DROP not working on CT/VM

Lucian Lazar

Apr 23, 2018
Hi all, I have a strange problem and I am struggling to find a solution.
I am running pve-manager/5.4-13/aee6f0ec (running kernel: 4.15.18-21-pve)

On whatever CT/VM, if I add a rule "DROP" or "REJECT", it does not work.
Example: IN DROP -source 165.227.165.224/32 -log nolog
The IP address 165.227.165.224 is still able to connect just fine. I have also tried to add this IP into the blacklist IPSet, then adding "drop all from ipset_name", but same result.

CT firewall:

Bash:
[OPTIONS]

ipfilter: 1
log_level_in: nolog
radv: 0
macfilter: 1
enable: 1
ndp: 0
dhcp: 0

[RULES]
IN DROP -source 165.227.165.224/32 -log nolog


GROUP web


Host.fw on each node:

Bash:
[OPTIONS]
tcpflags: 1
ndp: 0
[RULES]
IN HTTP(ACCEPT) -log nolog
GROUP storage
GROUP proxmox


and cluster.fw:


Bash:
[OPTIONS]

ebtables: 1
enable: 1


[IPSET blacklist]

165.227.165.224

[IPSET constanta]

82.79.12.122

[IPSET milano]

109.168.54.64/28
78.6.25.208/29

[IPSET roma]

195.78.209.80/28

[IPSET storage]

192.168.150.0/24
192.168.152.0/24

[IPSET verizon]

185.70.116.0/22
185.70.117.0/24
195.78.209.87
212.177.183.128/27
212.4.14.192/28
212.4.14.206
212.4.22.0/28
212.4.24.64/26
212.4.7.112/28

[group proxmox]

IN SSH(ACCEPT) -source +storage -log nolog
IN ACCEPT -source +storage -p tcp -dport 8006 -log nolog
IN Ping(ACCEPT) -source +storage -log nolog
IN Ping(ACCEPT) -source +constanta -log nolog
IN ACCEPT -source +constanta -p tcp -dport 8006 -log nolog
IN SSH(ACCEPT) -source +constanta -log nolog
IN Ping(ACCEPT) -source +milano -log nolog
IN Ping(ACCEPT) -source +verizon -log nolog
IN SSH(ACCEPT) -source +verizon -log nolog
IN SSH(ACCEPT) -source +milano -log nolog
IN ACCEPT -source +verizon -p tcp -dport 8006 -log nolog
IN ACCEPT -source +milano -p tcp -dport 8006 -log nolog


[group storage]

IN Ping(ACCEPT) -source +storage -log nolog
IN Ceph(ACCEPT) -source +storage -log nolog

[group web]

IN DROP -source +blacklist -log nolog
IN Webmin(ACCEPT) -source +verizon -log nolog
IN Webmin(ACCEPT) -source +roma -log nolog
IN Webmin(ACCEPT) -source +milano -log nolog
IN Webmin(ACCEPT) -source +constanta -log nolog
IN ACCEPT -p tcp -dport 21 -log nolog
IN FTP(ACCEPT) -log nolog
IN HTTPS(ACCEPT) -log nolog
IN HTTP(ACCEPT) -log nolog
IN ACCEPT -p tcp -dport 30000:50000 -log nolog # FTP Passive





pve-firewall compile reports "no changes" and there is no error. I also tried pve-firewall restart without any issue.
The firewall filters all open/closed ports correctly, but it does not block using DROP or REJECT rules.
What can I do?
Thank you!
 
Hi,
did you check that the firewall is enabled not only for the VM/CT but also for the corresponding NICs?
We allow fine-grained control over which NICs are firewalled.
Please post the config for the corresponding VM (cat /etc/pve/local/qemu-server/<VMID>.conf, executed on the corresponding node).
 
Thank you for your reply. Yes, I made sure that the firewall flag is enabled under the NIC in the container network settings. I have double-checked the following:
  1. firewall is enabled cluster-wide
  2. firewall is enabled on the node this container sits on
  3. firewall is enabled in the container firewall options
  4. firewall flag is checked under network settings
  5. pve-firewall status reports running and no warning/error
  6. pve-firewall compile reports no pending changes
  7. no other iptables script or software is running on either cluster node

Here is the container config:

Bash:
#Server WEB Gabel
arch: amd64
cores: 2
hostname: sthweb64.soteha.com
memory: 8192
net0: name=eth0,bridge=vmbr0,firewall=1,gw=185.70.117.1,hwaddr=16:E0:D4:38:1E:D3,ip=185.70.117.46/32,ip6=auto,tag=2002,type=veth
ostype: ubuntu
rootfs: ProxmoxCT_NL1:147/vm-147-disk-0.raw,size=250G
searchdomain: soteha.com
swap: 0

The weird thing is that the firewall correctly filters out all requests to ports that are not allowed, but simply ignores any rule starting with DROP or REJECT.
If I have both ports 80 and 443 listening on the container and I only enable port 443 in the firewall, iptables filters correctly and does not allow connections on port 80. However, if I want to add another rule that blocks all requests from a certain IP to port 443, it does not work...
Any clues?
Thank you
 
Please check if the actual rule exists in the output of iptables-save.
You should get a rule that looks something like -A tap100i0-IN -s 165.227.165.224/32 -j DROP.
Also make sure there are no established connections, as conntrack will allow those.
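As an added illustration of the two checks suggested above (not code from the thread or from Proxmox): a small POSIX shell diagnostic that parses iptables-save output for the CT's IN chain and counts conntrack entries that would bypass a freshly added DROP. It assumes Proxmox's chain naming, veth<CTID>i<n>-IN for containers (tap<VMID>i<n>-IN for VMs), so CT 147 from the thread maps to veth147i0-IN; the iptables-save and conntrack lines are constructed samples.

```shell
#!/bin/sh
# Added diagnostic (not from the thread or from Proxmox) for the two checks in
# the reply above: is the DROP actually in the CT's chain, and are there
# ESTABLISHED flows that conntrack lets through regardless of the new rule?
# Chain name assumed from Proxmox naming: veth<CTID>i<n>-IN for containers,
# tap<VMID>i<n>-IN for VMs; CT 147 from the thread gives veth147i0-IN.

# Constructed sample of iptables-save output after the DROP has been applied.
SAMPLE_RULES='*filter
:veth147i0-IN - [0:0]
-A veth147i0-IN -s 165.227.165.224/32 -j DROP
-A veth147i0-IN -p tcp -m tcp --dport 443 -j ACCEPT
-A veth147i0-IN -j PVEFW-Drop
COMMIT'

# Constructed sample in "conntrack -L" style: one flow from the blacklisted
# IP is still ESTABLISHED, so it keeps passing until it ends or is flushed.
SAMPLE_CONNTRACK='tcp      6 431999 ESTABLISHED src=165.227.165.224 dst=185.70.117.46 sport=51234 dport=443 src=185.70.117.46 dst=165.227.165.224 sport=443 dport=51234 [ASSURED] mark=0 use=1
tcp      6 118 TIME_WAIT src=82.79.12.122 dst=185.70.117.46 sport=40000 dport=80 src=185.70.117.46 dst=82.79.12.122 sport=80 dport=40000 [ASSURED] mark=0 use=1'

# drop_rule_present IFACE IP   (iptables-save text on stdin)
# Prints "drop" if the first rule naming IP in IFACE-IN is DROP/REJECT,
# "accept" if an ACCEPT for IP comes first, "missing" if no rule names IP.
drop_rule_present() {
    awk -v chain="-A $1-IN" -v ip="$2" '
        index($0, chain) != 1 { next }
        index($0, "-s " ip "/") == 0 && index($0, "-s " ip " ") == 0 { next }
        /-j (DROP|REJECT)/ { verdict = "drop"; exit }
        /-j ACCEPT/        { verdict = "accept"; exit }
        END { if (verdict == "") verdict = "missing"; print verdict }'
}

# established_from IP   (conntrack -L text on stdin)
# Counts ESTABLISHED flows whose original direction starts at IP.
established_from() {
    awk -v ip="$1" '
        $4 == "ESTABLISHED" && index($0, "src=" ip " ") > 0 { n++ }
        END { print n + 0 }'
}

# On a live node feed the real tables instead of the samples:
#   iptables-save | drop_rule_present veth147i0 165.227.165.224
#   conntrack -L 2>/dev/null | established_from 165.227.165.224
rule=$(printf '%s\n' "$SAMPLE_RULES" | drop_rule_present veth147i0 165.227.165.224)
flows=$(printf '%s\n' "$SAMPLE_CONNTRACK" | established_from 165.227.165.224)
echo "rule in chain: $rule; ESTABLISHED flows from the IP: $flows"
```

A "missing" verdict points at the rule never being compiled into the chain (the pve-firewall restart case further down), while a "drop" verdict with a non-zero flow count points at conntrack keeping an older session alive.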
 
I had the same problem on Proxmox 5.4 (firewall running, 4 levels activated, communication between containers on an internal bridge, added IN DROP on top of the container rules, but still accessible).
pve-firewall compile didn't help.

pve-firewall restart solved the problem and finally applied the DROP.

If that can help ...
 
