Host runs iptables for the VPS-es?

Chow (Member), Apr 28, 2008
Hi,

I've been searching on this forum and I do find several topics on iptables but not an answer to my specific question.

I want to run iptables on the hardware node in order to protect the 5 VPSes running on it. The 5 VPSes all run similar services like HTTP and FTP. Is this possible?

I'm not too familiar with iptables so is there a script which is used by others and how did you implement it?

Thanks in advance.
 
Running something like this should work

Code:
# Flush the filter table so we start with a clean slate. Default chain
# policies and the nat/mangle tables are not touched.
iptables -F

iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -i lo -p all -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
iptables -A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
# Drop packets arriving on eth0 with a loopback source address. 127.0.0.0/8
# is used rather than the name "localhost" so the rule does not depend on
# /etc/hosts. Sitting after the ACCEPTs above, it only sees packets they did
# not already match; move it up if it should also cover ports 80 and 22.
iptables -A INPUT -p all -s 127.0.0.0/8 -i eth0 -j DROP

# Traffic forwarded to and from the VEs. Guests on a Proxmox bridge (vmbr0)
# are only filtered here when net.bridge.bridge-nf-call-iptables=1.
iptables -A FORWARD -p tcp -m tcp --dport 80 -j ACCEPT
iptables -A FORWARD -p tcp -m tcp --dport 22 -j ACCEPT
iptables -A FORWARD -p udp -m udp --dport 53 -j ACCEPT
iptables -A FORWARD -p icmp -m icmp --icmp-type 8 -j ACCEPT
iptables -A INPUT -j REJECT
iptables -A FORWARD -j REJECT

# iptables-save only prints the ruleset to stdout. Redirect it to a file
# (path chosen here) and reload that file at boot with
# "iptables-restore < /etc/iptables.rules", for example from a pre-up line
# in /etc/network/interfaces, otherwise the rules are gone after a reboot.
iptables-save > /etc/iptables.rules
To put some meat on the bone,

iptables -F gets rid of any existing rules so we can start with a clean slate.

The first rule says accept anything that is related or established to an existing connection.

The second line says much the same as the above, but in respect of forwarded packets to your VEs.

The 3rd line says allow anything out of your server.

The 4th says allow anything to connect from localhost.

5 and 6 are to allow SSH and HTTP.

7 says allow pinging.

8 says drop anything that says it is localhost but turns up on eth0, as that should never happen, but I need to check whether that rule is relevant to Proxmox.

The next 4 forwarding rules allow pings, SSH and HTTP to be forwarded to the virtual machines, and also allow DNS lookups.

The last two rules say reject anything and everything else.

Finally, iptables-save commits the rules so that they stay after a reboot.

If it all goes horribly wrong, then iptables -F from the physical console will clear everything so you can have another go.

Joe
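Joe's recovery path is "iptables -F from the physical console". The script below is an added example, not code from Joe's post or from Proxmox, showing how to avoid needing the console when you apply a ruleset over SSH: a dead-man timer that flushes the INPUT and FORWARD chains unless you confirm within a grace period, plus a persist step that writes the live ruleset to a file, since iptables-save by itself only prints to stdout. The variable names, the PID file under /run and the rules file path /etc/iptables.rules are choices made here, not anything the thread specifies; IPT and IPT_SAVE can be overridden for a dry run.

```shell
#!/bin/sh
# Added example, not from the forum post: a dead-man switch for applying
# firewall rules over SSH, plus a persist step that writes the rules to disk.
# Arm the timer, run the rule script, log in again from a second terminal,
# then confirm. If the new rules cut you off, the timer fires and flushes
# INPUT and FORWARD, so the host is reachable again.
# Assumptions (chosen here): IPT and IPT_SAVE name the binaries and may be
# overridden; STATE_FILE holds the timer's PID so a second invocation of this
# script (the "confirm") can find it; RULES_FILE is where the ruleset goes.

IPT="${IPT:-iptables}"
IPT_SAVE="${IPT_SAVE:-iptables-save}"
STATE_FILE="${STATE_FILE:-/run/fw-rollback.pid}"
RULES_FILE="${RULES_FILE:-/etc/iptables.rules}"

# start_rollback SECONDS: arm the timer in a detached subshell. Its stdio is
# redirected so it does not keep the SSH session's pipes open.
start_rollback() {
    secs="${1:-60}"
    (
        sleep "$secs"
        "$IPT" -F INPUT
        "$IPT" -F FORWARD
        rm -f "$STATE_FILE"
    ) </dev/null >/dev/null 2>&1 &
    echo "$!" > "$STATE_FILE"
}

# confirm_rules: you can still log in, so disarm the timer.
confirm_rules() {
    [ -f "$STATE_FILE" ] || return 1
    pid=$(cat "$STATE_FILE")
    kill "$pid" 2>/dev/null || true
    wait "$pid" 2>/dev/null || true   # reap it so the PID is not a zombie
    rm -f "$STATE_FILE"
}

# rollback_pending: true while a timer is armed and its process is alive.
rollback_pending() {
    [ -f "$STATE_FILE" ] && kill -0 "$(cat "$STATE_FILE")" 2>/dev/null
}

# persist_rules: iptables-save alone only prints; redirect it to RULES_FILE
# and load that file at boot with "iptables-restore < $RULES_FILE" (for
# example from a pre-up line in /etc/network/interfaces on Debian hosts).
persist_rules() {
    "$IPT_SAVE" > "$RULES_FILE"
}

case "${1:-}" in
    arm)     start_rollback "${2:-60}" ;;
    confirm) confirm_rules ;;
    persist) persist_rules ;;
    '')      ;;
    *)       echo "usage: $0 arm [seconds] | confirm | persist" >&2; exit 2 ;;
esac
```

Typical use: `./fw-guard.sh arm 90`, run the rule script, open a new SSH session to prove you still can, then `./fw-guard.sh confirm` and `./fw-guard.sh persist`. If the new session fails, do nothing; after 90 seconds the chains are flushed and you can try again.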
 
Mmmm, one small issue. I used these rules and added rules for other ports used, like snmpd and FTP. I opened all known ports for FTP but it doesn't seem to work. We can connect to FTP but we can't retrieve a list of files. We tried both active and passive mode.
What should I add to make FTP work?
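The symptom in the post above (login works, the listing never arrives, in active and passive mode alike) is what a firewall that only opens port 21 produces: FTP carries every listing and transfer over a second TCP connection whose port is negotiated on the control channel, so that connection is NEW on an unpredictable port and hits the final REJECT in both INPUT and FORWARD. The script below is an added example, not code from the thread or from Proxmox, showing the usual fix: load the kernel's FTP connection-tracking helper so the data connection is classified RELATED and admitted by the RELATED,ESTABLISHED rules already in Joe's ruleset, for the host and for the forwarded VEs alike. The variable names and the apply/dry-run interface are assumptions made here; the module names nf_conntrack_ftp and ip_conntrack_ftp and the raw-table CT target are real kernel and iptables names.

```shell
#!/bin/sh
# Added example (not from the thread): make FTP work through the host's
# firewall for the host itself and for the VEs behind it.
# Port 21 only carries the control channel. The directory listing travels
# over a second TCP connection: in active mode the server connects back from
# port 20 to a port the client announced with PORT; in passive mode the client
# connects to a high port the server announced with PASV. Either way it is a
# NEW connection on a port you cannot predict, so opening port 21 alone gives
# exactly "connected, but no listing". The FTP conntrack helper parses
# PORT/PASV on the control channel and marks the data connection RELATED, so
# the existing "--state RELATED,ESTABLISHED -j ACCEPT" rules admit it and no
# 1024-65535 range has to be exposed.
# Assumptions: IPT and MODPROBE may be overridden (IPT=echo gives a dry run);
# the chains already end in a REJECT, so rules are inserted with -I, not -A.

IPT="${IPT:-iptables}"
MODPROBE="${MODPROBE:-modprobe}"

# Load the helper. nf_conntrack_ftp is the current module name; kernels of
# the ip_conntrack era called it ip_conntrack_ftp, so fall back to that.
load_ftp_helper() {
    "$MODPROBE" nf_conntrack_ftp 2>/dev/null || "$MODPROBE" ip_conntrack_ftp
}

ftp_rules() {
    # Since kernel 4.7 a loaded helper is no longer attached to connections
    # automatically, so bind it to port 21 in the raw table. An iptables too
    # old to have the CT target fails here and relies on automatic assignment.
    "$IPT" -t raw -A PREROUTING -p tcp --dport 21 -j CT --helper ftp 2>/dev/null \
        || echo "CT target unavailable, relying on automatic helper assignment" >&2
    # Control channel: to the host itself and forwarded to the VEs. Inserted at
    # the top so they land before the chain's final REJECT.
    "$IPT" -I INPUT   -p tcp -m tcp --dport 21 -m state --state NEW -j ACCEPT
    "$IPT" -I FORWARD -p tcp -m tcp --dport 21 -m state --state NEW -j ACCEPT
    # Data channel: nothing to open. With the helper loaded it is RELATED and
    # the existing RELATED,ESTABLISHED rules accept it in both chains.
}

# True when the helper module is present in the running kernel.
helper_loaded() {
    grep -Eq '^(nf|ip)_conntrack_ftp ' /proc/modules 2>/dev/null
}

case "${1:-}" in
    apply)   load_ftp_helper && ftp_rules ;;
    dry-run) IPT=echo MODPROBE=echo; load_ftp_helper; ftp_rules ;;
    '')      ;;
    *)       echo "usage: $0 apply|dry-run" >&2; exit 2 ;;
esac
```

Run `./ftp-rules.sh dry-run` to see the exact commands, then `./ftp-rules.sh apply` as root after Joe's script. For guests on a bridge the helper only sees the VE traffic if that traffic passes through netfilter at all (net.bridge.bridge-nf-call-iptables=1); for the host's own FTP daemon no extra setting is needed.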
 