GRE protocol is not passed through firewall with Linux bridge

Discussion in 'Proxmox VE: Networking and Firewall' started by dksoft, Jul 6, 2018.

  1. dksoft

    dksoft New Member

    Joined:
    Apr 17, 2017
    Messages:
    7
    Likes Received:
    3
    Dear Proxmox users,

    I found a problem for which someone might have a solution.

    The installation runs a Mikrotik CHR VM on a standard Linux bridge. When the Proxmox firewall is enabled, the GRE protocol is not passed through the bridge, even though a GRE accept rule exists on both the datacenter and the node firewall. If the datacenter firewall is disabled, GRE is passed through the bridge.

    When I replace the Linux bridge with Open vSwitch, GRE is always passed, i.e. with the Proxmox firewall enabled or disabled.

    Is this a known problem? I would like to use Linux bridge together with the Proxmox firewall.

    Thanks and best regards,
    dksoft
     
  2. Richard

    Richard Proxmox Staff Member
    Staff Member

    Joined:
    Mar 6, 2015
    Messages:
    408
    Likes Received:
    10

    Post iptables and /etc/pve/firewall/* files in order to analyze the settings.
     
  3. dksoft

    dksoft New Member

    Joined:
    Apr 17, 2017
    Messages:
    7
    Likes Received:
    3
    Thanks for your attention.

    Here is my /etc/pve/firewall/cluster.fw:
    Code:
    enable: 1
    ebtables: 0
    policy_in: ACCEPT
    
    [RULES]
    
    IN ACCEPT -p gre
    
    And the output of iptables -L:
    Code:
    Chain INPUT (policy ACCEPT)
    target     prot opt source               destination         
    PVEFW-INPUT  all  --  anywhere             anywhere           
    
    Chain FORWARD (policy ACCEPT)
    target     prot opt source               destination         
    PVEFW-FORWARD  all  --  anywhere             anywhere           
    
    Chain OUTPUT (policy ACCEPT)
    target     prot opt source               destination         
    PVEFW-OUTPUT  all  --  anywhere             anywhere           
    
    Chain PVEFW-Drop (0 references)
    target     prot opt source               destination         
    PVEFW-reject  tcp  --  anywhere             anywhere             tcp dpt:whois
    PVEFW-DropBroadcast  all  --  anywhere             anywhere           
    ACCEPT     icmp --  anywhere             anywhere             icmp fragmentation-needed
    ACCEPT     icmp --  anywhere             anywhere             icmp time-exceeded
    DROP       all  --  anywhere             anywhere             ctstate INVALID
    DROP       udp  --  anywhere             anywhere             multiport dports loc-srv,microsoft-ds
    DROP       udp  --  anywhere             anywhere             udp dpts:netbios-ns:netbios-ssn
    DROP       udp  --  anywhere             anywhere             udp spt:netbios-ns dpts:1024:65535
    DROP       tcp  --  anywhere             anywhere             multiport dports loc-srv,netbios-ssn,microsoft-ds
    DROP       udp  --  anywhere             anywhere             udp dpt:1900
    DROP       tcp  --  anywhere             anywhere             tcp flags:!FIN,SYN,RST,ACK/SYN
    DROP       udp  --  anywhere             anywhere             udp spt:domain
               all  --  anywhere             anywhere             /* PVESIG:WDy2wbFe7jNYEyoO3QhUELZ4mIQ */
    
    Chain PVEFW-DropBroadcast (2 references)
    target     prot opt source               destination         
    DROP       all  --  anywhere             anywhere             ADDRTYPE match dst-type BROADCAST
    DROP       all  --  anywhere             anywhere             ADDRTYPE match dst-type MULTICAST
    DROP       all  --  anywhere             anywhere             ADDRTYPE match dst-type ANYCAST
    DROP       all  --  anywhere             base-address.mcast.net/4
               all  --  anywhere             anywhere             /* PVESIG:NyjHNAtFbkH7WGLamPpdVnxHy4w */
    
    Chain PVEFW-FORWARD (1 references)
    target     prot opt source               destination         
    DROP       all  --  anywhere             anywhere             ctstate INVALID
    ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
    PVEFW-FWBR-IN  all  --  anywhere             anywhere             PHYSDEV match --physdev-in fwln+ --physdev-is-bridged
    PVEFW-FWBR-OUT  all  --  anywhere             anywhere             PHYSDEV match --physdev-out fwln+ --physdev-is-bridged
               all  --  anywhere             anywhere             /* PVESIG:qnNexOcGa+y+jebd4dAUqFSp5nw */
    
    Chain PVEFW-FWBR-IN (1 references)
    target     prot opt source               destination         
    PVEFW-smurfs  all  --  anywhere             anywhere             ctstate INVALID,NEW
               all  --  anywhere             anywhere             /* PVESIG:Ijl7/xz0DD7LF91MlLCz0ybZBE0 */
    
    Chain PVEFW-FWBR-OUT (1 references)
    target     prot opt source               destination         
               all  --  anywhere             anywhere             /* PVESIG:2jmj7l5rSw0yVb/vlWAYkK/YBwk */
    
    Chain PVEFW-HOST-IN (1 references)
    target     prot opt source               destination         
    ACCEPT     all  --  anywhere             anywhere           
    DROP       all  --  anywhere             anywhere             ctstate INVALID
    ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
    PVEFW-smurfs  all  --  anywhere             anywhere             ctstate INVALID,NEW
    RETURN     igmp --  anywhere             anywhere           
    RETURN     gre  --  anywhere             anywhere           
    RETURN     udp  --  anywhere             anywhere             udp dpt:5201
    RETURN     tcp  --  anywhere             anywhere             tcp dpt:5201
    RETURN     udp  --  anywhere             anywhere             udp dpt:12865
    RETURN     tcp  --  anywhere             anywhere             tcp dpt:12865
    RETURN     icmp --  anywhere             anywhere           
    RETURN     ipv6-icmp--  anywhere             anywhere           
    RETURN     tcp  --  anywhere             anywhere             tcp dpt:ssh
    RETURN     tcp  --  anywhere             anywhere             tcp dpt:http
    RETURN     tcp  --  anywhere             anywhere             tcp dpt:https
    RETURN     tcp  --  anywhere             anywhere             tcp dpt:8006
    DROP       all  --  anywhere             anywhere           
    RETURN     gre  --  anywhere             anywhere           
    RETURN     tcp  --  anywhere             anywhere             match-set PVEFW-0-management-v4 src tcp dpt:8006
    RETURN     tcp  --  anywhere             anywhere             match-set PVEFW-0-management-v4 src tcp dpts:5900:5999
    RETURN     tcp  --  anywhere             anywhere             match-set PVEFW-0-management-v4 src tcp dpt:3128
    RETURN     tcp  --  anywhere             anywhere             match-set PVEFW-0-management-v4 src tcp dpt:ssh
    RETURN     udp  --  static.148-232-231-240.clients.your-server.de/29  static.148-232-231-240.clients.your-server.de/29  udp dpts:5404:5405
    RETURN     udp  --  static.148-232-231-240.clients.your-server.de/29  anywhere             ADDRTYPE match dst-type MULTICAST udp dpts:5404:5405
    RETURN     all  --  anywhere             anywhere           
               all  --  anywhere             anywhere             /* PVESIG:qvKPAyx9ZlMT6L2C4P00G7qVPZk */
    
    Chain PVEFW-HOST-OUT (1 references)
    target     prot opt source               destination         
    ACCEPT     all  --  anywhere             anywhere           
    DROP       all  --  anywhere             anywhere             ctstate INVALID
    ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
    RETURN     igmp --  anywhere             anywhere           
    RETURN     tcp  --  anywhere             static.148-232-231-240.clients.your-server.de/29  tcp dpt:8006
    RETURN     tcp  --  anywhere             static.148-232-231-240.clients.your-server.de/29  tcp dpt:ssh
    RETURN     tcp  --  anywhere             static.148-232-231-240.clients.your-server.de/29  tcp dpts:5900:5999
    RETURN     tcp  --  anywhere             static.148-232-231-240.clients.your-server.de/29  tcp dpt:3128
    RETURN     udp  --  anywhere             static.148-232-231-240.clients.your-server.de/29  udp dpts:5404:5405
    RETURN     udp  --  anywhere             anywhere             ADDRTYPE match dst-type MULTICAST udp dpts:5404:5405
    RETURN     all  --  anywhere             anywhere           
               all  --  anywhere             anywhere             /* PVESIG:4Hz2mcfCth1g3htf5LajikJqyhc */
    
    Chain PVEFW-INPUT (1 references)
    target     prot opt source               destination         
    PVEFW-HOST-IN  all  --  anywhere             anywhere           
               all  --  anywhere             anywhere             /* PVESIG:+5iMmLaxKXynOB/+5xibfx7WhFk */
    
    Chain PVEFW-OUTPUT (1 references)
    target     prot opt source               destination         
    PVEFW-HOST-OUT  all  --  anywhere             anywhere           
               all  --  anywhere             anywhere             /* PVESIG:LjHoZeSSiWAG3+2ZAyL/xuEehd0 */
    
    Chain PVEFW-Reject (0 references)
    target     prot opt source               destination         
    PVEFW-reject  tcp  --  anywhere             anywhere             tcp dpt:whois
    PVEFW-DropBroadcast  all  --  anywhere             anywhere           
    ACCEPT     icmp --  anywhere             anywhere             icmp fragmentation-needed
    ACCEPT     icmp --  anywhere             anywhere             icmp time-exceeded
    DROP       all  --  anywhere             anywhere             ctstate INVALID
    PVEFW-reject  udp  --  anywhere             anywhere             multiport dports loc-srv,microsoft-ds
    PVEFW-reject  udp  --  anywhere             anywhere             udp dpts:netbios-ns:netbios-ssn
    PVEFW-reject  udp  --  anywhere             anywhere             udp spt:netbios-ns dpts:1024:65535
    PVEFW-reject  tcp  --  anywhere             anywhere             multiport dports loc-srv,netbios-ssn,microsoft-ds
    DROP       udp  --  anywhere             anywhere             udp dpt:1900
    DROP       tcp  --  anywhere             anywhere             tcp flags:!FIN,SYN,RST,ACK/SYN
    DROP       udp  --  anywhere             anywhere             udp spt:domain
               all  --  anywhere             anywhere             /* PVESIG:CZJnIN6rAdpu+ej59QPr9+laMUo */
    
    Chain PVEFW-SET-ACCEPT-MARK (0 references)
    target     prot opt source               destination         
    MARK       all  --  anywhere             anywhere             MARK or 0x80000000
               all  --  anywhere             anywhere             /* PVESIG:Hg/OIgIwJChBUcWU8Xnjhdd2jUY */
    
    Chain PVEFW-logflags (5 references)
    target     prot opt source               destination         
    DROP       all  --  anywhere             anywhere           
               all  --  anywhere             anywhere             /* PVESIG:MN4PH1oPZeABMuWr64RrygPfW7A */
    
    Chain PVEFW-reject (6 references)
    target     prot opt source               destination         
    DROP       all  --  anywhere             anywhere             ADDRTYPE match dst-type BROADCAST
    DROP       all  --  base-address.mcast.net/4  anywhere           
    DROP       icmp --  anywhere             anywhere           
    REJECT     tcp  --  anywhere             anywhere             reject-with tcp-reset
    REJECT     udp  --  anywhere             anywhere             reject-with icmp-port-unreachable
    REJECT     icmp --  anywhere             anywhere             reject-with icmp-host-unreachable
    REJECT     all  --  anywhere             anywhere             reject-with icmp-host-prohibited
               all  --  anywhere             anywhere             /* PVESIG:Jlkrtle1mDdtxDeI9QaDSL++Npc */
    
    Chain PVEFW-smurflog (2 references)
    target     prot opt source               destination         
    DROP       all  --  anywhere             anywhere           
               all  --  anywhere             anywhere             /* PVESIG:2gfT1VMkfr0JL6OccRXTGXo+1qk */
    
    Chain PVEFW-smurfs (2 references)
    target     prot opt source               destination         
    RETURN     all  --  default              anywhere           
    PVEFW-smurflog  all  --  anywhere             anywhere            [goto]  ADDRTYPE match src-type BROADCAST
    PVEFW-smurflog  all  --  base-address.mcast.net/4  anywhere            [goto]
               all  --  anywhere             anywhere             /* PVESIG:HssVe5QCBXd5mc9kC88749+7fag */
    
    Chain PVEFW-tcpflags (0 references)
    target     prot opt source               destination         
    PVEFW-logflags  tcp  --  anywhere             anywhere            [goto]  tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,PSH,URG
    PVEFW-logflags  tcp  --  anywhere             anywhere            [goto]  tcp flags:FIN,SYN,RST,PSH,ACK,URG/NONE
    PVEFW-logflags  tcp  --  anywhere             anywhere            [goto]  tcp flags:SYN,RST/SYN,RST
    PVEFW-logflags  tcp  --  anywhere             anywhere            [goto]  tcp flags:FIN,SYN/FIN,SYN
    PVEFW-logflags  tcp  --  anywhere             anywhere            [goto]  tcp spt:0 flags:FIN,SYN,RST,ACK/SYN
               all  --  anywhere             anywhere             /* PVESIG:CMFojwNPqllyqD67NeI5m+bP5mo */
    
    
     
  4. Richard

    Richard Proxmox Staff Member
    Staff Member

    Joined:
    Mar 6, 2015
    Messages:
    408
    Likes Received:
    10
    Not quite clear why it does not work (needs deeper investigation); however, you can solve the problem by adding

    Code:
    iptables -I FORWARD -p gre -j ACCEPT
    

    Apart from allowing GRE unconditionally, this will not interfere with any firewall settings made by Proxmox.
     
  5. dksoft

    dksoft New Member

    Joined:
    Apr 17, 2017
    Messages:
    7
    Likes Received:
    3
    Hi Richard,

    thanks for checking this. So far I have placed "up iptables -I FORWARD -p gre -j ACCEPT" into /etc/network/interfaces.
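    An added example, not from the thread or from Proxmox, that turns the workaround above into an idempotent script and checks that the GRE rule really sits ahead of the PVEFW-FORWARD jump. The IPTABLES override, the function names and the apply/check arguments are my own choices.

```shell
#!/bin/sh
# Added example, not from the thread: make the FORWARD workaround above
# idempotent and verifiable. Run as root on the Proxmox node.
# IPTABLES may be overridden for a dry run; it defaults to the real binary.
IPTABLES="${IPTABLES:-iptables}"

# Insert "-p gre -j ACCEPT" at position 1 of FORWARD only if it is not
# already there. A bare "iptables -I" on an "up" line in
# /etc/network/interfaces adds a duplicate rule on every ifup; -C avoids that.
ensure_gre_forward() {
    if "$IPTABLES" -C FORWARD -p gre -j ACCEPT 2>/dev/null; then
        echo "FORWARD: GRE accept rule already present"
        return 0
    fi
    "$IPTABLES" -I FORWARD 1 -p gre -j ACCEPT
}

# Read "iptables -S FORWARD" output on stdin and check that the GRE accept
# comes before the jump into PVEFW-FORWARD (the Proxmox chain that, per the
# thread, does not pass GRE). Exit 0 if so, 1 if the rule is missing or sits
# behind the PVEFW-FORWARD jump, where the Proxmox chain sees the packet first.
gre_before_pvefw() {
    awk '
        $1 == "-A" && $2 == "FORWARD" { n++ }
        $1 == "-A" && $2 == "FORWARD" && /-p gre / && /-j ACCEPT/ && !gre { gre = n }
        $1 == "-A" && $2 == "FORWARD" && /-j PVEFW-FORWARD/ && !pve { pve = n }
        END { ok = gre && (!pve || gre < pve); exit ok ? 0 : 1 }
    '
}

check_gre_forward() {
    "$IPTABLES" -S FORWARD | gre_before_pvefw
}

# Usage on the node: "sh gre-forward.sh apply" inserts the rule if missing
# and verifies the order; "sh gre-forward.sh check" only verifies.
case "${1:-}" in
    apply) ensure_gre_forward && check_gre_forward ;;
    check) check_gre_forward ;;
esac
```

    Putting "up sh /path/to/gre-forward.sh apply" on the bridge stanza instead of the bare iptables command keeps the rule set free of duplicates across repeated ifup/ifdown cycles.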
     