[SOLVED] Firewall rules seem to have no impact on LXC containers

phorcys

I'm trying to set up Proxmox VE firewall rules; except those rules don't seem to do anything at the CT level.
I had enabled firewalling at:
  • Datacenter level
  • PVE level
  • CT's vNIC (net0) level
  • CT level
^ The minute I enable firewalling completely, I can see that all the incoming connections are dropped regardless of the firewall rules.
Even with the INPUT policy set to ACCEPT, the same issue persists, but that's nothing surprising.

Even if I disable the firewall on both the vNIC and the Firewall tab, my host is still unreachable.
Some could say it is due to my unprivileged: 0 but it seems that CTs with unprivileged: 1 are affected by the same issue.

I did not try VMs since I do not run any.

Here is the example of LXC 103 that should be firewalled:
pct config 103
INI:
arch: amd64
features: fuse=1,keyctl=1,nesting=1
hostname: hostsrv
memory: 12288
mp0: local-lvm:vm-103-disk-1,mp=/certs,backup=1,size=8G
mp1: local-lvm:vm-103-disk-2,mp=/hostsrv,backup=1,size=20G
mp2: local-lvm:vm-103-disk-3,mp=/var/lib/docker/volumes,backup=1,size=20G
net0: name=eth0,bridge=vmbr0,firewall=1,gw=192.168.1.254,gw6=dead:bef:dead:beef::1,hwaddr=CE:CB:63:82:BF:BB,ip=192.168.1.2/24,ip6=2a01:e34:ec6b:6a20::2/64,type=veth
onboot: 1
ostype: debian
rootfs: local-lvm:vm-103-disk-0,size=125G
swap: 8192
unprivileged: 0

/etc/pve/firewall/103.fw
INI:
[OPTIONS]

log_level_in: debug
log_level_out: debug
enable: 1

[RULES]

IN HTTPS(ACCEPT) -i net0 -log nolog
IN HTTP(ACCEPT) -i net0 -log nolog
GROUP mail -i net0
GROUP matrix -i net0
IN ACCEPT -i net0 -p tcp -dport 22 -log info # SSH
IN Ping(ACCEPT) -i net0 -log nolog
IN Ping(ACCEPT) -log nolog

Maybe I could be configuring my rules in a bad way?
NOTE: There is nothing under Firewall > Log ever
NOTE²: I did my testing by pinging first, then by SSHing once with the SSH rule using the SSH macro and once without.
NOTE³: All of the testing in the above NOTE works fine with firewall disabled on all levels.
 
Can you post your iptables-save output when your firewall is enabled like you planned?
 
iptables-save output :
Code:
# Generated by iptables-save v1.8.7 on Fri Jun 10 11:11:14 2022
*raw
:PREROUTING ACCEPT [18223:3921742]
:OUTPUT ACCEPT [5338:2205785]
COMMIT
# Completed on Fri Jun 10 11:11:14 2022
# Generated by iptables-save v1.8.7 on Fri Jun 10 11:11:14 2022
*filter
:INPUT ACCEPT [21:12548]
:FORWARD ACCEPT [2438:203584]
:OUTPUT ACCEPT [0:0]
:GROUP-mail-IN - [0:0]
:GROUP-mail-OUT - [0:0]
:GROUP-management-IN - [0:0]
:GROUP-management-OUT - [0:0]
:GROUP-matrix-IN - [0:0]
:GROUP-matrix-OUT - [0:0]
:PVEFW-Drop - [0:0]
:PVEFW-DropBroadcast - [0:0]
:PVEFW-FORWARD - [0:0]
:PVEFW-FWBR-IN - [0:0]
:PVEFW-FWBR-OUT - [0:0]
:PVEFW-HOST-IN - [0:0]
:PVEFW-HOST-OUT - [0:0]
:PVEFW-INPUT - [0:0]
:PVEFW-OUTPUT - [0:0]
:PVEFW-Reject - [0:0]
:PVEFW-SET-ACCEPT-MARK - [0:0]
:PVEFW-logflags - [0:0]
:PVEFW-reject - [0:0]
:PVEFW-smurflog - [0:0]
:PVEFW-smurfs - [0:0]
:PVEFW-tcpflags - [0:0]
:veth103i0-IN - [0:0]
:veth103i0-OUT - [0:0]
-A INPUT -j PVEFW-INPUT
-A FORWARD -j PVEFW-FORWARD
-A OUTPUT -j PVEFW-OUTPUT
-A GROUP-mail-IN -j MARK --set-xmark 0x0/0x80000000
-A GROUP-mail-IN -p tcp -m tcp --sport 4190 --dport 4190 -g PVEFW-SET-ACCEPT-MARK
-A GROUP-mail-IN -p tcp -m tcp --dport 993 -g PVEFW-SET-ACCEPT-MARK
-A GROUP-mail-IN -p tcp -m tcp --dport 143 -g PVEFW-SET-ACCEPT-MARK
-A GROUP-mail-IN -p tcp -m tcp --dport 465 -g PVEFW-SET-ACCEPT-MARK
-A GROUP-mail-IN -p tcp -m tcp --dport 25 -g PVEFW-SET-ACCEPT-MARK
-A GROUP-mail-IN -m comment --comment "PVESIG:R8p+EwUbYY2Ci+PaFHpU6nOT3JE"
-A GROUP-mail-OUT -j MARK --set-xmark 0x0/0x80000000
-A GROUP-mail-OUT -m comment --comment "PVESIG:nncsEyXSeY27koDZ8Tc81E6Tjck"
-A GROUP-management-IN -j MARK --set-xmark 0x0/0x80000000
-A GROUP-management-IN -p udp -m multiport --dports 5404,5405 -g PVEFW-SET-ACCEPT-MARK
-A GROUP-management-IN -p udp -m udp --dport 111 -g PVEFW-SET-ACCEPT-MARK
-A GROUP-management-IN -p tcp -m tcp --dport 5900:5999 -g PVEFW-SET-ACCEPT-MARK
-A GROUP-management-IN -p tcp -m tcp --dport 22 -g PVEFW-SET-ACCEPT-MARK
-A GROUP-management-IN -p tcp -m tcp --dport 8006 -g PVEFW-SET-ACCEPT-MARK
-A GROUP-management-IN -m comment --comment "PVESIG:vZHXHSbKxiCO2v4cajOy9kzITdA"
-A GROUP-management-OUT -j MARK --set-xmark 0x0/0x80000000
-A GROUP-management-OUT -m comment --comment "PVESIG:507jzQvmkj7pyZYZEiI0n/PJt4A"
-A GROUP-matrix-IN -j MARK --set-xmark 0x0/0x80000000
-A GROUP-matrix-IN -p udp -m udp --dport 10000 -g PVEFW-SET-ACCEPT-MARK
-A GROUP-matrix-IN -p udp -m multiport --dports 3478,5349 -g PVEFW-SET-ACCEPT-MARK
-A GROUP-matrix-IN -p tcp -m multiport --dports 3478,5349,49152:49172 -g PVEFW-SET-ACCEPT-MARK
-A GROUP-matrix-IN -p tcp -m tcp --dport 3002 -g PVEFW-SET-ACCEPT-MARK
-A GROUP-matrix-IN -p tcp -m multiport --dports 8008,8009 -g PVEFW-SET-ACCEPT-MARK
-A GROUP-matrix-IN -m comment --comment "PVESIG:u7L5qxE+15hfiW9v0K5REP9g8aE"
-A GROUP-matrix-OUT -j MARK --set-xmark 0x0/0x80000000
-A GROUP-matrix-OUT -m comment --comment "PVESIG:S7YVy9bvXoOdzTgveG/vpOAZAO4"
-A PVEFW-Drop -j PVEFW-DropBroadcast
-A PVEFW-Drop -p icmp -m icmp --icmp-type 3/4 -j ACCEPT
-A PVEFW-Drop -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A PVEFW-Drop -m conntrack --ctstate INVALID -j DROP
-A PVEFW-Drop -p udp -m multiport --dports 135,445 -j DROP
-A PVEFW-Drop -p udp -m udp --dport 137:139 -j DROP
-A PVEFW-Drop -p udp -m udp --sport 137 --dport 1024:65535 -j DROP
-A PVEFW-Drop -p tcp -m multiport --dports 135,139,445 -j DROP
-A PVEFW-Drop -p udp -m udp --dport 1900 -j DROP
-A PVEFW-Drop -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -j DROP
-A PVEFW-Drop -p udp -m udp --sport 53 -j DROP
-A PVEFW-Drop -m comment --comment "PVESIG:83WlR/a4wLbmURFqMQT3uJSgIG8"
-A PVEFW-DropBroadcast -m addrtype --dst-type BROADCAST -j DROP
-A PVEFW-DropBroadcast -m addrtype --dst-type MULTICAST -j DROP
-A PVEFW-DropBroadcast -m addrtype --dst-type ANYCAST -j DROP
-A PVEFW-DropBroadcast -d 224.0.0.0/4 -j DROP
-A PVEFW-DropBroadcast -m comment --comment "PVESIG:NyjHNAtFbkH7WGLamPpdVnxHy4w"
-A PVEFW-FORWARD -m conntrack --ctstate INVALID -j DROP
-A PVEFW-FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A PVEFW-FORWARD -m physdev --physdev-in fwln+ --physdev-is-bridged -j PVEFW-FWBR-IN
-A PVEFW-FORWARD -m physdev --physdev-out fwln+ --physdev-is-bridged -j PVEFW-FWBR-OUT
-A PVEFW-FORWARD -m comment --comment "PVESIG:qnNexOcGa+y+jebd4dAUqFSp5nw"
-A PVEFW-FWBR-IN -m conntrack --ctstate INVALID,NEW -j PVEFW-smurfs
-A PVEFW-FWBR-IN -m physdev --physdev-out veth103i0 --physdev-is-bridged -j veth103i0-IN
-A PVEFW-FWBR-IN -m comment --comment "PVESIG:ghVH/OAMBt53LjVQpJ0+wK6E/nc"
-A PVEFW-FWBR-OUT -m physdev --physdev-in veth103i0 --physdev-is-bridged -j veth103i0-OUT
-A PVEFW-FWBR-OUT -m comment --comment "PVESIG:aNTzcw96U6XnO61Hb/j8f3XINls"
-A PVEFW-HOST-IN -i lo -j ACCEPT
-A PVEFW-HOST-IN -m conntrack --ctstate INVALID -j DROP
-A PVEFW-HOST-IN -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A PVEFW-HOST-IN -m conntrack --ctstate INVALID,NEW -j PVEFW-smurfs
-A PVEFW-HOST-IN -p igmp -j RETURN
-A PVEFW-HOST-IN -p icmp -m icmp --icmp-type 8 -j RETURN
-A PVEFW-HOST-IN -i vmbr0 -p icmp -m icmp --icmp-type 8 -j RETURN
-A PVEFW-HOST-IN -i vmbr0 -j GROUP-management-IN
-A PVEFW-HOST-IN -m mark --mark 0x80000000/0x80000000 -j RETURN
-A PVEFW-HOST-IN -p tcp -m set --match-set PVEFW-0-management-v4 src -m tcp --dport 8006 -j RETURN
-A PVEFW-HOST-IN -p tcp -m set --match-set PVEFW-0-management-v4 src -m tcp --dport 5900:5999 -j RETURN
-A PVEFW-HOST-IN -p tcp -m set --match-set PVEFW-0-management-v4 src -m tcp --dport 3128 -j RETURN
-A PVEFW-HOST-IN -p tcp -m set --match-set PVEFW-0-management-v4 src -m tcp --dport 22 -j RETURN
-A PVEFW-HOST-IN -p tcp -m set --match-set PVEFW-0-management-v4 src -m tcp --dport 60000:60050 -j RETURN
-A PVEFW-HOST-IN -j PVEFW-Drop
-A PVEFW-HOST-IN -j DROP
-A PVEFW-HOST-IN -m comment --comment "PVESIG:eW9lPZTBvp1u4ziZ0TxqylIzUQw"
-A PVEFW-HOST-OUT -o lo -j ACCEPT
-A PVEFW-HOST-OUT -m conntrack --ctstate INVALID -j DROP
-A PVEFW-HOST-OUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A PVEFW-HOST-OUT -p igmp -j RETURN
-A PVEFW-HOST-OUT -o vmbr0 -j GROUP-management-OUT
-A PVEFW-HOST-OUT -m mark --mark 0x80000000/0x80000000 -j RETURN
-A PVEFW-HOST-OUT -d 192.168.1.0/24 -p tcp -m tcp --dport 8006 -j RETURN
-A PVEFW-HOST-OUT -d 192.168.1.0/24 -p tcp -m tcp --dport 22 -j RETURN
-A PVEFW-HOST-OUT -d 192.168.1.0/24 -p tcp -m tcp --dport 5900:5999 -j RETURN
-A PVEFW-HOST-OUT -d 192.168.1.0/24 -p tcp -m tcp --dport 3128 -j RETURN
-A PVEFW-HOST-OUT -j RETURN
-A PVEFW-HOST-OUT -m comment --comment "PVESIG:pfbx/Tfk24GY7a0Y/aSmiTYuMxM"
-A PVEFW-INPUT -j PVEFW-HOST-IN
-A PVEFW-INPUT -m comment --comment "PVESIG:+5iMmLaxKXynOB/+5xibfx7WhFk"
-A PVEFW-OUTPUT -j PVEFW-HOST-OUT
-A PVEFW-OUTPUT -m comment --comment "PVESIG:LjHoZeSSiWAG3+2ZAyL/xuEehd0"
-A PVEFW-Reject -j PVEFW-DropBroadcast
-A PVEFW-Reject -p icmp -m icmp --icmp-type 3/4 -j ACCEPT
-A PVEFW-Reject -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A PVEFW-Reject -m conntrack --ctstate INVALID -j DROP
-A PVEFW-Reject -p udp -m multiport --dports 135,445 -j PVEFW-reject
-A PVEFW-Reject -p udp -m udp --dport 137:139 -j PVEFW-reject
-A PVEFW-Reject -p udp -m udp --sport 137 --dport 1024:65535 -j PVEFW-reject
-A PVEFW-Reject -p tcp -m multiport --dports 135,139,445 -j PVEFW-reject
-A PVEFW-Reject -p udp -m udp --dport 1900 -j DROP
-A PVEFW-Reject -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -j DROP
-A PVEFW-Reject -p udp -m udp --sport 53 -j DROP
-A PVEFW-Reject -m comment --comment "PVESIG:h3DyALVslgH5hutETfixGP08w7c"
-A PVEFW-SET-ACCEPT-MARK -j MARK --set-xmark 0x80000000/0x80000000
-A PVEFW-SET-ACCEPT-MARK -m comment --comment "PVESIG:Hg/OIgIwJChBUcWU8Xnjhdd2jUY"
-A PVEFW-logflags -j DROP
-A PVEFW-logflags -m comment --comment "PVESIG:MN4PH1oPZeABMuWr64RrygPfW7A"
-A PVEFW-reject -m addrtype --dst-type BROADCAST -j DROP
-A PVEFW-reject -s 224.0.0.0/4 -j DROP
-A PVEFW-reject -p icmp -j DROP
-A PVEFW-reject -p tcp -j REJECT --reject-with tcp-reset
-A PVEFW-reject -p udp -j REJECT --reject-with icmp-port-unreachable
-A PVEFW-reject -p icmp -j REJECT --reject-with icmp-host-unreachable
-A PVEFW-reject -j REJECT --reject-with icmp-host-prohibited
-A PVEFW-reject -m comment --comment "PVESIG:Jlkrtle1mDdtxDeI9QaDSL++Npc"
-A PVEFW-smurflog -j DROP
-A PVEFW-smurflog -m comment --comment "PVESIG:2gfT1VMkfr0JL6OccRXTGXo+1qk"
-A PVEFW-smurfs -s 0.0.0.0/32 -j RETURN
-A PVEFW-smurfs -m addrtype --src-type BROADCAST -g PVEFW-smurflog
-A PVEFW-smurfs -s 224.0.0.0/4 -g PVEFW-smurflog
-A PVEFW-smurfs -m comment --comment "PVESIG:HssVe5QCBXd5mc9kC88749+7fag"
-A PVEFW-tcpflags -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -g PVEFW-logflags
-A PVEFW-tcpflags -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -g PVEFW-logflags
-A PVEFW-tcpflags -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -g PVEFW-logflags
-A PVEFW-tcpflags -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -g PVEFW-logflags
-A PVEFW-tcpflags -p tcp -m tcp --sport 0 --tcp-flags FIN,SYN,RST,ACK SYN -g PVEFW-logflags
-A PVEFW-tcpflags -m comment --comment "PVESIG:CMFojwNPqllyqD67NeI5m+bP5mo"
-A veth103i0-IN -p udp -m udp --sport 67 --dport 68 -j ACCEPT
-A veth103i0-IN -p tcp -m tcp --dport 443 -j ACCEPT
-A veth103i0-IN -p tcp -m tcp --dport 80 -j ACCEPT
-A veth103i0-IN -j GROUP-mail-IN
-A veth103i0-IN -m mark --mark 0x80000000/0x80000000 -j ACCEPT
-A veth103i0-IN -j GROUP-matrix-IN
-A veth103i0-IN -m mark --mark 0x80000000/0x80000000 -j ACCEPT
-A veth103i0-IN -p tcp -m tcp --dport 22 -m limit --limit 1/sec -j NFLOG --nflog-prefix  ":103:6:veth103i0-IN: ACCEPT: "
-A veth103i0-IN -p tcp -m tcp --dport 22 -j ACCEPT
-A veth103i0-IN -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A veth103i0-IN -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A veth103i0-IN -j PVEFW-Drop
-A veth103i0-IN -m limit --limit 1/sec -j NFLOG --nflog-prefix  ":103:7:veth103i0-IN: policy DROP: "
-A veth103i0-IN -j DROP
-A veth103i0-IN -m comment --comment "PVESIG:d3aSG+qsJ6Gwr+zAgk09v0X0R3A"
-A veth103i0-OUT -p udp -m udp --sport 68 --dport 67 -g PVEFW-SET-ACCEPT-MARK
-A veth103i0-OUT -m mac ! --mac-source ce:cb:63:82:bf:bb -j DROP
-A veth103i0-OUT -j MARK --set-xmark 0x0/0x80000000
-A veth103i0-OUT -j GROUP-mail-OUT
-A veth103i0-OUT -m mark --mark 0x80000000/0x80000000 -j RETURN
-A veth103i0-OUT -j GROUP-matrix-OUT
-A veth103i0-OUT -m mark --mark 0x80000000/0x80000000 -j RETURN
-A veth103i0-OUT -g PVEFW-SET-ACCEPT-MARK
-A veth103i0-OUT -m comment --comment "PVESIG:c2s3yXvm7VSYyfa422/pc0hA+2Q"
COMMIT
# Completed on Fri Jun 10 11:11:14 2022
 
When I see this line

Code:
...
-A veth103i0-OUT -m mac ! --mac-source ce:cb:63:82:bf:bb -j DROP
...

Can I ask if the container still answers ping requests with & without the firewall enabled?
 
The container does not answer pings when the firewall is enabled, but it does when it is disabled.
PS: My testing is done from another device on the LAN (not from the Proxmox host itself)

EDIT: it does !?
Before sending the iptables-save output when you asked me, I noticed docker was previously installed on the pve host (seriously...) and that there were leftover rules, so I removed all of those. Now that I retry, my rules DO take effect. If I disable the Ping entry, the CT does not answer pings anymore; if I re-enable it, it answers pings again!

Thanks for your help :)
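The root cause in this thread was not the rule syntax but something sitting in front of the PVE chains in the host's FORWARD chain. The following script is an added example (not from the thread, not Proxmox code) that parses `iptables-save` output and reports three things a practitioner would check in this situation: the FORWARD policy, whether FORWARD's first rule still jumps to PVEFW-FORWARD, and which user chains were not generated by pve-firewall at all. The chain names (veth103i0-IN, PVEFW-FORWARD, PVEFW-FWBR-IN) and the "clean" sample are taken from the dump posted above, trimmed to the lines the trace needs; the second sample with DOCKER-USER / DOCKER-ISOLATION-STAGE-1 chains and a DROP policy is constructed to illustrate the leftover-Docker case and is an assumption about what such leftovers look like. The chain-ownership heuristic (`PVE_OWNED` prefixes) is mine, not a Proxmox API.

```python
"""Trace whether inbound traffic to a CT's veth chain on a Proxmox VE host can
actually reach the PVE-generated rules, and flag foreign chains in front of it.
Added example; the Docker leftover sample is constructed, not from the thread."""
import re
from collections import OrderedDict

# Chain name prefixes pve-firewall generates (assumption based on the dump above).
PVE_OWNED = ("PVEFW-", "GROUP-", "veth", "tap", "fwbr")
BUILTIN = {"INPUT", "FORWARD", "OUTPUT", "PREROUTING", "POSTROUTING"}


def parse_filter_table(dump):
    """Return (policies, chains) for the *filter table of an iptables-save dump.
    policies: chain -> policy ('-' for user chains); chains: chain -> rule strings."""
    policies, chains = OrderedDict(), OrderedDict()
    in_filter = False
    for line in dump.splitlines():
        line = line.strip()
        if line.startswith("*"):
            in_filter = (line == "*filter")
            continue
        if not in_filter or line == "COMMIT" or line.startswith("#"):
            continue
        if line.startswith(":"):
            name, policy = line[1:].split()[:2]
            policies[name] = policy
            chains.setdefault(name, [])
        elif line.startswith("-A "):
            _, name, rule = line.split(" ", 2)
            chains.setdefault(name, []).append(rule)
    return policies, chains


def jump_target(rule):
    """Target of a -j / -g clause, or None for a rule that only matches."""
    m = re.search(r"\s-[jg]\s+(\S+)", " " + rule)
    return m.group(1) if m else None


def foreign_chains(chains):
    """User chains that neither the kernel nor pve-firewall created (e.g. DOCKER*)."""
    return [c for c in chains if c not in BUILTIN and not c.startswith(PVE_OWNED)]


def forward_path_ok(chains):
    """pve-firewall wants FORWARD's first rule to be the jump to PVEFW-FORWARD;
    anything inserted ahead of it (Docker uses `iptables -I FORWARD`) runs first."""
    rules = chains.get("FORWARD", [])
    return bool(rules) and jump_target(rules[0]) == "PVEFW-FORWARD"


def accepted_tcp_dports(chains, iface_chain):
    """TCP dports with a direct ACCEPT in the CT's -IN chain (macros expand to these)."""
    ports = []
    for rule in chains.get(iface_chain, []):
        m = re.search(r"-p tcp .*--dport (\S+) -j ACCEPT", rule)
        if m:
            ports.append(m.group(1))
    return ports


def diagnose(dump, iface_chain="veth103i0-IN"):
    policies, chains = parse_filter_table(dump)
    return {
        "forward_policy": policies.get("FORWARD"),
        "forward_path_ok": forward_path_ok(chains),
        "foreign_chains": foreign_chains(chains),
        "accepted_tcp_dports": accepted_tcp_dports(chains, iface_chain),
    }


# Sample 1: trimmed from the iptables-save output posted in the thread.
CLEAN_DUMP = """# Generated by iptables-save v1.8.7 on Fri Jun 10 11:11:14 2022
*raw
:PREROUTING ACCEPT [18223:3921742]
:OUTPUT ACCEPT [5338:2205785]
COMMIT
*filter
:INPUT ACCEPT [21:12548]
:FORWARD ACCEPT [2438:203584]
:OUTPUT ACCEPT [0:0]
:PVEFW-FORWARD - [0:0]
:PVEFW-FWBR-IN - [0:0]
:veth103i0-IN - [0:0]
-A FORWARD -j PVEFW-FORWARD
-A PVEFW-FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A PVEFW-FORWARD -m physdev --physdev-in fwln+ --physdev-is-bridged -j PVEFW-FWBR-IN
-A PVEFW-FWBR-IN -m physdev --physdev-out veth103i0 --physdev-is-bridged -j veth103i0-IN
-A veth103i0-IN -p tcp -m tcp --dport 443 -j ACCEPT
-A veth103i0-IN -p tcp -m tcp --dport 80 -j ACCEPT
-A veth103i0-IN -p tcp -m tcp --dport 22 -m limit --limit 1/sec -j NFLOG --nflog-prefix  ":103:6:veth103i0-IN: ACCEPT: "
-A veth103i0-IN -p tcp -m tcp --dport 22 -j ACCEPT
-A veth103i0-IN -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A veth103i0-IN -j DROP
COMMIT
"""

# Sample 2 (constructed): the same host with leftover Docker chains inserted
# ahead of PVEFW-FORWARD and the FORWARD policy flipped to DROP.
DOCKER_LEFTOVER_DUMP = CLEAN_DUMP.replace(
    ":FORWARD ACCEPT [2438:203584]",
    ":FORWARD DROP [0:0]\n:DOCKER-USER - [0:0]\n:DOCKER-ISOLATION-STAGE-1 - [0:0]",
).replace(
    "-A FORWARD -j PVEFW-FORWARD",
    "-A FORWARD -j DOCKER-USER\n-A FORWARD -j DOCKER-ISOLATION-STAGE-1\n"
    "-A FORWARD -j PVEFW-FORWARD\n-A DOCKER-USER -j RETURN\n"
    "-A DOCKER-ISOLATION-STAGE-1 -j RETURN",
)

if __name__ == "__main__":
    for label, dump in (("clean", CLEAN_DUMP), ("docker leftovers", DOCKER_LEFTOVER_DUMP)):
        print(label, diagnose(dump))
```

On a real host, feed it the live dump (`iptables-save | python3 -c 'import sys, trace; ...'` or simply paste the output into `CLEAN_DUMP`). A non-empty `foreign_chains` list or `forward_path_ok == False` is the signal to clean up before blaming the `.fw` rules: the PVESIG comments in the dump are how pve-firewall recognises the chains it owns, so chains created by another tool are neither rewritten nor removed when the ruleset is recompiled.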
 