How to? - Limit IP connection through proxmox firewall

ohmagic

Jul 27, 2020
Hi guys, new to Proxmox.
I would like to know if there is a way to simulate iptables connlimit on the Proxmox firewall. Since I'm using a Windows VM and need to apply some rules like that to stop some DoS attacks. For example, limit 20 connections/20 seconds and add some allowed IPs to
Couldn't figure out how to make iptables applied to the host impact the VM machines.

Sorry for the noobish questions, new to this environment (whole, dedicated, Linux, etc.).
Thanks.
 
I managed to add the rules, but Proxmox keeps deleting them on every reboot.
This is how my rules look:

-A GROUP-global-IN -s 3.132.120.160/32 -p tcp -m tcp --dport 3306 -g PVEFW-SET-ACCEPT-MARK
-A GROUP-global-IN -s 186.22.238.43/32 -p tcp -m tcp --dport 3306 -g PVEFW-SET-ACCEPT-MARK
-A GROUP-global-IN -p tcp -m connlimit --connlimit-above 30 --connlimit-mask 32 --connlimit-saddr -j LOGGING
-A GROUP-global-IN -p tcp -m conntrack --ctstate NEW -m limit --limit 30/min --limit-burst 10 -j ACCEPT
-A GROUP-global-IN -p tcp -m conntrack --ctstate NEW -j LOGGING

But since I only added this to iptables and not to cluster.fw, I think it's deleted because of that. Is it possible to add this to cluster.fw?
 
I tried that and it didn't work; I ended up adding a cron job that runs 5 minutes after boot and loads the iptables rules from a file.

Does Proxmox already have conntrack and SYN flood protection?

Hi,

Proxmox VE has only a restriction on total traffic per VM.
But you can use hooks[1] with iptables raw commands[2].

1.) https://pve.proxmox.com/pve-docs/pve-admin-guide.html#_hookscripts
2.) https://www.cyberciti.biz/tips/howto-limit-linux-syn-attacks.html

Please give us noobs a small example of how to achieve the goal with hooks (hooks[1] with iptables raw commands[2]).

Thanks.
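The hookscript example the post above asks for, added here; it is not from the thread, the Proxmox docs or the pve-firewall code. It assumes Proxmox invokes a hookscript as `<script> <vmid> <phase>`, that the guest's first NIC is tap<vmid>i0 on a bridge where the PVE firewall has enabled bridge-nf-call-iptables (so guest-bound traffic traverses the host's FORWARD chain), and that VMLIMIT-<vmid> is a hypothetical chain name pve-firewall leaves alone when it regenerates its own chains.

```sh
#!/bin/sh
# Added example, not from the thread or from Proxmox. Assumptions: Proxmox calls a
# hookscript as "<script> <vmid> <phase>"; the guest's first NIC is tap<vmid>i0 on a
# bridge with bridge-nf-call-iptables=1 (the PVE firewall turns this on), so traffic
# towards the guest crosses the host FORWARD chain; VMLIMIT-<vmid> is a hypothetical
# chain name that pve-firewall does not manage, so it survives rule regeneration.
PORT=3306                            # guest service port, taken from the thread
ALLOW="3.132.120.160 186.22.238.43"  # sources exempt from the limits, from the thread
IPT=${IPT:-iptables}                 # set IPT=echo for a dry run

# Print the iptables arguments for one VM, one rule per line, without running them.
build_rules() {
  vmid=$1; port=$2; allow=$3; chain="VMLIMIT-$vmid"; dev="tap${vmid}i0"
  echo "-N $chain"
  for ip in $allow; do   # RETURN hands the packet back to the PVE firewall's own rules
    echo "-A $chain -s $ip/32 -p tcp --dport $port -j RETURN"
  done
  # a source holding more than 30 concurrent connections is dropped
  echo "-A $chain -p tcp --dport $port -m connlimit --connlimit-above 30 --connlimit-mask 32 --connlimit-saddr -j DROP"
  # 30 new connections/min (burst 10) pass; the excess is logged (rate-limited) and dropped
  echo "-A $chain -p tcp --dport $port -m conntrack --ctstate NEW -m limit --limit 30/min --limit-burst 10 -j RETURN"
  echo "-A $chain -p tcp --dport $port -m conntrack --ctstate NEW -m limit --limit 5/min -j LOG --log-prefix \"$chain: \""
  echo "-A $chain -p tcp --dport $port -m conntrack --ctstate NEW -j DROP"
  # jump into the chain for bridged frames leaving towards this guest's tap device
  echo "-I FORWARD 1 -m physdev --physdev-is-bridged --physdev-out $dev -j $chain"
}

# Remove the jump, then flush and delete the chain.
teardown_rules() {
  vmid=$1; chain="VMLIMIT-$vmid"; dev="tap${vmid}i0"
  echo "-D FORWARD -m physdev --physdev-is-bridged --physdev-out $dev -j $chain"
  echo "-F $chain"
  echo "-X $chain"
}

# Feed each printed rule to iptables (eval keeps the quoted log prefix together).
run_lines() { while read -r line; do eval "$IPT $line"; done; }

hook() {
  case $2 in
    post-start) build_rules "$1" "$PORT" "$ALLOW" | run_lines ;;
    post-stop)  teardown_rules "$1" | run_lines ;;
  esac
}

if [ $# -ge 2 ]; then hook "$1" "$2"; fi
```

Put the script on a storage with the snippets content type and attach it with `qm set <vmid> --hookscript local:snippets/<name>.sh`; running `IPT=echo sh <name>.sh 100 post-start` prints the rules without touching the firewall.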
 
Are the IPs (3.132.120.160/32) the Windows VM's IPs?