Hi everyone;
When I activate the firewall at the cluster level
1. I have to open port 22 and 8006 unless I loose connection; (which apparently not suppose to happen)
2. my container are unable to communicate with the world.
but as soon I disable the firewall everything is fine.
- I is Proxmox 5 installed on top of Debian 9 as described here
- with a masquered config for IPtables as mentioned here
here my IPTABLES -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
PVEFW-INPUT all -- anywhere anywhere
Chain FORWARD (policy ACCEPT)
target prot opt source destination
PVEFW-FORWARD all -- anywhere anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
PVEFW-OUTPUT all -- anywhere anywhere
Chain PVEFW-Drop (2 references)
target prot opt source destination
PVEFW-reject tcp -- anywhere anywhere tcp dpt:whois
PVEFW-DropBroadcast all -- anywhere anywhere
ACCEPT icmp -- anywhere anywhere icmp fragmentation-needed
ACCEPT icmp -- anywhere anywhere icmp time-exceeded
DROP all -- anywhere anywhere ctstate INVALID
DROP udp -- anywhere anywhere multiport dports loc-srv,microsoft-ds
DROP udp -- anywhere anywhere udp dpts:netbios-ns:netbios-ssn
DROP udp -- anywhere anywhere udp spt:netbios-ns dpts:1024:65535
DROP tcp -- anywhere anywhere multiport dports loc-srv,netbios-ssn,microsoft-ds
DROP udp -- anywhere anywhere udp dpt:1900
DROP tcp -- anywhere anywhere tcp flags:!FIN,SYN,RST,ACK/SYN
DROP udp -- anywhere anywhere udp spt:domain
all -- anywhere anywhere /* PVESIG:WDy2wbFe7jNYEyoO3QhUELZ4mIQ */
Chain PVEFW-DropBroadcast (2 references)
target prot opt source destination
DROP all -- anywhere anywhere ADDRTYPE match dst-type BROADCAST
DROP all -- anywhere anywhere ADDRTYPE match dst-type MULTICAST
DROP all -- anywhere anywhere ADDRTYPE match dst-type ANYCAST
DROP all -- anywhere base-address.mcast.net/4
all -- anywhere anywhere /* PVESIG:NyjHNAtFbkH7WGLamPpdVnxHy4w */
Chain PVEFW-FORWARD (1 references)
target prot opt source destination
DROP all -- anywhere anywhere ctstate INVALID
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
PVEFW-FWBR-IN all -- anywhere anywhere PHYSDEV match --physdev-in fwln+ --physdev-is-bridged
PVEFW-FWBR-OUT all -- anywhere anywhere PHYSDEV match --physdev-out fwln+ --physdev-is-bridged
all -- anywhere anywhere /* PVESIG:qnNexOcGa+y+jebd4dAUqFSp5nw */
Chain PVEFW-FWBR-IN (1 references)
target prot opt source destination
PVEFW-smurfs all -- anywhere anywhere ctstate INVALID,NEW
veth9000i0-IN all -- anywhere anywhere PHYSDEV match --physdev-out veth9000i0 --physdev-is-bridged
all -- anywhere anywhere /* PVESIG:2pe3MIKs5JmublkBcuhiL1rUsC0 */
Chain PVEFW-FWBR-OUT (1 references)
target prot opt source destination
veth9000i0-OUT all -- anywhere anywhere PHYSDEV match --physdev-in veth9000i0 --physdev-is-bridged
all -- anywhere anywhere /* PVESIG
H0IVNwqUBlRpqI/xr3kzaatg7Y */
Chain PVEFW-HOST-IN (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
DROP all -- anywhere anywhere ctstate INVALID
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
PVEFW-smurfs all -- anywhere anywhere ctstate INVALID,NEW
RETURN igmp -- anywhere anywhere
RETURN tcp -- anywhere anywhere tcp dpt:8006
RETURN tcp -- anywhere anywhere tcp dpt:ssh
RETURN tcp -- anywhere anywhere match-set PVEFW-0-management-v4 src tcp dpt:8006
RETURN tcp -- anywhere anywhere match-set PVEFW-0-management-v4 src tcp dpts:5900:5999
