How to secure a Proxmox server

kbrault

Active Member
May 14, 2012
Hello everyone,

I am interested in getting a gateway/firewall server running on Proxmox. eth0 (vmbr0) will be the port connected to the internet. eth1 (vmbr1) will be the internal network port.

I am not sure what I need to do to make sure nothing can come in eth0 and get to the Proxmox OS without going through the gateway server. Proxmox should access the internet from the internal network (eth1) and also go through the gateway server.

Any help would be greatly appreciated.

Thank you,

Kevin
 

cmassoglia

New Member
Mar 4, 2012
Chile
Hello

You can use iptables with these simple rules:


###### FROM HERE ######
#!/bin/bash
# Flush all rules, delete user-defined chains and zero the counters
iptables -F
iptables -X
iptables -Z

### Default policies: drop inbound traffic unless explicitly allowed, allow outbound
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT

# Accept ping
iptables -A INPUT -p icmp -j ACCEPT

# Loopback traffic
iptables -A INPUT -i lo -j ACCEPT

# Replies to connections the host itself opened
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Multicast (cluster communication uses it)
iptables -A INPUT -m addrtype --dst-type MULTICAST -j ACCEPT

# Web interface (8006) and HTTPS only from the internal interface.
# On a bridged host the bridge (e.g. vmbr1), not its port eth1, is the
# interface these packets arrive on, so use the name that fits your setup.
iptables -A INPUT -p tcp --dport 8006 -i eth1 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -i eth1 -j ACCEPT

# Everything else arriving on the internet-facing interface is dropped
iptables -A INPUT -i eth0 -j DROP

######## END #########

If you have a cluster, then you must open some other ports.

You must adjust the rules to your infrastructure. We secured our cluster in this way (with a lot of other rules for our needs).

best regards
 

allan

Member
May 6, 2012
Or install a virtual fw like pfsense (there are many others).

You can find good guides on this forum.
Good luck
 

kotakomputer

Active Member
May 14, 2012
Jakarta, Indonesia
I am interested in getting a gateway/firewall server running on Proxmox. ...
I am not sure what I need to do to make sure nothing can come in eth0 and get to the Proxmox OS without going through the gateway server. Proxmox should access the internet from the internal network (eth1) and also go through the gateway server.
If you want a secured system, then putting the firewall on Proxmox is not a good idea. You need to add a router in front of it, especially if you run a critical system.
 

bss

New Member
Jul 8, 2011
If you have a cluster, then you must open some other ports
Could you please point out which ports need to be open?
Or is it enough to open all traffic from the cluster nodes' unicast IP addresses?

Best regards
Blaz
 
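As an added example that serves both the posted rule set and the cluster-ports question (it is not code from anyone in this thread): a default-deny INPUT policy for the original poster's layout that confines management and cluster traffic to the internal bridge and, as bss suggests, trusts cluster peers by unicast address, but only when they arrive on that bridge. Assumed names: the bridges vmbr0/vmbr1 carry the host's addresses (eth0/eth1 are their ports), the node addresses 10.0.0.11/12 are constructed placeholders, and the IPT/INT_IF/EXT_IF variables are this example's own.

```shell
#!/bin/bash
# Added example, not from this thread. Default-deny INPUT policy for a Proxmox host
# whose management and cluster traffic stays on the internal bridge. Assumptions:
# the host's addresses sit on the bridges vmbr0 (eth0) and vmbr1 (eth1), so rules
# match the bridge name; node addresses and ports are placeholders to adjust.
# Set IPT="echo iptables" to print the generated rules instead of applying them.
set -u
IPT=${IPT:-iptables}
EXT_IF=${EXT_IF:-vmbr0}                 # internet-facing bridge
INT_IF=${INT_IF:-vmbr1}                 # internal bridge, also carries management
MGMT_PORTS=${MGMT_PORTS:-"8006 22"}     # web GUI and SSH
# Constructed sample cluster peers; replace with your own nodes' unicast addresses.
CLUSTER_NODES=${CLUSTER_NODES:-"10.0.0.11 10.0.0.12"}

apply_rules() {
    $IPT -F INPUT
    $IPT -P INPUT DROP
    $IPT -P OUTPUT ACCEPT
    # FORWARD is left untouched: with bridge-nf-call-iptables enabled, bridged VM
    # traffic traverses it and a DROP policy there would cut the VMs off.
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -m conntrack --ctstate INVALID -j DROP
    # Ping only from the internal side; the external bridge stays silent.
    $IPT -A INPUT -i "$INT_IF" -p icmp --icmp-type echo-request -j ACCEPT
    # Management ports reachable only via the internal bridge.
    for port in $MGMT_PORTS; do
        $IPT -A INPUT -i "$INT_IF" -p tcp --dport "$port" -j ACCEPT
    done
    # Cluster peers: trust the listed unicast addresses, but only on the internal
    # bridge, so a spoofed source arriving on the external side never matches.
    for node in $CLUSTER_NODES; do
        $IPT -A INPUT -i "$INT_IF" -s "$node" -j ACCEPT
    done
    # Cluster multicast, again restricted to the internal bridge.
    $IPT -A INPUT -i "$INT_IF" -m addrtype --dst-type MULTICAST -j ACCEPT
    # Anything else from the internet side: rate-limited log, then drop.
    $IPT -A INPUT -i "$EXT_IF" -m limit --limit 5/min -j LOG --log-prefix "PVE-EXT-DROP: "
    $IPT -A INPUT -i "$EXT_IF" -j DROP
}

# Apply only when explicitly asked, so sourcing the file for a dry run is harmless.
if [ "${1:-}" = "apply" ]; then
    apply_rules
fi
```

Run it as `IPT="echo iptables" bash script.sh apply` first to review the generated rules, then as root with `bash script.sh apply`.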
