How to secure a Proxmox server

kbrault
May 14, 2012
Hello everyone,

I am interested in getting a gateway/firewall server running on Proxmox. eth0 (vmbr0) will be the port connected to the internet. eth1 (vmbr1) will be the internal network port.

I am not sure what I need to do to make sure nothing can come in eth0 and get to the Proxmox OS without going through the gateway server. Proxmox should access the internet from the internal network (eth1) and also go through the gateway server.

Any help would be greatly appreciated.

Thank you,

Kevin
 
Hello

You can use iptables with these simple rules:


###### FROM HERE ######
#!/bin/bash
# Flush all rules, delete user-defined chains and zero the counters before rebuilding
iptables -F
iptables -X
iptables -Z

### Default policies: drop anything not explicitly accepted, allow all outbound traffic
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT

# Accept ping
iptables -A INPUT -p icmp -j ACCEPT

# Loopback
iptables -A INPUT -i lo -j ACCEPT

# Replies to connections the host opened itself
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Multicast (used by corosync for cluster communication)
iptables -A INPUT -m addrtype --dst-type MULTICAST -j ACCEPT

# Proxmox web GUI, reachable only on the internal interface
iptables -A INPUT -p tcp --dport 8006 -i eth1 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -i eth1 -j ACCEPT

# Everything else arriving on the internet-facing interface is dropped
# (already covered by the default policy, kept as an explicit rule)
iptables -A INPUT -i eth0 -j DROP

######## END #########

If you have a cluster, then you must open some other ports.

You must adjust the rules to your infrastructure. We secured our cluster in this way (with a lot of other rules for our needs).

best regards
 
Or install a virtual fw like pfsense (there are many others).

You can find good guides on this forum.
Good luck
 
I am interested in getting a gateway/firewall server running on Proxmox. ...
I am not sure what I need to do to make sure nothing can come in eth0 and get to the Proxmox OS without going through the gateway server. Proxmox should access the internet from the internal network (eth1) and also go through the gateway server.

If you want a secured system, then putting the firewall on Proxmox is not a good idea. You need to add a router in front of it, especially if you run a critical system.
 
If you have a cluster, then you must open some other ports

Could you please point out which ports need to be open?
Or is it enough to open all traffic from the cluster nodes' unicast IP addresses?

Best regards
Blaz
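An added example (mine, not code from any post in this thread) that takes the ruleset from the first reply and Blaz's question together: the same policy written as an iptables-restore table, so it loads atomically and can be reviewed before loading, with the cluster peers allowed by unicast address on the internal interface and the original's multicast accept kept, since whether unicast alone suffices depends on how corosync is configured. Interface names, the management subnet, the peer addresses and the SSH port are assumptions.

```shell
#!/bin/bash
# Added example, not from the thread. Interface names, the management
# subnet and the cluster peer addresses below are assumptions.
set -eu

WAN_IF="eth0"                              # assumed: internet side (vmbr0)
LAN_IF="eth1"                              # assumed: internal side (vmbr1)
MGMT_NET="192.168.1.0/24"                  # assumed: admins' subnet
CLUSTER_PEERS="192.168.1.11 192.168.1.12"  # assumed: other cluster nodes

# Print the rule set in iptables-save format. It only prints, so the
# result can be reviewed or diffed against iptables-save before loading.
gen_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/second -j ACCEPT
EOF
    # Cluster peers: everything from their unicast address, LAN side only.
    for peer in $CLUSTER_PEERS; do
        echo "-A INPUT -i $LAN_IF -s $peer -j ACCEPT"
    done
    # Corosync multicast, as in the original script but limited to the LAN.
    echo "-A INPUT -i $LAN_IF -m addrtype --dst-type MULTICAST -j ACCEPT"
    # GUI (443, 8006 as above) and SSH (22, assumed): LAN side, admin subnet only.
    for port in 22 443 8006; do
        echo "-A INPUT -i $LAN_IF -s $MGMT_NET -p tcp --dport $port -j ACCEPT"
    done
    # Rate-limited log of what the default DROP policy discards on the WAN.
    echo "-A INPUT -i $WAN_IF -m limit --limit 2/minute -j LOG --log-prefix \"wan-drop: \""
    echo "COMMIT"
}

# Sanity check: number of rules accepting traffic that arrives on the WAN port.
wan_accepts() {
    gen_rules | grep -c -- "-i $WAN_IF .*-j ACCEPT" || true
}

# Load atomically (root required); iptables-restore rejects the whole
# table if any line is invalid, so the running rules are never half-updated.
apply_rules() { gen_rules | iptables-restore; }

if [ "${1:-}" = "--apply" ]; then apply_rules; fi
```

Run it without arguments to print and inspect the table; `./script --apply` loads it, and `wan_accepts` should print 0 before any change is applied.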
 