Enabled UFW, allowed rules - Nothing accessible anymore

webass

Active Member
May 14, 2015
Hi,
after I enabled iptables over UFW and set up a very short rule set with some ports open, but SSH and the port 8006 for using proxmox frontend in every case, my colleague started to do any stuff when I was away and probably thought he broke anything and made a system restart.

The proxmox is running on an ubuntu as base.

The restart closed us completely out.

I have to go over a Lara console on hetzner to enter the machine again.
And I really thought he deleted anyhow the whole machine, which would not have explained why I cannot enter the ubuntu anymore.

So, when inside I disabled the firewall with ufw disable and everything was running.

I assume that this is not going to be as easy as I thought it would be.

But how did it happen, that I couldn't enter the Ubuntu anymore?
What is the best firewall option and tutorial to set it up in this environment with Windows running on KVMs in the proxmox?

Thx in advance.
Andre
 
Proxmox VE on Ubuntu? Proxmox VE is based on Debian, Ubuntu never works.
 
Ok, I am sorry.
Then it's Debian.
Just because I used to work the last time with ubuntu--

Now... everything is standard... just how to make it?
My initial question please, can it be answered?
 
Pretty sure Proxmox doesn't incorporate support for UFW. Only native IPTables which can now be done via the GUI anyway.

The idea I had was, that the debian with proxmox should itself be secured.

Is it going to be more layers? firewall for the proxmox on debian and the KVMs?

Or the proxmox panel gets a second firewall and the KVMs just utilize them (through the GUI)?
 
Proxmox / Debian itself is secured using the standard de-facto IPTables firewall which in turn can also firewall the virtual ports which the VM's create on the bridges you use. Thus allowing a single firewall on the proxmox host to serve as protection for both the host and the VM's which bridge onto its NIC's as well.

Although IPTables isn't that difficult, the Proxmox GUI provides a pain free method of managing the host firewall. Each VM can of course make use of its own firewall as well as the proxmox host IPTables.
 
Perfect.
So the firewall settings I find in Datacenter are global and the GUI acts as a substitute/alternative for tools like UFW or APF in securing the whole host? Right?
And if I want to have clients run Windows in KVM, I use a VM Firewall on panel and additionally the guest firewall can be used... Just as the whole picture implements.
Right?

This sounds neat.
 
Yes that is correct. The proxmox firewall found under datacenter applies to all hosts. You can also configure it at a host level and on individual VM level. All it is is a GUI front end for IPTables.

You are also able to use the guest firewall within VM's as well.

On one of my large deployments for example I use the DC level firewall to control access to the hosts in my cluster. I then configure the proxmox firewall for each VM to control access to that individual VM. This is ideal, for example, if you are running a hosted multi-tenanted environment and want to restrict visibility of the local subnet/other machines on it by not using the guest firewall which can be changed by the user. Allows you to lock VMs' network access down on a per VM level and without the actual VM users being able to change stuff.
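
The layering described in this answer, written out as the firewall files the Proxmox GUI edits. This is an added example, not configuration posted by anyone in the thread; the addresses (documentation ranges), the `admins` IP set name and VMID 101 are constructed.

```ini
# /etc/pve/firewall/cluster.fw
# Datacenter level: these rules apply to every host in the cluster.
[OPTIONS]
enable: 1
policy_in: DROP

[IPSET admins]
# Constructed admin source addresses
198.51.100.10
198.51.100.11

[RULES]
# SSH and the web GUI on port 8006 stay reachable for admins only
IN SSH(ACCEPT) -source +admins
IN ACCEPT -p tcp -dport 8006 -source +admins

# /etc/pve/firewall/101.fw
# VM level: enforced on the host, so the tenant inside VM 101 cannot change it.
[OPTIONS]
enable: 1
policy_in: DROP

[RULES]
# RDP only from the tenant's office address (constructed)
IN ACCEPT -p tcp -dport 3389 -source 192.0.2.25
# No traffic to neighbours on the shared subnet (constructed range)
OUT DROP -dest 203.0.113.0/24
```

VM-level rules only take effect when the firewall option is also enabled on the VM's network device. `pve-firewall compile` prints the generated iptables rules so they can be reviewed before relying on them.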
 
This is great.

I want to test it on Virtual box before I set it to a running live server...

BTW, I often heard the words public in this relevance... Which means, when I have real VPS business going on and use linux servers to run as guest on which people then set up websites and shops and stuff, then it is very public, cause the IPs have to be used for public reach and so...
But when I use a host to run some VMs in KVM Windows to use it as an "online office", this is not so far public, only when people can visit websites where others see their IP or when they anyhow else go out to the internet and expose the IP, while emailing or whatever...
But also only when we have set a public IP per KVM right?
Else only the host IP is seen, which proxmox runs on... Right?

And these Windows KVMs are not as much under attack as websites, aren't they? From the nature of things, or are they (of course have to be secured)?
 
Trying to ask if KVM with Windows running is less under attack than websites that run on a linux VPS with apache...
or also when one is using KVM with Win Server and the website runs publicly...
Generally... If a website is more under attack than a login form to a Windows machine, like Win 7 on a KVM?
 
Anything with a public address is subject to attack. It doesn't matter what hypervisor the VM is running on or if it is running on physical hardware.

I would trust a website running under Linux more so than Windows.
 
So, a Windows machine running on a KVM in proxmox (to name it all now) is as much under attack as a normal website cause the host's IP is public?
 
Why wouldn't it be? Why would the fact that it's a VM change anything? If you have a public service hosted on a public IP, it is at risk. Period.
 
Ok, thanks for clearing it up. Dunno really why I came to this conclusion. Maybe cause I thought it would only be login form hacking possible on the windows login. On websites there are much more ways of possible attacking I thought... this is where I came from...
 
One more stupid idea:
But the console noVNC inside of the proxmox is not necessarily a RDP connection... not?
I mean maybe not at all.
So, if a client only gets the ability to enter over his user login into proxmox and from there into the machine over the consoles in proxmox, does it make it slightly more secure?
 
That is not an rdp connection.

Since the entry point is proxmox and not a direct connection to the console, it is more secure than opening up an rdp service to the web.
 
