Guest iptables rules

Mecanik

Mar 2, 2017
I'm trying to add some custom iptables rules (like connlimit) for guest machines.

Example rule is:

-A tap101i0-IN -p tcp -m connlimit --connlimit-above 30 --connlimit-mask 32 --connlimit-saddr -j REJECT --reject-with tcp-reset

As seen tap101i0 is the vm 101 adapter. The rule has no effect, I can open more than 30 simultaneous connections easily.

Since I'm not that experienced with iptables and the Proxmox firewall design, could someone elaborate where the issue is?

Thanks
 
After a bit of research, it seems the rule ordering is the problem. Basically, -A will append at the end of the iptables chain, which is after PVEFW-Drop, so it will have no effect.

Rule order can be seen with iptables -t filter -L tap100i0-IN --line-numbers -n -v.

Now another problem remains that every time you make a change via the PVE GUI, your rules are lost.

Very sad, I cannot comprehend why staff do not want to allow us to persist custom rules.
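As an added example that is not part of the original thread, the POSIX shell script below finds where the generated PVEFW-Drop jump sits in a guest chain listing and builds the iptables -I command that places the connlimit rule ahead of it instead of appending after it. The listing is constructed sample output; the chain name tap101i0-IN and the counters are assumptions, and as the post notes the PVE firewall still regenerates the chain on the next GUI change.

```shell
#!/bin/sh
# Added example (not code from the original post): locate the Proxmox-generated
# PVEFW-Drop jump in a guest chain and build an `iptables -I` command that puts
# a custom rule in front of it. `-A` lands after the drop, so it never matches.

# Constructed sample of `iptables -t filter -L tap101i0-IN --line-numbers -n -v`
# output; chain name and packet counters are made up for this example.
SAMPLE_LISTING='Chain tap101i0-IN (1 references)
num   pkts bytes target     prot opt in     out     source               destination
1       12   720 PVEFW-SET-ACCEPT-MARK  udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:68
2        3   180 PVEFW-Drop  all  --  *      *       0.0.0.0/0            0.0.0.0/0
3        0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0'

# drop_rule_position LISTING
# Prints the rule number of the first PVEFW-Drop jump, or nothing if absent.
# Finds the "target" column from the header row, so it works with or without -v.
drop_rule_position() {
    printf '%s\n' "$1" | awk '
        $1 == "num" { for (i = 1; i <= NF; i++) if ($i == "target") col = i; next }
        col && $col == "PVEFW-Drop" { print $1; exit }
    '
}

# insert_command CHAIN POSITION RULE...
# Builds the iptables command that inserts RULE at POSITION in CHAIN, i.e.
# directly ahead of the rule that currently carries that number.
insert_command() {
    chain=$1; pos=$2; shift 2
    printf 'iptables -t filter -I %s %s %s\n' "$chain" "$pos" "$*"
}

# The connlimit rule from the post, without the chain and -A/-I prefix.
CONNLIMIT_RULE='-p tcp -m connlimit --connlimit-above 30 --connlimit-mask 32 --connlimit-saddr -j REJECT --reject-with tcp-reset'

main() {
    pos=$(drop_rule_position "$SAMPLE_LISTING")
    if [ -z "$pos" ]; then
        echo "no PVEFW-Drop jump found in chain; appending with -A would suffice" >&2
        return 1
    fi
    echo "PVEFW-Drop is rule $pos; insert the connlimit rule ahead of it with:"
    insert_command tap101i0-IN "$pos" "$CONNLIMIT_RULE"
}

main
```

Run it against a real listing by replacing SAMPLE_LISTING with the output of the iptables -L command from the post; the computed position stays valid only until the PVE firewall rewrites the chain.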