RETURN tcp -- anywhere anywhere match-set PVEFW-0-management-v4 src tcp dpt:3128
RETURN tcp -- anywhere anywhere match-set PVEFW-0-management-v4 src tcp dpt:ssh
RETURN udp -- loopback/8 loopback/8 udp dpts:5404:5405
RETURN udp -- loopback/8 anywhere ADDRTYPE match dst-type MULTICAST udp dpts:5404:5405
PVEFW-Drop all -- anywhere anywhere
NFLOG all -- anywhere anywhere nflog-prefix ":0:6VEFW-HOST-IN: policy DROP: "
DROP all -- anywhere anywhere
all -- anywhere anywhere /* PVESIG:OcLINyr1lObj5wXlWOJbXoEuMw8 */
Chain PVEFW-HOST-OUT (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
DROP all -- anywhere anywhere ctstate INVALID
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
RETURN igmp -- anywhere anywhere
RETURN tcp -- anywhere loopback/8 tcp dpt:8006
RETURN tcp -- anywhere loopback/8 tcp dpt:ssh
RETURN tcp -- anywhere loopback/8 tcp dpts:5900:5999
RETURN tcp -- anywhere loopback/8 tcp dpt:3128
RETURN udp -- anywhere loopback/8 udp dpts:5404:5405
RETURN udp -- anywhere anywhere ADDRTYPE match dst-type MULTICAST udp dpts:5404:5405
RETURN all -- anywhere anywhere
all -- anywhere anywhere /* PVESIG:jELYhEe2h6xFB9obyxYEK0pS3n0 */
Chain PVEFW-INPUT (1 references)
target prot opt source destination
PVEFW-HOST-IN all -- anywhere anywhere
all -- anywhere anywhere /* PVESIG:+5iMmLaxKXynOB/+5xibfx7WhFk */
Chain PVEFW-OUTPUT (1 references)
target prot opt source destination
PVEFW-HOST-OUT all -- anywhere anywhere
all -- anywhere anywhere /* PVESIG:LjHoZeSSiWAG3+2ZAyL/xuEehd0 */
Chain PVEFW-Reject (0 references)
target prot opt source destination
PVEFW-reject tcp -- anywhere anywhere tcp dpt:whois
PVEFW-DropBroadcast all -- anywhere anywhere
ACCEPT icmp -- anywhere anywhere icmp fragmentation-needed
ACCEPT icmp -- anywhere anywhere icmp time-exceeded
DROP all -- anywhere anywhere ctstate INVALID
PVEFW-reject udp -- anywhere anywhere multiport dports loc-srv,microsoft-ds
PVEFW-reject udp -- anywhere anywhere udp dpts:netbios-ns:netbios-ssn
PVEFW-reject udp -- anywhere anywhere udp spt:netbios-ns dpts:1024:65535
PVEFW-reject tcp -- anywhere anywhere multiport dports loc-srv,netbios-ssn,microsoft-ds
DROP udp -- anywhere anywhere udp dpt:1900
DROP tcp -- anywhere anywhere tcp flags:!FIN,SYN,RST,ACK/SYN
DROP udp -- anywhere anywhere udp spt:domain
all -- anywhere anywhere /* PVESIG:CZJnIN6rAdpu+ej59QPr9+laMUo */
Chain PVEFW-SET-ACCEPT-MARK (2 references)
target prot opt source destination
MARK all -- anywhere anywhere MARK or 0x80000000
all -- anywhere anywhere /* PVESIG:Hg/OIgIwJChBUcWU8Xnjhdd2jUY */
Chain PVEFW-logflags (5 references)
target prot opt source destination
DROP all -- anywhere anywhere
all -- anywhere anywhere /* PVESIG:MN4PH1oPZeABMuWr64RrygPfW7A */
Chain PVEFW-reject (6 references)
target prot opt source destination
DROP all -- anywhere anywhere ADDRTYPE match dst-type BROADCAST
DROP all -- base-address.mcast.net/4 anywhere
DROP icmp -- anywhere anywhere
REJECT tcp -- anywhere anywhere reject-with tcp-reset
REJECT udp -- anywhere anywhere reject-with icmp-port-unreachable
REJECT icmp -- anywhere anywhere reject-with icmp-host-unreachable
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
all -- anywhere anywhere /* PVESIG:Jlkrtle1mDdtxDeI9QaDSL++Npc */
Chain PVEFW-smurflog (2 references)
target prot opt source destination
DROP all -- anywhere anywhere
all -- anywhere anywhere /* PVESIG:2gfT1VMkfr0JL6OccRXTGXo+1qk */
