I have a firewall problem with my server.
Host Node and all other Containers/VM are located on a Class C Network.
All VM and Containers have a default Output Policy set to REJECT and only have designated addresses they are allowed to connect to.
My problem is now that all rules are working properly when accessing the VM/CT from any outside computer, BUT the Containers are not reachable from the host node!
The firewall is switched on for the Datacenter, the Host Node and the VM/CT.
The weird thing is that everything works perfect as long as the Output Policy is ACCEPT, but once it is switched to REJECT, the Host cannot connect any more.
In the firewall logs I cannot find anything.
Please let me know which information you need for further debugging.
Thank you!
Jörg
My PVE version is:
proxmox-ve-2.6.32: 3.4-163 (running kernel: 2.6.32-41-pve)
pve-manager: 3.4-9 (running version: 3.4-9/4b51d87a)
pve-kernel-2.6.32-40-pve: 2.6.32-160
pve-kernel-2.6.32-39-pve: 2.6.32-157
pve-kernel-2.6.32-41-pve: 2.6.32-163
pve-kernel-2.6.32-26-pve: 2.6.32-114
lvm2: 2.02.98-pve4
clvm: 2.02.98-pve4
corosync-pve: 1.4.7-1
openais-pve: 1.1.4-3
libqb0: 0.11.1-2
redhat-cluster-pve: 3.2.0-2
resource-agents-pve: 3.9.2-4
fence-agents-pve: 4.0.10-3
pve-cluster: 3.0-19
qemu-server: 3.4-6
pve-firmware: 1.1-4
libpve-common-perl: 3.0-24
libpve-access-control: 3.0-16
libpve-storage-perl: 3.0-33
pve-libspice-server1: 0.12.4-3
vncterm: 1.1-8
vzctl: 4.0-1pve6
vzprocps: 2.0.11-2
vzquota: 3.1-2
pve-qemu-kvm: 2.2-11
ksm-control-daemon: 1.1-1
glusterfs-client: 3.5.2-1
ifconfig
eth0 Link encap:Ethernet Hardware Adresse 54:a0:50:d5:e5:be
inet6-Adresse: fe80::56a0:50ff:fed5:e5be/64 Gültigkeitsbereich:Verbindung
UP BROADCAST RUNNING MULTICAST MTU:1500 Metrik:1
RX packets:39842992 errors:0 dropped:0 overruns:0 frame:0
TX packets:62253890 errors:0 dropped:0 overruns:0 carrier:0
Kollisionen:0 Sendewarteschlangenlänge:1000
RX bytes:12769441438 (11.8 GiB) TX bytes:87196521496 (81.2 GiB)
fwbr100i0 Link encap:Ethernet Hardware Adresse 4a:0f:d0:1c:ab:15
inet6-Adresse: fe80::400:3aff:fe48:51c5/64 Gültigkeitsbereich:Verbindung
UP BROADCAST RUNNING MULTICAST MTU:1500 Metrik:1
RX packets:25201 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
Kollisionen:0 Sendewarteschlangenlänge:0
RX bytes:1900388 (1.8 MiB) TX bytes:0 (0.0 B)
fwln100i0 Link encap:Ethernet Hardware Adresse 4a:0f:d0:1c:ab:15
inet6-Adresse: fe80::480f:d0ff:fe1c:ab15/64 Gültigkeitsbereich:Verbindung
UP BROADCAST RUNNING MULTICAST MTU:1500 Metrik:1
RX packets:33432433 errors:0 dropped:0 overruns:0 frame:0
TX packets:19999336 errors:0 dropped:0 overruns:0 carrier:0
Kollisionen:0 Sendewarteschlangenlänge:1000
RX bytes:12373809539 (11.5 GiB) TX bytes:86608561813 (80.6 GiB)
fwpr100p0 Link encap:Ethernet Hardware Adresse 8a:67:60:2b:87:d3
inet6-Adresse: fe80::8867:60ff:fe2b:87d3/64 Gültigkeitsbereich:Verbindung
UP BROADCAST RUNNING MULTICAST MTU:1500 Metrik:1
RX packets:19999336 errors:0 dropped:0 overruns:0 frame:0
TX packets:33432433 errors:0 dropped:0 overruns:0 carrier:0
Kollisionen:0 Sendewarteschlangenlänge:1000
RX bytes:86608561813 (80.6 GiB) TX bytes:12373809539 (11.5 GiB)
lo Link encap:Lokale Schleife
inet Adresse:127.0.0.1 Maske:255.0.0.0
inet6-Adresse: ::1/128 Gültigkeitsbereich:Maschine
