GRE protocol is not passed through firewall with Linux bridge

dksoft

Apr 17, 2017
Dear Proxmox users,

I found a problem that someone might have a solution for.

The installation runs a Mikrotik CHR VM on a standard Linux bridge. When the Proxmox firewall is enabled, the GRE protocol is not passed through the bridge, even though a GRE accept rule exists on both the datacenter and the node firewall. If the datacenter firewall is disabled, GRE is passed through the bridge.

When I replace the Linux bridge with Open vSwitch, GRE is always passed, i.e. with the Proxmox firewall enabled or disabled.

Is this a known problem? I would like to use the Linux bridge together with the Proxmox firewall.

Thanks and best regards,
dksoft
 
Post iptables and /etc/pve/firewall/* files in order to analyze the settings
 
Thanks for your attention.

Here is my /etc/pve/firewall/cluster.fw:
Code:
enable: 1
ebtables: 0
policy_in: ACCEPT

[RULES]

IN ACCEPT -p gre

And the output of iptables -L:
Code:
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
PVEFW-INPUT  all  --  anywhere             anywhere           

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
PVEFW-FORWARD  all  --  anywhere             anywhere           

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
PVEFW-OUTPUT  all  --  anywhere             anywhere           

Chain PVEFW-Drop (0 references)
target     prot opt source               destination         
PVEFW-reject  tcp  --  anywhere             anywhere             tcp dpt:whois
PVEFW-DropBroadcast  all  --  anywhere             anywhere           
ACCEPT     icmp --  anywhere             anywhere             icmp fragmentation-needed
ACCEPT     icmp --  anywhere             anywhere             icmp time-exceeded
DROP       all  --  anywhere             anywhere             ctstate INVALID
DROP       udp  --  anywhere             anywhere             multiport dports loc-srv,microsoft-ds
DROP       udp  --  anywhere             anywhere             udp dpts:netbios-ns:netbios-ssn
DROP       udp  --  anywhere             anywhere             udp spt:netbios-ns dpts:1024:65535
DROP       tcp  --  anywhere             anywhere             multiport dports loc-srv,netbios-ssn,microsoft-ds
DROP       udp  --  anywhere             anywhere             udp dpt:1900
DROP       tcp  --  anywhere             anywhere             tcp flags:!FIN,SYN,RST,ACK/SYN
DROP       udp  --  anywhere             anywhere             udp spt:domain
           all  --  anywhere             anywhere             /* PVESIG:WDy2wbFe7jNYEyoO3QhUELZ4mIQ */

Chain PVEFW-DropBroadcast (2 references)
target     prot opt source               destination         
DROP       all  --  anywhere             anywhere             ADDRTYPE match dst-type BROADCAST
DROP       all  --  anywhere             anywhere             ADDRTYPE match dst-type MULTICAST
DROP       all  --  anywhere             anywhere             ADDRTYPE match dst-type ANYCAST
DROP       all  --  anywhere             base-address.mcast.net/4
           all  --  anywhere             anywhere             /* PVESIG:NyjHNAtFbkH7WGLamPpdVnxHy4w */

Chain PVEFW-FORWARD (1 references)
target     prot opt source               destination         
DROP       all  --  anywhere             anywhere             ctstate INVALID
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
PVEFW-FWBR-IN  all  --  anywhere             anywhere             PHYSDEV match --physdev-in fwln+ --physdev-is-bridged
PVEFW-FWBR-OUT  all  --  anywhere             anywhere             PHYSDEV match --physdev-out fwln+ --physdev-is-bridged
           all  --  anywhere             anywhere             /* PVESIG:qnNexOcGa+y+jebd4dAUqFSp5nw */

Chain PVEFW-FWBR-IN (1 references)
target     prot opt source               destination         
PVEFW-smurfs  all  --  anywhere             anywhere             ctstate INVALID,NEW
           all  --  anywhere             anywhere             /* PVESIG:Ijl7/xz0DD7LF91MlLCz0ybZBE0 */

Chain PVEFW-FWBR-OUT (1 references)
target     prot opt source               destination         
           all  --  anywhere             anywhere             /* PVESIG:2jmj7l5rSw0yVb/vlWAYkK/YBwk */

Chain PVEFW-HOST-IN (1 references)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere           
DROP       all  --  anywhere             anywhere             ctstate INVALID
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
PVEFW-smurfs  all  --  anywhere             anywhere             ctstate INVALID,NEW
RETURN     igmp --  anywhere             anywhere           
RETURN     gre  --  anywhere             anywhere           
RETURN     udp  --  anywhere             anywhere             udp dpt:5201
RETURN     tcp  --  anywhere             anywhere             tcp dpt:5201
RETURN     udp  --  anywhere             anywhere             udp dpt:12865
RETURN     tcp  --  anywhere             anywhere             tcp dpt:12865
RETURN     icmp --  anywhere             anywhere           
RETURN     ipv6-icmp--  anywhere             anywhere           
RETURN     tcp  --  anywhere             anywhere             tcp dpt:ssh
RETURN     tcp  --  anywhere             anywhere             tcp dpt:http
RETURN     tcp  --  anywhere             anywhere             tcp dpt:https
RETURN     tcp  --  anywhere             anywhere             tcp dpt:8006
DROP       all  --  anywhere             anywhere           
RETURN     gre  --  anywhere             anywhere           
RETURN     tcp  --  anywhere             anywhere             match-set PVEFW-0-management-v4 src tcp dpt:8006
RETURN     tcp  --  anywhere             anywhere             match-set PVEFW-0-management-v4 src tcp dpts:5900:5999
RETURN     tcp  --  anywhere             anywhere             match-set PVEFW-0-management-v4 src tcp dpt:3128
RETURN     tcp  --  anywhere             anywhere             match-set PVEFW-0-management-v4 src tcp dpt:ssh
RETURN     udp  --  static.148-232-231-240.clients.your-server.de/29  static.148-232-231-240.clients.your-server.de/29  udp dpts:5404:5405
RETURN     udp  --  static.148-232-231-240.clients.your-server.de/29  anywhere             ADDRTYPE match dst-type MULTICAST udp dpts:5404:5405
RETURN     all  --  anywhere             anywhere           
           all  --  anywhere             anywhere             /* PVESIG:qvKPAyx9ZlMT6L2C4P00G7qVPZk */

Chain PVEFW-HOST-OUT (1 references)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere           
DROP       all  --  anywhere             anywhere             ctstate INVALID
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
RETURN     igmp --  anywhere             anywhere           
RETURN     tcp  --  anywhere             static.148-232-231-240.clients.your-server.de/29  tcp dpt:8006
RETURN     tcp  --  anywhere             static.148-232-231-240.clients.your-server.de/29  tcp dpt:ssh
RETURN     tcp  --  anywhere             static.148-232-231-240.clients.your-server.de/29  tcp dpts:5900:5999
RETURN     tcp  --  anywhere             static.148-232-231-240.clients.your-server.de/29  tcp dpt:3128
RETURN     udp  --  anywhere             static.148-232-231-240.clients.your-server.de/29  udp dpts:5404:5405
RETURN     udp  --  anywhere             anywhere             ADDRTYPE match dst-type MULTICAST udp dpts:5404:5405
RETURN     all  --  anywhere             anywhere           
           all  --  anywhere             anywhere             /* PVESIG:4Hz2mcfCth1g3htf5LajikJqyhc */

Chain PVEFW-INPUT (1 references)
target     prot opt source               destination         
PVEFW-HOST-IN  all  --  anywhere             anywhere           
           all  --  anywhere             anywhere             /* PVESIG:+5iMmLaxKXynOB/+5xibfx7WhFk */

Chain PVEFW-OUTPUT (1 references)
target     prot opt source               destination         
PVEFW-HOST-OUT  all  --  anywhere             anywhere           
           all  --  anywhere             anywhere             /* PVESIG:LjHoZeSSiWAG3+2ZAyL/xuEehd0 */

Chain PVEFW-Reject (0 references)
target     prot opt source               destination         
PVEFW-reject  tcp  --  anywhere             anywhere             tcp dpt:whois
PVEFW-DropBroadcast  all  --  anywhere             anywhere           
ACCEPT     icmp --  anywhere             anywhere             icmp fragmentation-needed
ACCEPT     icmp --  anywhere             anywhere             icmp time-exceeded
DROP       all  --  anywhere             anywhere             ctstate INVALID
PVEFW-reject  udp  --  anywhere             anywhere             multiport dports loc-srv,microsoft-ds
PVEFW-reject  udp  --  anywhere             anywhere             udp dpts:netbios-ns:netbios-ssn
PVEFW-reject  udp  --  anywhere             anywhere             udp spt:netbios-ns dpts:1024:65535
PVEFW-reject  tcp  --  anywhere             anywhere             multiport dports loc-srv,netbios-ssn,microsoft-ds
DROP       udp  --  anywhere             anywhere             udp dpt:1900
DROP       tcp  --  anywhere             anywhere             tcp flags:!FIN,SYN,RST,ACK/SYN
DROP       udp  --  anywhere             anywhere             udp spt:domain
           all  --  anywhere             anywhere             /* PVESIG:CZJnIN6rAdpu+ej59QPr9+laMUo */

Chain PVEFW-SET-ACCEPT-MARK (0 references)
target     prot opt source               destination         
MARK       all  --  anywhere             anywhere             MARK or 0x80000000
           all  --  anywhere             anywhere             /* PVESIG:Hg/OIgIwJChBUcWU8Xnjhdd2jUY */

Chain PVEFW-logflags (5 references)
target     prot opt source               destination         
DROP       all  --  anywhere             anywhere           
           all  --  anywhere             anywhere             /* PVESIG:MN4PH1oPZeABMuWr64RrygPfW7A */

Chain PVEFW-reject (6 references)
target     prot opt source               destination         
DROP       all  --  anywhere             anywhere             ADDRTYPE match dst-type BROADCAST
DROP       all  --  base-address.mcast.net/4  anywhere           
DROP       icmp --  anywhere             anywhere           
REJECT     tcp  --  anywhere             anywhere             reject-with tcp-reset
REJECT     udp  --  anywhere             anywhere             reject-with icmp-port-unreachable
REJECT     icmp --  anywhere             anywhere             reject-with icmp-host-unreachable
REJECT     all  --  anywhere             anywhere             reject-with icmp-host-prohibited
           all  --  anywhere             anywhere             /* PVESIG:Jlkrtle1mDdtxDeI9QaDSL++Npc */

Chain PVEFW-smurflog (2 references)
target     prot opt source               destination         
DROP       all  --  anywhere             anywhere           
           all  --  anywhere             anywhere             /* PVESIG:2gfT1VMkfr0JL6OccRXTGXo+1qk */

Chain PVEFW-smurfs (2 references)
target     prot opt source               destination         
RETURN     all  --  default              anywhere           
PVEFW-smurflog  all  --  anywhere             anywhere            [goto]  ADDRTYPE match src-type BROADCAST
PVEFW-smurflog  all  --  base-address.mcast.net/4  anywhere            [goto]
           all  --  anywhere             anywhere             /* PVESIG:HssVe5QCBXd5mc9kC88749+7fag */

Chain PVEFW-tcpflags (0 references)
target     prot opt source               destination         
PVEFW-logflags  tcp  --  anywhere             anywhere            [goto]  tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,PSH,URG
PVEFW-logflags  tcp  --  anywhere             anywhere            [goto]  tcp flags:FIN,SYN,RST,PSH,ACK,URG/NONE
PVEFW-logflags  tcp  --  anywhere             anywhere            [goto]  tcp flags:SYN,RST/SYN,RST
PVEFW-logflags  tcp  --  anywhere             anywhere            [goto]  tcp flags:FIN,SYN/FIN,SYN
PVEFW-logflags  tcp  --  anywhere             anywhere            [goto]  tcp spt:0 flags:FIN,SYN,RST,ACK/SYN
           all  --  anywhere             anywhere             /* PVESIG:CMFojwNPqllyqD67NeI5m+bP5mo */
 
Not quite clear why it does not work (needs deeper investigation); however, you can solve the problem by adding

Code:
iptables -I FORWARD -p gre -j ACCEPT


Apart from allowing GRE unconditionally, this will not interfere with any firewall settings made by Proxmox.
 
Hi Richard,

Thanks for checking this. So far I have placed "up iptables -I FORWARD -p gre -j ACCEPT" into /etc/network/interfaces.
 
Hello Richard, thanks for your reply.

We have exactly the same problem.

How can we be sure that this workaround will be permanent?

Thanks
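The workaround given above, `iptables -I FORWARD -p gre -j ACCEPT`, inserts the rule ahead of the PVEFW-FORWARD jump so that GRE is accepted before any Proxmox-managed rule is evaluated, and it has to be re-applied whenever the ruleset is rebuilt or the host reboots (which is why dksoft put it into an `up` hook in /etc/network/interfaces). The following POSIX shell script is an added example, not code from this thread or from Proxmox: it makes the workaround idempotent (`iptables -C` before `iptables -I`), checks from `iptables -S FORWARD` output that the rule really sits before PVEFW-FORWARD rather than after it (as an appended `-A` rule would), and checks whether an /etc/network/interfaces hook of the kind dksoft used is present. The function names, the constructed sample output and the `apply`/`check`/`demo` arguments are assumptions of this example.

```shell
#!/bin/sh
# Added example, not code from the thread or from Proxmox: make the thread's
# workaround (iptables -I FORWARD -p gre -j ACCEPT) idempotent and checkable.
# Function names, the constructed sample output and the apply/check/demo
# arguments are assumptions of this example.
set -u

GRE_RULE="-p gre -j ACCEPT"

# Constructed sample of `iptables -S FORWARD` output after the workaround has
# been applied with -I: the GRE rule sits ahead of the PVEFW-FORWARD jump.
SAMPLE_FORWARD='-P FORWARD ACCEPT
-A FORWARD -p gre -j ACCEPT
-A FORWARD -j PVEFW-FORWARD'

# Read `iptables -S FORWARD` lines from stdin; succeed if some FORWARD rule
# accepts GRE (protocol name "gre" or protocol number 47).
has_gre_forward_accept() {
    grep -Eq '^-A FORWARD .*-p (gre|47) .*-j ACCEPT'
}

# Read `iptables -S FORWARD` lines from stdin; succeed if the first GRE accept
# rule is listed before the jump into PVEFW-FORWARD, i.e. it is evaluated
# before any Proxmox-managed rule (what `iptables -I` achieves and an
# appended `iptables -A` would not).
gre_rule_precedes_pvefw() {
    awk '
        /^-A FORWARD .*-p (gre|47) .*-j ACCEPT/ && !gre { gre = NR }
        /^-A FORWARD .*-j PVEFW-FORWARD/ && !pve        { pve = NR }
        END { if (gre && (!pve || gre < pve)) exit 0; exit 1 }
    '
}

# Succeed if FILE (an /etc/network/interfaces) already carries an up/post-up
# hook that inserts the GRE rule, as dksoft did in the thread.
interfaces_has_gre_hook() {
    grep -Eq '^[[:space:]]*(post-)?up[[:space:]]+iptables .*-I FORWARD.*-p gre -j ACCEPT' "$1"
}

# Insert the rule at position 1 only if an identical rule is not already
# present (-C returns 0 on an exact match). Needs root and iptables.
ensure_gre_forward() {
    if iptables -C FORWARD $GRE_RULE 2>/dev/null; then
        echo "GRE accept rule already present in FORWARD"
    else
        iptables -I FORWARD 1 $GRE_RULE
        echo "inserted: iptables -I FORWARD 1 $GRE_RULE"
    fi
}

# Inspect the live ruleset on a node: is the rule there, does it precede the
# Proxmox chain, and is there a hook to restore it? Needs root and iptables.
check_host() {
    rules=$(iptables -S FORWARD) || return 1
    printf '%s\n' "$rules" | has_gre_forward_accept \
        || { echo "no GRE accept rule in FORWARD"; return 1; }
    printf '%s\n' "$rules" | gre_rule_precedes_pvefw \
        || { echo "GRE rule is listed after PVEFW-FORWARD; insert it with -I, not -A"; return 1; }
    interfaces_has_gre_hook /etc/network/interfaces \
        || echo "note: no up/post-up hook in /etc/network/interfaces; the rule will not be restored on reboot"
    echo "GRE accept rule present and ahead of PVEFW-FORWARD"
}

# Offline demonstration against the constructed sample (no root needed).
demo() {
    printf '%s\n' "$SAMPLE_FORWARD" | has_gre_forward_accept  && echo "sample: GRE accept rule found"
    printf '%s\n' "$SAMPLE_FORWARD" | gre_rule_precedes_pvefw && echo "sample: GRE rule precedes PVEFW-FORWARD"
}

case "${1:-}" in
    apply) ensure_gre_forward ;;
    check) check_host ;;
    demo)  demo ;;
esac
```

Run it as `sh gre-forward.sh demo` anywhere to exercise the checks against the embedded sample, and as root on the node as `sh gre-forward.sh apply` or `sh gre-forward.sh check`. The ordering check matters because, as the iptables output above shows, FORWARD's only rule is the jump into PVEFW-FORWARD; a GRE rule placed after that jump is only reached for traffic the Proxmox chains return rather than drop. As Richard notes, the rule accepts GRE for all forwarded traffic regardless of per-VM Proxmox rules, so it is a blanket allow, not a scoped one.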