Chain PVEFW-smurfs (2 references)
target prot opt source destination
RETURN all -- default anywhere
PVEFW-smurflog all -- anywhere anywhere [goto] ADDRTYPE match src-type BROADCAST
PVEFW-smurflog all -- base-address.mcast.net/4 anywhere [goto]
all -- anywhere anywhere /* PVESIG:HssVe5QCBXd5mc9kC88749+7fag */
Chain PVEFW-tcpflags (0 references)
target prot opt source destination
PVEFW-logflags tcp -- anywhere anywhere [goto] tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,PSH,URG
PVEFW-logflags tcp -- anywhere anywhere [goto] tcp flags:FIN,SYN,RST,PSH,ACK,URG/NONE
PVEFW-logflags tcp -- anywhere anywhere [goto] tcp flags:SYN,RST/SYN,RST
PVEFW-logflags tcp -- anywhere anywhere [goto] tcp flags:FIN,SYN/FIN,SYN
PVEFW-logflags tcp -- anywhere anywhere [goto] tcp spt:0 flags:FIN,SYN,RST,ACK/SYN
all -- anywhere anywhere /* PVESIG:CMFojwNPqllyqD67NeI5m+bP5mo */
Chain veth9000i0-IN (1 references)
target prot opt source destination
ACCEPT udp -- anywhere anywhere udp spt:bootps dpt:bootpc
PVEFW-Drop all -- anywhere anywhere
NFLOG all -- anywhere anywhere nflog-prefix ":9000:6:veth9000i0-IN: policy DROP: "
DROP all -- anywhere anywhere
all -- anywhere anywhere /* PVESIG:9aLdQLZMUCJMOYqqV66Ynt6mK2U */
Chain veth9000i0-OUT (1 references)
target prot opt source destination
PVEFW-SET-ACCEPT-MARK udp -- anywhere anywhere [goto] udp spt:bootpc dpt:bootps
DROP all -- anywhere anywhere MAC ! D2:34:6C:66:53:7E
MARK all -- anywhere anywhere MARK and 0x7fffffff
PVEFW-SET-ACCEPT-MARK all -- anywhere anywhere [goto]
all -- anywhere anywhere /* PVESIG:hYw0VqUREb6x7yfS2mCtWldEE+Q */
If anyone have any idea I'll be glad to try it
thanks for your help
When I activate the firewall at the cluster level
1. I have to open port 22 and 8006 unless I loose connection; (which apparently not suppose to happen)
2. my container are unable to communicate with the world.
but as soon I disable the firewall everything is fine.
- I is Proxmox 5 installed on top of Debian 9 as described here
- with a masquered config for IPtables as mentioned here
here my IPTABLES -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
PVEFW-INPUT all -- anywhere anywhere
Chain FORWARD (policy ACCEPT)
target prot opt source destination
PVEFW-FORWARD all -- anywhere anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
PVEFW-OUTPUT all -- anywhere anywhere
Chain PVEFW-Drop (2 references)
target prot opt source destination
PVEFW-reject tcp -- anywhere anywhere tcp dpt:whois
PVEFW-DropBroadcast all -- anywhere anywhere
ACCEPT icmp -- anywhere anywhere icmp fragmentation-needed
ACCEPT icmp -- anywhere anywhere icmp time-exceeded
DROP all -- anywhere anywhere ctstate INVALID
DROP udp -- anywhere anywhere multiport dports loc-srv,microsoft-ds
DROP udp -- anywhere anywhere udp dpts:netbios-ns:netbios-ssn
DROP udp -- anywhere anywhere udp spt:netbios-ns dpts:1024:65535
DROP tcp -- anywhere anywhere multiport dports loc-srv,netbios-ssn,microsoft-ds
DROP udp -- anywhere anywhere udp dpt:1900
DROP tcp -- anywhere anywhere tcp flags:!FIN,SYN,RST,ACK/SYN
DROP udp -- anywhere anywhere udp spt:domain
all -- anywhere anywhere /* PVESIG:WDy2wbFe7jNYEyoO3QhUELZ4mIQ */
Chain PVEFW-DropBroadcast (2 references)
target prot opt source destination
DROP all -- anywhere anywhere ADDRTYPE match dst-type BROADCAST
DROP all -- anywhere anywhere ADDRTYPE match dst-type MULTICAST
