Hetzner MAC Abuse Mail Bridged/Routed Config

Attackwave

Hi,

I am using Proxmox version 7.0-14 + 1 and receive abuse mails from Hetzner.

I know there was a bug with port 43 prior to v7. Packets were not correctly dropped on port 43.

* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
https://forum.hetzner.com/index.php...mac-adressen/&postID=279208#codeLine_3_fea0f3

https://forum.proxmox.com/threads/proxmox-claiming-mac-address.52601/page-3#post-416219

https://forum.proxmox.com/threads/p...allowed-by-the-data-center.95946/#post-417099
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *

Hetzner has now automated its abuse mails, and that's why I'm more likely to get these mails.

The last ticket has now been closed by Hetzner, because they have no idea why this could be.
After the ticket was closed, I dropped port 43 tcp directly at the data center and restarted the server.
I will now restart the server several times; if necessary, I will provoke another abuse. VMs are not started automatically at the moment.

I also asked Hetzner if my network configuration was wrong ... unfortunately I didn't get an answer.

Does anyone have any idea why this could be or how I can track down the problem?

Thanks for advice.


IPs
Code:
1. e.x.t.175 MAC: MA:CA:DD:RE:SS:75 (PROXMOX Host)
2. e.x.t.140 MAC: MA:CA:DD:RE:SS:40
3. e.x.t.141 MAC: MA:CA:DD:RE:SS:41

IPv6 Range: dead:beef:dead:beef::/64 with MAC MA:CA:DD:RE:SS:75

Network
Code:
vmbr0: Bridged
vmbr1: Routed (Private 10.20.30.0/24)

Example VMs
Code:
1. Webserver
Net0 vmbr0: e.x.t.140 / MA:CA:DD:RE:SS:40
Net1 vmbr1: 10.20.30.10 / AU:TO:GE:NE:RA:TE

2. Gameserver
Net0 vmbr0: e.x.t.141 / MA:CA:DD:RE:SS:41
Net1 vmbr1: 10.20.30.20 / AU:TO:GE:NE:RA:TE

3. Oracle DB
Net0 vmbr1: 10.20.30.30 / AU:TO:GE:NE:RA:TE

Interfaces setup:
Code:
auto lo
iface lo inet loopback
iface lo inet6 loopback

auto enp35s0
iface enp35s0 inet manual
iface enp35s0 inet6 manual

auto vmbr0
iface vmbr0 inet static
        address e.x.t.175
        netmask 255.255.255.192
        gateway e.x.t.129
        broadcast 255.255.255.191
        pointtopoint e.x.t.129
        bridge_ports enp35s0
        bridge_stp off
        bridge_fd 1
        bridge_hello 2
        bridge_maxage 12

iface vmbr0 inet6 static
        address dead:beef:dead:beef::2
        netmask 64
        gateway fe80::1

auto vmbr1
iface vmbr1 inet static
        address 10.20.30.1
        netmask 255.255.255.0
        bridge_ports none
        bridge_stp off
        bridge_fd 0
        post-up echo 1 > /proc/sys/net/ipv4/ip_forward
        post-up iptables -t nat -A POSTROUTING -s '10.20.30.0/24' -o vmbr0 -j MASQUERADE
        post-down iptables -t nat -D POSTROUTING -s '10.20.30.0/24' -o vmbr0 -j MASQUERADE
 
I'll copy/paste my response from the other thread:

Code:
1) never use REJECT rules for inbound rules for your vm, and use DROP as default action.
2) if you are still on proxmox6, add an extra DROP for tcp/43 for inbound rule. (this is fixed in proxmox7 pve-firewall_4.2-3 )
3) echo 0 >/proc/sys/net/ipv4/igmp_link_local_mcast_reports + add in /etc/sysctl.d/pve.conf
"net.ipv4.igmp_link_local_mcast_reports = 0"  (fixed in proxmox7 pve-cluster 7.0-5)

Note that it's for bridged setup,

I don't know how it could happen on a routed setup, because a MAC address can't go from vmbr1 to vmbr0.

Do you use the correct physical mac address of enp35s0 on vmbr0 ?
do you use ifupdown2 ?
if yes, it should be done auto.
if not, you need to set physical mac on vmbr0 with " hwaddress aa:bb:cc:12:34"
https://pve.proxmox.com/wiki/Upgrade_from_6.x_to_7.0#Check_Linux_Network_Bridge_MAC
 
Hi Spirit,

Thanks for the reply. I have a bridged setup because of the Gameserver and Webserver. Different domains but maybe the same ports, such as 80/433/8080/8443 etc.
My routed setup is only for internal VM communication and internet connection (downloads etc.).

I've restarted the server several times now, including the VMs ... no abuse email.

I'll test it again if I disable the manual drop from port 43.

Edit:

Firewalls on Datacenter/VMs all with drop by default. Only specific ports and protocols are accepted.

Code:
/proc/sys/net/ipv4/igmp_link_local_mcast_reports: 1

/etc/sysctl.d/pve.conf
net.bridge.bridge-nf-call-ip6tables = 0
net.bridge.bridge-nf-call-iptables = 0
net.bridge.bridge-nf-call-arptables = 0
net.bridge.bridge-nf-filter-vlan-tagged = 0
fs.aio-max-nr = 1048576
 
I've set /proc/sys/net/ipv4/igmp_link_local_mcast_reports = 0 and in /etc/sysctl.d/pve.conf too.

Thanks for the advice!
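
A read-only audit of the host-side settings discussed in this thread (bridge MAC equal to the physical port's MAC, and `igmp_link_local_mcast_reports` set to 0 both at runtime and under `/etc/sysctl.d`), as an added example that is not part of any post here. The `ROOT` variable, the function names, the `--run` switch and the sample MAC addresses are assumptions made for the example; `vmbr0` and `enp35s0` are taken from the posted configuration.

```shell
#!/bin/sh
# Added example, not from the thread. ROOT="" audits the live host;
# point ROOT at a copied or constructed tree to run the checks offline.
ROOT="${ROOT:-}"
KEY=igmp_link_local_mcast_reports

# The bridge must carry the MAC of its physical port (the "hwaddress" advice).
check_bridge_mac() {  # $1 = bridge, $2 = physical port; returns 2 if unreadable
    br=$(cat "$ROOT/sys/class/net/$1/address" 2>/dev/null) || return 2
    nic=$(cat "$ROOT/sys/class/net/$2/address" 2>/dev/null) || return 2
    [ "$br" = "$nic" ]
}

# The running kernel value must be 0.
check_igmp_runtime() {
    [ "$(cat "$ROOT/proc/sys/net/ipv4/$KEY" 2>/dev/null)" = "0" ]
}

# The value must also be persisted, or it reverts on the next reboot.
check_igmp_persisted() {
    grep -Eqs "^[[:space:]]*net\.ipv4\.$KEY[[:space:]]*=[[:space:]]*0[[:space:]]*$" \
        "$ROOT"/etc/sysctl.d/*.conf
}

# Print one line per failed check; return the number of failed checks.
audit() {  # $1 = bridge, $2 = physical port
    fails=0
    check_bridge_mac "$1" "$2" || { echo "FAIL: $1 MAC differs from $2"; fails=$((fails+1)); }
    check_igmp_runtime || { echo "FAIL: $KEY is not 0 at runtime"; fails=$((fails+1)); }
    check_igmp_persisted || { echo "FAIL: $KEY = 0 not in /etc/sysctl.d"; fails=$((fails+1)); }
    [ "$fails" -eq 0 ] && echo "OK: $1 passes all checks"
    return "$fails"
}

# Constructed sample tree: the values posted in the thread before the fix
# (runtime value 1, pve.conf without the key) plus a mismatched bridge MAC.
make_sample_tree() {  # $1 = empty directory
    mkdir -p "$1/sys/class/net/vmbr0" "$1/sys/class/net/enp35s0" \
             "$1/proc/sys/net/ipv4" "$1/etc/sysctl.d"
    echo "02:00:00:00:00:99" > "$1/sys/class/net/vmbr0/address"    # constructed
    echo "02:00:00:00:00:75" > "$1/sys/class/net/enp35s0/address"  # constructed
    echo 1 > "$1/proc/sys/net/ipv4/$KEY"
    echo "net.bridge.bridge-nf-call-iptables = 0" > "$1/etc/sysctl.d/pve.conf"
}

# Live use: sh audit.sh --run [bridge] [port]
if [ "${1:-}" = "--run" ]; then audit "${2:-vmbr0}" "${3:-enp35s0}"; fi
```

The script only reads sysfs, procfs and `/etc/sysctl.d`; it does not cover the firewall rules (DROP instead of REJECT, the tcp/43 rule), which still need to be reviewed in the Proxmox firewall configuration.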
 