Hi,
We've been looking into enabling firewall on our PVE.
A VM is running Windows serving Microsoft AlwaysOn IKEv2 to clients.
When the firewall is enabled at the cluster (datacenter) level, new clients can no longer authenticate; existing connections continue to function until they disconnect.
As soon as it's disabled everything starts working again.
INPUT/OUTPUT policy is set to ACCEPT on the host, and the firewall is disabled on the VM. (Note that the host-wide FORWARD chain, including its conntrack INVALID drop, appears to still apply to bridged VM traffic regardless of the per-VM firewall setting — see the non-zero counter on that rule below.)
I've poked around in iptables, but haven't been able to figure out where the culprit is.
AFAIK everything is UDP encapsulated (IKE on UDP 500, then UDP 4500 once NAT-T is negotiated). Caveat: if no NAT is detected between client and server, IKEv2 carries ESP as raw IP protocol 50 rather than inside UDP, so conntrack would then be tracking a non-UDP flow.
Any ideas on where the problem is?
//René
We've been looking into enabling firewall on our PVE.
A VM is running Windows serving Microsoft AlwaysOn IKEv2 to clients.
When the firewall is enabled at the cluster (datacenter) level, new clients can no longer authenticate; existing connections continue to function until they disconnect.
As soon as it's disabled everything starts working again.
INPUT/OUTPUT policy is set to ACCEPT on the host, and the firewall is disabled on the VM. (Note that the host-wide FORWARD chain, including its conntrack INVALID drop, appears to still apply to bridged VM traffic regardless of the per-VM firewall setting — see the non-zero counter on that rule below.)
I've poked around in iptables, but haven't been able to figure out where the culprit is.
AFAIK everything is UDP encapsulated (IKE on UDP 500, then UDP 4500 once NAT-T is negotiated). Caveat: if no NAT is detected between client and server, IKEv2 carries ESP as raw IP protocol 50 rather than inside UDP, so conntrack would then be tracking a non-UDP flow.
Code:
# iptables-save -c
# Generated by iptables-save v1.8.7 on Tue Sep 20 11:52:34 2022
# mangle table: no rules, only the built-in chains with ACCEPT policies.
*mangle
:PREROUTING ACCEPT [18415975:36425286494]
:INPUT ACCEPT [3121189:16031527824]
:FORWARD ACCEPT [4609443:12339749658]
:OUTPUT ACCEPT [3308441:12383625079]
:POSTROUTING ACCEPT [7917812:24723371857]
COMMIT
# Completed on Tue Sep 20 11:52:34 2022
# Generated by iptables-save v1.8.7 on Tue Sep 20 11:52:34 2022
# nat table: no rules, so the host itself performs no NAT on this traffic.
*nat
:PREROUTING ACCEPT [109791:51641616]
:INPUT ACCEPT [118:11049]
:OUTPUT ACCEPT [557:73807]
:POSTROUTING ACCEPT [916:273295]
COMMIT
# Completed on Tue Sep 20 11:52:34 2022
# Generated by iptables-save v1.8.7 on Tue Sep 20 11:52:34 2022
# raw table: no rules, so nothing is exempted from conntrack (no NOTRACK);
# every flow, including the VPN traffic, is state-tracked.
*raw
:PREROUTING ACCEPT [1767003:9281095462]
:OUTPUT ACCEPT [134988:1076223305]
COMMIT
# Completed on Tue Sep 20 11:52:34 2022
# Generated by iptables-save v1.8.7 on Tue Sep 20 11:52:34 2022
# filter table. All three built-in policies are ACCEPT, so a packet that
# RETURNs out of the PVEFW-* chains is accepted; only explicit DROP/REJECT
# targets can block anything here.
*filter
:INPUT ACCEPT [44:2829]
:FORWARD ACCEPT [1902:1609779]
:OUTPUT ACCEPT [703:598450]
:PVEFW-Drop - [0:0]
:PVEFW-DropBroadcast - [0:0]
:PVEFW-FORWARD - [0:0]
:PVEFW-FWBR-IN - [0:0]
:PVEFW-FWBR-OUT - [0:0]
:PVEFW-HOST-IN - [0:0]
:PVEFW-HOST-OUT - [0:0]
:PVEFW-INPUT - [0:0]
:PVEFW-OUTPUT - [0:0]
:PVEFW-Reject - [0:0]
:PVEFW-SET-ACCEPT-MARK - [0:0]
:PVEFW-logflags - [0:0]
:PVEFW-reject - [0:0]
:PVEFW-smurflog - [0:0]
:PVEFW-smurfs - [0:0]
:PVEFW-tcpflags - [0:0]
