I use a cloud server on the internet running Proxmox and want to filter some connections, allowing some to reach the VMs and blocking others. A typical firewall plan. Now I have some rules running, including NAT from inside to outside, pre-NAT for VPN from outside to inside and some others for the DHCP function.
But since one of the last updates I can connect to the host via terminal SSH, but not via the web GUI on HTTP port 8006.
That was a big surprise, because on the one hand I don't directly allow SSH and it works, and on the other hand I directly allow HTTP port 8006 and it gets blocked :O
Following rules are active.
if [[ ! "$PATH" = *"$HOME/bin"* ]]; then
. ./.profile
fi
# reset all rules via other script
firewall_reset
###
iface_inet="vmbr_inet"
iface_inet_local="vmbr_inet2"
ip_inet="a.b.c.d"
ip_inet_local="192.168.10.1"
host=$ip_inet
vm_test_ip=192.168.10.8
vm_vpn_ip=192.168.10.254
vm_ftp_ip=192.168.10.9
###
# allow internet connection for network 192.168.10.0 (with nat)
iptables -t nat -A POSTROUTING -s 192.168.10.0/24 -o $iface_inet -j MASQUERADE
###
# allow some connections from one network to another
iptables -A FORWARD -i vmbr_inet2 -o vmbr_inet -j ACCEPT
iptables -A FORWARD -i vmbr_inet -o vmbr_inet2 -j ACCEPT
iptables -A FORWARD -i vmbr_srv -o vmbr_inet2 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i vmbr_clnts -o vmbr_inet2 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i vmbr_srv -o vmbr_inet2 -m state --state NEW -j DROP
iptables -A FORWARD -i vmbr_clnts -o vmbr_inet2 -m state --state NEW -j DROP
iptables -A FORWARD -i vmbr_inet2 -o vmbr_srv -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i vmbr_inet2 -o vmbr_clnts -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
###
### forward vpn internet -> local
iptables -t nat -A POSTROUTING -s $ip_inet -o $vm_vpn_ip -j MASQUERADE
###
# forward some connection from internet to intern like ssh and ftp
for port_ in 11111 8006 2222 3333 10000 4444 1194 5555; do
###
iptables -A INPUT -i $iface_inet -p tcp --dport $port_ -j ACCEPT
iptables -I OUTPUT -p tcp --sport $port_ -j ACCEPT
###
# 11111 -> host:ssh *** test
if [[ "$port_" -eq 1111 ]]; then
echo "$iface_inet:$port_ -> $host:ssh"
iptables -A FORWARD -p tcp -i $iface_inet -d $host --dport $port_ -j ACCEPT
###
# 8006 -> host:http *** test
elif [[ "$port_" -eq 8006 ]]; then
echo "$iface_inet:$port_ -> $host:http"
iptables -A FORWARD -p tcp -i $iface_inet -d $host --dport $port_ -j ACCEPT
###
# 2222 -> ftp:21
elif [[ "$port_" -eq 2222 ]]; then
echo "$iface_inet:$port_ -> $vm_ftp_ip:21"
iptables -t nat -A PREROUTING -p tcp -i $iface_inet --dport $port_ -j DNAT --to-destination $vm_ftp_ip:21
iptables -A FORWARD -p tcp -i $iface_inet -o $iface_inet_local -d $vm_ftp_ip --dport 21 -j ACCEPT
###
# 3333 -> ftp:20
elif [[ "$port_" -eq 3333 ]]; then
echo "$iface_inet:$port_ -> $vm_ftp_ip:20"
iptables -t nat -A PREROUTING -p tcp -i $iface_inet --dport $port_ -j DNAT --to-destination $vm_ftp_ip:20
iptables -A FORWARD -p tcp -i $iface_inet -o $iface_inet_local -d $vm_ftp_ip --dport 20 -j ACCEPT
###
# 10000: -> ftp:10000
elif [[ "$port_" -eq 10000 ]]; then
echo "$iface_inet:$port_ -> $vm_ftp_ip:..."
iptables -t nat -A PREROUTING -p tcp -i $iface_inet --dport $port_:10010 -j DNAT --to-destination $vm_ftp_ip
iptables -A FORWARD -p tcp -i $iface_inet -o $iface_inet_local -d $vm_ftp_ip --dport 10000:10010 -j ACCEPT
###
# 4444 -> ftp:22
elif [[ "$port_" -eq 4444 ]]; then
echo "$iface_inet:$port_ -> $vm_ftp_ip:22"
iptables -t nat -A PREROUTING -p tcp -i $iface_inet --dport $port_:10010 -j DNAT --to-destination $vm_ftp_ip:22
iptables -A FORWARD -p tcp -i $iface_inet -o $iface_inet_local -d $vm_ftp_ip --dport 22 -j ACCEPT
###
# 5555 -> test:22
elif [[ "$port_" -eq 5555 ]]; then
echo "$iface_inet:$port_ -> $vm_test_ip:22"
iptables -t nat -A PREROUTING -p tcp -i $iface_inet --dport $port_ -j DNAT --to-destination $vm_test_ip:22
iptables -A FORWARD -p tcp -i $iface_inet -o $iface_inet_local -d $vm_test_ip --dport 22 -j ACCEPT
###
# 1194 -> vpn:1194
elif [[ "$port_" -eq 1194 ]]; then
echo "$iface_inet:$port_ -> $vm_vpn_ip:$port_"
iptables -t nat -A PREROUTING -p udp -i $iface_inet --dport $port_ -j DNAT --to-destination $vm_vpn_ip:$port_
iptables -A FORWARD -p udp -i $iface_inet -o $iface_inet_local -d $vm_vpn_ip --dport 1194 -j ACCEPT
fi
###
done
###
iptables -t nat -A POSTROUTING -d $vm_vpn_ip -j SNAT --to-source $ip_inet_local
iptables -t nat -A POSTROUTING -d $vm_test_ip -j SNAT --to-source $ip_inet_local
iptables -t nat -A POSTROUTING -d $vm_ftp_ip -j SNAT --to-source $ip_inet_local
###
iptables-save > /etc/iptables/rules.v4
I think this issue is better placed here than on superuser.com. This is the original post.
Is someone willing to find the wrong rule that is blocking HTTP? Thanks for any hints.
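The usual way to find "the wrong rule" is to stop reading the script and instead ask the kernel which rule a concrete packet hits first: `iptables -S` (or `iptables -L -v -n --line-numbers`) shows the effective rule order and chain policies, and iptables evaluates a chain top to bottom until a terminal target (ACCEPT, DROP, REJECT) matches; if nothing matches, the chain policy decides. The script below is an added example, not code from the post: a small first-match evaluator that reads rules in iptables-save syntax and reports, for a described packet, which rule in INPUT, OUTPUT or FORWARD fires, or that the packet fell through to the policy. The sample dump is constructed from the post's rules; its DROP chain policies are an assumption, because the post does not show what firewall_reset sets, so replace the dump with the real `iptables-save` output before trusting any verdict.

```python
"""First-match evaluator for the *filter table of an iptables-save dump.

Added example, not code from the forum post. The rule dump below is
constructed from the post's rules; the DROP chain policies are an assumption.
"""
import ipaddress
import shlex

# Constructed sample in iptables-save syntax (only the pieces needed here).
SAMPLE_RULES_V4 = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i vmbr_inet -p tcp -m tcp --dport 11111 -j ACCEPT
-A INPUT -i vmbr_inet -p tcp -m tcp --dport 8006 -j ACCEPT
-A INPUT -i vmbr_inet -p tcp -m tcp --dport 2222 -j ACCEPT
-A FORWARD -i vmbr_inet2 -o vmbr_inet -j ACCEPT
-A FORWARD -i vmbr_inet -o vmbr_inet2 -j ACCEPT
-A FORWARD -i vmbr_srv -o vmbr_inet2 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i vmbr_srv -o vmbr_inet2 -m state --state NEW -j DROP
-A FORWARD -d 192.168.10.9/32 -i vmbr_inet -o vmbr_inet2 -p tcp -m tcp --dport 21 -j ACCEPT
-A OUTPUT -p tcp -m tcp --sport 8006 -j ACCEPT
-A OUTPUT -p tcp -m tcp --sport 11111 -j ACCEPT
COMMIT
"""

TERMINAL = {"ACCEPT", "DROP", "REJECT"}  # targets that end chain traversal


def parse_rules(dump):
    """Return (policies, rules) for the *filter table; rules keep dump order."""
    policies, rules, in_filter = {}, [], False
    for line in dump.splitlines():
        line = line.strip()
        if line.startswith("*"):
            in_filter = line == "*filter"
            continue
        if not in_filter or not line or line.startswith("#") or line == "COMMIT":
            continue
        if line.startswith(":"):  # ":CHAIN POLICY [pkts:bytes]"
            chain, policy = line[1:].split()[:2]
            policies[chain] = policy
            continue
        toks, rule, i = shlex.split(line), {"text": line}, 0
        while i < len(toks):
            t = toks[i]
            if t in ("-A", "-i", "-o", "-p", "-j"):
                rule[{"-A": "chain", "-i": "in", "-o": "out", "-p": "proto", "-j": "target"}[t]] = toks[i + 1]
            elif t in ("-s", "-d"):  # CIDR or bare address
                rule["src" if t == "-s" else "dst"] = ipaddress.ip_network(toks[i + 1], strict=False)
            elif t in ("--dport", "--sport"):  # single port or lo:hi range
                lo, _, hi = toks[i + 1].partition(":")
                rule[t[2:]] = (int(lo), int(hi or lo))
            elif t == "--state":
                rule["state"] = set(toks[i + 1].split(","))
            elif t == "-m":  # match extension name (tcp, state, ...): no effect here
                pass
            else:  # any other option: skip just the flag
                i += 1
                continue
            i += 2
        rules.append(rule)
    return policies, rules


def matches(rule, pkt):
    """True if every selector the rule specifies matches the packet."""
    for key in ("in", "out", "proto"):
        if key in rule and rule[key] != pkt.get(key):
            return False
    for key in ("src", "dst"):
        if key in rule and (key not in pkt or ipaddress.ip_address(pkt[key]) not in rule[key]):
            return False
    for key in ("dport", "sport"):
        if key in rule and not rule[key][0] <= pkt.get(key, -1) <= rule[key][1]:
            return False
    return "state" not in rule or pkt.get("state") in rule["state"]


def evaluate(chain, pkt, policies, rules):
    """Walk one chain in order; return (verdict, rule_text) of the first terminal
    match, or (policy, None) when the packet falls through to the chain policy."""
    for rule in rules:
        if rule.get("chain") == chain and matches(rule, pkt) and rule["target"] in TERMINAL:
            return rule["target"], rule["text"]
    return policies[chain], None


def diagnose(dump=SAMPLE_RULES_V4):
    """Evaluate a few constructed packets that model the post's traffic."""
    policies, rules = parse_rules(dump)
    cases = {
        # browser on the internet opening the Proxmox GUI on the host
        "gui_from_internet": ("INPUT", {"in": "vmbr_inet", "proto": "tcp", "dport": 8006, "state": "NEW"}),
        # same GUI request arriving on the internal bridge instead (e.g. via the VPN VM)
        "gui_from_internal": ("INPUT", {"in": "vmbr_inet2", "proto": "tcp", "dport": 8006, "state": "NEW"}),
        # the host's reply packets of that GUI session
        "gui_reply": ("OUTPUT", {"proto": "tcp", "sport": 8006, "state": "ESTABLISHED"}),
        # return traffic of a connection the host itself opened (updates, DNS over TCP, ...)
        "host_outbound_reply": ("INPUT", {"in": "vmbr_inet", "proto": "tcp", "dport": 45000, "state": "ESTABLISHED"}),
        # DNAT'ed FTP control connection on its way to the FTP VM
        "ftp_to_vm": ("FORWARD", {"in": "vmbr_inet", "out": "vmbr_inet2", "proto": "tcp",
                                  "dst": "192.168.10.9", "dport": 21, "state": "NEW"}),
    }
    return {name: evaluate(chain, pkt, policies, rules) for name, (chain, pkt) in cases.items()}


if __name__ == "__main__":
    for name, (verdict, rule) in diagnose().items():
        print(f"{name:22} {verdict:7} {rule or '(chain policy, no rule matched)'}")
```

Two things the evaluator makes visible that reading the script does not: the specific FTP FORWARD rule never fires, because the broad `-i vmbr_inet -o vmbr_inet2 -j ACCEPT` rule earlier in the chain already matches, and with a DROP policy and no RELATED,ESTABLISHED rule in INPUT the host's own outbound connections get no return traffic. Whether either applies to the real host depends on the actual policies and on rules firewall_reset or other scripts add, which is exactly why the dump should come from `iptables-save` on the machine and not from this constructed sample.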