UP LOOPBACK RUNNING MTU:65536 Metrik:1
RX packets:87974 errors:0 dropped:0 overruns:0 frame:0
TX packets:87974 errors:0 dropped:0 overruns:0 carrier:0
Kollisionen:0 Sendewarteschlangenlänge:0
RX bytes:93876495 (89.5 MiB) TX bytes:93876495 (89.5 MiB)
tap100i0 Link encap:Ethernet Hardware Adresse fe:17:84:45:66:e8
inet6-Adresse: fe80::fc17:84ff:fe45:66e8/64 Gültigkeitsbereich:Verbindung
UP BROADCAST RUNNING PROMISC MULTICAST MTU:1500 Metrik:1
RX packets:20057315 errors:0 dropped:0 overruns:0 frame:0
TX packets:33352057 errors:0 dropped:0 overruns:0 carrier:0
Kollisionen:0 Sendewarteschlangenlänge:500
RX bytes:86612839906 (80.6 GiB) TX bytes:12366165256 (11.5 GiB)
venet0 Link encap:UNSPEC Hardware Adresse 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet6-Adresse: fe80::1/128 Gültigkeitsbereich:Verbindung
UP BROADCAST PUNKTZUPUNKT RUNNING NOARP MTU:1500 Metrik:1
RX packets:31238235 errors:0 dropped:0 overruns:0 frame:0
TX packets:41971707 errors:0 dropped:4 overruns:0 carrier:0
Kollisionen:0 Sendewarteschlangenlänge:0
RX bytes:30876727916 (28.7 GiB) TX bytes:38043503629 (35.4 GiB)
vmbr0 Link encap:Ethernet Hardware Adresse 54:a0:50:d5:e5:be
inet Adresse:192.168.X.249 Bcast:192.168.X.255 Maske:255.255.255.0
inet6-Adresse: fe80::56a0:50ff:fed5:e5be/64 Gültigkeitsbereich:Verbindung
UP BROADCAST RUNNING MULTICAST MTU:1500 Metrik:1
RX packets:24492317 errors:0 dropped:0 overruns:0 frame:0
TX packets:31923742 errors:0 dropped:0 overruns:0 carrier:0
Kollisionen:0 Sendewarteschlangenlänge:0
RX bytes:37226555266 (34.6 GiB) TX bytes:36399035765 (33.8 GiB)
pve-firewall status
Status: enabled/running (pending changes)
Host Node and all other Containers/VM are located on a Class C Network.
All VM and Containers have a default Output Policy set to REJECT and only have designated addresses they are allowed to connect to.
My problem is now that all rules are working properly when accessing the VM/CT from any outside computer, BUT the Containers are not reachable from the host node!
The firewall is switched on for the Datacenter, the Host Node and the VM/CT.
The weird thing is that everything works perfect as long as the Output Policy is ACCEPT, but once it is switched to REJECT, the Host cannot connect any more.
In the firewall logs I cannot find anything.
Please let me know which information you need for further debugging.
Thank you!
Jörg
My PVE version is:
proxmox-ve-2.6.32: 3.4-163 (running kernel: 2.6.32-41-pve)
pve-manager: 3.4-9 (running version: 3.4-9/4b51d87a)
pve-kernel-2.6.32-40-pve: 2.6.32-160
pve-kernel-2.6.32-39-pve: 2.6.32-157
pve-kernel-2.6.32-41-pve: 2.6.32-163
pve-kernel-2.6.32-26-pve: 2.6.32-114
lvm2: 2.02.98-pve4
clvm: 2.02.98-pve4
corosync-pve: 1.4.7-1
openais-pve: 1.1.4-3
libqb0: 0.11.1-2
redhat-cluster-pve: 3.2.0-2
resource-agents-pve: 3.9.2-4
fence-agents-pve: 4.0.10-3
pve-cluster: 3.0-19
qemu-server: 3.4-6
pve-firmware: 1.1-4
libpve-common-perl: 3.0-24
libpve-access-control: 3.0-16
libpve-storage-perl: 3.0-33
pve-libspice-server1: 0.12.4-3
vncterm: 1.1-8
vzctl: 4.0-1pve6
vzprocps: 2.0.11-2
vzquota: 3.1-2
pve-qemu-kvm: 2.2-11
ksm-control-daemon: 1.1-1
glusterfs-client: 3.5.2-1
ifconfig
eth0 Link encap:Ethernet Hardware Adresse 54:a0:50:d5:e5:be
