Firewall Rules for VM do not work

Oct 18, 2016
Hello,
I'm trying to set some firewall rules for a VM, but they do not take effect.
  • Setup: Proxmox 5.1
  • Network: Bridge connected to public interface
  • Problem: Firewall rules on VM level don't take effect
  • INPUT Policy Datacenter: REJECT
  • INPUT Policy VM: REJECT

Additional info:

/etc/pve/firewall/cluster.fw:
[OPTIONS]

policy_in: REJECT
enable: 1

[RULES]

IN ACCEPT -dest <host ip> -p tcp -dport 8006 # Allow PVE WebAdmin
IN ACCEPT -dest <host ip> -p tcp -dport 3128 # Allow SPICE
IN ACCEPT -dest <host ip> -p tcp -dport 22 # Allow SSH


/etc/pve/firewall/node-fw:
[OPTIONS]

ipfilter: 1
policy_in: REJECT
enable: 1
log_level_in: info
log_level_out: info

[RULES]

IN REJECT -dest <vm ip> -p tcp -dport 3389
IN HTTPS(REJECT) -dest <vm ip> # REJECT HTTPS


iptables -L excerpt:

Chain INPUT
PVEFW-INPUT all -- anywhere anywhere

Chain PVEFW-INPUT (1 references)
target prot opt source destination
PVEFW-HOST-IN all -- anywhere anywhere
all -- anywhere anywhere /* PVESIG:+5iMmLaxKXynOB/+5xibfx7WhFk */


Chain PVEFW-HOST-IN (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
DROP all -- anywhere anywhere ctstate INVALID
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
RETURN igmp -- anywhere anywhere
PVEFW-reject tcp -- anywhere vm.example.com tcp dpt:3389


So what I see is that no rule will ever trigger, as the first rule is an ACCEPT ALL.

How can I change that?

If I can't change it, how are the VM rules supposed to have any effect?

Why do I have only the options to setup rules for IN/OUT but not for FORWARD?

As mentioned in the docs, I restarted the VM after activating the firewall, with no change. It might be that I haven't really understood how the firewall is supposed to be set up. When I drop the pve firewall and do all my config manually, everything works as expected.

Regards

Marc Schaefer
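The excerpt above is from `iptables -L`, which only lists chains hanging off INPUT and prints interface matches nowhere; the generated `PVEFW-HOST-IN` chain begins with an accept on the loopback interface (`-i lo`), which that output shows as a bare `ACCEPT all -- anywhere anywhere`. VM-level rules are not applied in INPUT at all: pve-firewall inserts them into FORWARD, via `PVEFW-FORWARD` and `PVEFW-FWBR-IN`/`PVEFW-FWBR-OUT`, into per-interface chains named `tap<vmid>i<n>-IN`/`-OUT`, and it only creates those chains for a guest interface whose `netX:` line in the VM config carries `firewall=1`. The script below is an added example, not code from the original post or from Proxmox; it parses an `iptables-save`-style dump and a VM `netX:` line and reports whether the VM's rules can be reached. Both the dump and the config line are constructed samples (VM 100 with `firewall=1` and a 3389 reject; VM 101 without the flag); on a real node you would feed it `iptables-save -t filter` and the line from `/etc/pve/qemu-server/<vmid>.conf`.

```shell
#!/bin/sh
# Added example: does pve-firewall actually hook a VM's interfaces into
# FORWARD? Works from iptables-save text plus the VM's netX config line.
# All inputs below are constructed samples, not output from a real node.

# Constructed, trimmed iptables-save -t filter output for a node where
# VM 100's net0 has firewall=1. Chain names follow pve-firewall's naming
# (PVEFW-FORWARD, PVEFW-FWBR-IN/OUT, tap<vmid>i<n>-IN/OUT).
SAMPLE_DUMP='
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:PVEFW-FORWARD - [0:0]
:PVEFW-FWBR-IN - [0:0]
:PVEFW-FWBR-OUT - [0:0]
:PVEFW-HOST-IN - [0:0]
:PVEFW-INPUT - [0:0]
:PVEFW-reject - [0:0]
:tap100i0-IN - [0:0]
:tap100i0-OUT - [0:0]
-A INPUT -j PVEFW-INPUT
-A FORWARD -j PVEFW-FORWARD
-A PVEFW-FORWARD -m physdev --physdev-is-bridged --physdev-in fwln+ -j PVEFW-FWBR-IN
-A PVEFW-FORWARD -m physdev --physdev-is-bridged --physdev-out fwln+ -j PVEFW-FWBR-OUT
-A PVEFW-FWBR-IN -m physdev --physdev-is-bridged --physdev-out tap100i0 -j tap100i0-IN
-A PVEFW-FWBR-OUT -m physdev --physdev-is-bridged --physdev-in tap100i0 -j tap100i0-OUT
-A PVEFW-HOST-IN -i lo -j ACCEPT
-A PVEFW-INPUT -j PVEFW-HOST-IN
-A tap100i0-IN -p tcp -m tcp --dport 3389 -j PVEFW-reject
COMMIT
'

# Print yes if a VM netX config line enables the firewall on that NIC.
# $1: e.g. "net0: virtio=AA:BB:CC:DD:EE:FF,bridge=vmbr0,firewall=1"
netdev_firewall_enabled() {
    case ",$1," in
        *,firewall=1,*) echo yes ;;
        *) echo no ;;
    esac
}

# Print yes if the kernel FORWARD chain jumps into PVEFW-FORWARD at all.
# $1: iptables-save text
forward_hooked() {
    if printf '%s\n' "$1" | grep -q -e '^-A FORWARD -j PVEFW-FORWARD$'; then
        echo yes
    else
        echo no
    fi
}

# Print how many PVEFW-FWBR-IN rules hand inbound traffic for VM $2's
# tap<vmid>i<n> interfaces to their per-interface -IN chains.
# $1: iptables-save text, $2: vmid
vm_in_chain_hooks() {
    printf '%s\n' "$1" | grep -c -e "^-A PVEFW-FWBR-IN .*--physdev-out tap$2i[0-9]* -j tap$2i[0-9]*-IN$" || true
}

# One verdict line per VM, checked in the order a practitioner would:
# NIC flag, then the FORWARD hook, then the per-interface hook.
# $1: iptables-save text, $2: vmid, $3: the VM's netX config line
check_vm() {
    fw=$(netdev_firewall_enabled "$3")
    fwd=$(forward_hooked "$1")
    hooks=$(vm_in_chain_hooks "$1" "$2")
    if [ "$fw" = no ]; then
        echo "vm $2: firewall=1 missing on netdev; pve-firewall will not create tap$2iN chains"
    elif [ "$fwd" = no ]; then
        echo "vm $2: FORWARD does not jump to PVEFW-FORWARD; is pve-firewall enabled and running?"
    elif [ "$hooks" -eq 0 ]; then
        echo "vm $2: no PVEFW-FWBR-IN hook for tap$2iN; VM rules cannot be hit"
    else
        echo "vm $2: $hooks interface hook(s) in PVEFW-FWBR-IN; VM rules are live"
    fi
}

# Stand-alone run against the constructed sample.
check_vm "$SAMPLE_DUMP" 100 'net0: virtio=AA:BB:CC:DD:EE:FF,bridge=vmbr0,firewall=1'
check_vm "$SAMPLE_DUMP" 101 'net0: virtio=AA:BB:CC:DD:EE:FF,bridge=vmbr0'
```

The script deliberately reads FORWARD rather than INPUT: INPUT (and the host-level file at `/etc/pve/nodes/<node>/host.fw`) only governs traffic addressed to the node itself, which is why there is no FORWARD section in the per-VM or host rule files; bridged guest traffic is matched on the `physdev` of the tap interface instead. To see the rule set as pve-firewall generates it, rather than the column-truncated `iptables -L` view, use `iptables -S` (or `pve-firewall compile`).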