Cluster Firewall

TechLineX
Mar 2, 2015
Hello,

I tried to block incoming port 111. It's not possible to disable the rpcbind service, because we use NFS as internal storage.

The cluster is set up with 3 nodes.

Code:
root@host1:~# iptables -L -v -n
Chain INPUT (policy ACCEPT 30M packets, 45G bytes)
pkts bytes target prot opt in out source destination
1087 57653 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:11211
505 20576 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:11211
310 23937 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:5353
18154 1525K ACCEPT udp -- * * 172.16.0.0/16 0.0.0.0/0 udp dpt:111
0 0 ACCEPT udp -- * * 127.0.0.1 0.0.0.0/0 udp dpt:111
307K 21M DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:111

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination

Chain OUTPUT (policy ACCEPT 24M packets, 111G bytes)
pkts bytes target prot opt in out source destination
0 0 DROP tcp -- * eth0 0.0.0.0/0 0.0.0.0/0 tcp dpt:111

root@host2:~# iptables -L -v -n
Chain INPUT (policy ACCEPT 90M packets, 138G bytes)
pkts bytes target prot opt in out source destination
18147 1524K ACCEPT udp -- * * 172.16.0.0/16 0.0.0.0/0 udp dpt:111
0 0 ACCEPT udp -- * * 127.0.0.1 0.0.0.0/0 udp dpt:111
316K 21M DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:111

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination

Chain OUTPUT (policy ACCEPT 60M packets, 233G bytes)
pkts bytes target prot opt in out source destination
root@host3:~# iptables -L -v -n
Chain INPUT (policy ACCEPT 95M packets, 188G bytes)
pkts bytes target prot opt in out source destination
18156 1525K ACCEPT udp -- * * 172.16.0.0/16 0.0.0.0/0 udp dpt:111
0 0 ACCEPT udp -- * * 127.0.0.1 0.0.0.0/0 udp dpt:111
349K 24M DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:111

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination

Chain OUTPUT (policy ACCEPT 78M packets, 194G bytes)
pkts bytes target prot opt in out source destination

But port 111 is still open from the internet. Is there another way to close this port?

Thank you in advance.
 
I tried to reproduce this but the rules look fine. How did you test that it's still open from the internet? Is maybe routing coming through 172.16.0.0/16 via NAT?

Notice that this just filters incoming traffic. Also depending on your environment, often REJECT rules are more helpful than DROP because they play nicer with the network and timeouts/retries.
 
hm - at least on my system rpcbind listens to both UDP+TCP (just thought of it because you mentioned nmap, which by default scans for open TCP ports).
The rules you posted are a bit mixed - you drop udp 111 on INPUT (which is applied, as you see in the first 2 counter columns), and on one host you drop tcp 111 on OUTPUT (which does not apply).

I would add the rules for both protocols (UDP+TCP) on the INPUT chain.
Also - just to make sure - check the output of `iptables -nvL -t nat` to make sure there is no port-forwarding going on.
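As an added example (not code from the thread or from Proxmox), the following script prints the INPUT rules the reply above recommends for both UDP and TCP on port 111 and audits a saved `iptables -L -v -n` listing for protocols that are still unfiltered. It assumes the cluster network is 172.16.0.0/16, as in the posted rules, and uses a constructed listing modelled on host1.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumption: the cluster network is
# 172.16.0.0/16 (taken from the posted rules); loopback is also allowed.

CLUSTER_NET="${CLUSTER_NET:-172.16.0.0/16}"
PORT=111

# Print the iptables commands instead of running them, so they can be reviewed.
# ACCEPT rules go to the top of INPUT, the REJECT to the end. REJECT rather
# than DROP lets misconfigured internal clients fail fast instead of timing out.
rpcbind_rules() {
    for proto in udp tcp; do
        echo "iptables -I INPUT -p $proto --dport $PORT -i lo -j ACCEPT"
        echo "iptables -I INPUT -p $proto --dport $PORT -s $CLUSTER_NET -j ACCEPT"
        echo "iptables -A INPUT -p $proto --dport $PORT -j REJECT"
    done
    # Port forwarding in the nat table would bypass these filters; list it too.
    echo "iptables -t nat -nvL"
}

# Read an `iptables -L -v -n` listing on stdin and report which protocols the
# INPUT chain filters on $PORT. Columns: pkts bytes target prot opt in out ...
# Rules in OUTPUT are ignored because inbound packets never traverse it.
audit_port() {
    awk -v port="$PORT" '
        /^Chain / { chain = $2 }
        chain == "INPUT" && ($3 == "DROP" || $3 == "REJECT") &&
            $0 ~ ("dpt:" port "$") { seen[$4] = 1 }
        END {
            if (!("udp" in seen)) print "MISSING: udp dpt:" port " not filtered in INPUT"
            if (!("tcp" in seen)) print "MISSING: tcp dpt:" port " not filtered in INPUT"
            if (("udp" in seen) && ("tcp" in seen)) print "OK: both protocols filtered"
        }'
}

# Constructed listing modelled on host1 from the thread: UDP 111 is dropped in
# INPUT, but the only TCP rule sits in OUTPUT, so TCP 111 stays reachable.
HOST1_LISTING='Chain INPUT (policy ACCEPT 30M packets, 45G bytes)
 pkts bytes target prot opt in out source destination
18154 1525K ACCEPT udp -- * * 172.16.0.0/16 0.0.0.0/0 udp dpt:111
 307K 21M DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:111

Chain OUTPUT (policy ACCEPT 24M packets, 111G bytes)
 pkts bytes target prot opt in out source destination
    0 0 DROP tcp -- * eth0 0.0.0.0/0 0.0.0.0/0 tcp dpt:111'

rpcbind_rules
printf '%s\n' "$HOST1_LISTING" | audit_port
```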
 
There should also be the possibility to set this up with the pve firewall, correct? How to set this up? I want to block the ports for my vms.

As I already read, it's necessary to enable the firewall at datacenter, host and vm. After that, I have to create a rule for each vm? Is there a possibility to block the traffic at the datacenter-level (means for all hosts and vms)?

Best regards
 