Iptables inside LXC container not blocking anything

R

rdpok

Member
Nov 3, 2021
10
0
6
38
I've been hitting my head to the brick wall that is iptables inside a Debian 11.3 container in Proxmox. I cannot seem to get it to block anything and there seems to be some contradicting discussions about if iptables should even work inside LXC.

I do use Proxmox firewall as well, and it is working fine, but the reason to use iptables inside a CT is because I have fail2ban & knockd there blocking certain connection attempts to that server. I suppose I could build all this to the Proxmox host itself and append its firewall rules but I really would not want to have any extra stuff running on the host. (And I can't think of a secure & reliable method to push the blocking rules created in the CT to the host firewall)

I did briefly try installing firewalld (as was suggested by apt install iptables) and that does seem to be able to block traffic, and I was even able to allow just certain kind of traffic. But even with firewalld installed the "DROP all, anywhere" rules shown by iptables do not result in any blocking. And I really would not want to try and learn yet another firewall system, and furthermore try to integrate its commands into fail2ban which has previously worked just fine with iptables.

What am I doing/thinking wrong here? :)

I can see the rules appearing in my chains, for example:

Code: 
:~# iptables --list
Chain INPUT (policy ACCEPT)
target     prot opt source               destination        

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination        

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination        

Chain mytrap (0 references)
target     prot opt source               destination        
DROP       all  --  121.135.63.106       anywhere          
DROP       all  --  125.74.239.20        anywhere          
DROP       all  --  ip143.ip-15-204-34.us  anywhere

Code: 
:~# iptables-save
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:mytrap - [0:0]
-A mytrap -s 103.193.151.74/32 -j DROP
-A mytrap -s 121.135.63.106/32 -j DROP
-A mytrap -s 125.74.239.20/32 -j DROP
 
Last edited:
Try changing the input chain to drop, remove your mytrap, and then start poking holes in your input chain to allow the traffic you want in. Usually when you set the input chain to drop you want to start with loopback traffic allowed, conntrack traffic allowed, and whatever immediate network you need to pass through.
 
I should have maybe explained in greater detail what I’m trying to accomplish.

I want to allow traffic from everywhere on the internet (have already limited the access to http only using external fw and portforwarding) but I want to start dropping all traffic from an IP once that has fallen into my trap — by either port scanning (detected by knockd) or trying to access non-existing domains/subdirs on the webserver (fail2ban reading nginx logs). Conntrack is also triggered when IP added to ”mytrap” to drop any established connections from them.
 
You must log in or register to reply here.

About

The Proxmox community has been around for many years and offers help and support for Proxmox VE, Proxmox Backup Server, and Proxmox Mail Gateway.
We think our community is one of the best thanks to people like you!

Quick Navigation

Home Get Subscription Wiki Downloads Proxmox Customer Portal About

Get your subscription!

The Proxmox team works very hard to make sure you are running the best software and getting stable updates and security enhancements, as well as quick enterprise support. Tens of thousands of happy customers have a Proxmox subscription. Get yours easily in our online shop.

Buy now!
Community platform by XenForo® © 2010-2024 XenForo Ltd.
Top Bottom
Back