[SOLVED] firewall iptables

ibasaw

Member
Jan 4, 2014
hi,

If I start this script, I can't get internet inside my CT/VM. Why?

Code:
#!/bin/sh
# Firewall

/sbin/iptables -F

/sbin/iptables -X

/sbin/iptables -P INPUT DROP
/sbin/iptables -P FORWARD DROP
/sbin/iptables -P OUTPUT ACCEPT

/sbin/iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

/sbin/iptables -A INPUT -i lo -j ACCEPT
/sbin/iptables -A OUTPUT -o lo -j ACCEPT

# ICMP (Ping)
/sbin/iptables -A INPUT -p icmp -j ACCEPT

# SSH
/sbin/iptables -A INPUT -p tcp --dport 22 -j ACCEPT

# DNS
/sbin/iptables -A INPUT -p tcp --dport 53 -j ACCEPT
/sbin/iptables -A INPUT -p udp --dport 53 -j ACCEPT

# HTTP + HTTPS
/sbin/iptables -A INPUT -p tcp --dport 80 -j ACCEPT
/sbin/iptables -A INPUT -p tcp --dport 443 -j ACCEPT
/sbin/iptables -A INPUT -p tcp --dport 8443 -j ACCEPT

# Rsync
/sbin/iptables -A INPUT -p tcp --dport 873 -j ACCEPT

#############################################################
# PROXMOX
#############################################################
# Proxmox web panel
/sbin/iptables -A INPUT -p tcp --dport 8006 -j ACCEPT
/sbin/iptables -A INPUT -p udp --dport 8006 -j ACCEPT

# console web gui
/sbin/iptables -A INPUT -p tcp --dport 5901 -j ACCEPT
/sbin/iptables -A INPUT -p udp --dport 5901 -j ACCEPT

#############################################################

Thanks for your help
bye
Because you reject forwarding with iptables -P FORWARD DROP.
You should have something like iptables -A FORWARD -s vms_subnet -j ACCEPT and iptables -A FORWARD -d vms_subnet -j ACCEPT together with the DROP policy, or just make the policy ACCEPT and do a per-VM firewall; or, if you really want a firewall to protect VMs from the host's perspective, set up some proper rules for forwarding (maybe reject some known TCP/UDP ports that you don't want to have open from outside).
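The FORWARD rules the reply describes, written out as an added example (this is not the original poster's script and not Proxmox's own code). It keeps the DROP policy on FORWARD, accepts traffic from and to the guest subnet, and shows the optional "reject some known ports" rule the reply mentions. The subnet 10.10.10.0/24 and the port list are constructed placeholders; the function and variable names are assumptions. The rules only take effect for traffic the host actually forwards: routed or NAT setups, or a bridged setup when bridge-nf-call-iptables is enabled (Proxmox hosts normally have it on).

```shell
#!/bin/sh
# Added example: FORWARD rules for a CT/VM subnet behind a FORWARD DROP policy.
# Run without arguments to print the rules, or "apply" to load them with iptables.
# Append to the poster's script after the INPUT rules (his -F/-X flush comes first).

VM_SUBNET="${VM_SUBNET:-10.10.10.0/24}"   # constructed placeholder: your guest subnet
BLOCKED_TCP_PORTS="${BLOCKED_TCP_PORTS:-23 445}"   # placeholder list of ports to refuse from outside
IPT="${IPT:-/sbin/iptables}"

# forward_rules SUBNET "PORT PORT ..." prints one iptables argument list per line,
# in the order they must be loaded (the per-port REJECTs must precede the -d ACCEPT).
forward_rules() {
    subnet="$1"
    blocked="$2"    # space-separated TCP ports, may be empty

    # Keep the reply's DROP policy: anything not matched below is dropped.
    echo "-P FORWARD DROP"
    # Replies to connections already allowed in either direction.
    echo "-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT"
    # Packets conntrack cannot classify (out-of-window, malformed) are dropped.
    echo "-A FORWARD -m conntrack --ctstate INVALID -j DROP"
    # Guests may initiate anything outbound: this is what was missing in the question.
    echo "-A FORWARD -s $subnet -j ACCEPT"
    # Optional: refuse selected ports towards the guests before the general -d ACCEPT.
    for p in $blocked; do
        echo "-A FORWARD -d $subnet -p tcp --dport $p -j REJECT --reject-with tcp-reset"
    done
    # Everything else towards the guests is accepted, as the reply suggests.
    echo "-A FORWARD -d $subnet -j ACCEPT"
}

# apply_rules reads rule lines on stdin and hands each to iptables (needs root).
apply_rules() {
    while read -r rule; do
        # shellcheck disable=SC2086  # word splitting of $rule is intended
        $IPT $rule || { echo "failed: $IPT $rule" >&2; return 1; }
    done
}

case "${1:-show}" in
    apply) forward_rules "$VM_SUBNET" "$BLOCKED_TCP_PORTS" | apply_rules ;;
    *)     forward_rules "$VM_SUBNET" "$BLOCKED_TCP_PORTS" ;;
esac
```

Guests on a private subnet that reach the internet through the host additionally need a MASQUERADE rule in the nat table; the rules above only decide what the filter table lets through. After loading, iptables -L FORWARD -v -n shows the per-rule counters, which is the quickest way to confirm that guest traffic is hitting the -s rule rather than the DROP policy.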