Help with PVE firewall configuration

Ok, further to more testing (again) I might have it. I will have to thank for once, ChatGPT for the suggestion...

Adding to the chain:
-A tap941i0-IN -m state --state ESTABLISHED,RELATED -j ACCEPT

Seems to allow outgoing connections correctly. The explanation, which I did not get at the beginning, could be that the fact of outgoing traffic not working was related to its "answer" being captured by the IN chain itself and this way the reply passes through as it will be RELATED (or ESTABLISHED not sure about that).

I'll still do some further testing but in case of use to anyone else in a similar scenario:

The related rules now are:
Code: 
# iptables-save |grep tap941i0-IN
:tap941i0-IN - [0:0]
-A FORWARD -m physdev --physdev-out tap941i0 --physdev-is-bridged -m comment --comment "Redireccion a cadena tap941i0-IN" -j tap941i0-IN
-A tap941i0-IN -m state --state RELATED,ESTABLISHED -j ACCEPT
-A tap941i0-IN -p tcp -m tcp --dport 443 -m comment --comment "Puerto permitido globalmente" -j ACCEPT
-A tap941i0-IN -p tcp -m tcp --dport 80 -m comment --comment "Puerto permitido globalmente" -j ACCEPT
-A tap941i0-IN -s 213.***.***.95/32 -m comment --comment "IP permitida para pruebas" -j ACCEPT
-A tap941i0-IN -m comment --comment "Evaluación de LOCALINPUT" -j LOCALINPUT
-A tap941i0-IN -m comment --comment "Bloqueo de tráfico restante" -j DROP

This now limits the connections to that VM from the host to those ports only or any IPS in LOCALINPUT chain that CSF configures with whitelist, dynamic ips and blocked ones.

We have scripted this in csfpost.sh, so we can just add a list of ports and interfaces to generate.

Thanks @shanreich for your help on this thread!
 
Last edited:
  • Like
Reactions: shanreich
One additional issue since we made this configuration active is this constant log message:

Sep 12 19:22:46 m24 pve-firewall[2376]: status update error: iptables_restore_cmdlist: line 3: CHAIN_DEL failed (Device or resource busy): chain tap141i0-IN

pve-firewall should not be active as it's not on datacenter or any container. Truly the service was running and I have now stopped it... not sure if I need to do that so it does not start on boot either.
 
Makes sense. Please note that pve-firewall sets some configuration values at runtime that might be interesting for you. The most important one is probably net.bridge.bridge-nf-call-iptables which enables iptables filtering for bridge traffic.
 
  • Like
Reactions: luison
Simply disabling it at datacenter level should suffice.
 
You must log in or register to reply here.

About

The Proxmox community has been around for many years and offers help and support for Proxmox VE, Proxmox Backup Server, and Proxmox Mail Gateway.
We think our community is one of the best thanks to people like you!

Quick Navigation

Home Get Subscription Wiki Downloads Proxmox Customer Portal About

Get your subscription!

The Proxmox team works very hard to make sure you are running the best software and getting stable updates and security enhancements, as well as quick enterprise support. Tens of thousands of happy customers have a Proxmox subscription. Get yours easily in our online shop.

Buy now!
Community platform by XenForo® © 2010-2024 XenForo Ltd.
Top Bottom
Back