Firewall does not load the rules

lince

Hello,

I have created some firewall rules for a container but I cannot see them in iptables. Rules:

# cat /etc/pve/firewall/101.fw
[OPTIONS]

enable: 1

[RULES]

IN ACCEPT -p tcp -dport 22
IN DROP

# iptables -nvL
Chain INPUT (policy ACCEPT 55216 packets, 6154K bytes)
pkts bytes target prot opt in out source destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination

Chain OUTPUT (policy ACCEPT 48885 packets, 8279K bytes)
pkts bytes target prot opt in out source destination

I tried restarting the firewall with "pve-firewall restart" and "/etc/init.d/pve-firewall restart" but nothing seems to work.

In the WebUI for the node and the container the "Enable Firewall" option is set to "Yes".

I never used the firewall in Proxmox before. Am I missing a step to activate it?

Thanks.
 
True, it has to be activated at datacenter level as well.

The firewall is up and running now but I have another issue. I want to block the traffic to some containers where I have public IPs and it doesn't work.

I discovered that the traffic to these containers is coming in through the FORWARD chain in iptables, but when I create a new rule in Proxmox it only allows me to choose direction in and out.

How can I block this traffic?
 
The firewall is now enabled in datacenter, node and container.

I checked a bit further and it seems that the rules for the container are not being included in iptables. This is the rule:

(screenshot: upload_2016-10-8_11-39-44.png)

But I cannot see that rule in the node:

pve1# iptables -nvL | grep 8888
pve1#

And iptables in the container is also empty (after trying pct stop & start):

root@101:~# iptables -nvL
Chain INPUT (policy ACCEPT 4 packets, 148 bytes)
pkts bytes target prot opt in out source destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination

Chain OUTPUT (policy ACCEPT 7 packets, 316 bytes)
pkts bytes target prot opt in out source destination

The rules are shown in the config file:

# cat /etc/pve/firewall/101.fw
[OPTIONS]

enable: 1

[RULES]

IN DROP -p tcp -dport 8888
IN ACCEPT -p tcp -dport 22
IN DROP

Tried restarting the daemon several times with no luck:

service pve-firewall restart

Virtual Environment 4.3-1
 
I see that the firewall also has to be activated for the network card. I am surprised I have to activate the firewall in 4 different places to make it work.

It would be nice if you could document how to activate the firewall in the wiki:

https://pve.proxmox.com/wiki/Firewall
 
"I discovered that the traffic to these containers is coming in through the FORWARD chain in iptables, but when I create a new rule in Proxmox it only allows me to choose direction in and out."

in|out is the direction, not the iptables chain.
The iptables chain is FORWARD; in|out is the direction inside the bridge (in for inbound packets).
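A check for the four places the thread ends up enabling the firewall (datacenter, host, container, and the container's network interface), as an added example and not a script from Proxmox or from the poster. It assumes the standard file locations (/etc/pve/firewall/cluster.fw, /etc/pve/nodes/NODE/host.fw, /etc/pve/firewall/VMID.fw, and the firewall=1 flag on the netX line of /etc/pve/lxc/VMID.conf) and treats a level without an explicit "enable: 1" as disabled.

```shell
#!/bin/sh
# Hypothetical helper (added example): report whether the Proxmox firewall is
# enabled at every level that must agree before a container's rules are
# loaded into iptables. PVE_ROOT can point at a copied tree for testing;
# on a real node leave it at /etc/pve.
PVE_ROOT="${PVE_ROOT:-/etc/pve}"

# enabled_in FILE -> 0 if FILE carries "enable: 1" inside its [OPTIONS] section
enabled_in() {
    [ -f "$1" ] && awk '
        /^\[/ { in_opts = ($0 == "[OPTIONS]"); next }
        in_opts && $1 == "enable:" && $2 == "1" { found = 1 }
        END { exit found ? 0 : 1 }' "$1"
}

# nic_firewall_on CONF -> 0 if some netX line of the container config has firewall=1
nic_firewall_on() {
    [ -f "$1" ] && grep -Eq '^net[0-9]+:.*,firewall=1(,|$)' "$1"
}

# fw_status NODE VMID -> prints one line per level, returns the number of
# levels that are not enabled (0 means the container's rules can take effect)
fw_status() {
    node="$1"; vmid="$2"; bad=0
    for level in datacenter host container nic; do
        case "$level" in
            datacenter) f="$PVE_ROOT/firewall/cluster.fw";  check=enabled_in ;;
            host)       f="$PVE_ROOT/nodes/$node/host.fw";  check=enabled_in ;;
            container)  f="$PVE_ROOT/firewall/$vmid.fw";    check=enabled_in ;;
            nic)        f="$PVE_ROOT/lxc/$vmid.conf";       check=nic_firewall_on ;;
        esac
        if "$check" "$f"; then state=enabled; else state=DISABLED; bad=$((bad + 1)); fi
        printf '%-10s %-8s %s\n' "$level" "$state" "$f"
    done
    return "$bad"
}
```

Run it as `fw_status pve1 101` on the node; any line marked DISABLED is a level that still needs the "Enable Firewall" switch.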