) -i net0 -source 1.1.1.1 -dest 2.2.2.2 
OUT Ping(REJECT) -i net0 -source 1.1.1.1 -dest 2.2.2.2 
IN Ping(REJECT) -i net0 -source 2.2.2.2 -dest 1.1.1.1 
OUT Ping(REJECT) -i net0 -source 2.2.2.2 -dest 1.1.1.1


Code:
root@vztl3:~# pve-firewall status
Status: disabled/running
 
After that I lost all connection to the node. Is that because the default IN policy is reject?


You can stop the firewall with /etc/init.d/pve-firewall stop


You can disable the host firewall in host->firewall->options, then enable it in datacenter->firewall->options.

Datacenter rules are applied to all host firewalls of the cluster, but you can manage the rules on each host individually if you want.
 
Ok, now at the datacenter level it is enabled, and the default policy for in and out is ACCEPT.
At the node level it is disabled because I want to enable the firewall for one KVM only.


At the KVM level, I enabled it in the network options and added these rules. But I can still ping the KVM.

Code:
[OPTIONS]

enable: 1
log_level_in: debug
policy_in: ACCEPT
log_level_out: debug

[RULES]

OUT Ping(DROP) -i net0 -source 1.1.1.1 -dest 2.2.2.2
OUT Ping(DROP) -i net0 -source 2.2.2.2 -dest 1.1.1.1
IN Ping(DROP) -i net0 -source 1.1.1.1 -dest 2.2.2.2
IN Ping(DROP) -i net0 -source 2.2.2.2 -dest 1.1.1.1
 
Yes, I enabled it for the network interface. There are lots of these strings, but I do not see the IP of the PC that I ping from. So strange...

Code:
107 7 tap107i0-IN 10/Oct/2014:17:59:20 +0300 policy DROP: IN=fwbr107i0 OUT=fwbr107i0 PHYSIN=fwln107i0 PHYSOUT=tap107i0 MAC=6a:b1:c3:fa:c3:d2:00:00:cd:25:b9:a8:08:00 SRC=8.0.16.136 DST=1.1.1.1 LEN=79 TOS=0x00 PREC=0x00 TTL=48 ID=12193 PROTO=UDP SPT=42186 DPT=53 LEN=59
107 7 tap107i0-IN 10/Oct/2014:17:59:20 +0300 policy DROP: IN=fwbr107i0 OUT=fwbr107i0 PHYSIN=fwln107i0 PHYSOUT=tap107i0 MAC=6a:b1:c3:fa:c3:d2:00:00:cd:25:b9:a8:08:00 SRC=212.72.53.207 DST=1.1.1.1 LEN=76 TOS=0x00 PREC=0x00 TTL=53 ID=41420 PROTO=UDP SPT=26901 DPT=53 LEN=56
107 7 tap107i0-IN 10/Oct/2014:17:59:20 +0300 policy DROP: IN=fwbr107i0 OUT=fwbr107i0 PHYSIN=fwln107i0 PHYSOUT=tap107i0 MAC=6a:b1:c3:fa:c3:d2:00:00:cd:25:b9:a8:08:00 SRC=5.46.120.110 DST=1.1.1.1 LEN=64 TOS=0x00 PREC=0x00 TTL=49 ID=41908 DF PROTO=TCP SPT=6007 DPT=80 SEQ=221237477 ACK=0 WINDOW=65535 SYN
107 7 tap107i0-IN 10/Oct/2014:17:59:21 +0300 policy DROP: IN=fwbr107i0 OUT=fwbr107i0 PHYSIN=fwln107i0 PHYSOUT=tap107i0 MAC=6a:b1:c3:fa:c3:d2:00:00:cd:25:b9:a8:08:00 SRC=74.125.183.145 DST=1.1.1.1 LEN=60 TOS=0x00 PREC=0x00 TTL=35 ID=63248 PROTO=UDP SPT=36587 DPT=53 LEN=40
107 7 tap107i0-IN 10/Oct/2014:17:59:21 +0300 policy DROP: IN=fwbr107i0 OUT=fwbr107i0 PHYSIN=fwln107i0 PHYSOUT=tap107i0 MAC=6a:b1:c3:fa:c3:d2:00:00:cd:25:b9:a8:08:00 SRC=74.125.72.17 DST=1.1.1.1 LEN=82 TOS=0x00 PREC=0x00 TTL=33 ID=22780 PROTO=UDP SPT=62111 DPT=53 LEN=62
107 7 tap107i0-IN 10/Oct/2014:17:59:21 +0300 policy DROP: IN=fwbr107i0 OUT=fwbr107i0 PHYSIN=fwln107i0 PHYSOUT=tap107i0 MAC=6a:b1:c3:fa:c3:d2:00:00:cd:25:b9:a8:08:00 SRC=173.194.90.146 DST=1.1.1.1 LEN=71 TOS=0x00 PREC=0x00 TTL=33 ID=11827 PROTO=UDP SPT=49975 DPT=53 LEN=51
107 7 tap107i0-IN 10/Oct/2014:17:59:21 +0300 policy DROP: IN=fwbr107i0 OUT=fwbr107i0 PHYSIN=fwln107i0 PHYSOUT=tap107i0 MAC=6a:b1:c3:fa:c3:d2:00:00:cd:25:b9:a8:08:00 SRC=74.125.72.16 DST=1.1.1.1 LEN=60 TOS=0x00 PREC=0x00 TTL=33 ID=33986 PROTO=UDP SPT=43946 DPT=53 LEN=40
107 7 tap107i0-IN 10/Oct/2014:17:59:21 +0300 policy DROP: IN=fwbr107i0 OUT=fwbr107i0 PHYSIN=fwln107i0 PHYSOUT=tap107i0 MAC=6a:b1:c3:fa:c3:d2:00:00:cd:25:b9:a8:08:00 SRC=173.194.90.80 DST=1.1.1.1 LEN=60 TOS=0x00 PREC=0x00 TTL=33 ID=20628 PROTO=UDP SPT=52752 DPT=53 LEN=40
107 7 tap107i0-IN 10/Oct/2014:17:59:21 +0300 policy DROP: IN=fwbr107i0 OUT=fwbr107i0 PHYSIN=fwln107i0 PHYSOUT=tap107i0 MAC=6a:b1:c3:fa:c3:d2:00:00:cd:25:b9:a8:08:00 SRC=173.194.90.18 DST=1.1.1.1 LEN=71 TOS=0x00 PREC=0x00 TTL=33 ID=62856 PROTO=UDP SPT=62473 DPT=53 LEN=51
107 7 tap107i0-IN 10/Oct/2014:17:59:21 +0300 policy DROP: IN=fwbr107i0 OUT=fwbr107i0 PHYSIN=fwln107i0 PHYSOUT=tap107i0 MAC=6a:b1:c3:fa:c3:d2:00:00:cd:25:b9:a8:08:00 SRC=173.194.90.144 DST=1.1.1.1 LEN=60 TOS=0x00 PREC=0x00 TTL=33 ID=11336 PROTO=UDP SPT=39200 DPT=53 LEN=40
107 7 tap107i0-IN 10/Oct/2014:17:59:21 +0300 policy DROP: IN=fwbr107i0 OUT=fwbr107i0 PHYSIN=fwln107i0 PHYSOUT=tap107i0 MAC=6a:b1:c3:fa:c3:d2:00:00:cd:25:b9:a8:08:00 SRC=173.194.90.19 DST=1.1.1.1 LEN=71 TOS=0x00 PREC=0x00 TTL=33 ID=64845 PROTO=UDP SPT=37439 DPT=53 LEN=51
107 7 tap107i0-IN 10/Oct/2014:17:59:21 +0300 policy DROP: IN=fwbr107i0 OUT=fwbr107i0 PHYSIN=fwln107i0 PHYSOUT=tap107i0 MAC=6a:b1:c3:fa:c3:d2:00:00:cd:25:b9:a8:08:00 SRC=74.125.73.146 DST=1.1.1.1 LEN=73 TOS=0x00 PREC=0x00 TTL=42 ID=33189 PROTO=UDP SPT=38173 DPT=53 LEN=53
 
1. What do I enter in the interface section? It seems to only accept net0.

2. And also, what should I choose as the log level?

3. Is it ok to disable the firewall at the node level but enable it at the datacenter AND KVM level?

4. Do I need to restart anything to apply changes?
 
1. What do I enter in the interface section? It seems to only accept net0.

nothing

2. And also, what should I choose as the log level?

info

3. Is it ok to disable the firewall at the node level but enable it at the datacenter AND KVM level?

yes, should work.

4. Do I need to restart anything to apply changes?

no (only if you set the firewall flag on the network interface, then you need to restart the VM). But rules are applied automatically.


For testing, I would start with a simple rule:

[RULES]
IN Ping(DROP)
 
Ok, I restarted the VM after the firewall was enabled at the network interface. Btw, it is Realtek, not VirtIO.

Yes, I am trying to test it. But no way I can ping the VM. I cannot block it. I can provide you PVE details if you want to check.

I cannot see any log in the pve > vm > firewall log section.
 
You need to 'Stop' the VM, then start again - a restart is not enough.

Please post the output of

# brctl show

Stop and Start did not help.

Code:
root@vztl4:~# brctl show
bridge name     bridge id               STP enabled     interfaces
fwbr107i0               8000.22f2d7b5e5dc       no              fwln107i0
                                                        tap107i0
vmbr0           8000.3c4a92f75a92       no              eth0
                                                        fwpr107p0
                                                        tap101i0
                                                        tap203i0
                                                        tap300i0
                                                        tap303i0
 
And what is the output of

# iptables-save

Code:
root@vztl4:~# iptables-save
# Generated by iptables-save v1.4.14 on Sat Oct 11 20:59:32 2014
*mangle
:PREROUTING ACCEPT [686161221:991265241388]
:INPUT ACCEPT [661629980:972738307695]
:FORWARD ACCEPT [23634080:18464932755]
:OUTPUT ACCEPT [576414196:577359302517]
:POSTROUTING ACCEPT [599819047:595797073440]
COMMIT
# Completed on Sat Oct 11 20:59:32 2014
# Generated by iptables-save v1.4.14 on Sat Oct 11 20:59:32 2014
*filter
:INPUT ACCEPT [121:6335]
:FORWARD ACCEPT [1659:112643]
:OUTPUT ACCEPT [52:3852]
:PVEFW-Drop - [0:0]
:PVEFW-DropBroadcast - [0:0]
:PVEFW-FORWARD - [0:0]
:PVEFW-FWBR-IN - [0:0]
:PVEFW-FWBR-OUT - [0:0]
:PVEFW-HOST-IN - [0:0]
:PVEFW-HOST-OUT - [0:0]
:PVEFW-INPUT - [0:0]
:PVEFW-OUTPUT - [0:0]
:PVEFW-Reject - [0:0]
:PVEFW-SET-ACCEPT-MARK - [0:0]
:PVEFW-VENET-IN - [0:0]
:PVEFW-VENET-OUT - [0:0]
:PVEFW-logflags - [0:0]
:PVEFW-reject - [0:0]
:PVEFW-smurflog - [0:0]
:PVEFW-smurfs - [0:0]
:PVEFW-tcpflags - [0:0]
:tap107i0-IN - [0:0]
:tap107i0-OUT - [0:0]
-A INPUT -j PVEFW-INPUT
-A FORWARD -j PVEFW-FORWARD
-A OUTPUT -j PVEFW-OUTPUT
-A PVEFW-Drop -p tcp -m tcp --dport 43 -j PVEFW-reject
-A PVEFW-Drop -j PVEFW-DropBroadcast
-A PVEFW-Drop -p icmp -m icmp --icmp-type 3/4 -j ACCEPT
-A PVEFW-Drop -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A PVEFW-Drop -m conntrack --ctstate INVALID -j DROP
-A PVEFW-Drop -p udp -m multiport --dports 135,445 -j DROP
-A PVEFW-Drop -p udp -m udp --dport 137:139 -j DROP
-A PVEFW-Drop -p udp -m udp --sport 137 --dport 1024:65535 -j DROP
-A PVEFW-Drop -p tcp -m multiport --dports 135,139,445 -j DROP
-A PVEFW-Drop -p udp -m udp --dport 1900 -j DROP
-A PVEFW-Drop -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -j DROP
-A PVEFW-Drop -p udp -m udp --sport 53 -j DROP
-A PVEFW-Drop -m comment --comment "PVESIG:zfGV4KTPaxGVOCwRUVqqqbR0IhM"
-A PVEFW-DropBroadcast -m addrtype --dst-type BROADCAST -j DROP
-A PVEFW-DropBroadcast -m addrtype --dst-type MULTICAST -j DROP
-A PVEFW-DropBroadcast -m addrtype --dst-type ANYCAST -j DROP
-A PVEFW-DropBroadcast -d 224.0.0.0/4 -j DROP
-A PVEFW-DropBroadcast -m comment --comment "PVESIG:NyjHNAtFbkH7WGLamPpdVnxHy4w"
-A PVEFW-FORWARD -m conntrack --ctstate INVALID -j DROP
-A PVEFW-FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A PVEFW-FORWARD -i venet0 -m set --match-set PVEFW-0-venet0 src -j PVEFW-VENET-OUT
-A PVEFW-FORWARD -m physdev --physdev-in fwln+ --physdev-is-bridged -j PVEFW-FWBR-IN
-A PVEFW-FORWARD -m physdev --physdev-out fwln+ --physdev-is-bridged -j PVEFW-FWBR-OUT
-A PVEFW-FORWARD -o venet0 -m set --match-set PVEFW-0-venet0 dst -j PVEFW-VENET-IN
-A PVEFW-FORWARD -m comment --comment "PVESIG:EqTnWXObv/2sm0UCQAKlplAl6+Y"
-A PVEFW-FWBR-IN -m conntrack --ctstate INVALID,NEW -j PVEFW-smurfs
-A PVEFW-FWBR-IN -m physdev --physdev-out tap107i0 --physdev-is-bridged -j tap107i0-IN
-A PVEFW-FWBR-IN -m comment --comment "PVESIG:nHQe8qukPbOjuo/KP4en9yZ5GKE"
-A PVEFW-FWBR-OUT -m physdev --physdev-in tap107i0 --physdev-is-bridged -j tap107i0-OUT
-A PVEFW-FWBR-OUT -m comment --comment "PVESIG:NnZctJoRZI5u3HSJEVXQVIlLJ3U"
-A PVEFW-HOST-IN -i lo -j ACCEPT
-A PVEFW-HOST-IN -m conntrack --ctstate INVALID -j DROP
-A PVEFW-HOST-IN -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A PVEFW-HOST-IN -m conntrack --ctstate INVALID,NEW -j PVEFW-smurfs
-A PVEFW-HOST-IN -p igmp -j RETURN
-A PVEFW-HOST-IN -p tcp -m set --match-set PVEFW-0-management src -m tcp --dport 8006 -j RETURN
-A PVEFW-HOST-IN -p tcp -m set --match-set PVEFW-0-management src -m tcp --dport 5900:5999 -j RETURN
-A PVEFW-HOST-IN -p tcp -m set --match-set PVEFW-0-management src -m tcp --dport 3128 -j RETURN
-A PVEFW-HOST-IN -p tcp -m set --match-set PVEFW-0-management src -m tcp --dport 22 -j RETURN
-A PVEFW-HOST-IN -s 93.186.125.192/26 -d 93.186.125.192/26 -p udp -m udp --dport 5404:5405 -j RETURN
-A PVEFW-HOST-IN -s 93.186.125.192/26 -p udp -m addrtype --dst-type MULTICAST -m udp --dport 5404:5405 -j RETURN
-A PVEFW-HOST-IN -j RETURN
-A PVEFW-HOST-IN -m comment --comment "PVESIG:HYg34Bd+DD9UyKqc6IXjGl7WTTo"
-A PVEFW-HOST-OUT -o lo -j ACCEPT
-A PVEFW-HOST-OUT -m conntrack --ctstate INVALID -j DROP
-A PVEFW-HOST-OUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A PVEFW-HOST-OUT -p igmp -j RETURN
-A PVEFW-HOST-OUT -d 93.186.125.192/26 -p tcp -m tcp --dport 8006 -j RETURN
-A PVEFW-HOST-OUT -d 93.186.125.192/26 -p tcp -m tcp --dport 22 -j RETURN
-A PVEFW-HOST-OUT -d 93.186.125.192/26 -p tcp -m tcp --dport 5900:5999 -j RETURN
-A PVEFW-HOST-OUT -d 93.186.125.192/26 -p tcp -m tcp --dport 3128 -j RETURN
-A PVEFW-HOST-OUT -d 93.186.125.192/26 -p udp -m udp --dport 5404:5405 -j RETURN
-A PVEFW-HOST-OUT -p udp -m addrtype --dst-type MULTICAST -m udp --dport 5404:5405 -j RETURN
-A PVEFW-HOST-OUT -j RETURN
-A PVEFW-HOST-OUT -m comment --comment "PVESIG:4ZcWIVUQ7wS7Vivu/IrwIUcFDVQ"
-A PVEFW-INPUT -i venet0 -m set --match-set PVEFW-0-venet0 src -j PVEFW-VENET-OUT
-A PVEFW-INPUT -j PVEFW-HOST-IN
-A PVEFW-INPUT -m comment --comment "PVESIG:BzyYmT9DMHVl0mK5gEk9RnLGABY"
-A PVEFW-OUTPUT -j PVEFW-HOST-OUT
-A PVEFW-OUTPUT -o venet0 -m set --match-set PVEFW-0-venet0 dst -j PVEFW-VENET-IN
-A PVEFW-OUTPUT -m comment --comment "PVESIG:XDfaZCom19bXI72jfvIdmv5V9DM"
-A PVEFW-Reject -p tcp -m tcp --dport 43 -j PVEFW-reject
-A PVEFW-Reject -j PVEFW-DropBroadcast
-A PVEFW-Reject -p icmp -m icmp --icmp-type 3/4 -j ACCEPT
-A PVEFW-Reject -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A PVEFW-Reject -m conntrack --ctstate INVALID -j DROP
-A PVEFW-Reject -p udp -m multiport --dports 135,445 -j PVEFW-reject
-A PVEFW-Reject -p udp -m udp --dport 137:139 -j PVEFW-reject
-A PVEFW-Reject -p udp -m udp --sport 137 --dport 1024:65535 -j PVEFW-reject
-A PVEFW-Reject -p tcp -m multiport --dports 135,139,445 -j PVEFW-reject
-A PVEFW-Reject -p udp -m udp --dport 1900 -j DROP
-A PVEFW-Reject -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -j DROP
-A PVEFW-Reject -p udp -m udp --sport 53 -j DROP
-A PVEFW-Reject -m comment --comment "PVESIG:3gYHaSHlZx5luiKyM0oCsTVaXi4"
-A PVEFW-SET-ACCEPT-MARK -j MARK --set-xmark 0x1/0xffffffff
-A PVEFW-SET-ACCEPT-MARK -m comment --comment "PVESIG:+w0L1XZmxcTeIy7fBeEAzPUQMiY"
-A PVEFW-VENET-IN -m conntrack --ctstate INVALID,NEW -j PVEFW-smurfs
-A PVEFW-VENET-IN -m comment --comment "PVESIG:TVxJ2yaUbjuO4uGIEwWIkLrzqXo"
-A PVEFW-VENET-OUT -m comment --comment "PVESIG:2jmj7l5rSw0yVb/vlWAYkK/YBwk"
-A PVEFW-logflags -j DROP
-A PVEFW-logflags -m comment --comment "PVESIG:ewllejV/lK5Rjmt/E3xIODQgfYg"
-A PVEFW-reject -m addrtype --dst-type BROADCAST -j DROP
-A PVEFW-reject -s 224.0.0.0/4 -j DROP
-A PVEFW-reject -p icmp -j DROP
-A PVEFW-reject -p tcp -j REJECT --reject-with tcp-reset
-A PVEFW-reject -p udp -j REJECT --reject-with icmp-port-unreachable
-A PVEFW-reject -p icmp -j REJECT --reject-with icmp-host-unreachable
-A PVEFW-reject -j REJECT --reject-with icmp-host-prohibited
-A PVEFW-reject -m comment --comment "PVESIG:KM/fOv4KvGn8XvMqxoiRCdvlji8"
-A PVEFW-smurflog -j DROP
-A PVEFW-smurflog -m comment --comment "PVESIG:k8rhuGB1IUidugKwAufSGGgKAZ4"
-A PVEFW-smurfs -s 0.0.0.0/32 -j RETURN
-A PVEFW-smurfs -m addrtype --src-type BROADCAST -g PVEFW-smurflog
-A PVEFW-smurfs -s 224.0.0.0/4 -g PVEFW-smurflog
-A PVEFW-smurfs -m comment --comment "PVESIG:HssVe5QCBXd5mc9kC88749+7fag"
-A PVEFW-tcpflags -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -g PVEFW-logflags
-A PVEFW-tcpflags -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -g PVEFW-logflags
-A PVEFW-tcpflags -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -g PVEFW-logflags
-A PVEFW-tcpflags -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -g PVEFW-logflags
-A PVEFW-tcpflags -p tcp -m tcp --sport 0 --tcp-flags FIN,SYN,RST,ACK SYN -g PVEFW-logflags
-A PVEFW-tcpflags -m comment --comment "PVESIG:CMFojwNPqllyqD67NeI5m+bP5mo"
-A tap107i0-IN -p udp -m udp --sport 67 --dport 68 -j ACCEPT
-A tap107i0-IN -p icmp -m icmp --icmp-type 8 -j DROP
-A tap107i0-IN -j ACCEPT
-A tap107i0-IN -m comment --comment "PVESIG:FjwaOqWpm9O38UYHbQet4f7XshI"
-A tap107i0-OUT -p udp -m udp --sport 68 --dport 67 -g PVEFW-SET-ACCEPT-MARK
-A tap107i0-OUT -m mac ! --mac-source 6A:B1:C3:FA:C3:D2 -j DROP
-A tap107i0-OUT -j MARK --set-xmark 0x0/0xffffffff
-A tap107i0-OUT -g PVEFW-SET-ACCEPT-MARK
-A tap107i0-OUT -m comment --comment "PVESIG:QWOKaXsoHqpBB2A33ZzIdpstPPo"
COMMIT


There I see:
-A tap107i0-IN -p icmp -m icmp --icmp-type 8 -j DROP

In fact, after leaving the PC and coming back a couple of hours later, I saw that ping was being blocked in the ping window. And when I tried disabling the rule, this time ping was successful. But re-enabling the rule did not block ping again. So disabling the rule took effect right away, but enabling it did not.
 
If I stop pinging, log out of the Proxmox GUI and wait a couple of seconds while the rule is enabled, it works fine. So I have to stop ping and restart it again after a short while. Disabling the rule does not need ping to be stopped, but enabling it needs ping to be stopped and started with a short while in between.
 
If I stop pinging, log out of the Proxmox GUI and wait a couple of seconds while the rule is enabled, it works fine. So I have to stop ping and restart it again after a short while.

An existing connection (even a PING) is not affected when you change firewall rules. This feature is called connection tracking.
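Why that is so can be read straight off the iptables-save dump posted above: PVEFW-FORWARD accepts RELATED,ESTABLISHED traffic before it ever jumps into tap107i0-IN, so a ping that conntrack already knows keeps passing while a fresh echo request reaches the Ping(DROP) rule. The following trace is an added example, not code from the thread or from Proxmox; the chain contents are condensed from the dump, and the Packet fields and the two sample packets are constructed.

```python
from dataclasses import dataclass

@dataclass
class Packet:
    proto: str                     # "icmp", "udp" or "tcp"
    ctstate: str                   # conntrack state: NEW, ESTABLISHED, RELATED or INVALID
    physdev_in: str = "fwln107i0"  # bridge port the packet entered fwbr107i0 on
    physdev_out: str = "tap107i0"  # bridge port it leaves on (the VM's tap)
    icmp_type: int = -1            # ICMP type; 8 is echo request

# Condensed from the iptables-save dump above: only the matches on this packet's path are kept
# (DHCP/smurf checks omitted). A rule is (predicate, target); ACCEPT/DROP end evaluation, else -j.
CHAINS = {
    "FORWARD": [(lambda p: True, "PVEFW-FORWARD")],
    "PVEFW-FORWARD": [
        (lambda p: p.ctstate == "INVALID", "DROP"),
        (lambda p: p.ctstate in ("RELATED", "ESTABLISHED"), "ACCEPT"),  # tracked flows end here
        (lambda p: p.physdev_in.startswith("fwln"), "PVEFW-FWBR-IN"),
    ],
    "PVEFW-FWBR-IN": [(lambda p: p.physdev_out == "tap107i0", "tap107i0-IN")],
    "tap107i0-IN": [
        (lambda p: p.proto == "icmp" and p.icmp_type == 8, "DROP"),  # the Ping(DROP) rule
        (lambda p: True, "ACCEPT"),                                   # policy_in: ACCEPT
    ],
}

def walk(chain, pkt, trace):
    # Evaluate one chain; returns ACCEPT/DROP, or None if the chain falls through.
    for pred, target in CHAINS[chain]:
        if not pred(pkt):
            continue
        trace.append(f"{chain} -> {target}")
        if target in ("ACCEPT", "DROP"):
            return target
        sub = walk(target, pkt, trace)  # -j: resume here if the sub-chain returns
        if sub:
            return sub
    return None

def verdict(pkt):
    # Start in FORWARD; its built-in policy is ACCEPT, so a fall-through is accepted.
    trace = []
    return walk("FORWARD", pkt, trace) or "ACCEPT", trace

# Constructed packets: an echo request opening a new flow, and one from a ping that was
# already running when the rule was added (conntrack keys ICMP echo on its id).
def fresh_ping():
    return verdict(Packet(proto="icmp", ctstate="NEW", icmp_type=8))
def tracked_ping():
    return verdict(Packet(proto="icmp", ctstate="ESTABLISHED", icmp_type=8))
```

On the host the same state can be inspected with the conntrack-tools utility (`conntrack -L -p icmp`), and deleting the tracked entry (`conntrack -D -p icmp`) lets a newly added rule apply without waiting for the ping to be stopped and restarted.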