host node firewalling? (question for proxmox themselves mainly)

pieterk

Feb 7, 2014
Does Proxmox support iptables firewalling (ignoring the GUI)?

In terms of clustering, the idea is to simplify the network model from various VLANs + hardware firewall (expensive) to just VLANs and iptables. For example, a host VLAN and then a virtual machines VLAN, with traffic going to the host VLAN only from pre-approved locations:

eth0.1+eth1.1 ---> bond0 ---> vmbr0 (host access only, iptables firewalled)

eth0.2+eth1.2 ---> bond1 ---> vmbr1 (kvm guests only, raw internet)

Is it possible to store custom configuration on the clustered shared space (CXFS) such as a text file containing iptables rules?

If we were to use iptables to firewall the hosts (no fancy routing, no NATting and no guest firewalling), would Proxmox still support the server based on a subscription? We understand that they cannot support the actual rule table, but the question is: will it invalidate support entirely for the server/cluster if we do require assistance?

Thanks
 
Thanks for the reply Dietmar. Just needed to clarify though if using it now ourselves would invalidate support or not.
 
Just a note: you don't need a bridge for the raw host access; you can just leave it as eth0.1+eth1.1 ---> bond0 and restrict with iptables on the bond0 device.

Note you would have to either not assign an IP for vmbr1 or manually reconfigure the pveproxy server to only listen on the IP assigned to bond0/vmbr0.
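The interface-level restriction suggested in the reply above, as an added example that is not part of the original posts or of Proxmox itself: a shell function that emits an `iptables-restore` ruleset accepting traffic on the host interface only from pre-approved sources. The function name `gen_host_rules` and the sample addresses in the comments are assumptions, and the other cluster nodes are assumed to be among the approved sources.

```shell
#!/bin/sh
# Added example (hypothetical helper, not Proxmox code).
# gen_host_rules IFACE CIDR [CIDR...]
# Prints an iptables-restore ruleset that accepts traffic arriving on
# IFACE only from the listed IPv4 sources and drops everything else on
# that interface. Chain policies stay ACCEPT, so bridged guest traffic
# (vmbr1 in the thread) is not filtered by these rules.
gen_host_rules() {
    if [ "$#" -lt 2 ]; then
        echo "usage: gen_host_rules IFACE CIDR [CIDR...]" >&2
        return 2
    fi
    iface=$1
    shift
    # Interface names: letters, digits, dot, underscore, dash only.
    case $iface in
        *[!A-Za-z0-9._-]*) echo "bad interface: $iface" >&2; return 2 ;;
    esac
    # Sources: digits, dots and an optional /prefix only, so a stray
    # character in the approved list cannot turn into extra rule text.
    for src in "$@"; do
        case $src in
            *[!0-9./]*) echo "bad source: $src" >&2; return 2 ;;
        esac
    done
    echo '*filter'
    echo ':INPUT ACCEPT [0:0]'
    echo ':FORWARD ACCEPT [0:0]'
    echo ':OUTPUT ACCEPT [0:0]'
    echo '-A INPUT -i lo -j ACCEPT'
    # Replies to connections the host itself opened (updates, DNS, NTP).
    echo "-A INPUT -i $iface -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    for src in "$@"; do
        echo "-A INPUT -i $iface -s $src -j ACCEPT"
    done
    # Anything else arriving on the host interface is dropped.
    echo "-A INPUT -i $iface -j DROP"
    echo 'COMMIT'
}

# Constructed usage (documentation addresses, not from the thread):
#   gen_host_rules bond0 192.0.2.0/24 198.51.100.7 > host.rules
#   iptables-restore --test < host.rules   # parse check, applies nothing
```

Load the ruleset from a console session rather than over SSH the first time, since a missing source entry locks out remote access on that interface.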
 
