ipfiltering

Ben McGuire

Member
Sep 14, 2016
Can someone please shed some light on ipfiltering?

My understanding is that if we turn on ipfiltering in the firewall options we need to add the VM IP address so that traffic is only allowed to/from that IP. Is this correct?

One thing we need clarification on is how this is set up. We read the guide https://pve.proxmox.com/wiki/Proxmox_VE_Firewall

but this does not state a lot. In order to get ipfiltering working, do we need to create an IPSET using the name 'ipfilter'? Is this name specific to allow ipfiltering?

Also, will this prevent IP spoofing, as we have had issues with this in the past?
If someone could explain the simple setup for ipfiltering so that we only allow traffic for the single IP assigned to the VM, that would be great.

Thanks
 
Thank you for the guide. It is similar to the previous one.
It is not clear on how we configure ipfiltering.
Do we just create an IPSET named 'ipfilter-net0' and then add the IP address of the VM that uses the net0 interface?
The guide does not explicitly state that it needs to be named a certain way.
My understanding is that the IPSET rules need to be named as per the guide, such as 'management', 'blacklists', 'ipfilter-net0', etc. Is this correct?
A simple example would be great.
 
Yes, the idea is that if you use the expected name you don't have to manually include a rule for it in the firewall's rules section, they're picked up automatically. Also, with containers, since there you can configure addresses via the GUI, an ipset named `ipfilter-net0` will implicitly contain the IP address you configure on net0 as well as the corresponding IPv6 link-local address derived from the interface's MAC address (required for NDP to work).
 

Thank you for that clarification.
Last thing:
For KVM ipfiltering, I would add the name ipfiltering-net0 (or eth0) in the IPSET field under firewall, and just for KVM VMs I need to add the VM's IP address beside the IPSET ipfiltering-net0 field for it to work?
 
Yes, since you cannot configure IP addresses for KVMs you have to add them to the ipset.
 
Well, I ran a test but it appears that IPSET is not working. I set it up as instructed and put in an IP address that is NOT the IP of the VM, but the VM could still access the internet. I did look at the config and there was a 0 beside enable, as you can see in the attached screenshot, so I changed it to 1 to see if it made any difference - it didn't. I rebooted twice.
From the config, can you see what I am doing wrong?
It is a VM host.
 

Attachments: screen.png (2.6 KB)
When I tested this (quite some time ago already, maybe things have changed) I found that IPSET did block outbound traffic from the "rogue" IP on the VM. However, inbound traffic to that IP still worked (found an old post on the topic: http://pve.proxmox.com/pipermail/pve-user/2015-February/008328.html stating only outbound traffic is blocked). I wrote it off as the firewall being stateful with inbound traffic and worked around it as follows:

[OPTIONS]

log_level_in: nolog
log_level_out: nolog
enable: 1
policy_in: ACCEPT
macfilter: 1

[IPSET ipfilter-net0] # only allow specified IPs on net0

10.10.10.200

[RULES]

IN ACCEPT -dest 10.10.10.200
IN DROP


Also make sure you enable the firewall on the VM network device (https://pve.proxmox.com/wiki/Firewall)
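To make the naming convention from the earlier reply and the config above concrete, here is a small checker I wrote for this thread (it is not Proxmox code). It parses the `/etc/pve/firewall/<vmid>.fw` format (`[OPTIONS]`, `[IPSET name]`, `[RULES]` sections), reads the `netN` lines of a guest config, and reports whether each firewalled interface has an `ipfilter-netN` ipset that actually contains the address the guest is supposed to use, plus whether `enable` and `macfilter` are on. The two sample configs embedded below are constructed for the demo (the firewall one mirrors the config posted above); the `expected_ips` mapping is something you supply, it is not read from anywhere.

```python
"""Sanity-check a Proxmox VE guest firewall file for the ipfilter-netN convention.

Added example for this thread, not Proxmox's own code.  Real files live under
/etc/pve/firewall/<vmid>.fw and /etc/pve/qemu-server/<vmid>.conf on a PVE host;
here both are constructed inline so the script runs anywhere.
"""
import re
from ipaddress import ip_address, ip_network

# Constructed sample: VM-level firewall file modelled on the one posted above.
SAMPLE_FW = """\
[OPTIONS]

log_level_in: nolog
log_level_out: nolog
enable: 1
policy_in: ACCEPT
macfilter: 1

[IPSET ipfilter-net0] # only allow specified IPs on net0

10.10.10.200

[RULES]

IN ACCEPT -dest 10.10.10.200
IN DROP
"""

# Constructed sample: the network lines of a qemu-server guest config.
SAMPLE_VM_CONF = """\
net0: virtio=AA:BB:CC:DD:EE:FF,bridge=vmbr0,firewall=1
net1: virtio=AA:BB:CC:DD:EE:00,bridge=vmbr1,firewall=0
"""

SECTION_RE = re.compile(r"^\[(\w+)(?:\s+(\S+))?\]")


def parse_fw(text):
    """Return (options, ipsets, rules) from the body of a .fw file."""
    options, ipsets, rules = {}, {}, []
    section, name = None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # '#' starts a comment
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section, name = m.group(1).upper(), m.group(2)
            if section == "IPSET":
                ipsets.setdefault(name, [])
            continue
        if section == "OPTIONS":
            key, _, value = line.partition(":")
            options[key.strip()] = value.strip()
        elif section == "IPSET":
            ipsets[name].append(line.split()[0])  # first token is the address/CIDR
        elif section == "RULES":
            rules.append(line)
    return options, ipsets, rules


def firewalled_interfaces(vm_conf):
    """Return the netN names whose guest config line carries firewall=1."""
    result = []
    for line in vm_conf.splitlines():
        m = re.match(r"^(net\d+):\s*(.*)$", line.strip())
        if m and "firewall=1" in m.group(2).split(","):
            result.append(m.group(1))
    return result


def check_ipfilter(fw_text, vm_conf, expected_ips):
    """Return a list of findings (empty list means the config looks right).

    expected_ips maps interface name to the address the guest should use,
    e.g. {"net0": "10.10.10.200"}; it is an input you provide.
    """
    options, ipsets, _ = parse_fw(fw_text)
    findings = []
    if options.get("enable") != "1":
        findings.append("enable is not 1: the guest firewall is off, so no ipset is applied")
    if options.get("macfilter", "1") != "1":  # PVE defaults macfilter to on
        findings.append("macfilter is 0: frames with a spoofed source MAC are not dropped")
    for iface in firewalled_interfaces(vm_conf):
        name = f"ipfilter-{iface}"
        entries = [e for e in ipsets.get(name, []) if not e.startswith("!")]
        if not entries:
            findings.append(f"{iface}: no addresses listed in an ipset named {name}; "
                            "for a VM the address must be added by hand")
            continue
        nets = [ip_network(e, strict=False) for e in entries]
        want = expected_ips.get(iface)
        if want is not None and not any(ip_address(want) in n for n in nets):
            findings.append(f"{iface}: {want} is not covered by {name}, its traffic will be dropped")
        for n in nets:
            if n.prefixlen == 0:
                findings.append(f"{iface}: {name} contains {n}, which allows any source address")
    return findings


if __name__ == "__main__":
    for f in check_ipfilter(SAMPLE_FW, SAMPLE_VM_CONF, {"net0": "10.10.10.200"}) or ["OK"]:
        print(f)
```

Run against the sample it prints `OK`; point it at a file where the ipset holds the wrong address, as in the test described above, and it reports that the guest's real IP is not covered, which is exactly the state in which the guest keeps working only because the firewall itself was not enabled.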
 
