Datacenter firewall does not work with server's linux vlan.

meocon12

Hello,
I am having problems with a Linux VLAN configured on the server.
I see that the Datacenter firewall does not work with the server's Linux VLAN.

Below is my interface configuration.
Code:
6: vmbr0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
link/ether 73:10:24:fc:b4:84 brd ff:ff:ff:ff:ff:ff
inet 192.162.31.202/24 scope global vmbr0
valid_lft forever preferred_lft forever
inet6 fe80::7220:82ff:fefc:b214/64 scope link
valid_lft forever preferred_lft forever
7: vlan201@vmbr0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
link/ether 73:10:24:fc:b4:84 brd ff:ff:ff:ff:ff:ff
inet 102.212.121.312/24 scope global vlan21
valid_lft forever preferred_lft forever
inet6 fe80::7220:82ff:fefc:b214/64 scope link
valid_lft forever preferred_lft forever

Do you have any way for me to use a firewall for the above vlan?

Thank you!
 
Hello,
Can anyone assist me?
I can't use the firewall for a Linux VLAN on the Proxmox server.
It only works with the default bridge.
I use Proxmox 8.1.4.
 
Hi!

Can you post your firewall configuration? (cat /etc/pve/firewall/cluster.fw)
Can you post the current iptables rules? (iptables-save)
What exactly isn't working and how are you testing it? (e.g. ping,...)

Please post output in CODE tags, so it is more readable.

inet 102.212.121.312/24 scope global vlan21

Is this anonymized by you, or do you actually have 312 configured? The maximum is 255.
 
Hello,
Below is the information:
cat /etc/pve/firewall/cluster.fw
Code:
cat /etc/pve/firewall/cluster.fw
[OPTIONS]

policy_in: DROP
enable: 1

[IPSET myip]

10.10.68.149
10.10.68.150
10.10.68.151
10.10.68.152
10.10.68.153
192.168.22.0/24
192.168.23.0/24

[RULES]

IN ACCEPT -dest +dc/myip -log nolog
IN SSH(ACCEPT) -log nolog
IN Web(ACCEPT) -log nolog
IN Ping(ACCEPT) -log nolog

iptables-save
Code:
 iptables-save
# Generated by iptables-save v1.8.9 on Sat Apr 13 09:11:55 2024
*raw
:PREROUTING ACCEPT [1449314067:8006756262462]
:OUTPUT ACCEPT [931208342:5612190674497]
COMMIT
# Completed on Sat Apr 13 09:11:55 2024
# Generated by iptables-save v1.8.9 on Sat Apr 13 09:11:55 2024
*filter
:INPUT ACCEPT [243560:13847197]
:FORWARD ACCEPT [1759895:206047042]
:OUTPUT ACCEPT [78921:4744068]
:PVEFW-Drop - [0:0]
:PVEFW-DropBroadcast - [0:0]
:PVEFW-FORWARD - [0:0]
:PVEFW-FWBR-IN - [0:0]
:PVEFW-FWBR-OUT - [0:0]
:PVEFW-HOST-IN - [0:0]
:PVEFW-HOST-OUT - [0:0]
:PVEFW-INPUT - [0:0]
:PVEFW-OUTPUT - [0:0]
:PVEFW-Reject - [0:0]
:PVEFW-SET-ACCEPT-MARK - [0:0]
:PVEFW-logflags - [0:0]
:PVEFW-reject - [0:0]
:PVEFW-smurflog - [0:0]
:PVEFW-smurfs - [0:0]
:PVEFW-tcpflags - [0:0]
:tap1095i0-IN - [0:0]
:tap1095i0-OUT - [0:0]
:tap1271i0-IN - [0:0]
:tap1271i0-OUT - [0:0]
:tap1274i0-IN - [0:0]
:tap1274i0-OUT - [0:0]
:tap1285i0-IN - [0:0]
:tap1285i0-OUT - [0:0]
:tap1287i0-IN - [0:0]
:tap1287i0-OUT - [0:0]
:tap1289i0-IN - [0:0]
:tap1289i0-OUT - [0:0]
:tap1291i0-IN - [0:0]
:tap1291i0-OUT - [0:0]
:tap1412i0-IN - [0:0]
:tap1412i0-OUT - [0:0]
:tap1413i0-IN - [0:0]
:tap1413i0-OUT - [0:0]
-A INPUT -j PVEFW-INPUT
-A FORWARD -j PVEFW-FORWARD
-A OUTPUT -j PVEFW-OUTPUT
-A PVEFW-Drop -j PVEFW-DropBroadcast
-A PVEFW-Drop -p icmp -m icmp --icmp-type 3/4 -j ACCEPT
-A PVEFW-Drop -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A PVEFW-Drop -m conntrack --ctstate INVALID -j DROP
-A PVEFW-Drop -p udp -m multiport --dports 135,445 -j DROP
-A PVEFW-Drop -p udp -m udp --dport 137:139 -j DROP
-A PVEFW-Drop -p udp -m udp --sport 137 --dport 1024:65535 -j DROP
-A PVEFW-Drop -p tcp -m multiport --dports 135,139,445 -j DROP
-A PVEFW-Drop -p udp -m udp --dport 1900 -j DROP
-A PVEFW-Drop -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -j DROP
-A PVEFW-Drop -p udp -m udp --sport 53 -j DROP
-A PVEFW-Drop -m comment --comment "PVESIG:83WlR/a4wLbmURFqMQT3uJSgIG8"
-A PVEFW-DropBroadcast -m addrtype --dst-type BROADCAST -j DROP
-A PVEFW-DropBroadcast -m addrtype --dst-type MULTICAST -j DROP
-A PVEFW-DropBroadcast -m addrtype --dst-type ANYCAST -j DROP
-A PVEFW-DropBroadcast -d 224.0.0.0/4 -j DROP
-A PVEFW-DropBroadcast -m comment --comment "PVESIG:NyjHNAtFbkH7WGLamPpdVnxHy4w"
-A PVEFW-FORWARD -m conntrack --ctstate INVALID -j DROP
-A PVEFW-FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A PVEFW-FORWARD -m physdev --physdev-in fwln+ --physdev-is-bridged -j PVEFW-FWBR-IN
-A PVEFW-FORWARD -m physdev --physdev-out fwln+ --physdev-is-bridged -j PVEFW-FWBR-OUT
-A PVEFW-FORWARD -m comment --comment "PVESIG:qnNexOcGa+y+jebd4dAUqFSp5nw"
-A PVEFW-FWBR-IN -m conntrack --ctstate INVALID,NEW -j PVEFW-smurfs
-A PVEFW-FWBR-IN -m physdev --physdev-out tap1095i0 --physdev-is-bridged -j tap1095i0-IN
-A PVEFW-FWBR-IN -m physdev --physdev-out tap1271i0 --physdev-is-bridged -j tap1271i0-IN
-A PVEFW-FWBR-IN -m physdev --physdev-out tap1274i0 --physdev-is-bridged -j tap1274i0-IN
-A PVEFW-FWBR-IN -m physdev --physdev-out tap1285i0 --physdev-is-bridged -j tap1285i0-IN
-A PVEFW-FWBR-IN -m physdev --physdev-out tap1287i0 --physdev-is-bridged -j tap1287i0-IN
-A PVEFW-FWBR-IN -m physdev --physdev-out tap1289i0 --physdev-is-bridged -j tap1289i0-IN
-A PVEFW-FWBR-IN -m physdev --physdev-out tap1291i0 --physdev-is-bridged -j tap1291i0-IN
-A PVEFW-FWBR-IN -m physdev --physdev-out tap1412i0 --physdev-is-bridged -j tap1412i0-IN
-A PVEFW-FWBR-IN -m physdev --physdev-out tap1413i0 --physdev-is-bridged -j tap1413i0-IN
-A PVEFW-FWBR-IN -m comment --comment "PVESIG:/mGtIQa2jfsqUDeM9ula54LTJq0"
-A PVEFW-FWBR-OUT -m physdev --physdev-in tap1095i0 --physdev-is-bridged -j tap1095i0-OUT
-A PVEFW-FWBR-OUT -m physdev --physdev-in tap1271i0 --physdev-is-bridged -j tap1271i0-OUT
-A PVEFW-FWBR-OUT -m physdev --physdev-in tap1274i0 --physdev-is-bridged -j tap1274i0-OUT
-A PVEFW-FWBR-OUT -m physdev --physdev-in tap1285i0 --physdev-is-bridged -j tap1285i0-OUT
-A PVEFW-FWBR-OUT -m physdev --physdev-in tap1287i0 --physdev-is-bridged -j tap1287i0-OUT
-A PVEFW-FWBR-OUT -m physdev --physdev-in tap1289i0 --physdev-is-bridged -j tap1289i0-OUT
-A PVEFW-FWBR-OUT -m physdev --physdev-in tap1291i0 --physdev-is-bridged -j tap1291i0-OUT
-A PVEFW-FWBR-OUT -m physdev --physdev-in tap1412i0 --physdev-is-bridged -j tap1412i0-OUT
-A PVEFW-FWBR-OUT -m physdev --physdev-in tap1413i0 --physdev-is-bridged -j tap1413i0-OUT
-A PVEFW-FWBR-OUT -m comment --comment "PVESIG:caovHazXMCiWGPGtsaNgF1wYG1I"
-A PVEFW-HOST-IN -i lo -j ACCEPT
-A PVEFW-HOST-IN -m conntrack --ctstate INVALID -j DROP
-A PVEFW-HOST-IN -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A PVEFW-HOST-IN -m conntrack --ctstate INVALID,NEW -j PVEFW-smurfs
-A PVEFW-HOST-IN -p igmp -j RETURN
-A PVEFW-HOST-IN -m set --match-set PVEFW-0-myip-v4 dst -j RETURN
-A PVEFW-HOST-IN -p tcp -m tcp --dport 22 -j RETURN
-A PVEFW-HOST-IN -p tcp -m tcp --dport 80 -j RETURN
-A PVEFW-HOST-IN -p tcp -m tcp --dport 443 -j RETURN
-A PVEFW-HOST-IN -p icmp -m icmp --icmp-type 8 -j RETURN
-A PVEFW-HOST-IN -p tcp -m set --match-set PVEFW-0-management-v4 src -m tcp --dport 8006 -j RETURN
-A PVEFW-HOST-IN -p tcp -m set --match-set PVEFW-0-management-v4 src -m tcp --dport 5900:5999 -j RETURN
-A PVEFW-HOST-IN -p tcp -m set --match-set PVEFW-0-management-v4 src -m tcp --dport 3128 -j RETURN
-A PVEFW-HOST-IN -p tcp -m set --match-set PVEFW-0-management-v4 src -m tcp --dport 22 -j RETURN
-A PVEFW-HOST-IN -p tcp -m set --match-set PVEFW-0-management-v4 src -m tcp --dport 60000:60050 -j RETURN
-A PVEFW-HOST-IN -s 192.168.22.202/32 -d 192.168.22.201/32 -p udp -m udp --dport 5404:5405 -j RETURN
-A PVEFW-HOST-IN -s 192.168.23.132/32 -d 192.168.23.131/32 -p udp -m udp --dport 5404:5405 -j RETURN
-A PVEFW-HOST-IN -s 192.168.22.203/32 -d 192.168.22.201/32 -p udp -m udp --dport 5404:5405 -j RETURN
-A PVEFW-HOST-IN -s 192.168.23.133/32 -d 192.168.23.131/32 -p udp -m udp --dport 5404:5405 -j RETURN
-A PVEFW-HOST-IN -s 192.168.22.204/32 -d 192.168.22.201/32 -p udp -m udp --dport 5404:5405 -j RETURN
-A PVEFW-HOST-IN -s 192.168.23.134/32 -d 192.168.23.131/32 -p udp -m udp --dport 5404:5405 -j RETURN
-A PVEFW-HOST-IN -s 192.168.22.205/32 -d 192.168.22.201/32 -p udp -m udp --dport 5404:5405 -j RETURN
-A PVEFW-HOST-IN -s 192.168.23.135/32 -d 192.168.23.131/32 -p udp -m udp --dport 5404:5405 -j RETURN
-A PVEFW-HOST-IN -j PVEFW-Drop
-A PVEFW-HOST-IN -j DROP
-A PVEFW-HOST-IN -m comment --comment "PVESIG:l9Zou7vlDBnR/+cJ7idWMz1ewPM"
-A PVEFW-HOST-OUT -o lo -j ACCEPT
-A PVEFW-HOST-OUT -m conntrack --ctstate INVALID -j DROP
-A PVEFW-HOST-OUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A PVEFW-HOST-OUT -p igmp -j RETURN
-A PVEFW-HOST-OUT -d 192.168.22.0/24 -p tcp -m tcp --dport 8006 -j RETURN
-A PVEFW-HOST-OUT -d 192.168.22.0/24 -p tcp -m tcp --dport 22 -j RETURN
-A PVEFW-HOST-OUT -d 192.168.22.0/24 -p tcp -m tcp --dport 5900:5999 -j RETURN
-A PVEFW-HOST-OUT -d 192.168.22.0/24 -p tcp -m tcp --dport 3128 -j RETURN
-A PVEFW-HOST-OUT -s 192.168.22.201/32 -d 192.168.22.202/32 -p udp -m udp --dport 5404:5405 -j RETURN
-A PVEFW-HOST-OUT -s 192.168.23.131/32 -d 192.168.23.132/32 -p udp -m udp --dport 5404:5405 -j RETURN
-A PVEFW-HOST-OUT -s 192.168.22.201/32 -d 192.168.22.203/32 -p udp -m udp --dport 5404:5405 -j RETURN
-A PVEFW-HOST-OUT -s 192.168.23.131/32 -d 192.168.23.133/32 -p udp -m udp --dport 5404:5405 -j RETURN
-A PVEFW-HOST-OUT -s 192.168.22.201/32 -d 192.168.22.204/32 -p udp -m udp --dport 5404:5405 -j RETURN
-A PVEFW-HOST-OUT -s 192.168.23.131/32 -d 192.168.23.134/32 -p udp -m udp --dport 5404:5405 -j RETURN
-A PVEFW-HOST-OUT -s 192.168.22.201/32 -d 192.168.22.205/32 -p udp -m udp --dport 5404:5405 -j RETURN
-A PVEFW-HOST-OUT -s 192.168.23.131/32 -d 192.168.23.135/32 -p udp -m udp --dport 5404:5405 -j RETURN
-A PVEFW-HOST-OUT -j RETURN
-A PVEFW-HOST-OUT -m comment --comment "PVESIG:Y3zRek1/lraRy1abbwVrIsY2Kmc"
-A PVEFW-INPUT -j PVEFW-HOST-IN
-A PVEFW-INPUT -m comment --comment "PVESIG:+5iMmLaxKXynOB/+5xibfx7WhFk"
-A PVEFW-OUTPUT -j PVEFW-HOST-OUT
-A PVEFW-OUTPUT -m comment --comment "PVESIG:LjHoZeSSiWAG3+2ZAyL/xuEehd0"
-A PVEFW-Reject -j PVEFW-DropBroadcast
-A PVEFW-Reject -p icmp -m icmp --icmp-type 3/4 -j ACCEPT
-A PVEFW-Reject -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A PVEFW-Reject -m conntrack --ctstate INVALID -j DROP
-A PVEFW-Reject -p udp -m multiport --dports 135,445 -j PVEFW-reject
-A PVEFW-Reject -p udp -m udp --dport 137:139 -j PVEFW-reject
-A PVEFW-Reject -p udp -m udp --sport 137 --dport 1024:65535 -j PVEFW-reject
-A PVEFW-Reject -p tcp -m multiport --dports 135,139,445 -j PVEFW-reject
-A PVEFW-Reject -p udp -m udp --dport 1900 -j DROP
-A PVEFW-Reject -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -j DROP
-A PVEFW-Reject -p udp -m udp --sport 53 -j DROP
-A PVEFW-Reject -m comment --comment "PVESIG:h3DyALVslgH5hutETfixGP08w7c"
-A PVEFW-SET-ACCEPT-MARK -j MARK --set-xmark 0x80000000/0x80000000
-A PVEFW-SET-ACCEPT-MARK -m comment --comment "PVESIG:Hg/OIgIwJChBUcWU8Xnjhdd2jUY"
-A PVEFW-logflags -j DROP
-A PVEFW-logflags -m comment --comment "PVESIG:MN4PH1oPZeABMuWr64RrygPfW7A"
-A PVEFW-reject -m addrtype --dst-type BROADCAST -j DROP
-A PVEFW-reject -s 224.0.0.0/4 -j DROP
-A PVEFW-reject -p icmp -j DROP
-A PVEFW-reject -p tcp -j REJECT --reject-with tcp-reset
-A PVEFW-reject -p udp -j REJECT --reject-with icmp-port-unreachable
-A PVEFW-reject -p icmp -j REJECT --reject-with icmp-host-unreachable
-A PVEFW-reject -j REJECT --reject-with icmp-host-prohibited
-A PVEFW-reject -m comment --comment "PVESIG:Jlkrtle1mDdtxDeI9QaDSL++Npc"
-A PVEFW-smurflog -j DROP
-A PVEFW-smurflog -m comment --comment "PVESIG:2gfT1VMkfr0JL6OccRXTGXo+1qk"
-A PVEFW-smurfs -s 0.0.0.0/32 -j RETURN
-A PVEFW-smurfs -m addrtype --src-type BROADCAST -g PVEFW-smurflog
-A PVEFW-smurfs -s 224.0.0.0/4 -g PVEFW-smurflog
-A PVEFW-smurfs -m comment --comment "PVESIG:HssVe5QCBXd5mc9kC88749+7fag"
-A PVEFW-tcpflags -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -g PVEFW-logflags
-A PVEFW-tcpflags -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -g PVEFW-logflags
-A PVEFW-tcpflags -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -g PVEFW-logflags
-A PVEFW-tcpflags -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -g PVEFW-logflags
-A PVEFW-tcpflags -p tcp -m tcp --sport 0 --tcp-flags FIN,SYN,RST,ACK SYN -g PVEFW-logflags
-A PVEFW-tcpflags -m comment --comment "PVESIG:CMFojwNPqllyqD67NeI5m+bP5mo"

COMMIT
# Completed on Sat Apr 13 09:11:55 2024

Is this anonymized by you or do you actually have 312 configured? Maximum is 255

This is the public IP address I set for the Linux VLAN on the Proxmox server, so I modified it. It is working normally; I can connect from the internet.
I want to set a rule for it to block connections from the internet. Only a limited number of servers should be allowed for it.
But currently I'm setting the firewall rule in the datacenter to drop input, and the Proxmox server can still connect to the public IP of the above Linux VLAN.
Do I have to set manual rules for iptables?

Thanks for your support.
 
[Attachment: Capture.JPG]

Hello, This is my configuration.

I created a Linux VLAN on the vmbr0 bridge.
Proxmox's firewall doesn't work with this VLAN.
Has anyone encountered this situation?

Thank you!
 
But the proxmox server can still connect to the public ip of the above linux vlan.
Do I have to set manual rules for iptables?

So you are trying to reach the public IP from the same server where the IP is configured? How are you trying to reach it? Ping? SSH?
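As an added illustration, not code from the thread or from Proxmox: a small Python model of the PVEFW-HOST-IN chain from the iptables-save output above, evaluated against constructed packets. It shows that a test run on the host itself arrives on lo and is accepted by the very first rule before any datacenter rule is consulted, while the same port from the internet falls through to the final DROP. 203.0.113.10 and 198.51.100.7 are placeholder addresses, and the PVEFW-0-management-v4 rules are skipped as an assumption because the set's members are not shown in the thread.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed copy of the [IPSET myip] members from the cluster.fw above.
MYIP = [ip_network(n) for n in (
    "10.10.68.149/32", "10.10.68.150/32", "10.10.68.151/32", "10.10.68.152/32",
    "10.10.68.153/32", "192.168.22.0/24", "192.168.23.0/24")]

@dataclass
class Packet:
    iface: str            # input interface; "lo" for traffic the host sends to itself
    src: str
    dst: str
    proto: str            # "tcp", "udp" or "icmp"
    dport: int = 0        # TCP/UDP destination port, or ICMP type when proto == "icmp"
    ctstate: str = "NEW"  # conntrack state: NEW, ESTABLISHED, RELATED or INVALID

def pvefw_host_in(p: Packet) -> str:
    """Verdict of PVEFW-HOST-IN in the rule order of the iptables-save dump above.
    RETURN leaves the chain and hits INPUT's ACCEPT policy, so the packet is delivered.
    Assumption: the PVEFW-0-management-v4 rules are skipped (set members not shown)."""
    if p.iface == "lo":                                 # -A PVEFW-HOST-IN -i lo -j ACCEPT
        return "ACCEPT"
    if p.ctstate == "INVALID":                          # --ctstate INVALID -j DROP
        return "DROP"
    if p.ctstate in ("RELATED", "ESTABLISHED"):         # replies to existing flows
        return "ACCEPT"
    if any(ip_address(p.dst) in n for n in MYIP):       # IN ACCEPT -dest +dc/myip
        return "RETURN"
    if p.proto == "tcp" and p.dport in (22, 80, 443):   # SSH(ACCEPT) and Web(ACCEPT) macros
        return "RETURN"
    if p.proto == "icmp" and p.dport == 8:              # Ping(ACCEPT) macro: echo request
        return "RETURN"
    return "DROP"                                       # -j PVEFW-Drop, then -j DROP (policy_in: DROP)

# Constructed samples; 203.0.113.10 stands in for the anonymized public VLAN IP, 198.51.100.7 for an internet host.
PUBLIC_VLAN_IP = "203.0.113.10"
SAMPLES = {
    # A test run on the host itself is routed over lo and accepted by the very first rule,
    # so it never exercises the datacenter rules at all.
    "local_test_8006": Packet("lo", PUBLIC_VLAN_IP, PUBLIC_VLAN_IP, "tcp", 8006),
    # The same port from the internet, arriving on the VLAN interface, reaches the final DROP.
    "internet_8006": Packet("vlan201", "198.51.100.7", PUBLIC_VLAN_IP, "tcp", 8006),
    # SSH from the internet is let in because SSH(ACCEPT) carries no source restriction.
    "internet_ssh": Packet("vlan201", "198.51.100.7", PUBLIC_VLAN_IP, "tcp", 22),
    # Traffic to the cluster network matches the myip IPSET rule.
    "cluster_net": Packet("vmbr0", "192.168.22.202", "192.168.22.201", "udp", 5405),
}

def verdicts() -> dict:
    """Map each sample name to its PVEFW-HOST-IN verdict."""
    return {name: pvefw_host_in(p) for name, p in SAMPLES.items()}
```

Testing from the host itself therefore proves nothing about the datacenter rules; the check has to come from a machine on the other side of the VLAN interface.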
 