Firewall not working as Expected

rackdie

Member
Jan 1, 2023
I have enabled the firewall at the datacenter, node and VM level, but it doesn't work fully. I disabled outgoing port 25 on my IP as shown in the screenshot below, but an online port checker shows port 25 as open. I can't telnet into it, yet it still shows as open. I have enabled the incoming mail macro so that my clients can set up mail servers if they want. What could be the issue?
On the other hand, whenever I enable a certain port for a VM, it shows as closed in the online port checker even after enabling incoming for it.
Any help will be appreciated for both issues.

Screenshot 2023-04-10 141457.png
Screenshot 2023-04-10 141513.png
Screenshot 2023-04-10 141554.png
 
There are two directions, input and output. You have to create an input rule for that.
 
There are two directions, input and output. You have to create an input rule for that.
I want to allow incoming connections so people can receive mail, but drop outgoing so that nobody can send mail. I already created an incoming accept rule at the VM level. Can you guide me more about it, please?
 
Then your check is wrong. You only need to check whether you can send email. If not, then the firewall works.
 
Then your check is wrong. You only need to check whether you can send email. If not, then the firewall works.
The problem is that I can still send mail even after blocking outgoing ports 25, 465, 2525 and 587, so there should be no way to send out an email, but it is still sending mail. Is there any macro approach to stop it completely?
 
Show the output from the VM with:
Bash:
#telnet smtp.web.de 25
I just checked it now. When I try to use telnet from my VM to my IP, it connects successfully to port 25, which is very abnormal since I already blocked outgoing port 25.
Screenshot 2023-04-12 182518.png
 
Is the firewall checkbox enabled on the VM NIC?

Also, is the firewall option enabled at the datacenter level?
Yes, it's enabled at all 3 levels: VM, datacenter and node. But it still doesn't work. Your help will be appreciated.
 
And is the checkbox correctly enabled on the VM NIC too?

Can you send the result of

#iptables-save

from the node where the VM is running?
Here is the result of iptables, and yes, the checkbox is enabled:

-A INPUT -j PVEFW-INPUT
-A FORWARD -j PVEFW-FORWARD
-A OUTPUT -j PVEFW-OUTPUT
-A GROUP-firewallrules-IN -j MARK --set-xmark 0x0/0x80000000
-A GROUP-firewallrules-IN -p tcp -m tcp --dport 26 -j DROP
-A GROUP-firewallrules-IN -p tcp -m tcp --dport 2525 -j DROP
-A GROUP-firewallrules-IN -p tcp -m tcp --dport 443 -g PVEFW-SET-ACCEPT-MARK
-A GROUP-firewallrules-IN -p tcp -m tcp --dport 80 -g PVEFW-SET-ACCEPT-MARK
-A GROUP-firewallrules-IN -p tcp -m tcp --dport 143 -g PVEFW-SET-ACCEPT-MARK
-A GROUP-firewallrules-IN -p tcp -m tcp --dport 25 -g PVEFW-SET-ACCEPT-MARK
-A GROUP-firewallrules-IN -p tcp -m tcp --dport 143 -g PVEFW-SET-ACCEPT-MARK
-A GROUP-firewallrules-IN -p tcp -m tcp --dport 3306 -g PVEFW-SET-ACCEPT-MARK
-A GROUP-firewallrules-IN -p tcp -m tcp --dport 3389 -g PVEFW-SET-ACCEPT-MARK
-A GROUP-firewallrules-IN -m comment --comment "PVESIG:kwqVKNpG3qtPkz05K8g8Wph+jNk"
-A GROUP-firewallrules-OUT -j MARK --set-xmark 0x0/0x80000000
-A GROUP-firewallrules-OUT -p tcp -m tcp --dport 25 -j DROP
-A GROUP-firewallrules-OUT -p tcp -m tcp --dport 587 -j DROP
-A GROUP-firewallrules-OUT -p tcp -m tcp --dport 2525 -j DROP
-A GROUP-firewallrules-OUT -p tcp -m tcp --dport 465 -j DROP
-A GROUP-firewallrules-OUT -p tcp -m tcp --dport 26 -j DROP
-A GROUP-firewallrules-OUT -p tcp -m tcp --dport 25 -j DROP
-A GROUP-firewallrules-OUT -p tcp -m tcp --dport 465 -j DROP
-A GROUP-firewallrules-OUT -p tcp -m tcp --dport 587 -j DROP
-A GROUP-firewallrules-OUT -m comment --comment "PVESIG:fSxOYjCTKqR/8tW3mhpRdcAz+t4"
-A PVEFW-Drop -p tcp -m tcp --dport 43 -j PVEFW-reject
-A PVEFW-Drop -j PVEFW-DropBroadcast

-A PVEFW-HOST-OUT -p igmp -j RETURN
-A PVEFW-HOST-OUT -o vmbr0 -p tcp -m tcp --dport 25 -j DROP
-A PVEFW-HOST-OUT -o vmbr0 -p tcp -m tcp --dport 587 -j DROP
-A PVEFW-HOST-OUT -o vmbr0 -p tcp -m tcp --dport 465 -j DROP
-A PVEFW-HOST-OUT -o vmbr0 -p tcp -m tcp --dport 2525 -j DROP
-A PVEFW-HOST-OUT -o vmbr0 -p tcp -m tcp --dport 26 -j DROP
-A PVEFW-HOST-OUT -o vmbr0 -p tcp -m tcp --dport 25 -j DROP
-A PVEFW-HOST-OUT -o vmbr0 -p tcp -m tcp --dport 26 -j DROP
-A PVEFW-HOST-OUT -o vmbr0 -p tcp -m tcp --dport 2525 -j DROP
-A PVEFW-HOST-OUT -o vmbr0 -p tcp -m tcp --dport 587 -j DROP
-A PVEFW-HOST-OUT -o vmbr0 -p tcp -m tcp --dport 465 -j DROP
-A PVEFW-HOST-OUT -d 204.12.231.144/29 -p tcp -m tcp --dport 8006 -j RETURN
-A PVEFW-HOST-OUT -d 204.12.231.144/29 -p tcp -m tcp --dport 22 -j RETURN
-A PVEFW-HOST-OUT -d 204.12.231.144/29 -p tcp -m tcp --dport 5900:5999 -j RETURN
-A PVEFW-HOST-OUT -d 204.12.231.144/29 -p tcp -m tcp --dport 3128 -j RETURN
-A PVEFW-HOST-OUT -j RETURN
-A PVEFW-HOST-OUT -m comment --comment "PVESIG:fy+g+PaGXhXZAL/vwMFwAmAni+w"
-A PVEFW-INPUT -j PVEFW-HOST-IN
-A PVEFW-INPUT -m comment --comment "PVESIG:+5iMmLaxKXynOB/+5xibfx7WhFk"
-A PVEFW-OUTPUT -j PVEFW-HOST-OUT
-A PVEFW-OUTPUT -m comment --comment "PVESIG:LjHoZeSSiWAG3+2ZAyL/xuEehd0"
-A PVEFW-Reject -p tcp -m tcp --dport 43 -j PVEFW-reject
-A PVEFW-Reject -j PVEFW-DropBroadcast
-A PVEFW-Reject -p icmp -m icmp --icmp-type 3/4 -j ACCEPT
-A PVEFW-Reject -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A PVEFW-Reject -m conntrack --ctstate INVALID -j DROP
-A PVEFW-Reject -p udp -m multiport --dports 135,445 -j PVEFW-reject
-A PVEFW-Reject -p udp -m udp --dport 137:139 -j PVEFW-reject
-A PVEFW-Reject -p udp -m udp --sport 137 --dport 1024:65535 -j PVEFW-reject
-A PVEFW-Reject -p tcp -m multiport --dports 135,139,445 -j PVEFW-reject
-A PVEFW-Reject -p udp -m udp --dport 1900 -j DROP
-A PVEFW-Reject -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -j DROP
-A PVEFW-Reject -p udp -m udp --sport 53 -j DROP
-A PVEFW-Reject -m comment --comment "PVESIG:CZJnIN6rAdpu+ej59QPr9+laMUo"
-A PVEFW-SET-ACCEPT-MARK -j MARK --set-xmark 0x80000000/0x80000000
-A PVEFW-SET-ACCEPT-MARK -m comment --comment "PVESIG:Hg/OIgIwJChBUcWU8Xnjhdd2jUY"
-A PVEFW-logflags -j DROP
-A PVEFW-logflags -m comment --comment "PVESIG:MN4PH1oPZeABMuWr64RrygPfW7A"
-A PVEFW-reject -m addrtype --dst-type BROADCAST -j DROP
-A PVEFW-reject -s 224.0.0.0/4 -j DROP
-A PVEFW-reject -p icmp -j DROP
-A PVEFW-reject -p tcp -j REJECT --reject-with tcp-reset
-A PVEFW-reject -p udp -j REJECT --reject-with icmp-port-unreachable
-A PVEFW-reject -p icmp -j REJECT --reject-with icmp-host-unreachable
-A PVEFW-reject -j REJECT --reject-with icmp-host-prohibited
-A PVEFW-reject -m comment --comment "PVESIG:Jlkrtle1mDdtxDeI9QaDSL++Npc"
-A PVEFW-smurflog -j DROP
-A PVEFW-smurflog -m comment --comment "PVESIG:2gfT1VMkfr0JL6OccRXTGXo+1qk"
-A PVEFW-smurfs -s 0.0.0.0/32 -j RETURN
-A PVEFW-smurfs -m addrtype --src-type BROADCAST -g PVEFW-smurflog
-A PVEFW-smurfs -s 224.0.0.0/4 -g PVEFW-smurflog
-A PVEFW-smurfs -m comment --comment "PVESIG:HssVe5QCBXd5mc9kC88749+7fag"
-A PVEFW-tcpflags -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -g PVEFW-logflags
-A PVEFW-tcpflags -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -g PVEFW-logflags
-A PVEFW-tcpflags -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -g PVEFW-logflags
-A PVEFW-tcpflags -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -g PVEFW-logflags
-A PVEFW-tcpflags -p tcp -m tcp --sport 0 --tcp-flags FIN,SYN,RST,ACK SYN -g PVEFW-logflags
-A PVEFW-tcpflags -m comment --comment "PVESIG:CMFojwNPqllyqD67NeI5m+bP5mo"
-A tap1001i0-IN -p udp -m udp --sport 67 --dport 68 -j ACCEPT
-A tap1001i0-IN -j GROUP-firewallrules-IN
-A tap1001i0-IN -m mark --mark 0x80000000/0x80000000 -j ACCEPT
-A tap1001i0-IN -j PVEFW-Drop
-A tap1001i0-IN -j DROP
-A tap1001i0-IN -m comment --comment "PVESIG:SPrJ+kO2JLex7wVrvhbYT3P08F4"
-A tap1001i0-OUT -p udp -m udp --sport 68 --dport 67 -g PVEFW-SET-ACCEPT-MARK
-A tap1001i0-OUT -m mac ! --mac-source 00:16:3E:6F:44:B3 -j DROP
-A tap1001i0-OUT -j MARK --set-xmark 0x0/0x80000000
-A tap1001i0-OUT -j GROUP-firewallrules-OUT
-A tap1001i0-OUT -m mark --mark 0x80000000/0x80000000 -j RETURN
-A tap1001i0-OUT -g PVEFW-SET-ACCEPT-MARK
-A tap1001i0-OUT -m comment --comment "PVESIG:YNssiiXqnQAUarj4vjL3n7OnKjU"
-A tap1002i0-IN -p udp -m udp --sport 67 --dport 68 -j ACCEPT
-A tap1002i0-IN -j GROUP-firewallrules-IN
-A tap1002i0-IN -m mark --mark 0x80000000/0x80000000 -j ACCEPT
-A tap1002i0-IN -j PVEFW-Drop
-A tap1002i0-IN -j DROP
-A tap1002i0-IN -m comment --comment "PVESIG:EySKt5yYABnPxUPRAr7GeTF5W0w"
-A tap1002i0-OUT -p udp -m udp --sport 68 --dport 67 -g PVEFW-SET-ACCEPT-MARK
-A tap1002i0-OUT -m mac ! --mac-source 00:16:3E:9F:8C:66 -j DROP
-A tap1002i0-OUT -j MARK --set-xmark 0x0/0x80000000
-A tap1002i0-OUT -j GROUP-firewallrules-OUT
-A tap1002i0-OUT -m mark --mark 0x80000000/0x80000000 -j RETURN
-A tap1002i0-OUT -g PVEFW-SET-ACCEPT-MARK
-A tap1002i0-OUT -m comment --comment "PVESIG:0GJiLe4u6mmWVzOK3DYNvMTXu5Q"
-A tap1004i0-IN -p udp -m udp --sport 67 --dport 68 -j ACCEPT
-A tap1004i0-IN -j GROUP-firewallrules-IN
-A tap1004i0-IN -m mark --mark 0x80000000/0x80000000 -j ACCEPT
-A tap1004i0-IN -j PVEFW-Drop
-A tap1004i0-IN -j DROP
-A tap1004i0-IN -m comment --comment "PVESIG:nbp4nLO2eAANLYLSolafNLEJonY"
-A tap1004i0-OUT -p udp -m udp --sport 68 --dport 67 -g PVEFW-SET-ACCEPT-MARK
-A tap1004i0-OUT -m mac ! --mac-source 00:16:3E:34:94:6C -j DROP
-A tap1004i0-OUT -j MARK --set-xmark 0x0/0x80000000
-A tap1004i0-OUT -j GROUP-firewallrules-OUT
-A tap1004i0-OUT -m mark --mark 0x80000000/0x80000000 -j RETURN
-A tap1004i0-OUT -g PVEFW-SET-ACCEPT-MARK
-A tap1004i0-OUT -m comment --comment "PVESIG:AcOe6zv8l9rk6jMcxEheokcssc8"
-A tap1005i0-IN -p udp -m udp --sport 67 --dport 68 -j ACCEPT
-A tap1005i0-IN -j GROUP-firewallrules-IN
-A tap1005i0-IN -m mark --mark 0x80000000/0x80000000 -j ACCEPT
-A tap1005i0-IN -j PVEFW-Drop
-A tap1005i0-IN -j DROP
-A tap1005i0-IN -m comment --comment "PVESIG:xDdBz6Ogxk0GvymTH6gBuJJJpK0"
-A tap1005i0-OUT -p udp -m udp --sport 68 --dport 67 -g PVEFW-SET-ACCEPT-MARK
-A tap1005i0-OUT -m mac ! --mac-source 00:16:3E:90:1E:13 -j DROP
-A tap1005i0-OUT -j MARK --set-xmark 0x0/0x80000000
-A tap1005i0-OUT -j GROUP-firewallrules-OUT
-A tap1005i0-OUT -m mark --mark 0x80000000/0x80000000 -j RETURN
-A tap1005i0-OUT -g PVEFW-SET-ACCEPT-MARK
-A tap1005i0-OUT -m comment --comment "PVESIG:E9+I79LeNsB+zOTMh2UFgA6B0U0"
-A tap1006i0-IN -p udp -m udp --sport 67 --dport 68 -j ACCEPT
-A tap1006i0-IN -j GROUP-firewallrules-IN
-A tap1006i0-IN -m mark --mark 0x80000000/0x80000000 -j ACCEPT
-A tap1006i0-IN -j PVEFW-Drop
-A tap1006i0-IN -j DROP
-A tap1006i0-IN -m comment --comment "PVESIG:+XBfu1j/L9PZxQnh5s6AvU6dEoE"
-A tap1006i0-OUT -p udp -m udp --sport 68 --dport 67 -g PVEFW-SET-ACCEPT-MARK
-A tap1006i0-OUT -m mac ! --mac-source 00:16:3E:F4:86:58 -j DROP
-A tap1006i0-OUT -j MARK --set-xmark 0x0/0x80000000
-A tap1006i0-OUT -j GROUP-firewallrules-OUT
-A tap1006i0-OUT -m mark --mark 0x80000000/0x80000000 -j RETURN
-A tap1006i0-OUT -g PVEFW-SET-ACCEPT-MARK
-A tap1006i0-OUT -m comment --comment "PVESIG:1NOG8Cg80sSzULHNwAEdEOlqVOU"
-A tap1007i0-IN -p udp -m udp --sport 67 --dport 68 -j ACCEPT
-A tap1007i0-IN -j GROUP-firewallrules-IN
-A tap1007i0-IN -m mark --mark 0x80000000/0x80000000 -j ACCEPT
-A tap1007i0-IN -j PVEFW-Drop
-A tap1007i0-IN -j DROP
-A tap1007i0-IN -m comment --comment "PVESIG:c46gy5dVTocK32L0ps9+X/7zvVY"
-A tap1007i0-OUT -p udp -m udp --sport 68 --dport 67 -g PVEFW-SET-ACCEPT-MARK
-A tap1007i0-OUT -m mac ! --mac-source 00:16:3E:C5:AC:6B -j DROP
-A tap1007i0-OUT -j MARK --set-xmark 0x0/0x80000000
-A tap1007i0-OUT -j GROUP-firewallrules-OUT
-A tap1007i0-OUT -m mark --mark 0x80000000/0x80000000 -j RETURN
-A tap1007i0-OUT -g PVEFW-SET-ACCEPT-MARK
-A tap1007i0-OUT -m comment --comment "PVESIG:i4bkTPof3gYX1R9DnJeZXT2Uyug"
-A tap1008i0-IN -p udp -m udp --sport 67 --dport 68 -j ACCEPT
-A tap1008i0-IN -j GROUP-firewallrules-IN
-A tap1008i0-IN -m mark --mark 0x80000000/0x80000000 -j ACCEPT
-A tap1008i0-IN -j PVEFW-Drop
-A tap1008i0-IN -j DROP
-A tap1008i0-IN -m comment --comment "PVESIG:mXgPTLnFCN0C2KXKaHOarBf/ZO4"
-A tap1008i0-OUT -p udp -m udp --sport 68 --dport 67 -g PVEFW-SET-ACCEPT-MARK
-A tap1008i0-OUT -m mac ! --mac-source 00:16:3E:07:34:A9 -j DROP
-A tap1008i0-OUT -j MARK --set-xmark 0x0/0x80000000
-A tap1008i0-OUT -j GROUP-firewallrules-OUT
-A tap1008i0-OUT -m mark --mark 0x80000000/0x80000000 -j RETURN
-A tap1008i0-OUT -g PVEFW-SET-ACCEPT-MARK
-A tap1008i0-OUT -m comment --comment "PVESIG:NFSAGdEpT+STBgeLs+hVrW1Lwyc"
-A tap1009i0-IN -p udp -m udp --sport 67 --dport 68 -j ACCEPT
-A tap1009i0-IN -j GROUP-firewallrules-IN
-A tap1009i0-IN -m mark --mark 0x80000000/0x80000000 -j ACCEPT
-A tap1009i0-IN -j PVEFW-Drop
-A tap1009i0-IN -j DROP
-A tap1009i0-IN -m comment --comment "PVESIG:HGhGkIE3Uvw8m4U7Y6oR1+/TKNQ"
-A tap1009i0-OUT -p udp -m udp --sport 68 --dport 67 -g PVEFW-SET-ACCEPT-MARK
-A tap1009i0-OUT -m mac ! --mac-source 00:16:3E:18:D2:9D -j DROP
-A tap1009i0-OUT -j MARK --set-xmark 0x0/0x80000000
-A tap1009i0-OUT -j GROUP-firewallrules-OUT
-A tap1009i0-OUT -m mark --mark 0x80000000/0x80000000 -j RETURN
-A tap1009i0-OUT -g PVEFW-SET-ACCEPT-MARK
-A tap1009i0-OUT -m comment --comment "PVESIG:MDgUUBY8E7LrYUibIFZd0IxmZu8"
-A tap104i0-IN -p udp -m udp --sport 67 --dport 68 -j ACCEPT
-A tap104i0-IN -j GROUP-firewallrules-IN
-A tap104i0-IN -m mark --mark 0x80000000/0x80000000 -j ACCEPT
-A tap104i0-IN -j PVEFW-Drop
-A tap104i0-IN -j DROP
-A tap104i0-IN -m comment --comment "PVESIG:x+CS9zC7RD0WVKk7mnk19ioe9no"
-A tap104i0-OUT -p udp -m udp --sport 68 --dport 67 -g PVEFW-SET-ACCEPT-MARK
-A tap104i0-OUT -m mac ! --mac-source 7A:FD:3D:7E:F7:46 -j DROP
-A tap104i0-OUT -j MARK --set-xmark 0x0/0x80000000
-A tap104i0-OUT -j GROUP-firewallrules-OUT
-A tap104i0-OUT -m mark --mark 0x80000000/0x80000000 -j RETURN
-A tap104i0-OUT -g PVEFW-SET-ACCEPT-MARK
-A tap104i0-OUT -m comment --comment "PVESIG:sXQHPAP7VHhggrAXuL/uKa1KtyM"
-A tap105i0-IN -p udp -m udp --sport 67 --dport 68 -j ACCEPT
-A tap105i0-IN -j GROUP-firewallrules-IN
-A tap105i0-IN -m mark --mark 0x80000000/0x80000000 -j ACCEPT
-A tap105i0-IN -j PVEFW-Drop
-A tap105i0-IN -j DROP
-A tap105i0-IN -m comment --comment "PVESIG:FquqH8f+NeqZW9wkZRADofSazHI"
-A tap105i0-OUT -p udp -m udp --sport 68 --dport 67 -g PVEFW-SET-ACCEPT-MARK
-A tap105i0-OUT -m mac ! --mac-source F6:1E:71:4F:8D:C8 -j DROP
-A tap105i0-OUT -j MARK --set-xmark 0x0/0x80000000
-A tap105i0-OUT -j GROUP-firewallrules-OUT
-A tap105i0-OUT -m mark --mark 0x80000000/0x80000000 -j RETURN
-A tap105i0-OUT -g PVEFW-SET-ACCEPT-MARK
-A tap105i0-OUT -m comment --comment "PVESIG:rIYbKsLTPHgU1c3RA0JfYVDn/Fk"
-A tap112i0-IN -p udp -m udp --sport 67 --dport 68 -j ACCEPT
-A tap112i0-IN -j GROUP-firewallrules-IN
-A tap112i0-IN -m mark --mark 0x80000000/0x80000000 -j ACCEPT
-A tap112i0-IN -j PVEFW-Drop
-A tap112i0-IN -j DROP
-A tap112i0-IN -m comment --comment "PVESIG:cCJ6uZu0XBnJqTSy66tfO1Zyarw"
-A tap112i0-OUT -p udp -m udp --sport 68 --dport 67 -g PVEFW-SET-ACCEPT-MARK
-A tap112i0-OUT -m mac ! --mac-source 66:AD:3F:D3:E0:3C -j DROP
-A tap112i0-OUT -j MARK --set-xmark 0x0/0x80000000
-A tap112i0-OUT -j GROUP-firewallrules-OUT
-A tap112i0-OUT -m mark --mark 0x80000000/0x80000000 -j RETURN
-A tap112i0-OUT -g PVEFW-SET-ACCEPT-MARK
-A tap112i0-OUT -m comment --comment "PVESIG:lWvLZAtsyEGBE3zgu/QqlUNGAsE"
COMMIT
 

Attachments: Screenshot 2023-04-13 153200.png, Screenshot 2023-04-13 153150.png, iptables.txt
That's really strange, all seems to be fine.

The GROUP-firewallrules-OUT is correctly set in the different VMs' rules, and the drop rules are correct in the group.

What is the VMID from which you are testing?
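One way to check the claim above without reading the whole dump by eye is to trace a packet through the per-NIC chains the way netfilter would. The script below is an added example, not code from the thread or from pve-firewall: it parses an excerpt of the iptables-save output posted above (trimmed to the GROUP-firewallrules-IN/OUT chains, PVEFW-SET-ACCEPT-MARK and the tap104i0 chains of VM 104), follows -j/-g jumps and the 0x80000000 accept mark, and reports the verdict for a given port. It also lists rules that appear twice in a chain, which the posted dump does show (the dport 25, 465 and 587 DROPs occur twice in GROUP-firewallrules-OUT). Note that the trace starts at the tap104i0 chain, so it only models traffic that actually crosses the VM's bridge port. The `Packet` and `Rule` classes and the `trace` function are this example's own constructions; chains not included in the excerpt (such as PVEFW-Drop) are treated as giving no verdict.

```python
"""Trace a packet through the per-NIC chains of an iptables-save dump (pve-firewall layout).
Added example: parser and tracer are this script's own simplification of netfilter semantics."""
from __future__ import annotations
import shlex
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Options that take one argument (sufficient for the rule forms in the excerpt below).
ONE_ARG = {"-A", "-p", "-m", "-i", "-o", "-s", "-d", "-j", "-g", "--dport", "--sport",
           "--mark", "--set-xmark", "--comment", "--mac-source"}
TERMINAL = {"ACCEPT", "DROP", "REJECT"}

@dataclass
class Rule:
    chain: str = ""
    text: str = ""
    proto: Optional[str] = None
    dport: Optional[tuple] = None       # (lo, hi) destination port range
    mark: Optional[bool] = None         # -m mark --mark 0x80000000/0x80000000
    not_mac: Optional[str] = None       # -m mac ! --mac-source X (negated match)
    target: Optional[str] = None
    goto: bool = False                  # -g instead of -j
    set_mark: Optional[bool] = None     # value written by -j MARK --set-xmark

@dataclass
class Packet:
    proto: str = "tcp"
    dport: int = 0
    smac: str = "7a:fd:3d:7e:f7:46"     # VM 104's NIC MAC, taken from the posted dump

def parse_rule(line: str) -> Rule:
    r, toks, i, negate = Rule(text=line), shlex.split(line), 0, False
    while i < len(toks):
        t = toks[i]
        if t == "!":
            negate, i = True, i + 1
            continue
        arg = toks[i + 1] if t in ONE_ARG else None
        if t == "-A": r.chain = arg
        elif t == "-p": r.proto = arg
        elif t == "--dport":
            lo, _, hi = arg.partition(":")
            r.dport = (int(lo), int(hi or lo))
        elif t == "--mark": r.mark = not arg.startswith("0x0/")
        elif t == "--set-xmark": r.set_mark = not arg.startswith("0x0/")
        elif t == "--mac-source" and negate: r.not_mac = arg.lower()
        elif t in ("-j", "-g"): r.target, r.goto = arg, t == "-g"
        negate = False
        i += 2 if arg is not None else 1
    return r

def load(dump: str) -> dict:
    chains: dict = {}
    for line in dump.splitlines():
        if line.startswith("-A "):
            r = parse_rule(line)
            chains.setdefault(r.chain, []).append(r)
    return chains

def matches(r: Rule, pkt: Packet, mark: bool) -> bool:
    if r.proto and r.proto != pkt.proto: return False
    if r.dport and not r.dport[0] <= pkt.dport <= r.dport[1]: return False
    if r.mark is not None and r.mark != mark: return False
    if r.not_mac and pkt.smac == r.not_mac: return False  # fires only for *other* source MACs
    return True

def trace(chains: dict, chain: str, pkt: Packet, mark: bool = False):
    """Walk `chain` as netfilter would. Returns (verdict, mark); verdict None means the chain
    fell through or RETURNed, in which case the accept mark decides in the calling chain."""
    for r in chains.get(chain, []):
        if not matches(r, pkt, mark) or r.target is None:  # non-match or match-only (PVESIG comment)
            continue
        if r.target == "MARK":
            mark = r.set_mark
        elif r.target in TERMINAL:
            return r.target, mark
        elif r.target == "RETURN":
            return None, mark
        elif r.target in chains:             # user chain; chains absent from the excerpt give no verdict
            verdict, mark = trace(chains, r.target, pkt, mark)
            if verdict is not None or r.goto:  # -g: the callee's RETURN returns to *our* caller
                return verdict, mark
    return None, mark

def duplicate_rules(chains: dict) -> dict:
    """Rules that appear more than once in a chain (harmless, but a sign of config drift)."""
    out = {}
    for name, rules in chains.items():
        dups = [t for t, n in Counter(r.text for r in rules).items() if n > 1]
        if dups:
            out[name] = dups
    return out

# Excerpt of the iptables-save output posted in this thread, trimmed to VM 104's chains.
DUMP = """
-A GROUP-firewallrules-IN -j MARK --set-xmark 0x0/0x80000000
-A GROUP-firewallrules-IN -p tcp -m tcp --dport 26 -j DROP
-A GROUP-firewallrules-IN -p tcp -m tcp --dport 25 -g PVEFW-SET-ACCEPT-MARK
-A GROUP-firewallrules-OUT -j MARK --set-xmark 0x0/0x80000000
-A GROUP-firewallrules-OUT -p tcp -m tcp --dport 25 -j DROP
-A GROUP-firewallrules-OUT -p tcp -m tcp --dport 587 -j DROP
-A GROUP-firewallrules-OUT -p tcp -m tcp --dport 25 -j DROP
-A GROUP-firewallrules-OUT -m comment --comment "PVESIG:fSxOYjCTKqR/8tW3mhpRdcAz+t4"
-A PVEFW-SET-ACCEPT-MARK -j MARK --set-xmark 0x80000000/0x80000000
-A tap104i0-IN -p udp -m udp --sport 67 --dport 68 -j ACCEPT
-A tap104i0-IN -j GROUP-firewallrules-IN
-A tap104i0-IN -m mark --mark 0x80000000/0x80000000 -j ACCEPT
-A tap104i0-IN -j PVEFW-Drop
-A tap104i0-IN -j DROP
-A tap104i0-OUT -p udp -m udp --sport 68 --dport 67 -g PVEFW-SET-ACCEPT-MARK
-A tap104i0-OUT -m mac ! --mac-source 7A:FD:3D:7E:F7:46 -j DROP
-A tap104i0-OUT -j MARK --set-xmark 0x0/0x80000000
-A tap104i0-OUT -j GROUP-firewallrules-OUT
-A tap104i0-OUT -m mark --mark 0x80000000/0x80000000 -j RETURN
-A tap104i0-OUT -g PVEFW-SET-ACCEPT-MARK
"""
CHAINS = load(DUMP)

if __name__ == "__main__":
    for chain, port in (("tap104i0-OUT", 25), ("tap104i0-OUT", 443), ("tap104i0-IN", 25)):
        print(chain, port, trace(CHAINS, chain, Packet(dport=port)))
    print("duplicates:", duplicate_rules(CHAINS))
```

Run it against the full dump by replacing `DUMP` with the contents of iptables.txt. For VM 104 it reports DROP for outgoing TCP 25 and ACCEPT for incoming TCP 25, which matches the reply above: the rules are right for traffic that crosses the tap interface, so a connection that still succeeds must be taking a path that never enters those chains.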
 
That's really strange, all seems to be fine.

The GROUP-firewallrules-OUT is correctly set in the different VMs' rules, and the drop rules are correct in the group.

What is the VMID from which you are testing?
All VMIDs have the same issue, but the one I'm testing is 104.
I have also tried blocking incoming for port 25, and it shows the port as closed on the openportchecker website, but I am still able to access port 25 inside the VM, which is very strange. Any suggestions?
 
but still I am able to access port 25 inside the VM
So just to understand: your mail service is running within the VM, and you are testing your firewall by sending traffic/mails from within the VM to itself?

I'm not sure how the firewall behaves in that case, as it depends on how the packet flows through the different layers, see https://en.wikipedia.org/wiki/Iptables#/media/File:Netfilter-packet-flow.svg

Please test the ports/connectivity from another VM, the host, or an outside service (you mentioned the port shows up as closed in openportchecker).
 
So just to understand: your mail service is running within the VM, and you are testing your firewall by sending traffic/mails from within the VM to itself?

I'm not sure how the firewall behaves in that case, as it depends on how the packet flows through the different layers, see https://en.wikipedia.org/wiki/Iptables#/media/File:Netfilter-packet-flow.svg

Please test the ports/connectivity from another VM, the host, or an outside service (you mentioned the port shows up as closed in openportchecker).
Hello there,
No, it only shows closed in openportchecker when I drop both incoming and outgoing. Whenever I drop only outgoing, it shows as open.
Yes, my mail server is running within the VM, and I am testing the firewall by telnetting into the same VM. I tried to send mail from a different IP using mail2web and other services, and the mail is able to go through, which is very strange.
When I test port 25 using the telnet command from another VM or from my main IP, it shows connection failed. But why is the VM allowed to connect to it? I don't want it that way.
 
Whenever I drop only outgoing, it shows as open.
Of course, in that case only outgoing (relative to the VM) traffic is filtered; incoming is still allowed.
I tried to send mail from a different IP using mail2web and other services, and the mail is able to go through, which is very strange.
From where to where, with which rules applied?
Again, if you have outgoing traffic dropped, then clients from the outside can still make an incoming (relative to your VM) connection. If you also drop incoming connections, then clients from the outside will not be able to connect to your VM.
When I test port 25 using the telnet command from another VM or from my main IP, it shows connection failed.
As expected.
But why is the VM allowed to connect to it? I don't want it that way.
Because the traffic from within the VM to itself does not necessarily go through the filters as you might expect. Is there a reason you don't want this?
 
Can you send the result of

#ip addr
#brctl show

on the node where the VM is running?
For ip addr:

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: enp9s0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000
link/ether 04:**:**:8d:30:26 brd ff:ff:ff:ff:ff:ff
3: ens9: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq master vmbr0 state UP group default qlen 1000
link/ether 00:02:**:**:a9:44 brd ff:ff:ff:ff:ff:ff
4: vmbr0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
link/ether 00:02:**:c1:a9:** brd ff:ff:ff:ff:ff:ff
inet 204.12.***.***/29 brd 204.12.***.*** scope global vmbr0
valid_lft forever preferred_lft forever

For brctl show:

bridge name bridge id STP enabled interfaces
fwbr1001i0 *.3e02039cc8f4 no fwln1001i0
tap1001i0
fwbr1002i0 *.3a6c74569573 no fwln1002i0
tap1002i0
fwbr1004i0 *.a22bdaf24921 no fwln1004i0
tap1004i0
fwbr1005i0 *.66d97968bc38 no fwln1005i0
tap1005i0
fwbr1006i0 *.b6a44375c4ae no fwln1006i0
tap1006i0
fwbr1007i0 *.7afcc074d63b no fwln1007i0
tap1007i0
fwbr1008i0 *.16ae0c35e49d no fwln1008i0
tap1008i0
fwbr1009i0 *.6a1fde6c7de4 no fwln1009i0
tap1009i0
fwbr104i0 *.528728d03028 no fwln104i0
tap104i0
fwbr105i0 *.1262fd2f31ca no fwln105i0
tap105i0
fwbr112i0 *.facc16950f9d no fwln112i0
tap112i0
vmbr0 *.0002c9c1a944 no ens9
fwpr1001p0
fwpr1002p0
fwpr1004p0
fwpr1005p0
fwpr1006p0
fwpr1007p0
fwpr1008p0
fwpr1009p0
fwpr104p0
fwpr105p0
fwpr112p0
inet6 fe80::***:c9ff:fec1:***/64 scope link
valid_lft forever preferred_lft forever
276: tap1004i0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master fwbr1004i0 state UNKNOWN group default qlen 1000
link/ether fa:**:b1:**:03:f5 brd ff:ff:ff:ff:ff:ff
279: tap1005i0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master fwbr1005i0 state UNKNOWN group default qlen 1000
link/ether f2:63:ef:**:**:a9 brd ff:ff:ff:ff:ff:ff
283: tap1007i0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master fwbr1007i0 state UNKNOWN group default qlen 1000
 
