I've been hitting my head to the brick wall that is iptables inside a Debian 11.3 container in Proxmox. I cannot seem to get it to block anything and there seems to be some contradicting discussions about if iptables should even work inside LXC.
I do use Proxmox firewall as well, and it is working fine, but the reason to use iptables inside a CT is because I have fail2ban & knockd there blocking certain connection attempts to that server. I suppose I could build all this to the Proxmox host itself and append its firewall rules but I really would not want to have any extra stuff running on the host. (And I can't think of a secure & reliable method to push the blocking rules created in the CT to the host firewall)
I did briefly try installing firewalld (as was suggested by apt install iptables) and that does seem to be able to block traffic, and I was even able to allow just certain kind of traffic. But even with firewalld installed the "DROP all, anywhere" rules shown by iptables do not result in any blocking. And I really would not want to try and learn yet another firewall system, and furthermore try to integrate its commands into fail2ban which has previously worked just fine with iptables.
What am I doing/thinking wrong here?
I can see the rules appearing in my chains, for example:
	
	
	
		
	
	
	
		
				
			I do use Proxmox firewall as well, and it is working fine, but the reason to use iptables inside a CT is because I have fail2ban & knockd there blocking certain connection attempts to that server. I suppose I could build all this to the Proxmox host itself and append its firewall rules but I really would not want to have any extra stuff running on the host. (And I can't think of a secure & reliable method to push the blocking rules created in the CT to the host firewall)
I did briefly try installing firewalld (as was suggested by apt install iptables) and that does seem to be able to block traffic, and I was even able to allow just certain kind of traffic. But even with firewalld installed the "DROP all, anywhere" rules shown by iptables do not result in any blocking. And I really would not want to try and learn yet another firewall system, and furthermore try to integrate its commands into fail2ban which has previously worked just fine with iptables.
What am I doing/thinking wrong here?

I can see the rules appearing in my chains, for example:
		Code:
	
	:~# iptables --list
Chain INPUT (policy ACCEPT)
target     prot opt source               destination        
Chain FORWARD (policy ACCEPT)
target     prot opt source               destination        
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination        
Chain mytrap (0 references)
target     prot opt source               destination        
DROP       all  --  121.135.63.106       anywhere          
DROP       all  --  125.74.239.20        anywhere          
DROP       all  --  ip143.ip-15-204-34.us  anywhere
		Code:
	
	:~# iptables-save
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:mytrap - [0:0]
-A mytrap -s 103.193.151.74/32 -j DROP
-A mytrap -s 121.135.63.106/32 -j DROP
-A mytrap -s 125.74.239.20/32 -j DROP
			
				Last edited: 
				
		
	
										
										
											
	
										
									
								 
	