Guest iptables rules

Mecanik

Well-Known Member
Mar 2, 2017
173
4
58
32
I`m trying to add some custom iptables rules (like connlimit) for guest machines.

Example rule is:

-A tap101i0-IN -p tcp -m connlimit --connlimit-above 30 --connlimit-mask 32 --connlimit-saddr -j REJECT --reject-with tcp-reset

As seen tap101i0 is the vm 101 adapter. The rule has no effect, I can open more than 30 simultaneous connections easily.

Since I`m not that experienced with iptables and proxmox firewall design, could someone elaborate where the issue is?

Thanks
 
After a bit of research, it seems the rule ordering is the problem. Basically -A will append at the end of the iptables chain, which is after PVEFW-Drop so it will have no effect.

Rules order can be seen with iptables -t filter -L tap100i0-IN --line-numbers -n -v.

Now another problem remains that every time you make a change via the PVE GUI, your rules are lost.

Very sad, I cannot comprehend why staff do not want to allow us to persist custom rules.
 

About

The Proxmox community has been around for many years and offers help and support for Proxmox VE, Proxmox Backup Server, and Proxmox Mail Gateway.
We think our community is one of the best thanks to people like you!

Get your subscription!

The Proxmox team works very hard to make sure you are running the best software and getting stable updates and security enhancements, as well as quick enterprise support. Tens of thousands of happy customers have a Proxmox subscription. Get yours easily in our online shop.

Buy now!