Firewall does not load the rules

lince

Hello,

I have created some firewall rules for a container but I cannot see them in iptables. Rules:

# cat /etc/pve/firewall/101.fw
[OPTIONS]

enable: 1

[RULES]

IN ACCEPT -p tcp -dport 22
IN DROP

# iptables -nvL
Chain INPUT (policy ACCEPT 55216 packets, 6154K bytes)
pkts bytes target prot opt in out source destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination

Chain OUTPUT (policy ACCEPT 48885 packets, 8279K bytes)
pkts bytes target prot opt in out source destination

I tried restarting the firewall with "pve-firewall restart" and "/etc/init.d/pve-firewall restart" but nothing seems to work.

In the WebUI for the node and the container the "Enable Firewall" option is set to "Yes".

I never used the firewall in Proxmox before. Am I missing a step to activate it?

Thanks.
 
True, it has to be activated at datacenter level as well.

The firewall is up and running now but I have another issue. I want to block the traffic to some containers where I have public IPs and it doesn't work.

I discovered that the traffic to these containers is coming in through the FORWARD chain in iptables, but when I create a new rule in Proxmox it only allows me to choose direction in and out.

How can I block this traffic?
 
The firewall is now enabled in datacenter, node and container.

I checked a bit further and it seems that the rules for the container are not being included in iptables. This is the rule:

[attached screenshot: upload_2016-10-8_11-39-44.png]

But I cannot see that rule in the node:

pve1# iptables -nvL | grep 8888
pve1#

And iptables in the container is also empty (after trying pct stop & start):

root@101:~# iptables -nvL
Chain INPUT (policy ACCEPT 4 packets, 148 bytes)
pkts bytes target prot opt in out source destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination

Chain OUTPUT (policy ACCEPT 7 packets, 316 bytes)
pkts bytes target prot opt in out source destination

The rules are shown in the config file:

# cat /etc/pve/firewall/101.fw
[OPTIONS]

enable: 1

[RULES]

IN DROP -p tcp -dport 8888
IN ACCEPT -p tcp -dport 22
IN DROP

Tried restarting the daemon several times with no luck:

service pve-firewall restart

Virtual Environment 4.3-1
 
I see that the firewall also has to be activated for the network card. I am surprised I have to activate the firewall in 4 different places to make it work.

It would be nice if you could document how to activate the firewall in the wiki:

https://pve.proxmox.com/wiki/Firewall
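To make the four activation points in this thread checkable, here is an added example (not from the poster or from Proxmox) that parses constructed copies of the relevant files: the `[OPTIONS]` `enable:` key in cluster.fw, host.fw and `<vmid>.fw`, plus the `firewall=1` flag on the container's `netN:` lines in `<vmid>.conf`. It assumes an absent `enable:` key means "not enabled" and reports every place that is still off.

```python
"""Report which of the four Proxmox firewall activation points are not set
for a container: datacenter (cluster.fw), node (host.fw), container
(<vmid>.fw) and the NIC flag (firewall=1 on netN: in <vmid>.conf)."""
import re

# Constructed sample files for illustration, not copied from a real host.
CLUSTER_FW = "[OPTIONS]\n\nenable: 1\n"
HOST_FW = "[OPTIONS]\n\nenable: 1\n"
CT_FW = ("[OPTIONS]\n\nenable: 1\n\n[RULES]\n\n"
         "IN DROP -p tcp -dport 8888\nIN ACCEPT -p tcp -dport 22\nIN DROP\n")
# NIC line deliberately lacks firewall=1, the case the thread ran into.
CT_CONF = ("arch: amd64\n"
           "net0: name=eth0,bridge=vmbr0,hwaddr=AA:BB:CC:DD:EE:FF,ip=dhcp,type=veth\n")

def parse_fw(text):
    """Split a *.fw file into {SECTION: [non-empty, non-comment lines]}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.fullmatch(r"\[([^\]]+)\]", line)
        if m:                       # e.g. [OPTIONS], [RULES], [group name]
            current = m.group(1).split()[0].upper()
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections

def fw_enabled(text):
    """True only if [OPTIONS] contains 'enable: 1' (assumption: absent == off)."""
    for line in parse_fw(text).get("OPTIONS", []):
        key, _, val = line.partition(":")
        if key.strip() == "enable":
            return val.strip() == "1"
    return False

def nic_firewall_flags(conf_text):
    """Return {netN: bool} from the container config's netN: option lists."""
    flags = {}
    for line in conf_text.splitlines():
        m = re.match(r"(net\d+):\s*(.*)", line)
        if m:
            opts = dict(kv.split("=", 1) for kv in m.group(2).split(",") if "=" in kv)
            flags[m.group(1)] = opts.get("firewall") == "1"
    return flags

def missing_activations(cluster_fw, host_fw, ct_fw, ct_conf):
    """List every activation point that is still off; empty list means all four are on."""
    missing = []
    if not fw_enabled(cluster_fw): missing.append("datacenter (cluster.fw)")
    if not fw_enabled(host_fw): missing.append("node (host.fw)")
    if not fw_enabled(ct_fw): missing.append("container (<vmid>.fw)")
    for nic, on in nic_firewall_flags(ct_conf).items():
        if not on: missing.append(f"nic {nic} (firewall=1 in <vmid>.conf)")
    return missing
```

Run against the sample above it reports only the NIC flag, which matches the last thing the poster had to switch on before the rules appeared in iptables.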
 
I discovered that the traffic to these containers is coming in through the FORWARD chain in iptables, but when I create a new rule in Proxmox it only allows me to choose direction in and out.
in|out is the direction, not the iptables chain.
The iptables chain is FORWARD; in|out is the direction inside the bridge (in for inbound packets).
 
