How to block SSH access to PVE Node ?

melon2, Feb 21, 2016
Hi,
I have a problem with the Proxmox firewall: I can't figure out how to set up the firewall for hosts (nodes).
I want to limit access to the Proxmox web console to one specific host, but I can't do that.
The firewall for VMs works correctly, but not for PVE nodes.

I have enabled the firewall (at datacenter level) with a DROP policy:
/etc/pve/firewall/cluster.fw
[OPTIONS]
enable: 1
policy_in: DROP

But SSH to the node still works; I can't block it.
Nmap scan result:

uss@Latitude-D630:~$ nmap -Pn 192.168.1.26

Starting Nmap 6.40 ( http://nmap.org ) at 2016-02-21 01:20 CET
Nmap scan report for 192.168.1.26
Host is up (0.0035s latency).
Not shown: 973 filtered ports
PORT     STATE  SERVICE
22/tcp   open   ssh
43/tcp   closed whois
3128/tcp open   squid-http
...

Nmap done: 1 IP address (1 host up) scanned in 0.43 seconds


Please help me; I don't know what I'm doing wrong.

Best regards
 
Some ports (22, 8006) are kept open for the local network, because they are required for
proper cluster functionality. Please create an extra rule to block them if required.
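As an added example (not from the thread and not from Proxmox's own documentation), here is what "an extra rule" looks like in the firewall files themselves: the datacenter-wide DROP policy from the first post stays, and a host-level file allows SSH and the web GUI from one admin host and explicitly rejects them from everyone else. The node name `pve1` and the admin address `192.168.1.5` are assumptions.

```ini
# /etc/pve/firewall/cluster.fw  (datacenter level, as in the original post)
[OPTIONS]
enable: 1
policy_in: DROP
policy_out: ACCEPT

# /etc/pve/nodes/pve1/host.fw  (host level; node name and admin IP are assumed)
[OPTIONS]
enable: 1

[RULES]
# Explicit allows first: the generated chain is first-match, so these must
# precede the rejects or the admin host locks itself out too.
IN ACCEPT -source 192.168.1.5 -p tcp -dport 22 -log nolog
IN ACCEPT -source 192.168.1.5 -p tcp -dport 8006 -log nolog
# Then override the built-in local-network allow for 22 and 8006.
IN REJECT -p tcp -dport 22 -log info
IN REJECT -p tcp -dport 8006 -log info
```

Two caveats before applying this on a real node: the built-in allow list for the management set also covers 5900:5999 (VNC) and 3128 (SPICE proxy), as the iptables-save output later in this thread shows, so add matching rules for those if they should be restricted as well; and on a multi-node cluster the other nodes need their own ACCEPT for port 22 (and 8006) ahead of the rejects, since cluster operations rely on SSH between nodes. Keep a console session open while testing, and check the resulting order with `pve-firewall compile` or `iptables-save | grep PVEFW-HOST-IN`.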
 
Dietmar, thank you.

Which ports are open to the local network?
Only 22 and 8006, or maybe some others?

In my Nmap scan you can see: 3128/tcp open squid-http
and many others which I didn't paste here (VNC, probably).
 
Hello!
I want to jump on this thread...
I have configured another port for SSH and defined a rule to reject incoming on port 22.
However, the default rule is listed after this personal rule and should therefore overrule it (please correct me if I'm wrong).

The PVE server IP is 192.168.1.10, the SSH service is listening on port 2210.

The output of iptables-save is this:
Code:
-A PVEFW-HOST-IN -i lo -j ACCEPT
-A PVEFW-HOST-IN -m conntrack --ctstate INVALID -j DROP
-A PVEFW-HOST-IN -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A PVEFW-HOST-IN -m conntrack --ctstate INVALID,NEW -j PVEFW-smurfs
-A PVEFW-HOST-IN -p igmp -j RETURN
-A PVEFW-HOST-IN -p tcp -m tcp --dport 22 -j PVEFW-reject
-A PVEFW-HOST-IN -d 192.168.178.10/32 -p tcp -m set --match-set PVEFW-0-management-v4 src -m tcp --sport 2210 -j RETURN
-A PVEFW-HOST-IN -i eth2 -j PVEFW-reject
-A PVEFW-HOST-IN -i eth0 -j DROP
-A PVEFW-HOST-IN -i eth1 -j PVEFW-reject
-A PVEFW-HOST-IN -p tcp -m set --match-set PVEFW-0-management-v4 src -m tcp --dport 8006 -j RETURN
-A PVEFW-HOST-IN -p tcp -m set --match-set PVEFW-0-management-v4 src -m tcp --dport 5900:5999 -j RETURN
-A PVEFW-HOST-IN -p tcp -m set --match-set PVEFW-0-management-v4 src -m tcp --dport 3128 -j RETURN
-A PVEFW-HOST-IN -p tcp -m set --match-set PVEFW-0-management-v4 src -m tcp --dport 22 -j RETURN

Thanks
 
My assumption is that the later rule would overwrite the previous rule.
Is this wrong?
 
You're probably used to 'pf' from BSD, where that's the case. With iptables it's like adding the 'quick' keyword to every rule: the first rule that matches 'executes' its job, and if that job is ACCEPT, REJECT or DROP, the firewall is done (while a chain name or 'RETURN' jumps to another chain, or back to the previous one).
 
Hi,

I have the same problem: I can't block access to port 22 of the node from the public IP.
I'm using Proxmox 4.4-1.
At datacenter level: Enable Firewall YES, Input Policy DROP, Output Policy ACCEPT
At host level: Enable Firewall YES, and the rules below:
(screenshot: host-level firewall rules in the Proxmox Virtual Environment GUI)


So, since the Input Policy is DROP, I believe port 22 should now be blocked... But it isn't!
Iptables-save output:

-A PVEFW-HOST-IN -i lo -j ACCEPT
-A PVEFW-HOST-IN -m conntrack --ctstate INVALID -j DROP
-A PVEFW-HOST-IN -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A PVEFW-HOST-IN -m conntrack --ctstate INVALID,NEW -j PVEFW-smurfs
-A PVEFW-HOST-IN -p tcp -j PVEFW-tcpflags
-A PVEFW-HOST-IN -p igmp -j RETURN
-A PVEFW-HOST-IN -d 92.216.138.208/32 -p tcp -m tcp --dport 8006 -j RETURN
-A PVEFW-HOST-IN -d 92.216.138.208/32 -p udp -m udp --dport 1194 -j RETURN
-A PVEFW-HOST-IN -d 92.216.138.208/32 -p tcp -m tcp --dport 443 -j RETURN
-A PVEFW-HOST-IN -d 92.216.138.208/32 -p tcp -m tcp --dport 80 -j RETURN
-A PVEFW-HOST-IN -p tcp -m set --match-set PVEFW-0-management-v4 src -m tcp --dport 8006 -j RETURN
-A PVEFW-HOST-IN -p tcp -m set --match-set PVEFW-0-management-v4 src -m tcp --dport 5900:5999 -j RETURN
-A PVEFW-HOST-IN -p tcp -m set --match-set PVEFW-0-management-v4 src -m tcp --dport 3128 -j RETURN
-A PVEFW-HOST-IN -p tcp -m set --match-set PVEFW-0-management-v4 src -m tcp --dport 22 -j RETURN
-A PVEFW-HOST-IN -s 92.216.138.0/24 -d 92.216.138.0/24 -p udp -m udp --dport 5404:5405 -j RETURN
-A PVEFW-HOST-IN -s 92.216.138.0/24 -p udp -m addrtype --dst-type MULTICAST -m udp --dport 5404:5405 -j RETURN
-A PVEFW-HOST-IN -j PVEFW-Drop
-A PVEFW-HOST-IN -j NFLOG --nflog-prefix ":0:7:PVEFW-HOST-IN: policy DROP: "
-A PVEFW-HOST-IN -j DROP
-A PVEFW-HOST-IN -m comment --comment "PVESIG:YL/replaced"

Now, according to wbumiller's messages, there's a default rule for port 22 (and 8006) generated by Proxmox that always allows connections on those ports, which can be overridden by an additional REJECT (or DROP) rule. So I tried the rule below at host level:
(screenshot: host-level REJECT rule for port 22 in the Proxmox Virtual Environment GUI)

Port 22 is still open!
iptables-save output:
-A PVEFW-HOST-IN -i lo -j ACCEPT
-A PVEFW-HOST-IN -m conntrack --ctstate INVALID -j DROP
-A PVEFW-HOST-IN -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A PVEFW-HOST-IN -m conntrack --ctstate INVALID,NEW -j PVEFW-smurfs
-A PVEFW-HOST-IN -p tcp -j PVEFW-tcpflags
-A PVEFW-HOST-IN -p igmp -j RETURN
-A PVEFW-HOST-IN -p tcp -m tcp --dport 22 -j PVEFW-reject
-A PVEFW-HOST-IN -d 92.216.138.208/32 -p tcp -m tcp --dport 8006 -j RETURN
-A PVEFW-HOST-IN -d 92.216.138.208/32 -p udp -m udp --dport 1194 -j RETURN
-A PVEFW-HOST-IN -d 92.216.138.208/32 -p tcp -m tcp --dport 443 -j RETURN
-A PVEFW-HOST-IN -d 92.216.138.208/32 -p tcp -m tcp --dport 80 -j RETURN
-A PVEFW-HOST-IN -p tcp -m set --match-set PVEFW-0-management-v4 src -m tcp --dport 8006 -j RETURN
-A PVEFW-HOST-IN -p tcp -m set --match-set PVEFW-0-management-v4 src -m tcp --dport 5900:5999 -j RETURN
-A PVEFW-HOST-IN -p tcp -m set --match-set PVEFW-0-management-v4 src -m tcp --dport 3128 -j RETURN
-A PVEFW-HOST-IN -p tcp -m set --match-set PVEFW-0-management-v4 src -m tcp --dport 22 -j RETURN
-A PVEFW-HOST-IN -s 92.216.138.0/24 -d 92.216.138.0/24 -p udp -m udp --dport 5404:5405 -j RETURN
-A PVEFW-HOST-IN -s 92.216.138.0/24 -p udp -m addrtype --dst-type MULTICAST -m udp --dport 5404:5405 -j RETURN
-A PVEFW-HOST-IN -j PVEFW-Drop
-A PVEFW-HOST-IN -j NFLOG --nflog-prefix ":0:7:PVEFW-HOST-IN: policy DROP: "
-A PVEFW-HOST-IN -j DROP
-A PVEFW-HOST-IN -m comment --comment "PVESIG:replaced"


I really can't understand why the port 22 is still not blocked.

Thanks for your help.
 
From what I see it is rejected with:

-A PVEFW-HOST-IN -p tcp -m tcp --dport 22 -j PVEFW-reject

There is another rule for management nodes (--match-set PVEFW-0-management-v4 src), but
it has lower priority and thus does not trigger anymore.
 
From what I see it is rejected with:

-A PVEFW-HOST-IN -p tcp -m tcp --dport 22 -j PVEFW-reject

There is another rule for management nodes (--match-set PVEFW-0-management-v4 src), but
it has lower priority and thus does not trigger anymore.

Thanks for your answer!
This is my understanding as well; nevertheless, I can still connect through SSH from any IP...
Moreover, PVEFW-0-management-v4 contains only the host's own IP range:
Code:
ipset list PVEFW-0-management-v4
Name: PVEFW-0-management-v4
Type: hash:net
Revision: 6
Header: family inet hashsize 64 maxelem 64
Size in memory: 448
References: 4
Members:
92.216.138.0/24

Here's the full output of iptables-save, if this can help.

Code:
# Generated by iptables-save v1.4.21 on Fri Apr 28 00:04:36 2017
*mangle
:PREROUTING ACCEPT [29080:1701641]
:INPUT ACCEPT [60499:12457990]
:FORWARD ACCEPT [1998:195446]
:OUTPUT ACCEPT [34991:19010816]
:POSTROUTING ACCEPT [36527:19171905]
:AS0_MANGLE_PRE_REL_EST - [0:0]
:AS0_MANGLE_TUN - [0:0]
-A PREROUTING -m state --state RELATED,ESTABLISHED -j AS0_MANGLE_PRE_REL_EST
-A PREROUTING -i as0t+ -j AS0_MANGLE_TUN
-A AS0_MANGLE_PRE_REL_EST -j ACCEPT
-A AS0_MANGLE_TUN -j MARK --set-xmark 0x2000000/0xffffffff
-A AS0_MANGLE_TUN -j ACCEPT
COMMIT
# Completed on Fri Apr 28 00:04:36 2017
# Generated by iptables-save v1.4.21 on Fri Apr 28 00:04:36 2017
*nat
:PREROUTING ACCEPT [7116:598730]
:INPUT ACCEPT [2898:140304]
:OUTPUT ACCEPT [1837:129788]
:POSTROUTING ACCEPT [1619:114153]
:AS0_DPFWD_TCP - [0:0]
:AS0_DPFWD_UDP - [0:0]
:AS0_NAT - [0:0]
:AS0_NAT_POST_REL_EST - [0:0]
:AS0_NAT_PRE - [0:0]
:AS0_NAT_PRE_REL_EST - [0:0]
:AS0_NAT_TEST - [0:0]
-A PREROUTING -m state --state RELATED,ESTABLISHED -j AS0_NAT_PRE_REL_EST
-A PREROUTING -d 92.216.138.208/32 -p udp -m udp --dport 1194 -m state --state NEW -j AS0_DPFWD_UDP
-A PREROUTING -d 92.216.138.208/32 -p tcp -m tcp --dport 443 -m state --state NEW -j AS0_DPFWD_TCP
-A POSTROUTING -m state --state RELATED,ESTABLISHED -j AS0_NAT_POST_REL_EST
-A POSTROUTING -m mark --mark 0x2000000/0x2000000 -j AS0_NAT_PRE
-A POSTROUTING -s 10.2.1.0/24 -o vmbr0 -j MASQUERADE
-A AS0_DPFWD_TCP -p tcp -j DNAT --to-destination 92.216.138.208:914
-A AS0_DPFWD_TCP -j ACCEPT
-A AS0_DPFWD_UDP -p udp -j DNAT --to-destination 92.216.138.208:918
-A AS0_DPFWD_UDP -j ACCEPT
-A AS0_NAT -o vmbr0 -j SNAT --to-source 92.216.138.208
-A AS0_NAT -o vmbr1 -j SNAT --to-source 10.2.1.1
-A AS0_NAT -o eth0 -j SNAT --to-source 92.216.138.208
-A AS0_NAT -j ACCEPT
-A AS0_NAT_POST_REL_EST -j ACCEPT
-A AS0_NAT_PRE -m mark --mark 0x8000000/0x8000000 -j AS0_NAT
-A AS0_NAT_PRE -d 169.254.0.0/16 -j AS0_NAT_TEST
-A AS0_NAT_PRE -d 192.168.0.0/16 -j AS0_NAT_TEST
-A AS0_NAT_PRE -d 172.16.0.0/12 -j AS0_NAT_TEST
-A AS0_NAT_PRE -d 10.0.0.0/8 -j AS0_NAT_TEST
-A AS0_NAT_PRE -j AS0_NAT
-A AS0_NAT_PRE_REL_EST -j ACCEPT
-A AS0_NAT_TEST -o as0t+ -j ACCEPT
-A AS0_NAT_TEST -m mark --mark 0x4000000/0x4000000 -j ACCEPT
-A AS0_NAT_TEST -d 172.27.224.0/20 -j ACCEPT
-A AS0_NAT_TEST -j AS0_NAT
COMMIT
# Completed on Fri Apr 28 00:04:36 2017
# Generated by iptables-save v1.4.21 on Fri Apr 28 00:04:36 2017
*filter
:INPUT ACCEPT [1548:70924]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [1028:75829]
:AS0_ACCEPT - [0:0]
:AS0_DNS - [0:0]
:AS0_IN - [0:0]
:AS0_IN_NAT - [0:0]
:AS0_IN_POST - [0:0]
:AS0_IN_PRE - [0:0]
:AS0_IN_ROUTE - [0:0]
:AS0_OUT - [0:0]
:AS0_OUT_LOCAL - [0:0]
:AS0_OUT_POST - [0:0]
:AS0_OUT_S2C - [0:0]
:AS0_WEBACCEPT - [0:0]
:PVEFW-Drop - [0:0]
:PVEFW-DropBroadcast - [0:0]
:PVEFW-FORWARD - [0:0]
:PVEFW-FWBR-IN - [0:0]
:PVEFW-FWBR-OUT - [0:0]
:PVEFW-HOST-IN - [0:0]
:PVEFW-HOST-OUT - [0:0]
:PVEFW-INPUT - [0:0]
:PVEFW-OUTPUT - [0:0]
:PVEFW-Reject - [0:0]
:PVEFW-SET-ACCEPT-MARK - [0:0]
:PVEFW-logflags - [0:0]
:PVEFW-reject - [0:0]
:PVEFW-smurflog - [0:0]
:PVEFW-smurfs - [0:0]
:PVEFW-tcpflags - [0:0]
:udp-flood - [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j AS0_ACCEPT
-A INPUT -i lo -j AS0_ACCEPT
-A INPUT -m mark --mark 0x2000000/0x2000000 -j AS0_IN_PRE
-A INPUT -d 92.216.138.208/32 -p tcp -m state --state NEW -m tcp --dport 915 -j AS0_ACCEPT
-A INPUT -d 92.216.138.208/32 -p tcp -m state --state NEW -m tcp --dport 914 -j AS0_ACCEPT
-A INPUT -d 92.216.138.208/32 -p tcp -m state --state NEW -m tcp --dport 917 -j AS0_ACCEPT
-A INPUT -d 92.216.138.208/32 -p tcp -m state --state NEW -m tcp --dport 916 -j AS0_ACCEPT
-A INPUT -d 92.216.138.208/32 -p udp -m state --state NEW -m udp --dport 919 -j AS0_ACCEPT
-A INPUT -d 92.216.138.208/32 -p udp -m state --state NEW -m udp --dport 918 -j AS0_ACCEPT
-A INPUT -d 92.216.138.208/32 -p udp -m state --state NEW -m udp --dport 921 -j AS0_ACCEPT
-A INPUT -d 92.216.138.208/32 -p udp -m state --state NEW -m udp --dport 920 -j AS0_ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j AS0_WEBACCEPT
-A INPUT -d 92.216.138.208/32 -p tcp -m state --state NEW -m tcp --dport 943 -j AS0_WEBACCEPT
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 1/sec --limit-burst 3 -j RETURN
-A INPUT -j PVEFW-INPUT
-A FORWARD -m state --state RELATED,ESTABLISHED -j AS0_ACCEPT
-A FORWARD -m mark --mark 0x2000000/0x2000000 -j AS0_IN_PRE
-A FORWARD -o as0t+ -j AS0_OUT_S2C
-A FORWARD -j PVEFW-FORWARD
-A OUTPUT -o as0t+ -j AS0_OUT_LOCAL
-A OUTPUT -p udp -j udp-flood
-A OUTPUT -j PVEFW-OUTPUT
-A AS0_ACCEPT -j ACCEPT
-A AS0_DNS -d 62.210.16.6/32 -j ACCEPT
-A AS0_DNS -d 62.210.16.7/32 -j ACCEPT
-A AS0_DNS -j RETURN
-A AS0_IN -d 172.27.224.1/32 -j ACCEPT
-A AS0_IN -j AS0_IN_POST
-A AS0_IN_NAT -j MARK --set-xmark 0x8000000/0x8000000
-A AS0_IN_NAT -j ACCEPT
-A AS0_IN_POST -d 10.2.1.0/24 -j ACCEPT
-A AS0_IN_POST -o as0t+ -j AS0_OUT
-A AS0_IN_POST -j DROP
-A AS0_IN_PRE -p tcp -m state --state NEW -m tcp --dport 53 -j AS0_DNS
-A AS0_IN_PRE -p udp -m state --state NEW -m udp --dport 53 -j AS0_DNS
-A AS0_IN_PRE -d 169.254.0.0/16 -j AS0_IN
-A AS0_IN_PRE -d 192.168.0.0/16 -j AS0_IN
-A AS0_IN_PRE -d 172.16.0.0/12 -j AS0_IN
-A AS0_IN_PRE -d 10.0.0.0/8 -j AS0_IN
-A AS0_IN_PRE -j DROP
-A AS0_IN_ROUTE -j MARK --set-xmark 0x4000000/0x4000000
-A AS0_IN_ROUTE -j ACCEPT
-A AS0_OUT -j AS0_OUT_POST
-A AS0_OUT_LOCAL -p icmp -m icmp --icmp-type 5 -j DROP
-A AS0_OUT_LOCAL -j ACCEPT
-A AS0_OUT_POST -j DROP
-A AS0_OUT_S2C -j AS0_OUT
-A AS0_WEBACCEPT -j ACCEPT
-A PVEFW-Drop -p tcp -m tcp --dport 43 -j PVEFW-reject
-A PVEFW-Drop -j PVEFW-DropBroadcast
-A PVEFW-Drop -p icmp -m icmp --icmp-type 3/4 -j ACCEPT
-A PVEFW-Drop -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A PVEFW-Drop -m conntrack --ctstate INVALID -j DROP
-A PVEFW-Drop -p udp -m multiport --dports 135,445 -j DROP
-A PVEFW-Drop -p udp -m udp --dport 137:139 -j DROP
-A PVEFW-Drop -p udp -m udp --sport 137 --dport 1024:65535 -j DROP
-A PVEFW-Drop -p tcp -m multiport --dports 135,139,445 -j DROP
-A PVEFW-Drop -p udp -m udp --dport 1900 -j DROP
-A PVEFW-Drop -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -j DROP
-A PVEFW-Drop -p udp -m udp --sport 53 -j DROP
-A PVEFW-Drop -m comment --comment "PVESIG:replaced"
-A PVEFW-DropBroadcast -m addrtype --dst-type BROADCAST -j DROP
-A PVEFW-DropBroadcast -m addrtype --dst-type MULTICAST -j DROP
-A PVEFW-DropBroadcast -m addrtype --dst-type ANYCAST -j DROP
-A PVEFW-DropBroadcast -d 224.0.0.0/4 -j DROP
-A PVEFW-DropBroadcast -m comment --comment "PVESIG:replaced"
-A PVEFW-FORWARD -m conntrack --ctstate INVALID -j DROP
-A PVEFW-FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A PVEFW-FORWARD -m physdev --physdev-in fwln+ --physdev-is-bridged -j PVEFW-FWBR-IN
-A PVEFW-FORWARD -m physdev --physdev-out fwln+ --physdev-is-bridged -j PVEFW-FWBR-OUT
-A PVEFW-FORWARD -m comment --comment "PVESIG:replaced+replaced+replaced"
-A PVEFW-FWBR-IN -m conntrack --ctstate INVALID,NEW -j PVEFW-smurfs
-A PVEFW-FWBR-IN -p tcp -j PVEFW-tcpflags
-A PVEFW-FWBR-IN -m comment --comment "PVESIG:replaced/replaced"
-A PVEFW-FWBR-OUT -m comment --comment "PVESIG:replaced/replaced/replaced"
-A PVEFW-HOST-IN -i lo -j ACCEPT
-A PVEFW-HOST-IN -m conntrack --ctstate INVALID -j DROP
-A PVEFW-HOST-IN -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A PVEFW-HOST-IN -m conntrack --ctstate INVALID,NEW -j PVEFW-smurfs
-A PVEFW-HOST-IN -p tcp -j PVEFW-tcpflags
-A PVEFW-HOST-IN -p igmp -j RETURN
-A PVEFW-HOST-IN -p tcp -m tcp --dport 22 -j PVEFW-reject
-A PVEFW-HOST-IN -d 92.216.138.208/32 -p tcp -m tcp --dport 8006 -j RETURN
-A PVEFW-HOST-IN -d 92.216.138.208/32 -p udp -m udp --dport 1194 -j RETURN
-A PVEFW-HOST-IN -d 92.216.138.208/32 -p tcp -m tcp --dport 443 -j RETURN
-A PVEFW-HOST-IN -d 92.216.138.208/32 -p tcp -m tcp --dport 80 -j RETURN
-A PVEFW-HOST-IN -p tcp -m set --match-set PVEFW-0-management-v4 src -m tcp --dport 8006 -j RETURN
-A PVEFW-HOST-IN -p tcp -m set --match-set PVEFW-0-management-v4 src -m tcp --dport 5900:5999 -j RETURN
-A PVEFW-HOST-IN -p tcp -m set --match-set PVEFW-0-management-v4 src -m tcp --dport 3128 -j RETURN
-A PVEFW-HOST-IN -p tcp -m set --match-set PVEFW-0-management-v4 src -m tcp --dport 22 -j RETURN
-A PVEFW-HOST-IN -s 92.216.138.0/24 -d 92.216.138.0/24 -p udp -m udp --dport 5404:5405 -j RETURN
-A PVEFW-HOST-IN -s 92.216.138.0/24 -p udp -m addrtype --dst-type MULTICAST -m udp --dport 5404:5405 -j RETURN
-A PVEFW-HOST-IN -j PVEFW-Drop
-A PVEFW-HOST-IN -j NFLOG --nflog-prefix ":0:7:PVEFW-HOST-IN: policy DROP: "
-A PVEFW-HOST-IN -j DROP
-A PVEFW-HOST-IN -m comment --comment "PVESIG:replaced"
-A PVEFW-HOST-OUT -o lo -j ACCEPT
-A PVEFW-HOST-OUT -m conntrack --ctstate INVALID -j DROP
-A PVEFW-HOST-OUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A PVEFW-HOST-OUT -p igmp -j RETURN
-A PVEFW-HOST-OUT -d 92.216.138.0/24 -p tcp -m tcp --dport 8006 -j RETURN
-A PVEFW-HOST-OUT -d 92.216.138.0/24 -p tcp -m tcp --dport 22 -j RETURN
-A PVEFW-HOST-OUT -d 92.216.138.0/24 -p tcp -m tcp --dport 5900:5999 -j RETURN
-A PVEFW-HOST-OUT -d 92.216.138.0/24 -p tcp -m tcp --dport 3128 -j RETURN
-A PVEFW-HOST-OUT -d 92.216.138.0/24 -p udp -m udp --dport 5404:5405 -j RETURN
-A PVEFW-HOST-OUT -p udp -m addrtype --dst-type MULTICAST -m udp --dport 5404:5405 -j RETURN
-A PVEFW-HOST-OUT -j RETURN
-A PVEFW-HOST-OUT -m comment --comment "PVESIG:replaced/replaced"
-A PVEFW-INPUT -j PVEFW-HOST-IN
-A PVEFW-INPUT -m comment --comment "PVESIG:+replaced/+replaced"
-A PVEFW-OUTPUT -j PVEFW-HOST-OUT
-A PVEFW-OUTPUT -m comment --comment "PVESIG:replaced+replaced/replaced"
-A PVEFW-Reject -p tcp -m tcp --dport 43 -j PVEFW-reject
-A PVEFW-Reject -j PVEFW-DropBroadcast
-A PVEFW-Reject -p icmp -m icmp --icmp-type 3/4 -j ACCEPT
-A PVEFW-Reject -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A PVEFW-Reject -m conntrack --ctstate INVALID -j DROP
-A PVEFW-Reject -p udp -m multiport --dports 135,445 -j PVEFW-reject
-A PVEFW-Reject -p udp -m udp --dport 137:139 -j PVEFW-reject
-A PVEFW-Reject -p udp -m udp --sport 137 --dport 1024:65535 -j PVEFW-reject
-A PVEFW-Reject -p tcp -m multiport --dports 135,139,445 -j PVEFW-reject
-A PVEFW-Reject -p udp -m udp --dport 1900 -j DROP
-A PVEFW-Reject -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -j DROP
-A PVEFW-Reject -p udp -m udp --sport 53 -j DROP
-A PVEFW-Reject -m comment --comment "PVESIG:replaced"
-A PVEFW-SET-ACCEPT-MARK -j MARK --set-xmark 0x80000000/0x80000000
-A PVEFW-SET-ACCEPT-MARK -m comment --comment "PVESIG:replaced/replaced"
-A PVEFW-logflags -j NFLOG --nflog-prefix ":0:7:PVEFW-logflags: DROP: "
-A PVEFW-logflags -j DROP
-A PVEFW-logflags -m comment --comment "PVESIG:replaced"
-A PVEFW-reject -m addrtype --dst-type BROADCAST -j DROP
-A PVEFW-reject -s 224.0.0.0/4 -j DROP
-A PVEFW-reject -p icmp -j DROP
-A PVEFW-reject -p tcp -j REJECT --reject-with tcp-reset
-A PVEFW-reject -p udp -j REJECT --reject-with icmp-port-unreachable
-A PVEFW-reject -p icmp -j REJECT --reject-with icmp-host-unreachable
-A PVEFW-reject -j REJECT --reject-with icmp-host-prohibited
-A PVEFW-reject -m comment --comment "PVESIG:replaced/replaced"
-A PVEFW-smurflog -j NFLOG --nflog-prefix ":0:7:PVEFW-smurflog: DROP: "
-A PVEFW-smurflog -j DROP
-A PVEFW-smurflog -m comment --comment "PVESIG:replaced"
-A PVEFW-smurfs -s 0.0.0.0/32 -j RETURN
-A PVEFW-smurfs -m addrtype --src-type BROADCAST -g PVEFW-smurflog
-A PVEFW-smurfs -s 224.0.0.0/4 -g PVEFW-smurflog
-A PVEFW-smurfs -m comment --comment "PVESIG:replaced+replaced"
-A PVEFW-tcpflags -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -g PVEFW-logflags
-A PVEFW-tcpflags -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -g PVEFW-logflags
-A PVEFW-tcpflags -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -g PVEFW-logflags
-A PVEFW-tcpflags -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -g PVEFW-logflags
-A PVEFW-tcpflags -p tcp -m tcp --sport 0 --tcp-flags FIN,SYN,RST,ACK SYN -g PVEFW-logflags
-A PVEFW-tcpflags -m comment --comment "PVESIG:replaced+replaced"
-A udp-flood -p udp -m limit --limit 50/sec -j RETURN
-A udp-flood -j DROP
COMMIT
 
Sure, here it is
Code:
auto lo
iface lo inet loopback

auto vmbr0
iface vmbr0 inet static
        address 92.216.138.208
        netmask 255.255.255.0
        gateway 92.216.138.1
        bridge_ports eth0
        bridge_stp off
        bridge_fd 0
        post-up iptables -A INPUT -p tcp --syn -m limit --limit 1/s --limit-burst 3 -j RETURN
        post-up iptables -N udp-flood
        post-up iptables -A OUTPUT -p udp -j udp-flood
        post-up iptables -A udp-flood -p udp -m limit --limit 50/s -j RETURN
        post-up iptables -A udp-flood -j DROP

auto vmbr1
iface vmbr1 inet static
        address  10.2.1.1
        netmask  255.255.255.0
        bridge_ports none
        bridge_stp off
        bridge_fd 0
        post-up echo 1 > /proc/sys/net/ipv4/ip_forward
        post-up iptables -t nat -A POSTROUTING -s '10.2.1.0/24' -o vmbr0 -j MASQUERADE
        post-down iptables -t nat -D POSTROUTING -s '10.2.1.0/24' -o vmbr0 -j MASQUERADE
 
I guess your first iptables rule accepts all traffic.

Code:
post-up iptables -A INPUT -p tcp --syn -m limit --limit 1/s --limit-burst 3 -j RETURN
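The following is an added example, not code from the thread and not part of pve-firewall: a small Python model of how iptables walks its chains. Fed a hand-reduced copy of the INPUT and PVEFW-HOST-IN chains pasted above, it reproduces both points made in this thread: wbumiller's, that the first matching terminating rule wins (the REJECT for port 22 shadows the later management-set RETURN, so even management hosts are rejected), and Dietmar's, that a RETURN in the built-in INPUT chain falls back to that chain's policy, which iptables-save shows as `:INPUT ACCEPT`, so the `post-up` SYN rate-limit rule lets the first few SYNs bypass PVEFW-INPUT entirely and the Proxmox rules only apply once the limit is exceeded. The public source address 203.0.113.5, the management address 92.216.138.50 and the burst-only model of `-m limit` are assumptions.

```python
"""Minimal first-match evaluator for iptables filter chains (added example;
not from the thread or from pve-firewall).  Models: first matching terminating
rule wins; a user-chain jump that RETURNs (explicitly or by falling off the
end) continues in the caller; RETURN from a built-in chain applies the
chain policy.  Rules are a hand-reduced copy of the chains in the thread;
addresses and packets are constructed test input."""
from __future__ import annotations
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Callable, Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str          # "tcp" or "udp"
    dport: int
    state: str = "NEW"  # conntrack state: NEW, ESTABLISHED, RELATED
    iface: str = "vmbr0"


@dataclass
class Rule:
    match: Callable[[Packet], bool]
    target: str  # ACCEPT / DROP / REJECT / RETURN or a user-chain name


TERMINAL = {"ACCEPT", "DROP", "REJECT"}


class Firewall:
    """Chains are evaluated top to bottom; the first matching rule wins."""

    def __init__(self, policies: dict[str, str]):
        self.policies = policies  # built-in chain -> policy verdict
        self.chains: dict[str, list[Rule]] = {}

    def chain(self, name: str, rules: list[Rule]) -> None:
        self.chains[name] = rules

    def _walk(self, chain: str, pkt: Packet) -> Optional[str]:
        for rule in self.chains.get(chain, []):
            if not rule.match(pkt):
                continue
            if rule.target in TERMINAL:
                return rule.target              # final verdict, stop here
            if rule.target == "RETURN":
                return None                     # back to the calling chain
            verdict = self._walk(rule.target, pkt)  # jump into a user chain
            if verdict is not None:
                return verdict
        return None  # falling off the end of a chain behaves like RETURN

    def verdict(self, builtin: str, pkt: Packet) -> str:
        """RETURN (explicit or implicit) from a built-in chain applies its policy."""
        v = self._walk(builtin, pkt)
        return v if v is not None else self.policies[builtin]


def synlimit(burst: int) -> Callable[[Packet], bool]:
    """Crude stand-in for '-m limit --limit 1/s --limit-burst 3' (assumption):
    matches the first `burst` packets it is asked about, then never again."""
    seen = {"n": 0}

    def match(_: Packet) -> bool:
        seen["n"] += 1
        return seen["n"] <= burst
    return match


HOST_IP = "92.216.138.208"            # node address from the thread
MGMT = ip_network("92.216.138.0/24")  # contents of the PVEFW-0-management-v4 ipset


def build(with_synlimit_return: bool) -> Firewall:
    fw = Firewall({"INPUT": "ACCEPT"})  # iptables-save shows ':INPUT ACCEPT'
    in_mgmt = lambda p: ip_address(p.src) in MGMT
    tcp_to = lambda port: (lambda p: p.proto == "tcp" and p.dport == port)
    fw.chain("PVEFW-reject", [Rule(lambda p: True, "REJECT")])
    fw.chain("PVEFW-HOST-IN", [
        Rule(lambda p: p.iface == "lo", "ACCEPT"),
        Rule(lambda p: p.state in ("RELATED", "ESTABLISHED"), "ACCEPT"),
        Rule(tcp_to(22), "PVEFW-reject"),                         # host-level user rule
        Rule(lambda p: tcp_to(8006)(p) and p.dst == HOST_IP, "RETURN"),
        Rule(lambda p: tcp_to(8006)(p) and in_mgmt(p), "RETURN"),
        Rule(lambda p: tcp_to(22)(p) and in_mgmt(p), "RETURN"),   # shadowed for port 22
        Rule(lambda p: True, "DROP"),                             # policy_in: DROP
    ])
    fw.chain("PVEFW-INPUT", [Rule(lambda p: True, "PVEFW-HOST-IN")])
    input_rules = [
        Rule(lambda p: p.state in ("RELATED", "ESTABLISHED"), "ACCEPT"),
        Rule(lambda p: p.iface == "lo", "ACCEPT"),
    ]
    if with_synlimit_return:
        # post-up iptables -A INPUT -p tcp --syn -m limit --limit 1/s --limit-burst 3 -j RETURN
        lim = synlimit(3)
        input_rules.append(Rule(lambda p: p.proto == "tcp" and p.state == "NEW" and lim(p), "RETURN"))
    input_rules.append(Rule(lambda p: True, "PVEFW-INPUT"))
    fw.chain("INPUT", input_rules)
    return fw


def ssh_verdicts(with_synlimit_return: bool, src: str = "203.0.113.5", n: int = 4) -> list[str]:
    """Verdicts for n back-to-back new SSH connections from src (constructed input)."""
    fw = build(with_synlimit_return)
    syn = Packet(src=src, dst=HOST_IP, proto="tcp", dport=22)
    return [fw.verdict("INPUT", syn) for _ in range(n)]


def gui_verdict(src: str = "203.0.113.5") -> str:
    """One new connection to the web GUI on 8006, without the SYN-limit rule."""
    fw = build(with_synlimit_return=False)
    return fw.verdict("INPUT", Packet(src=src, dst=HOST_IP, proto="tcp", dport=8006))


if __name__ == "__main__":
    print("with post-up RETURN rule :", ssh_verdicts(True))   # first 3 SYNs bypass PVEFW
    print("without it               :", ssh_verdicts(False))
    print("from management subnet   :", ssh_verdicts(False, src="92.216.138.50", n=1))
    print("GUI 8006 from anywhere   :", gui_verdict())
```

The practical check on a real node is the same walk done by hand: read `iptables-save` from the top of INPUT and stop at the first rule a fresh SYN matches. Anything that terminates or RETURNs before `-j PVEFW-INPUT` means the Proxmox host rules are never consulted for that packet, whatever the GUI shows.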
 