# Entry jumps from the built-in chains into the pve-firewall managed chains.
[56775:353423696] -A INPUT -j PVEFW-INPUT
[697770:4266314834] -A FORWARD -j PVEFW-FORWARD
# NOTE(review): this rule sits directly in the built-in OUTPUT chain and has
# no PVESIG marker, so it was presumably added by hand; it has 0 hits. Host
# OUTPUT is not the path the VM's VPN traffic takes (that is bridged and
# shows up in FORWARD), and OUTPUT's policy is already ACCEPT, so it does
# nothing here and may be discarded when pve-firewall regenerates its
# ruleset — confirm its origin.
[0:0] -A OUTPUT -p udp -m udp --dport 4500 -j ACCEPT
[54559:766071874] -A OUTPUT -j PVEFW-OUTPUT
# PVEFW-Drop / PVEFW-Reject: helper chains for DROP/REJECT actions. Nothing
# in this dump jumps to either of them and all counters are zero.
[0:0] -A PVEFW-Drop -j PVEFW-DropBroadcast
[0:0] -A PVEFW-Drop -p icmp -m icmp --icmp-type 3/4 -j ACCEPT
[0:0] -A PVEFW-Drop -p icmp -m icmp --icmp-type 11 -j ACCEPT
[0:0] -A PVEFW-Drop -m conntrack --ctstate INVALID -j DROP
[0:0] -A PVEFW-Drop -p udp -m multiport --dports 135,445 -j DROP
[0:0] -A PVEFW-Drop -p udp -m udp --dport 137:139 -j DROP
[0:0] -A PVEFW-Drop -p udp -m udp --sport 137 --dport 1024:65535 -j DROP
[0:0] -A PVEFW-Drop -p tcp -m multiport --dports 135,139,445 -j DROP
[0:0] -A PVEFW-Drop -p udp -m udp --dport 1900 -j DROP
[0:0] -A PVEFW-Drop -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -j DROP
[0:0] -A PVEFW-Drop -p udp -m udp --sport 53 -j DROP
[0:0] -A PVEFW-Drop -m comment --comment "PVESIG:83WlR/a4wLbmURFqMQT3uJSgIG8"
[0:0] -A PVEFW-DropBroadcast -m addrtype --dst-type BROADCAST -j DROP
[0:0] -A PVEFW-DropBroadcast -m addrtype --dst-type MULTICAST -j DROP
[0:0] -A PVEFW-DropBroadcast -m addrtype --dst-type ANYCAST -j DROP
[0:0] -A PVEFW-DropBroadcast -d 224.0.0.0/4 -j DROP
[0:0] -A PVEFW-DropBroadcast -m comment --comment "PVESIG:NyjHNAtFbkH7WGLamPpdVnxHy4w"
# PVEFW-FORWARD. The host has a single bridge and no routed interfaces, so the
# ~698k packets seen here are almost certainly bridged VM traffic (bridge
# netfilter hooks). Counters add up: 13 dropped + 695929 established + 1828
# fell through to the FORWARD policy (ACCEPT) = 697770 entering.
# NOTE(review): the INVALID drop below is the ONLY drop rule with a non-zero
# counter in the whole dump. The first thing to check is whether those 13
# drops line up with the failing IKE_AUTH exchanges, e.g. temporarily:
#   iptables -I PVEFW-FORWARD 1 -m conntrack --ctstate INVALID -j LOG --log-prefix "fw-invalid: "
# and `conntrack -S` for the per-CPU invalid counters. Existing SAs surviving
# while new ones fail is consistent with their flows already being
# RELATED,ESTABLISHED (accepted by the next rule).
[13:520] -A PVEFW-FORWARD -m conntrack --ctstate INVALID -j DROP
[695929:4265962535] -A PVEFW-FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# Per-VM firewall bridge links (fwln+). Zero hits, consistent with the VM's