DROP all -- anywhere anywhere ADDRTYPE match dst-type ANYCAST
DROP all -- anywhere base-address.mcast.net/4
all -- anywhere anywhere /* PVESIG:NyjHNAtFbkH7WGLamPpdVnxHy4w */
Chain PVEFW-FORWARD (1 references)
target prot opt source destination
DROP all -- anywhere anywhere ctstate INVALID
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
PVEFW-FWBR-IN all -- anywhere anywhere PHYSDEV match --physdev-in fwln+ --physdev-is-bridged
PVEFW-FWBR-OUT all -- anywhere anywhere PHYSDEV match --physdev-out fwln+ --physdev-is-bridged
all -- anywhere anywhere /* PVESIG:qnNexOcGa+y+jebd4dAUqFSp5nw */
Chain PVEFW-FWBR-IN (1 references)
target prot opt source destination
PVEFW-smurfs all -- anywhere anywhere ctstate INVALID,NEW
veth9000i0-IN all -- anywhere anywhere PHYSDEV match --physdev-out veth9000i0 --physdev-is-bridged
all -- anywhere anywhere /* PVESIG:2pe3MIKs5JmublkBcuhiL1rUsC0 */
Chain PVEFW-FWBR-OUT (1 references)
target prot opt source destination
veth9000i0-OUT all -- anywhere anywhere PHYSDEV match --physdev-in veth9000i0 --physdev-is-bridged
all -- anywhere anywhere /* PVESIG
H0IVNwqUBlRpqI/xr3kzaatg7Y */Chain PVEFW-HOST-IN (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
DROP all -- anywhere anywhere ctstate INVALID
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
PVEFW-smurfs all -- anywhere anywhere ctstate INVALID,NEW
RETURN igmp -- anywhere anywhere
RETURN tcp -- anywhere anywhere tcp dpt:8006
RETURN tcp -- anywhere anywhere tcp dpt:ssh
RETURN tcp -- anywhere anywhere match-set PVEFW-0-management-v4 src tcp dpt:8006
RETURN tcp -- anywhere anywhere match-set PVEFW-0-management-v4 src tcp dpts:5900:5999
RETURN tcp -- anywhere anywhere match-set PVEFW-0-management-v4 src tcp dpt:3128
RETURN tcp -- anywhere anywhere match-set PVEFW-0-management-v4 src tcp dpt:ssh
RETURN udp -- loopback/8 loopback/8 udp dpts:5404:5405
RETURN udp -- loopback/8 anywhere ADDRTYPE match dst-type MULTICAST udp dpts:5404:5405
PVEFW-Drop all -- anywhere anywhere
NFLOG all -- anywhere anywhere nflog-prefix ":0:6
VEFW-HOST-IN: policy DROP: "DROP all -- anywhere anywhere
all -- anywhere anywhere /* PVESIG:OcLINyr1lObj5wXlWOJbXoEuMw8 */
Chain PVEFW-HOST-OUT (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
DROP all -- anywhere anywhere ctstate INVALID
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
RETURN igmp -- anywhere anywhere
RETURN tcp -- anywhere loopback/8 tcp dpt:8006
RETURN tcp -- anywhere loopback/8 tcp dpt:ssh
RETURN tcp -- anywhere loopback/8 tcp dpts:5900:5999
RETURN tcp -- anywhere loopback/8 tcp dpt:3128
RETURN udp -- anywhere loopback/8 udp dpts:5404:5405
RETURN udp -- anywhere anywhere ADDRTYPE match dst-type MULTICAST udp dpts:5404:5405
RETURN all -- anywhere anywhere
all -- anywhere anywhere /* PVESIG:jELYhEe2h6xFB9obyxYEK0pS3n0 */
Chain PVEFW-INPUT (1 references)
target prot opt source destination
PVEFW-HOST-IN all -- anywhere anywhere
all -- anywhere anywhere /* PVESIG:+5iMmLaxKXynOB/+5xibfx7WhFk */
Chain PVEFW-OUTPUT (1 references)
target prot opt source destination
PVEFW-HOST-OUT all -- anywhere anywhere
all -- anywhere anywhere /* PVESIG:LjHoZeSSiWAG3+2ZAyL/xuEehd0 */
Chain PVEFW-Reject (0 references)
target prot opt source destination
PVEFW-reject tcp -- anywhere anywhere tcp dpt:whois
PVEFW-DropBroadcast all -- anywhere anywhere
