CT with firewall have no internet

aeris

Active Member
Aug 19, 2018
Hello,

I have an issue: I want to use the embedded firewall with one public IP, and the container can't access the internet.

Code:
enable: 1
policy_in: ACCEPT

[RULES]

IN SSH(ACCEPT) -log nolog
IN ACCEPT -p tcp -dport 8006 -log nolog

root@opale:~# cat /etc/pve/firewall/100.fw
[OPTIONS]

policy_in: ACCEPT
enable: 1

[ALIASES]

CT100 192.168.0.100

[RULES]

IN SMTPS(ACCEPT) -log nolog
IN SMTP(ACCEPT) -log nolog
IN IMAPS(ACCEPT) -log nolog
IN IMAP(ACCEPT) -log nolog
IN POP3S(ACCEPT) -log nolog
IN POP3(ACCEPT) -log nolog
IN Web(ACCEPT) -log nolog
IN ACCEPT -dest ct100 -p tcp -dport 22 -sport 22100 -log nolog # SSH

root@opale:~# ip address
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: enp4s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 00:25:90:0e:44:a8 brd ff:ff:ff:ff:ff:ff
    inet 91.121.xx.xx/24 brd 91.121.xx.255 scope global dynamic enp4s0
       valid_lft 67403sec preferred_lft 67403sec
    inet6 fe80::225:90ff:fe0e:44a8/64 scope link
       valid_lft forever preferred_lft forever
3: enp5s0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000
    link/ether 00:25:90:0e:44:a9 brd ff:ff:ff:ff:ff:ff
4: vmbr0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 46:b3:c6:08:73:4d brd ff:ff:ff:ff:ff:ff
    inet 192.168.0.1/24 brd 192.168.0.255 scope global vmbr0
       valid_lft forever preferred_lft forever
    inet6 fe80::78bf:37ff:fe4e:6f89/64 scope link
       valid_lft forever preferred_lft forever
11: veth100i0@if10: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master fwbr100i0 state UP group default qlen 1000
    link/ether fe:f1:f7:e4:4b:e7 brd ff:ff:ff:ff:ff:ff link-netnsid 0
12: fwbr100i0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether d2:f9:b3:32:6f:86 brd ff:ff:ff:ff:ff:ff
13: fwpr100p0@fwln100i0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master vmbr0 state UP group default qlen 1000
    link/ether 46:b3:c6:08:73:4d brd ff:ff:ff:ff:ff:ff
14: fwln100i0@fwpr100p0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master fwbr100i0 state UP group default qlen 1000
    link/ether d2:f9:b3:32:6f:86 brd ff:ff:ff:ff:ff:ff




CONTAINER:

root@agate:~# cat /etc/network/interfaces
auto lo
iface lo inet loopback

auto eth0
iface eth0 inet static
        address 192.168.0.100
        netmask 255.255.255.0
        gateway 192.168.0.1

root@agate:~# traceroute google.fr
google.fr: Temporary failure in name resolution
Cannot handle "host" cmdline arg `google.fr' on position 1 (argc 1)
root@agate:~# traceroute 8.8.8.8
traceroute to 8.8.8.8 (8.8.8.8), 30 hops max, 60 byte packets
1  192.168.0.1 (192.168.0.1)  0.048 ms  0.023 ms  0.022 ms
2  * * *
...

Thanks.
 
Bash:
root@opale:~# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
PVEFW-INPUT  all  --  anywhere             anywhere

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
PVEFW-FORWARD  all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
PVEFW-OUTPUT  all  --  anywhere             anywhere

Chain PVEFW-Drop (0 references)
target     prot opt source               destination
PVEFW-reject  tcp  --  anywhere             anywhere             tcp dpt:whois
PVEFW-DropBroadcast  all  --  anywhere             anywhere
ACCEPT     icmp --  anywhere             anywhere             icmp fragmentation-needed
ACCEPT     icmp --  anywhere             anywhere             icmp time-exceeded
DROP       all  --  anywhere             anywhere             ctstate INVALID
DROP       udp  --  anywhere             anywhere             multiport dports epmap,microsoft-ds
DROP       udp  --  anywhere             anywhere             udp dpts:netbios-ns:netbios-ssn
DROP       udp  --  anywhere             anywhere             udp spt:netbios-ns dpts:1024:65535
DROP       tcp  --  anywhere             anywhere             multiport dports epmap,netbios-ssn,microsoft-ds
DROP       udp  --  anywhere             anywhere             udp dpt:1900
DROP       tcp  --  anywhere             anywhere             tcp flags:!FIN,SYN,RST,ACK/SYN
DROP       udp  --  anywhere             anywhere             udp spt:domain
           all  --  anywhere             anywhere             /* PVESIG:WDy2wbFe7jNYEyoO3QhUELZ4mIQ */

Chain PVEFW-DropBroadcast (2 references)
target     prot opt source               destination
DROP       all  --  anywhere             anywhere             ADDRTYPE match dst-type BROADCAST
DROP       all  --  anywhere             anywhere             ADDRTYPE match dst-type MULTICAST
DROP       all  --  anywhere             anywhere             ADDRTYPE match dst-type ANYCAST
DROP       all  --  anywhere             base-address.mcast.net/4
           all  --  anywhere             anywhere             /* PVESIG:NyjHNAtFbkH7WGLamPpdVnxHy4w */

Chain PVEFW-FORWARD (1 references)
target     prot opt source               destination
DROP       all  --  anywhere             anywhere             ctstate INVALID
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
PVEFW-FWBR-IN  all  --  anywhere             anywhere             PHYSDEV match --physdev-in fwln+ --physdev-is-bridged
PVEFW-FWBR-OUT  all  --  anywhere             anywhere             PHYSDEV match --physdev-out fwln+ --physdev-is-bridged
           all  --  anywhere             anywhere             /* PVESIG:qnNexOcGa+y+jebd4dAUqFSp5nw */

Chain PVEFW-FWBR-IN (1 references)
target     prot opt source               destination
PVEFW-smurfs  all  --  anywhere             anywhere             ctstate INVALID,NEW
veth100i0-IN  all  --  anywhere             anywhere             PHYSDEV match --physdev-out veth100i0 --physdev-is-bridged
           all  --  anywhere             anywhere             /* PVESIG:4OE5DGCM8EKNLmQbkV3LIx5w1QM */

Chain PVEFW-FWBR-OUT (1 references)
target     prot opt source               destination
veth100i0-OUT  all  --  anywhere             anywhere             PHYSDEV match --physdev-in veth100i0 --physdev-is-bridged
           all  --  anywhere             anywhere             /* PVESIG:lXaefvpIDNAYTJwiaBF5f1+faEw */

Chain PVEFW-HOST-IN (1 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
DROP       all  --  anywhere             anywhere             ctstate INVALID
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
PVEFW-smurfs  all  --  anywhere             anywhere             ctstate INVALID,NEW
RETURN     igmp --  anywhere             anywhere
RETURN     tcp  --  anywhere             anywhere             tcp dpt:ssh
RETURN     tcp  --  anywhere             anywhere             tcp dpt:8006
RETURN     tcp  --  anywhere             anywhere             match-set PVEFW-0-management-v4 src tcp dpt:8006
RETURN     tcp  --  anywhere             anywhere             match-set PVEFW-0-management-v4 src tcp dpts:5900:5999
RETURN     tcp  --  anywhere             anywhere             match-set PVEFW-0-management-v4 src tcp dpt:3128
RETURN     tcp  --  anywhere             anywhere             match-set PVEFW-0-management-v4 src tcp dpt:ssh
RETURN     tcp  --  anywhere             anywhere             match-set PVEFW-0-management-v4 src tcp dpts:60000:60050
RETURN     all  --  anywhere             anywhere
           all  --  anywhere             anywhere             /* PVESIG:mn9IoxuwBw+SLQ5pjtAC6PS4BJY */

Chain PVEFW-HOST-OUT (1 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
DROP       all  --  anywhere             anywhere             ctstate INVALID
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
RETURN     igmp --  anywhere             anywhere
RETURN     tcp  --  anywhere             91.121.xx.0/24      tcp dpt:8006
RETURN     tcp  --  anywhere             91.121.xx.0/24      tcp dpt:ssh
RETURN     tcp  --  anywhere             91.121.xx.0/24      tcp dpts:5900:5999
RETURN     tcp  --  anywhere             91.121.xx.0/24      tcp dpt:3128
RETURN     all  --  anywhere             anywhere
           all  --  anywhere             anywhere             /* PVESIG:tN93WXM9TRrtDNwpiEQeJvC2jQQ */

Chain PVEFW-INPUT (1 references)
target     prot opt source               destination
PVEFW-HOST-IN  all  --  anywhere             anywhere
           all  --  anywhere             anywhere             /* PVESIG:+5iMmLaxKXynOB/+5xibfx7WhFk */

Chain PVEFW-OUTPUT (1 references)
target     prot opt source               destination
PVEFW-HOST-OUT  all  --  anywhere             anywhere
           all  --  anywhere             anywhere             /* PVESIG:LjHoZeSSiWAG3+2ZAyL/xuEehd0 */

Chain PVEFW-Reject (0 references)
target     prot opt source               destination
PVEFW-reject  tcp  --  anywhere             anywhere             tcp dpt:whois
PVEFW-DropBroadcast  all  --  anywhere             anywhere
ACCEPT     icmp --  anywhere             anywhere             icmp fragmentation-needed
ACCEPT     icmp --  anywhere             anywhere             icmp time-exceeded
DROP       all  --  anywhere             anywhere             ctstate INVALID
PVEFW-reject  udp  --  anywhere             anywhere             multiport dports epmap,microsoft-ds
PVEFW-reject  udp  --  anywhere             anywhere             udp dpts:netbios-ns:netbios-ssn
PVEFW-reject  udp  --  anywhere             anywhere             udp spt:netbios-ns dpts:1024:65535
PVEFW-reject  tcp  --  anywhere             anywhere             multiport dports epmap,netbios-ssn,microsoft-ds
DROP       udp  --  anywhere             anywhere             udp dpt:1900
DROP       tcp  --  anywhere             anywhere             tcp flags:!FIN,SYN,RST,ACK/SYN
DROP       udp  --  anywhere             anywhere             udp spt:domain
           all  --  anywhere             anywhere             /* PVESIG:CZJnIN6rAdpu+ej59QPr9+laMUo */

Chain PVEFW-SET-ACCEPT-MARK (2 references)
target     prot opt source               destination
MARK       all  --  anywhere             anywhere             MARK or 0x80000000
           all  --  anywhere             anywhere             /* PVESIG:Hg/OIgIwJChBUcWU8Xnjhdd2jUY */

Chain PVEFW-logflags (5 references)
target     prot opt source               destination
DROP       all  --  anywhere             anywhere
           all  --  anywhere             anywhere             /* PVESIG:MN4PH1oPZeABMuWr64RrygPfW7A */
 
Bash:
Chain PVEFW-reject (6 references)
target     prot opt source               destination
DROP       all  --  anywhere             anywhere             ADDRTYPE match dst-type BROADCAST
DROP       all  --  base-address.mcast.net/4  anywhere
DROP       icmp --  anywhere             anywhere
REJECT     tcp  --  anywhere             anywhere             reject-with tcp-reset
REJECT     udp  --  anywhere             anywhere             reject-with icmp-port-unreachable
REJECT     icmp --  anywhere             anywhere             reject-with icmp-host-unreachable
REJECT     all  --  anywhere             anywhere             reject-with icmp-host-prohibited
           all  --  anywhere             anywhere             /* PVESIG:Jlkrtle1mDdtxDeI9QaDSL++Npc */

Chain PVEFW-smurflog (2 references)
target     prot opt source               destination
DROP       all  --  anywhere             anywhere
           all  --  anywhere             anywhere             /* PVESIG:2gfT1VMkfr0JL6OccRXTGXo+1qk */

Chain PVEFW-smurfs (2 references)
target     prot opt source               destination
RETURN     all  --  0.0.0.0              anywhere
PVEFW-smurflog  all  --  anywhere             anywhere            [goto]  ADDRTYPE match src-type BROADCAST
PVEFW-smurflog  all  --  base-address.mcast.net/4  anywhere            [goto]
           all  --  anywhere             anywhere             /* PVESIG:HssVe5QCBXd5mc9kC88749+7fag */

Chain PVEFW-tcpflags (0 references)
target     prot opt source               destination
PVEFW-logflags  tcp  --  anywhere             anywhere            [goto]  tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,PSH,URG
PVEFW-logflags  tcp  --  anywhere             anywhere            [goto]  tcp flags:FIN,SYN,RST,PSH,ACK,URG/NONE
PVEFW-logflags  tcp  --  anywhere             anywhere            [goto]  tcp flags:SYN,RST/SYN,RST
PVEFW-logflags  tcp  --  anywhere             anywhere            [goto]  tcp flags:FIN,SYN/FIN,SYN
PVEFW-logflags  tcp  --  anywhere             anywhere            [goto]  tcp spt:0 flags:FIN,SYN,RST,ACK/SYN
           all  --  anywhere             anywhere             /* PVESIG:CMFojwNPqllyqD67NeI5m+bP5mo */

Chain veth100i0-IN (1 references)
target     prot opt source               destination
ACCEPT     udp  --  anywhere             anywhere             udp spt:bootps dpt:bootpc
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:submissions
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:smtp
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:imaps
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:imap2
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:pop3s
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:pop3
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:http
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:https
ACCEPT     tcp  --  anywhere             192.168.0.100        tcp spt:22100 dpt:ssh
ACCEPT     all  --  anywhere             anywhere
           all  --  anywhere             anywhere             /* PVESIG:U14km5lGYIZuGxpdFFShALo767k */

Chain veth100i0-OUT (1 references)
target     prot opt source               destination
PVEFW-SET-ACCEPT-MARK  udp  --  anywhere             anywhere            [goto]  udp spt:bootpc dpt:bootps
DROP       all  --  anywhere             anywhere             MAC ! 82:10:F1:13:81:B5
MARK       all  --  anywhere             anywhere             MARK and 0x7fffffff
PVEFW-SET-ACCEPT-MARK  all  --  anywhere             anywhere            [goto]
           all  --  anywhere             anywhere             /* PVESIG:7NjvPzJvw72YcN9VRjSALmQWgZ8 */
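Added diagnostic script, not part of the post above: `iptables -L` prints only the filter table, so the NAT rule that a private bridge (192.168.0.0/24 on vmbr0) needs to reach the internet through the single public address on enp4s0 would never appear in that output, and neither would the kernel's forwarding setting. The script checks both; subnet and uplink names come from the post, and the RUN_LIVE switch is an assumption so the checks can be exercised without touching a live host.

```shell
#!/bin/sh
# Added diagnostic, not from the forum post. Names from the post: bridge
# subnet 192.168.0.0/24 (vmbr0) and public uplink enp4s0. RUN_LIVE is an
# assumed switch so the pure checks can be exercised without root.
CT_NET="192.168.0.0/24"
WAN_IF="enp4s0"

# forwarding_enabled VALUE: true (0) when net.ipv4.ip_forward reads "1".
forwarding_enabled() {
    [ "$(printf '%s' "$1" | tr -d '[:space:]')" = "1" ]
}

# has_masquerade RULES: true (0) when the text of `iptables -t nat -S POSTROUTING`
# contains a MASQUERADE or SNAT rule for CT_NET leaving through WAN_IF.
# `iptables -L`, as used in the post, lists only the filter table and so
# can never show this rule.
has_masquerade() {
    printf '%s\n' "$1" |
        grep -E "^-A POSTROUTING .*-s ${CT_NET} .*-o ${WAN_IF} .*-j (MASQUERADE|SNAT)" >/dev/null
}

# Constructed samples: a host with no NAT rule, and one with the usual rule.
SAMPLE_NO_NAT='-P POSTROUTING ACCEPT'
SAMPLE_NAT='-P POSTROUTING ACCEPT
-A POSTROUTING -s 192.168.0.0/24 -o enp4s0 -j MASQUERADE'

# live_check: run both checks against the running host and name what is missing.
live_check() {
    rc=0
    if ! forwarding_enabled "$(cat /proc/sys/net/ipv4/ip_forward)"; then
        echo "net.ipv4.ip_forward is 0: the host does not route for $CT_NET"
        rc=1
    fi
    if ! has_masquerade "$(iptables -t nat -S POSTROUTING)"; then
        echo "no MASQUERADE/SNAT for $CT_NET via $WAN_IF in nat POSTROUTING"
        rc=1
    fi
    return $rc
}

# Only touch the live system when explicitly asked (as root on the PVE host).
if [ "${RUN_LIVE:-0}" = 1 ]; then
    live_check && echo "forwarding and NAT for $CT_NET are in place"
fi
```

Run it as `RUN_LIVE=1 sh check-nat.sh` on the host; if both checks pass and the container still stops at 192.168.0.1, the masquerading section of the Proxmox network documentation also notes that with the firewall enabled a conntrack-zone rule on the fwbr+ bridges may additionally be required.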
 