# firewall being disabled; the FWBR-IN/OUT chains are therefore never reached.
[0:0] -A PVEFW-FORWARD -m physdev --physdev-in fwln+ --physdev-is-bridged -j PVEFW-FWBR-IN
[0:0] -A PVEFW-FORWARD -m physdev --physdev-out fwln+ --physdev-is-bridged -j PVEFW-FWBR-OUT
[1828:351779] -A PVEFW-FORWARD -m comment --comment "PVESIG:qnNexOcGa+y+jebd4dAUqFSp5nw"
[0:0] -A PVEFW-FWBR-IN -m conntrack --ctstate INVALID,NEW -j PVEFW-smurfs
[0:0] -A PVEFW-FWBR-IN -m comment --comment "PVESIG:Ijl7/xz0DD7LF91MlLCz0ybZBE0"
[0:0] -A PVEFW-FWBR-OUT -m comment --comment "PVESIG:2jmj7l5rSw0yVb/vlWAYkK/YBwk"
# PVEFW-HOST-IN: traffic to the host itself (172.16.116.123). Matches here
# RETURN rather than ACCEPT; the final unconditional RETURN means everything
# ends up at the INPUT policy (ACCEPT), i.e. the host chain is effectively
# permissive apart from the INVALID drop and the smurf check.
[0:0] -A PVEFW-HOST-IN -i lo -j ACCEPT
[0:0] -A PVEFW-HOST-IN -m conntrack --ctstate INVALID -j DROP
[56731:353420867] -A PVEFW-HOST-IN -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
[44:2829] -A PVEFW-HOST-IN -m conntrack --ctstate INVALID,NEW -j PVEFW-smurfs
[0:0] -A PVEFW-HOST-IN -p igmp -j RETURN
# Management services (web UI 8006, VNC 5900-5999, spiceproxy 3128, SSH 22,
# migration 60000-60050) from the management ipset.
[14:840] -A PVEFW-HOST-IN -p tcp -m set --match-set PVEFW-0-management-v4 src -m tcp --dport 8006 -j RETURN
[0:0] -A PVEFW-HOST-IN -p tcp -m set --match-set PVEFW-0-management-v4 src -m tcp --dport 5900:5999 -j RETURN
[0:0] -A PVEFW-HOST-IN -p tcp -m set --match-set PVEFW-0-management-v4 src -m tcp --dport 3128 -j RETURN
[25:1520] -A PVEFW-HOST-IN -p tcp -m set --match-set PVEFW-0-management-v4 src -m tcp --dport 22 -j RETURN
[0:0] -A PVEFW-HOST-IN -p tcp -m set --match-set PVEFW-0-management-v4 src -m tcp --dport 60000:60050 -j RETURN
# UDP 5404:5405 (corosync) from what are presumably the other cluster nodes.
[0:0] -A PVEFW-HOST-IN -s 10.23.130.21/32 -d 172.16.116.123/32 -p udp -m udp --dport 5404:5405 -j RETURN
[0:0] -A PVEFW-HOST-IN -s 172.20.130.71/32 -d 172.16.116.123/32 -p udp -m udp --dport 5404:5405 -j RETURN
[0:0] -A PVEFW-HOST-IN -s 172.20.130.72/32 -d 172.16.116.123/32 -p udp -m udp --dport 5404:5405 -j RETURN
[0:0] -A PVEFW-HOST-IN -s 172.20.130.73/32 -d 172.16.116.123/32 -p udp -m udp --dport 5404:5405 -j RETURN
[0:0] -A PVEFW-HOST-IN -s 172.16.116.124/32 -d 172.16.116.123/32 -p udp -m udp --dport 5404:5405 -j RETURN
[0:0] -A PVEFW-HOST-IN -s 172.16.116.128/32 -d 172.16.116.123/32 -p udp -m udp --dport 5404:5405 -j RETURN
# Catch-all RETURN: anything not matched above falls through to policy ACCEPT.
[5:469] -A PVEFW-HOST-IN -j RETURN
[0:0] -A PVEFW-HOST-IN -m comment --comment "PVESIG:vDXmhZxYWc13M0im3nJmGKJMwrI"
