[SOLVED] Firewall configuration stops working after rebooting the VM

C

Ciprian Tomoiaga

Member
Aug 16, 2019
10
1
23
31
Hi everyone,

I'm facing a weird trouble with the Firewall configuration. Maybe I missed something in the documentation? It seems quite intermittent
I believe that the firewall modifies the rules of the VM's iptables in a non-intuitive way (to me), i.e. not always.

Can you please advise when the firewall options inject rules into VM's iptables, and when do these rules remain local on the host ?

---

I am trying to limit the access to a VM as follows:
  • a specific set of IPs called interns can SSH and have connections on a range of ports (for now, all of them; I'll restrict later)
  • another set of IPs called staff can SSH into the machine. This group should be able to ssh into any VM
So, I do the following from the Proxmox web interface:
  • I enabled the firewall in all 4 locations (datacenter, host, VM and VM network card). I set the Input policy to REJECT and Output to ACCEPT (for the datacenter). Restart the VM for the NIC changes to take place.
  • On the datacenter:
    • I add an IPSet called staff, where I add my static IP.
    • I create a security group called admin-access, where I add a rule to ACCEPT SSH from +staff. I intend to add this security group to all VMs later.
  • On the VM (still in the web GUI):
    • I set Input policy to REJECT.
    • IPFilter is No, MAC Filter is Yes (though I don't see where to set the MACs?).
    • I add an IPSet called interns (so far empty).
    • In the Firewall options:
      • I Insert: Security group and select the admin-access from the options
      • Add ACCEPT +interns on tcp protocol (no ports specified)
So, here the intermittent problem arises:
  • in the VM, iptables -S sometimes gives almost empty output (except for some rules of Docker)
  • if I restart the VM, the output of iptables -S includes multiple tables, like FORWARD_IN_Zones
  • if I disable some of the firewalls (datacenter, VM) and I reboot the VM (sudo reboot), the iptables output is clean again. But NOT always ! :(
  • so sometimes I get extra rules in iptables -S output, sometimes not. I feel it depends on the selection of Enabled switches, but I cannot tell exactly which changes influence it.
When I do modifications in the GUI, the changes are correctly reflected in the config files of the host, and pve-firewall compile also gives sensible output. But I do not understand when does Proxmox push changes for `iptables` to the VM. And when not (because sometimes it seems to not push them, even if I disable the firewall).

In any case, with the modifications I listed above, I cannot SSH into the machine, as it times out; the connections are dropped, even though I've set it to reject. At some point, when the changes were correctly listed in `pve-firewall compile` and the output of the `iptables -S` on the VM was clean, the above options worked as desired, namely only my IP could ssh in.
 
Ciprian Tomoiaga said:
in the VM, iptables -S sometimes gives almost empty output (except for some rules of Docker)
Click to expand...

No, PVE does not (and can not) push changes to the VM's iptables. All iptable rules are applied to the host - i.e., the rules you see when you run pve-firewall compile are applied to the PVE node, and will be visible when you run 'iptables' on it. The VM does not know anything about firewall rules, it's network stack is isolated from PVE.

Ciprian Tomoiaga said:
IPFilter is No, MAC Filter is Yes (though I don't see where to set the MACs?).
Click to expand...

Keeping the above in mind, it should become clear that the MAC address referred to here is simply the guest's, meaning that it restricts the guest from changing it's own MAC address (to prevent a malicious VM from spoofing itself as a different device).

Ciprian Tomoiaga said:
In any case, with the modifications I listed above, I cannot SSH into the machine, as it times out
Click to expand...

I found your explanation of the steps you took a bit confusing to follow, could you maybe just post the output of running pve-firewall compile? Then I could probably tell you more.
 
Hi Stefan,

Thank you for your answer!
Since you confirmed that proxmox can not push the changes to VM's iptables, I went in depth to search where those rules came from. It turns out I had both ufw and firewalld installed, and with different configurations. This made it so that sometimes I had restricted rules, sometimes not. That was a fun ride to find the culprit.

Thanks for the insight! I imagined that somehow, via the config, the proxmox host can tell the VM how to configure its network, maybe via cloud-init. I'm glad this is not the case !

So, Problem solved. Thank you!
 
You must log in or register to reply here.
Top Bottom