CT with firewall has no internet

aeris (Active Member), Aug 19, 2018
Hello,

I have an issue: I want to use the embedded firewall with one public IP, and the container can't access the internet.

Code:
enable: 1
policy_in: ACCEPT

[RULES]

IN SSH(ACCEPT) -log nolog
IN ACCEPT -p tcp -dport 8006 -log nolog

root@opale:~# cat /etc/pve/firewall/100.fw
[OPTIONS]

policy_in: ACCEPT
enable: 1

[ALIASES]

CT100 192.168.0.100

[RULES]

IN SMTPS(ACCEPT) -log nolog
IN SMTP(ACCEPT) -log nolog
IN IMAPS(ACCEPT) -log nolog
IN IMAP(ACCEPT) -log nolog
IN POP3S(ACCEPT) -log nolog
IN POP3(ACCEPT) -log nolog
IN Web(ACCEPT) -log nolog
IN ACCEPT -dest ct100 -p tcp -dport 22 -sport 22100 -log nolog # SSH

root@opale:~# ip address
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: enp4s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 00:25:90:0e:44:a8 brd ff:ff:ff:ff:ff:ff
    inet 91.121.xx.xx/24 brd 91.121.xx.255 scope global dynamic enp4s0
       valid_lft 67403sec preferred_lft 67403sec
    inet6 fe80::225:90ff:fe0e:44a8/64 scope link
       valid_lft forever preferred_lft forever
3: enp5s0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000
    link/ether 00:25:90:0e:44:a9 brd ff:ff:ff:ff:ff:ff
4: vmbr0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 46:b3:c6:08:73:4d brd ff:ff:ff:ff:ff:ff
    inet 192.168.0.1/24 brd 192.168.0.255 scope global vmbr0
       valid_lft forever preferred_lft forever
    inet6 fe80::78bf:37ff:fe4e:6f89/64 scope link
       valid_lft forever preferred_lft forever
11: veth100i0@if10: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master fwbr100i0 state UP group default qlen 1000
    link/ether fe:f1:f7:e4:4b:e7 brd ff:ff:ff:ff:ff:ff link-netnsid 0
12: fwbr100i0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether d2:f9:b3:32:6f:86 brd ff:ff:ff:ff:ff:ff
13: fwpr100p0@fwln100i0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master vmbr0 state UP group default qlen 1000
    link/ether 46:b3:c6:08:73:4d brd ff:ff:ff:ff:ff:ff
14: fwln100i0@fwpr100p0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master fwbr100i0 state UP group default qlen 1000
    link/ether d2:f9:b3:32:6f:86 brd ff:ff:ff:ff:ff:ff




CONTAINER:

root@agate:~# cat /etc/network/interfaces
auto lo
iface lo inet loopback

auto eth0
iface eth0 inet static
        address 192.168.0.100
        netmask 255.255.255.0
        gateway 192.168.0.1

root@agate:~# traceroute google.fr
google.fr: Temporary failure in name resolution
Cannot handle "host" cmdline arg `google.fr' on position 1 (argc 1)
root@agate:~# traceroute 8.8.8.8
traceroute to 8.8.8.8 (8.8.8.8), 30 hops max, 60 byte packets
1  192.168.0.1 (192.168.0.1)  0.048 ms  0.023 ms  0.022 ms
2  * * *
...

Thanks.
 
Bash:
root@opale:~# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
PVEFW-INPUT  all  --  anywhere             anywhere

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
PVEFW-FORWARD  all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
PVEFW-OUTPUT  all  --  anywhere             anywhere

Chain PVEFW-Drop (0 references)
target     prot opt source               destination
PVEFW-reject  tcp  --  anywhere             anywhere             tcp dpt:whois
PVEFW-DropBroadcast  all  --  anywhere             anywhere
ACCEPT     icmp --  anywhere             anywhere             icmp fragmentation-needed
ACCEPT     icmp --  anywhere             anywhere             icmp time-exceeded
DROP       all  --  anywhere             anywhere             ctstate INVALID
DROP       udp  --  anywhere             anywhere             multiport dports epmap,microsoft-ds
DROP       udp  --  anywhere             anywhere             udp dpts:netbios-ns:netbios-ssn
DROP       udp  --  anywhere             anywhere             udp spt:netbios-ns dpts:1024:65535
DROP       tcp  --  anywhere             anywhere             multiport dports epmap,netbios-ssn,microsoft-ds
DROP       udp  --  anywhere             anywhere             udp dpt:1900
DROP       tcp  --  anywhere             anywhere             tcp flags:!FIN,SYN,RST,ACK/SYN
DROP       udp  --  anywhere             anywhere             udp spt:domain
           all  --  anywhere             anywhere             /* PVESIG:WDy2wbFe7jNYEyoO3QhUELZ4mIQ */

Chain PVEFW-DropBroadcast (2 references)
target     prot opt source               destination
DROP       all  --  anywhere             anywhere             ADDRTYPE match dst-type BROADCAST
DROP       all  --  anywhere             anywhere             ADDRTYPE match dst-type MULTICAST
DROP       all  --  anywhere             anywhere             ADDRTYPE match dst-type ANYCAST
DROP       all  --  anywhere             base-address.mcast.net/4
           all  --  anywhere             anywhere             /* PVESIG:NyjHNAtFbkH7WGLamPpdVnxHy4w */

Chain PVEFW-FORWARD (1 references)
target     prot opt source               destination
DROP       all  --  anywhere             anywhere             ctstate INVALID
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
PVEFW-FWBR-IN  all  --  anywhere             anywhere             PHYSDEV match --physdev-in fwln+ --physdev-is-bridged
PVEFW-FWBR-OUT  all  --  anywhere             anywhere             PHYSDEV match --physdev-out fwln+ --physdev-is-bridged
           all  --  anywhere             anywhere             /* PVESIG:qnNexOcGa+y+jebd4dAUqFSp5nw */

Chain PVEFW-FWBR-IN (1 references)
target     prot opt source               destination
PVEFW-smurfs  all  --  anywhere             anywhere             ctstate INVALID,NEW
veth100i0-IN  all  --  anywhere             anywhere             PHYSDEV match --physdev-out veth100i0 --physdev-is-bridged
           all  --  anywhere             anywhere             /* PVESIG:4OE5DGCM8EKNLmQbkV3LIx5w1QM */

Chain PVEFW-FWBR-OUT (1 references)
target     prot opt source               destination
veth100i0-OUT  all  --  anywhere             anywhere             PHYSDEV match --physdev-in veth100i0 --physdev-is-bridged
           all  --  anywhere             anywhere             /* PVESIG:lXaefvpIDNAYTJwiaBF5f1+faEw */

Chain PVEFW-HOST-IN (1 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
DROP       all  --  anywhere             anywhere             ctstate INVALID
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
PVEFW-smurfs  all  --  anywhere             anywhere             ctstate INVALID,NEW
RETURN     igmp --  anywhere             anywhere
RETURN     tcp  --  anywhere             anywhere             tcp dpt:ssh
RETURN     tcp  --  anywhere             anywhere             tcp dpt:8006
RETURN     tcp  --  anywhere             anywhere             match-set PVEFW-0-management-v4 src tcp dpt:8006
RETURN     tcp  --  anywhere             anywhere             match-set PVEFW-0-management-v4 src tcp dpts:5900:5999
RETURN     tcp  --  anywhere             anywhere             match-set PVEFW-0-management-v4 src tcp dpt:3128
RETURN     tcp  --  anywhere             anywhere             match-set PVEFW-0-management-v4 src tcp dpt:ssh
RETURN     tcp  --  anywhere             anywhere             match-set PVEFW-0-management-v4 src tcp dpts:60000:60050
RETURN     all  --  anywhere             anywhere
           all  --  anywhere             anywhere             /* PVESIG:mn9IoxuwBw+SLQ5pjtAC6PS4BJY */

Chain PVEFW-HOST-OUT (1 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
DROP       all  --  anywhere             anywhere             ctstate INVALID
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
RETURN     igmp --  anywhere             anywhere
RETURN     tcp  --  anywhere             91.121.xx.0/24      tcp dpt:8006
RETURN     tcp  --  anywhere             91.121.xx.0/24      tcp dpt:ssh
RETURN     tcp  --  anywhere             91.121.xx.0/24      tcp dpts:5900:5999
RETURN     tcp  --  anywhere             91.121.xx.0/24      tcp dpt:3128
RETURN     all  --  anywhere             anywhere
           all  --  anywhere             anywhere             /* PVESIG:tN93WXM9TRrtDNwpiEQeJvC2jQQ */

Chain PVEFW-INPUT (1 references)
target     prot opt source               destination
PVEFW-HOST-IN  all  --  anywhere             anywhere
           all  --  anywhere             anywhere             /* PVESIG:+5iMmLaxKXynOB/+5xibfx7WhFk */

Chain PVEFW-OUTPUT (1 references)
target     prot opt source               destination
PVEFW-HOST-OUT  all  --  anywhere             anywhere
           all  --  anywhere             anywhere             /* PVESIG:LjHoZeSSiWAG3+2ZAyL/xuEehd0 */

Chain PVEFW-Reject (0 references)
target     prot opt source               destination
PVEFW-reject  tcp  --  anywhere             anywhere             tcp dpt:whois
PVEFW-DropBroadcast  all  --  anywhere             anywhere
ACCEPT     icmp --  anywhere             anywhere             icmp fragmentation-needed
ACCEPT     icmp --  anywhere             anywhere             icmp time-exceeded
DROP       all  --  anywhere             anywhere             ctstate INVALID
PVEFW-reject  udp  --  anywhere             anywhere             multiport dports epmap,microsoft-ds
PVEFW-reject  udp  --  anywhere             anywhere             udp dpts:netbios-ns:netbios-ssn
PVEFW-reject  udp  --  anywhere             anywhere             udp spt:netbios-ns dpts:1024:65535
PVEFW-reject  tcp  --  anywhere             anywhere             multiport dports epmap,netbios-ssn,microsoft-ds
DROP       udp  --  anywhere             anywhere             udp dpt:1900
DROP       tcp  --  anywhere             anywhere             tcp flags:!FIN,SYN,RST,ACK/SYN
DROP       udp  --  anywhere             anywhere             udp spt:domain
           all  --  anywhere             anywhere             /* PVESIG:CZJnIN6rAdpu+ej59QPr9+laMUo */

Chain PVEFW-SET-ACCEPT-MARK (2 references)
target     prot opt source               destination
MARK       all  --  anywhere             anywhere             MARK or 0x80000000
           all  --  anywhere             anywhere             /* PVESIG:Hg/OIgIwJChBUcWU8Xnjhdd2jUY */

Chain PVEFW-logflags (5 references)
target     prot opt source               destination
DROP       all  --  anywhere             anywhere
           all  --  anywhere             anywhere             /* PVESIG:MN4PH1oPZeABMuWr64RrygPfW7A */

Chain PVEFW-reject (6 references)
target     prot opt source               destination
DROP       all  --  anywhere             anywhere             ADDRTYPE match dst-type BROADCAST
DROP       all  --  base-address.mcast.net/4  anywhere
DROP       icmp --  anywhere             anywhere
REJECT     tcp  --  anywhere             anywhere             reject-with tcp-reset
REJECT     udp  --  anywhere             anywhere             reject-with icmp-port-unreachable
REJECT     icmp --  anywhere             anywhere             reject-with icmp-host-unreachable
REJECT     all  --  anywhere             anywhere             reject-with icmp-host-prohibited
           all  --  anywhere             anywhere             /* PVESIG:Jlkrtle1mDdtxDeI9QaDSL++Npc */

Chain PVEFW-smurflog (2 references)
target     prot opt source               destination
DROP       all  --  anywhere             anywhere
           all  --  anywhere             anywhere             /* PVESIG:2gfT1VMkfr0JL6OccRXTGXo+1qk */

Chain PVEFW-smurfs (2 references)
target     prot opt source               destination
RETURN     all  --  0.0.0.0              anywhere
PVEFW-smurflog  all  --  anywhere             anywhere            [goto]  ADDRTYPE match src-type BROADCAST
PVEFW-smurflog  all  --  base-address.mcast.net/4  anywhere            [goto]
           all  --  anywhere             anywhere             /* PVESIG:HssVe5QCBXd5mc9kC88749+7fag */

Chain PVEFW-tcpflags (0 references)
target     prot opt source               destination
PVEFW-logflags  tcp  --  anywhere             anywhere            [goto]  tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,PSH,URG
PVEFW-logflags  tcp  --  anywhere             anywhere            [goto]  tcp flags:FIN,SYN,RST,PSH,ACK,URG/NONE
PVEFW-logflags  tcp  --  anywhere             anywhere            [goto]  tcp flags:SYN,RST/SYN,RST
PVEFW-logflags  tcp  --  anywhere             anywhere            [goto]  tcp flags:FIN,SYN/FIN,SYN
PVEFW-logflags  tcp  --  anywhere             anywhere            [goto]  tcp spt:0 flags:FIN,SYN,RST,ACK/SYN
           all  --  anywhere             anywhere             /* PVESIG:CMFojwNPqllyqD67NeI5m+bP5mo */

Chain veth100i0-IN (1 references)
target     prot opt source               destination
ACCEPT     udp  --  anywhere             anywhere             udp spt:bootps dpt:bootpc
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:submissions
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:smtp
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:imaps
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:imap2
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:pop3s
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:pop3
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:http
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:https
ACCEPT     tcp  --  anywhere             192.168.0.100        tcp spt:22100 dpt:ssh
ACCEPT     all  --  anywhere             anywhere
           all  --  anywhere             anywhere             /* PVESIG:U14km5lGYIZuGxpdFFShALo767k */

Chain veth100i0-OUT (1 references)
target     prot opt source               destination
PVEFW-SET-ACCEPT-MARK  udp  --  anywhere             anywhere            [goto]  udp spt:bootpc dpt:bootps
DROP       all  --  anywhere             anywhere             MAC ! 82:10:F1:13:81:B5
MARK       all  --  anywhere             anywhere             MARK and 0x7fffffff
PVEFW-SET-ACCEPT-MARK  all  --  anywhere             anywhere            [goto]
           all  --  anywhere             anywhere             /* PVESIG:7NjvPzJvw72YcN9VRjSALmQWgZ8 */
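As an added example (not code from the post or from Proxmox), a small Python audit of a guest firewall file in the format quoted above: it parses the [OPTIONS] and [RULES] sections, expands each macro to the ports the generated veth100i0-IN chain shows for it, and reports what a reviewer would note about this file, namely that policy_in: ACCEPT leaves the IN allow rules with nothing to filter, that -sport 22100 matches the client's source port rather than forwarding a port, and that there are no OUT rules. The macro table is a constructed subset covering only the macros the post uses, the sample file is a shortened copy of the post's 100.fw, and the point that a .fw file only filters (so the private bridge still needs masquerading configured on the host) is stated as a comment.

```python
import re

# Macro -> ports as the post's veth100i0-IN chain shows them; constructed subset of the macros the post uses.
MACROS = {"SSH": ["22"], "SMTP": ["25"], "SMTPS": ["465"], "IMAP": ["143"],
          "IMAPS": ["993"], "POP3": ["110"], "POP3S": ["995"], "Web": ["80", "443"]}

# Constructed, shortened copy of the post's /etc/pve/firewall/100.fw
SAMPLE_FW = """[OPTIONS]
policy_in: ACCEPT
[RULES]
IN SMTPS(ACCEPT) -log nolog
IN Web(ACCEPT) -log nolog
IN ACCEPT -dest ct100 -p tcp -dport 22 -sport 22100 -log nolog # SSH
"""

def parse_fw(text):
    options, rules, section = {}, [], None          # returns (options, rules)
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop trailing comments
        if not line:
            continue
        if line.startswith("["):
            section = line.strip("[]").upper()
        elif section == "OPTIONS":
            key, val = line.split(":", 1)
            options[key.strip()] = val.strip()
        elif section == "RULES":
            toks = line.split()
            m = re.fullmatch(r"(\w+)\((\w+)\)", toks[1])   # macro form, e.g. SMTPS(ACCEPT)
            rule = {"dir": toks[0], "action": m.group(2) if m else toks[1],
                    "macro": m.group(1) if m else None}
            rule.update(zip((t.lstrip("-") for t in toks[2::2]), toks[3::2]))
            rules.append(rule)
    return options, rules

def effective_ports(rules):   # destination ports each rule really opens after macro expansion
    return [MACROS[r["macro"]] if r["macro"] else [r.get("dport", "any")] for r in rules]

def audit(options, rules):
    """Reviewer findings; a .fw file only filters, it can never add the NAT a private bridge needs."""
    findings = []
    if options.get("policy_in", "DROP").upper() == "ACCEPT":   # PVE guest default is DROP
        findings.append("policy_in ACCEPT: the IN allow rules filter nothing")
    for r in rules:
        if "sport" in r:   # -sport matches the client's source port; it is not a port forward
            findings.append(f"rule matches source port {r['sport']} only")
    if not any(r["dir"] == "OUT" for r in rules):
        findings.append("no OUT rules: egress is decided by policy_out alone")
    return findings
```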