# PVEFW-HOST-OUT: mirror of HOST-IN for traffic originating on the host; also
# ends in an unconditional RETURN to the OUTPUT policy (ACCEPT).
[0:0] -A PVEFW-HOST-OUT -o lo -j ACCEPT
[0:0] -A PVEFW-HOST-OUT -m conntrack --ctstate INVALID -j DROP
[53856:765473424] -A PVEFW-HOST-OUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
[0:0] -A PVEFW-HOST-OUT -p igmp -j RETURN
[0:0] -A PVEFW-HOST-OUT -d 172.16.116.0/24 -p tcp -m tcp --dport 8006 -j RETURN
[22:1320] -A PVEFW-HOST-OUT -d 172.16.116.0/24 -p tcp -m tcp --dport 22 -j RETURN
[0:0] -A PVEFW-HOST-OUT -d 172.16.116.0/24 -p tcp -m tcp --dport 5900:5999 -j RETURN
[0:0] -A PVEFW-HOST-OUT -d 172.16.116.0/24 -p tcp -m tcp --dport 3128 -j RETURN
[1:108] -A PVEFW-HOST-OUT -s 172.16.116.123/32 -d 10.23.130.21/32 -p udp -m udp --dport 5404:5405 -j RETURN
[1:108] -A PVEFW-HOST-OUT -s 172.16.116.123/32 -d 172.20.130.71/32 -p udp -m udp --dport 5404:5405 -j RETURN
[1:108] -A PVEFW-HOST-OUT -s 172.16.116.123/32 -d 172.20.130.72/32 -p udp -m udp --dport 5404:5405 -j RETURN
[1:108] -A PVEFW-HOST-OUT -s 172.16.116.123/32 -d 172.20.130.73/32 -p udp -m udp --dport 5404:5405 -j RETURN
[1:108] -A PVEFW-HOST-OUT -s 172.16.116.123/32 -d 172.16.116.124/32 -p udp -m udp --dport 5404:5405 -j RETURN
[1:108] -A PVEFW-HOST-OUT -s 172.16.116.123/32 -d 172.16.116.128/32 -p udp -m udp --dport 5404:5405 -j RETURN
[675:596482] -A PVEFW-HOST-OUT -j RETURN
[0:0] -A PVEFW-HOST-OUT -m comment --comment "PVESIG:V+dDKl35udN5PJDzVU7Jf2WRJis"
[56775:353423696] -A PVEFW-INPUT -j PVEFW-HOST-IN
[44:2829] -A PVEFW-INPUT -m comment --comment "PVESIG:+5iMmLaxKXynOB/+5xibfx7WhFk"
[54559:766071874] -A PVEFW-OUTPUT -j PVEFW-HOST-OUT
[703:598450] -A PVEFW-OUTPUT -m comment --comment "PVESIG:LjHoZeSSiWAG3+2ZAyL/xuEehd0"
[0:0] -A PVEFW-Reject -j PVEFW-DropBroadcast
[0:0] -A PVEFW-Reject -p icmp -m icmp --icmp-type 3/4 -j ACCEPT
[0:0] -A PVEFW-Reject -p icmp -m icmp --icmp-type 11 -j ACCEPT
[0:0] -A PVEFW-Reject -m conntrack --ctstate INVALID -j DROP
[0:0] -A PVEFW-Reject -p udp -m multiport --dports 135,445 -j PVEFW-reject
[0:0] -A PVEFW-Reject -p udp -m udp --dport 137:139 -j PVEFW-reject
[0:0] -A PVEFW-Reject -p udp -m udp --sport 137 --dport 1024:65535 -j PVEFW-reject
[0:0] -A PVEFW-Reject -p tcp -m multiport --dports 135,139,445 -j PVEFW-reject
[0:0] -A PVEFW-Reject -p udp -m udp --dport 1900 -j DROP
[0:0] -A PVEFW-Reject -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -j DROP
[0:0] -A PVEFW-Reject -p udp -m udp --sport 53 -j DROP
[0:0] -A PVEFW-Reject -m comment --comment "PVESIG:h3DyALVslgH5hutETfixGP08w7c"