ACCEPT icmp -- anywhere anywhere icmp fragmentation-needed
ACCEPT icmp -- anywhere anywhere icmp time-exceeded
DROP all -- anywhere anywhere ctstate INVALID
PVEFW-reject udp -- anywhere anywhere multiport dports loc-srv,microsoft-ds
PVEFW-reject udp -- anywhere anywhere udp dpts:netbios-ns:netbios-ssn
PVEFW-reject udp -- anywhere anywhere udp spt:netbios-ns dpts:1024:65535
PVEFW-reject tcp -- anywhere anywhere multiport dports loc-srv,netbios-ssn,microsoft-ds
DROP udp -- anywhere anywhere udp dpt:1900
DROP tcp -- anywhere anywhere tcp flags:!FIN,SYN,RST,ACK/SYN
DROP udp -- anywhere anywhere udp spt:domain
all -- anywhere anywhere /* PVESIG:CZJnIN6rAdpu+ej59QPr9+laMUo */
Chain PVEFW-SET-ACCEPT-MARK (2 references)
target prot opt source destination
MARK all -- anywhere anywhere MARK or 0x80000000
all -- anywhere anywhere /* PVESIG:Hg/OIgIwJChBUcWU8Xnjhdd2jUY */
Chain PVEFW-logflags (5 references)
target prot opt source destination
DROP all -- anywhere anywhere
all -- anywhere anywhere /* PVESIG:MN4PH1oPZeABMuWr64RrygPfW7A */
Chain PVEFW-reject (6 references)
target prot opt source destination
DROP all -- anywhere anywhere ADDRTYPE match dst-type BROADCAST
DROP all -- base-address.mcast.net/4 anywhere
DROP icmp -- anywhere anywhere
REJECT tcp -- anywhere anywhere reject-with tcp-reset
REJECT udp -- anywhere anywhere reject-with icmp-port-unreachable
REJECT icmp -- anywhere anywhere reject-with icmp-host-unreachable
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
all -- anywhere anywhere /* PVESIG:Jlkrtle1mDdtxDeI9QaDSL++Npc */
Chain PVEFW-smurflog (2 references)
target prot opt source destination
DROP all -- anywhere anywhere
all -- anywhere anywhere /* PVESIG:2gfT1VMkfr0JL6OccRXTGXo+1qk */
Chain PVEFW-smurfs (2 references)
target prot opt source destination
RETURN all -- default anywhere
PVEFW-smurflog all -- anywhere anywhere [goto] ADDRTYPE match src-type BROADCAST
PVEFW-smurflog all -- base-address.mcast.net/4 anywhere [goto]
all -- anywhere anywhere /* PVESIG:HssVe5QCBXd5mc9kC88749+7fag */
Chain PVEFW-tcpflags (0 references)
target prot opt source destination
PVEFW-logflags tcp -- anywhere anywhere [goto] tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,PSH,URG
PVEFW-logflags tcp -- anywhere anywhere [goto] tcp flags:FIN,SYN,RST,PSH,ACK,URG/NONE
PVEFW-logflags tcp -- anywhere anywhere [goto] tcp flags:SYN,RST/SYN,RST
PVEFW-logflags tcp -- anywhere anywhere [goto] tcp flags:FIN,SYN/FIN,SYN
PVEFW-logflags tcp -- anywhere anywhere [goto] tcp spt:0 flags:FIN,SYN,RST,ACK/SYN
all -- anywhere anywhere /* PVESIG:CMFojwNPqllyqD67NeI5m+bP5mo */
Chain veth9000i0-IN (1 references)
target prot opt source destination
ACCEPT udp -- anywhere anywhere udp spt:bootps dpt:bootpc
PVEFW-Drop all -- anywhere anywhere
NFLOG all -- anywhere anywhere nflog-prefix ":9000:6:veth9000i0-IN: policy DROP: "
DROP all -- anywhere anywhere
all -- anywhere anywhere /* PVESIG:9aLdQLZMUCJMOYqqV66Ynt6mK2U */
Chain veth9000i0-OUT (1 references)
target prot opt source destination
PVEFW-SET-ACCEPT-MARK udp -- anywhere anywhere [goto] udp spt:bootpc dpt:bootps
DROP all -- anywhere anywhere MAC ! D2:34:6C:66:53:7E
MARK all -- anywhere anywhere MARK and 0x7fffffff
PVEFW-SET-ACCEPT-MARK all -- anywhere anywhere [goto]
all -- anywhere anywhere /* PVESIG:hYw0VqUREb6x7yfS2mCtWldEE+Q */
If anyone have any idea I'll be glad to try it
thanks for your help