How to? - Limit IP connection through proxmox firewall

ohmagic

New Member
Jul 27, 2020
Hi guys, new to Proxmox.
I would like to know if there is a way to simulate iptables connlimit on the Proxmox firewall, since I'm using a Windows VM and need to apply some rules like that to stop some DoS attacks. For example, limit 20 connections/20 seconds and add some allowed IPs to
Couldn't figure out how to make iptables rules applied on the host have an impact on the VMs.

Sorry for the noobishness, I'm new to this environment (whole, dedicated, Linux, etc.).
Thanks.
 
I managed to add the rules, but Proxmox keeps deleting them on every reboot.
This is how my rule looks:

-A GROUP-global-IN -s 3.132.120.160/32 -p tcp -m tcp --dport 3306 -g PVEFW-SET-ACCEPT-MARK
-A GROUP-global-IN -s 186.22.238.43/32 -p tcp -m tcp --dport 3306 -g PVEFW-SET-ACCEPT-MARK
-A GROUP-global-IN -p tcp -m connlimit --connlimit-above 30 --connlimit-mask 32 --connlimit-saddr -j LOGGING
-A GROUP-global-IN -p tcp -m conntrack --ctstate NEW -m limit --limit 30/min --limit-burst 10 -j ACCEPT
-A GROUP-global-IN -p tcp -m conntrack --ctstate NEW -j LOGGING

But since I only added this to iptables and not to cluster.fw, I think it's deleted because of that. Is it possible to add this to cluster.fw?
 
ohmagic, maybe iptables-persistent is what you're after? New to Proxmox.
 
I tried that and it didn't work; I ended up adding a cron job 5 minutes after boot that loads the iptables rules from a file.

Does Proxmox already have conntrack and SYN flood protection?

Hi,

Proxmox VE has only a restriction on total traffic per VM.
But you can use hooks[1] with iptables raw commands[2].

1.) https://pve.proxmox.com/pve-docs/pve-admin-guide.html#_hookscripts
2.) https://www.cyberciti.biz/tips/howto-limit-linux-syn-attacks.html

Please give us noobs a small example of how to achieve the goal with hooks (hooks[1] with iptables raw commands[2]).

Thanks.
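The staff reply above points at hookscripts plus raw iptables commands. Here is an added example of such a hookscript in bash (written for this thread, not taken from the Proxmox docs or from ohmagic's setup) that carries the connlimit and rate-limit rules from ohmagic's post into a chain pve-firewall does not manage, so they are not wiped on firewall reloads and are removed when the VM stops. Assumptions: the VM's first NIC is tap<vmid>i0, bridged traffic traverses the host FORWARD chain (net.bridge.bridge-nf-call-iptables=1), and the chain name VMHOOK-<vmid> and the snippet path are my choices.

```bash
#!/bin/bash
# PVE guest hookscript (example). PVE calls it as:  <script> <vmid> <phase>
# with phase in pre-start, post-start, pre-stop, post-stop.
# Install (assumed path): /var/lib/vz/snippets/vm-connlimit.sh, then
#   qm set <vmid> --hookscript local:snippets/vm-connlimit.sh
# Assumes the guest's first NIC is tap<vmid>i0 and that bridged traffic is
# visible to iptables (net.bridge.bridge-nf-call-iptables=1).

PORT=3306                                        # guest service to protect
ALLOW_IPS="3.132.120.160/32 186.22.238.43/32"    # trusted sources, never limited
MAX_CONN=30            # simultaneous connections allowed per source IP
NEW_RATE="30/min"      # sustained rate of new connections to the VM
NEW_BURST=10
IPT="${IPT:-iptables}" # overridable so the logic can be dry-run without root

chain_name() { echo "VMHOOK-$1"; }   # chain name is our own, not a PVEFW-* one

# Print the rule specs for one VM, in evaluation order, one per line.
rules_for_vm() {
    local tap="tap$1i0" ip
    for ip in $ALLOW_IPS; do
        echo "-m physdev --physdev-out $tap -s $ip -p tcp --dport $PORT -j ACCEPT"
    done
    echo "-m physdev --physdev-out $tap -p tcp --dport $PORT -m connlimit --connlimit-above $MAX_CONN --connlimit-mask 32 --connlimit-saddr -j DROP"
    echo "-m physdev --physdev-out $tap -p tcp --dport $PORT -m conntrack --ctstate NEW -m limit --limit $NEW_RATE --limit-burst $NEW_BURST -j ACCEPT"
    echo "-m physdev --physdev-out $tap -p tcp --dport $PORT -m conntrack --ctstate NEW -j DROP"
}

install_rules() {
    local chain; chain=$(chain_name "$1")
    "$IPT" -N "$chain" 2>/dev/null || "$IPT" -F "$chain"   # create, or start clean
    rules_for_vm "$1" | while read -r spec; do "$IPT" -A "$chain" $spec; done
    # Jump at the top of FORWARD so our chain runs before pve-firewall's own jump.
    "$IPT" -C FORWARD -j "$chain" 2>/dev/null || "$IPT" -I FORWARD 1 -j "$chain"
}

remove_rules() {
    local chain; chain=$(chain_name "$1")
    "$IPT" -D FORWARD -j "$chain" 2>/dev/null || true
    "$IPT" -F "$chain" 2>/dev/null && "$IPT" -X "$chain" 2>/dev/null || true
}

run_hook() {
    case "$2" in
        post-start) install_rules "$1" ;;
        post-stop)  remove_rules "$1" ;;
        *)          ;;   # pre-start / pre-stop: nothing to do here
    esac
}

if [ "$#" -eq 2 ]; then run_hook "$1" "$2"; fi
```

Dropped connection attempts can be counted with `iptables -nvL VMHOOK-<vmid>` to confirm the limiter is actually seeing the guest's traffic.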
 
Are the IPs (3.132.120.160/32) the Windows VM's IPs?
 