# Sets the high mark bit; not referenced by any rule in this dump.
[0:0] -A PVEFW-SET-ACCEPT-MARK -j MARK --set-xmark 0x80000000/0x80000000
[0:0] -A PVEFW-SET-ACCEPT-MARK -m comment --comment "PVESIG:Hg/OIgIwJChBUcWU8Xnjhdd2jUY"
[0:0] -A PVEFW-logflags -j DROP
[0:0] -A PVEFW-logflags -m comment --comment "PVESIG:MN4PH1oPZeABMuWr64RrygPfW7A"
[0:0] -A PVEFW-reject -m addrtype --dst-type BROADCAST -j DROP
[0:0] -A PVEFW-reject -s 224.0.0.0/4 -j DROP
[0:0] -A PVEFW-reject -p icmp -j DROP
[0:0] -A PVEFW-reject -p tcp -j REJECT --reject-with tcp-reset
[0:0] -A PVEFW-reject -p udp -j REJECT --reject-with icmp-port-unreachable
[0:0] -A PVEFW-reject -p icmp -j REJECT --reject-with icmp-host-unreachable
[0:0] -A PVEFW-reject -j REJECT --reject-with icmp-host-prohibited
[0:0] -A PVEFW-reject -m comment --comment "PVESIG:Jlkrtle1mDdtxDeI9QaDSL++Npc"
[0:0] -A PVEFW-smurflog -j DROP
[0:0] -A PVEFW-smurflog -m comment --comment "PVESIG:2gfT1VMkfr0JL6OccRXTGXo+1qk"
# Smurf check, reached from HOST-IN for NEW/INVALID packets: drops packets
# whose source is a broadcast or multicast address. 44 packets checked, none
# dropped.
[0:0] -A PVEFW-smurfs -s 0.0.0.0/32 -j RETURN
[0:0] -A PVEFW-smurfs -m addrtype --src-type BROADCAST -g PVEFW-smurflog
[0:0] -A PVEFW-smurfs -s 224.0.0.0/4 -g PVEFW-smurflog
[44:2829] -A PVEFW-smurfs -m comment --comment "PVESIG:HssVe5QCBXd5mc9kC88749+7fag"
# Bogus TCP flag combinations; chain is not referenced by any rule in this dump.
[0:0] -A PVEFW-tcpflags -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -g PVEFW-logflags
[0:0] -A PVEFW-tcpflags -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -g PVEFW-logflags
[0:0] -A PVEFW-tcpflags -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -g PVEFW-logflags
[0:0] -A PVEFW-tcpflags -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -g PVEFW-logflags
[0:0] -A PVEFW-tcpflags -p tcp -m tcp --sport 0 --tcp-flags FIN,SYN,RST,ACK SYN -g PVEFW-logflags
[0:0] -A PVEFW-tcpflags -m comment --comment "PVESIG:CMFojwNPqllyqD67NeI5m+bP5mo"
COMMIT
# Completed on Tue Sep 20 11:52:34 2022
Code:
#AlwaysON VPN
agent: 1,fstrim_cloned_disks=1
bios: ovmf
boot: order=sata0;ide2
cores: 2
cpu: host
efidisk0: LocalStorage:vm-1128-disk-1,efitype=4m,pre-enrolled-keys=1,size=1M
ide2: none,media=cdrom
machine: q35
memory: 4096
name: X18
net0: virtio=32:69:E9:EC:AB:EF,bridge=vmbr0,tag=903
net1: virtio=7E:50:DD:5A:8B:9B,bridge=vmbr0,tag=902
net2: virtio=EE:30:6E:45:42:04,bridge=vmbr0,tag=900
numa: 0
onboot: 1
ostype: win10
sata0: LocalStorage:vm-1128-disk-0,aio=threads,discard=on,size=40G,ssd=1
scsihw: megasas
smbios1: uuid=589e75c1-282d-4cee-ba95-9fefe854f20f
sockets: 1
vmgenid: 4569289c-e2b6-45a6-b76b-1cb1f7e1afab
Code:
# bond0: active-backup pair (eno1 primary, eno3 standby), link monitored every
# 100 ms. No address of its own; it is the uplink for vmbr0 below.
auto bond0
iface bond0 inet manual
bond-slaves eno1 eno3
bond-miimon 100
bond-mode active-backup
bond-primary eno1
# bond1: balance-tlb over eno2/eno4. In this snippet it has no address and is
# not a port of any bridge, so nothing shown here uses it.
auto bond1
iface bond1 inet manual
bond-slaves eno2 eno4
bond-miimon 100
bond-mode balance-tlb
# vmbr0: the single host bridge, carrying the management IP (172.16.116.123,
# the -d address in the PVEFW-HOST-IN rules) over bond0. VLAN-aware with all
# VIDs 2-4094 permitted, so the VM's three NICs (tags 900/902/903) are
# separate VLANs on this one bridge. STP off and forward delay 0.
auto vmbr0
iface vmbr0 inet static
address 172.16.116.123/24
gateway 172.16.116.1
bridge-ports bond0
bridge-stp off
bridge-fd 0
bridge-vlan-aware yes
bridge-vids 2-4094
Any ideas on where the problem is?
//René