inet6-Adresse: fe80::56a0:50ff:fed5:e5be/64 Gültigkeitsbereich:Verbindung
UP BROADCAST RUNNING MULTICAST MTU:1500 Metrik:1
RX packets:39842992 errors:0 dropped:0 overruns:0 frame:0
TX packets:62253890 errors:0 dropped:0 overruns:0 carrier:0
Kollisionen:0 Sendewarteschlangenlänge:1000
RX bytes:12769441438 (11.8 GiB) TX bytes:87196521496 (81.2 GiB)
fwbr100i0 Link encap:Ethernet Hardware Adresse 4a:0f:d0:1c:ab:15
inet6-Adresse: fe80::400:3aff:fe48:51c5/64 Gültigkeitsbereich:Verbindung
UP BROADCAST RUNNING MULTICAST MTU:1500 Metrik:1
RX packets:25201 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
Kollisionen:0 Sendewarteschlangenlänge:0
RX bytes:1900388 (1.8 MiB) TX bytes:0 (0.0 B)
fwln100i0 Link encap:Ethernet Hardware Adresse 4a:0f:d0:1c:ab:15
inet6-Adresse: fe80::480f:d0ff:fe1c:ab15/64 Gültigkeitsbereich:Verbindung
UP BROADCAST RUNNING MULTICAST MTU:1500 Metrik:1
RX packets:33432433 errors:0 dropped:0 overruns:0 frame:0
TX packets:19999336 errors:0 dropped:0 overruns:0 carrier:0
Kollisionen:0 Sendewarteschlangenlänge:1000
RX bytes:12373809539 (11.5 GiB) TX bytes:86608561813 (80.6 GiB)
fwpr100p0 Link encap:Ethernet Hardware Adresse 8a:67:60:2b:87:d3
inet6-Adresse: fe80::8867:60ff:fe2b:87d3/64 Gültigkeitsbereich:Verbindung
UP BROADCAST RUNNING MULTICAST MTU:1500 Metrik:1
RX packets:19999336 errors:0 dropped:0 overruns:0 frame:0
TX packets:33432433 errors:0 dropped:0 overruns:0 carrier:0
Kollisionen:0 Sendewarteschlangenlänge:1000
RX bytes:86608561813 (80.6 GiB) TX bytes:12373809539 (11.5 GiB)
lo Link encap:Lokale Schleife
inet Adresse:127.0.0.1 Maske:255.0.0.0
inet6-Adresse: ::1/128 Gültigkeitsbereich:Maschine
UP LOOPBACK RUNNING MTU:65536 Metrik:1
RX packets:87974 errors:0 dropped:0 overruns:0 frame:0
TX packets:87974 errors:0 dropped:0 overruns:0 carrier:0
Kollisionen:0 Sendewarteschlangenlänge:0
RX bytes:93876495 (89.5 MiB) TX bytes:93876495 (89.5 MiB)
tap100i0 Link encap:Ethernet Hardware Adresse fe:17:84:45:66:e8
inet6-Adresse: fe80::fc17:84ff:fe45:66e8/64 Gültigkeitsbereich:Verbindung
UP BROADCAST RUNNING PROMISC MULTICAST MTU:1500 Metrik:1
RX packets:20057315 errors:0 dropped:0 overruns:0 frame:0
TX packets:33352057 errors:0 dropped:0 overruns:0 carrier:0
Kollisionen:0 Sendewarteschlangenlänge:500
RX bytes:86612839906 (80.6 GiB) TX bytes:12366165256 (11.5 GiB)
venet0 Link encap:UNSPEC Hardware Adresse 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet6-Adresse: fe80::1/128 Gültigkeitsbereich:Verbindung
UP BROADCAST PUNKTZUPUNKT RUNNING NOARP MTU:1500 Metrik:1
RX packets:31238235 errors:0 dropped:0 overruns:0 frame:0
TX packets:41971707 errors:0 dropped:4 overruns:0 carrier:0
Kollisionen:0 Sendewarteschlangenlänge:0
RX bytes:30876727916 (28.7 GiB) TX bytes:38043503629 (35.4 GiB)
vmbr0 Link encap:Ethernet Hardware Adresse 54:a0:50:d5:e5:be
inet Adresse:192.168.X.249 Bcast:192.168.X.255 Maske:255.255.255.0
inet6-Adresse: fe80::56a0:50ff:fed5:e5be/64 Gültigkeitsbereich:Verbindung
UP BROADCAST RUNNING MULTICAST MTU:1500 Metrik:1
RX packets:24492317 errors:0 dropped:0 overruns:0 frame:0
TX packets:31923742 errors:0 dropped:0 overruns:0 carrier:0
Kollisionen:0 Sendewarteschlangenlänge:0
RX bytes:37226555266 (34.6 GiB) TX bytes:36399035765 (33.8 GiB)
pve-firewall status
Status: enabled/running (pending changes)
Last edited: