Hi, I'm kind of desperate with an IPTables issue.
I started to set up my own dedicated server, which is a Proxmox server. I have a pfSense VM to which all traffic is routed. I secured LAN access by building a VPN.
Everything works great, every machine can ping each other, but I have ONE issue with my host: the Proxmox server. I can ping it, but I can't access the Proxmox web UI (port 8006) or any other port (I tried an http.server on port 8000).
Here's my script to set up my iptables rules:
Bash:
#!/bin/sh
# ---------
# VARIABLES
# ---------
## Proxmox bridge holding Public IP
PrxPubVBR="vmbr0"
## Proxmox bridge on VmWanNET (PFSense WAN side)
PrxVmWanVBR="vmbr1"
## Network/Mask of VmWanNET
VmWanNET="192.168.0.0/30"
## Public IP => Your own public IP address
PublicIP="1.2.3.4"
## Proxmox IP on the same network than PFSense WAN (VmWanNET)
ProxVmWanIP="192.168.0.1"
## PFSense IP used by the firewall (inside VM)
PfsVmWanIP="192.168.0.2"
# ---------------------
# CLEAN ALL & DROP IPV6
# ---------------------
### Delete all existing rules.
iptables -F
iptables -t nat -F
iptables -t mangle -F
iptables -X
### This policy does not handle IPv6 traffic except to drop it.
ip6tables -P INPUT DROP
ip6tables -P OUTPUT DROP
ip6tables -P FORWARD DROP
# --------------
# DEFAULT POLICY
# --------------
### Block ALL !
iptables -P OUTPUT DROP
iptables -P INPUT DROP
iptables -P FORWARD DROP
# ------
# CHAINS
# ------
### Creating chains
iptables -N TCP
iptables -N UDP
# UDP = ACCEPT / SEND TO THIS CHAIN
iptables -A INPUT -p udp -m conntrack --ctstate NEW -j UDP
# TCP = ACCEPT / SEND TO THIS CHAIN
iptables -A INPUT -p tcp --syn -m conntrack --ctstate NEW -j TCP
# ------------
# GLOBAL RULES
# ------------
# Allow localhost
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
# Don't break the current/active connections
iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# Allow Ping - Comment this to return timeout to ping request
iptables -A INPUT -p icmp --icmp-type 8 -m conntrack --ctstate NEW -j ACCEPT
# --------------------
# RULES FOR PrxPubVBR
# --------------------
### INPUT RULES
# ---------------
# Allow SSH server
iptables -A TCP -i $PrxPubVBR -d $PublicIP -p tcp --dport 56361 -j ACCEPT
# Allow Proxmox WebUI
#iptables -A TCP -i $PrxPubVBR -d $PublicIP -p tcp --dport 8006 -j ACCEPT
### OUTPUT RULES
# ---------------
# Allow ping out
iptables -A OUTPUT -p icmp -j ACCEPT
### Proxmox Host as CLIENT
# Allow HTTP/HTTPS
iptables -A OUTPUT -o $PrxPubVBR -s $PublicIP -p tcp --dport 80 -j ACCEPT
iptables -A OUTPUT -o $PrxPubVBR -s $PublicIP -p tcp --dport 443 -j ACCEPT
# Allow DNS
iptables -A OUTPUT -o $PrxPubVBR -s $PublicIP -p udp --dport 53 -j ACCEPT
### Proxmox Host as SERVER
# Allow SSH
iptables -A OUTPUT -o $PrxPubVBR -s $PublicIP -p tcp --sport 56361 -j ACCEPT
# Allow PROXMOX WebUI
#iptables -A OUTPUT -o $PrxPubVBR -s $PublicIP -p tcp --sport 8006 -j ACCEPT
### FORWARD RULES
# ----------------
### Redirect (NAT) traffic from internet
# All tcp to PFSense WAN except 56361, 8006
iptables -A PREROUTING -t nat -i $PrxPubVBR -p tcp --match multiport ! --dport 56361 -j DNAT --to $PfsVmWanIP
# All udp to PFSense WAN
iptables -A PREROUTING -t nat -i $PrxPubVBR -p udp -j DNAT --to $PfsVmWanIP
# Allow request forwarding to PFSense WAN interface
iptables -A FORWARD -i $PrxPubVBR -d $PfsVmWanIP -o $PrxVmWanVBR -p tcp -j ACCEPT
iptables -A FORWARD -i $PrxPubVBR -d $PfsVmWanIP -o $PrxVmWanVBR -p udp -j ACCEPT
# Allow request forwarding from LAN
iptables -A FORWARD -i $PrxVmWanVBR -s $VmWanNET -j ACCEPT
### MASQUERADE MANDATORY
# Allow WAN network (PFSense) to use vmbr0 public adress to go out
iptables -t nat -A POSTROUTING -s $VmWanNET -o $PrxPubVBR -j MASQUERADE
#Allow WAN network (PFSense) to use vmbr1
iptables -A TCP -i $PrxVmWanVBR -d $ProxVmWanIP -p tcp --dport 8006 -j ACCEPT
# --------------------
# RULES FOR PrxVmWanVBR
# --------------------
### Allow being a client for the VMs
#iptables -A OUTPUT -o $PrxVmWanVBR -s $ProxVmWanIP -p tcp -j ACCEPT
#Debug
iptables -A OUTPUT -o vmbr1 -s 192.168.0.1 -p tcp -j LOG
iptables -L on the Proxmox server (192.168.0.1):
Code:
Chain INPUT (policy DROP)
target prot opt source destination
UDP udp -- anywhere anywhere ctstate NEW
TCP tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,ACK/SYN ctstate NEW
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
ACCEPT icmp -- anywhere anywhere icmp echo-request ctstate NEW
Chain FORWARD (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
ACCEPT tcp -- anywhere 192.168.0.2
ACCEPT udp -- anywhere 192.168.0.2
ACCEPT all -- 192.168.0.0/30 anywhere
Chain OUTPUT (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT icmp -- anywhere anywhere
ACCEPT tcp -- proxhost anywhere tcp dpt:http
ACCEPT tcp -- proxhost anywhere tcp dpt:https
ACCEPT udp -- proxhost anywhere udp dpt:domain
ACCEPT tcp -- proxhost anywhere tcp spt:56361
LOG tcp -- 192.168.0.1 anywhere LOG level warning
Chain TCP (1 references)
target prot opt source destination
ACCEPT tcp -- anywhere proxhost tcp dpt:56361
ACCEPT tcp -- anywhere 192.168.0.1 tcp dpt:8006
Chain UDP (1 references)
target prot opt source destination
tcpdump -i vmbr1 -p tcp port 8006
sample on the Proxmox server (192.168.0.1):
Code:
21:55:20.469413 IP 192.168.0.2.19382 > 192.168.0.1.8006: Flags [S], seq 2361462968, win 64240, options [mss 1361,nop,wscale 8,nop,nop,sackOK], length 0
21:56:51.271929 IP 192.168.0.2.41994 > 192.168.0.1.8006: Flags [S], seq 3056927626, win 64240, options [mss 1361,nop,wscale 8,nop,nop,sackOK], length 0
21:56:51.525784 IP 192.168.0.2.61212 > 192.168.0.1.8006: Flags [S], seq 3653062990, win 64240, options [mss 1361,nop,wscale 8,nop,nop,sackOK], length 0
21:56:52.279653 IP 192.168.0.2.41994 > 192.168.0.1.8006: Flags [S], seq 3056927626, win 64240, options [mss 1361,nop,wscale 8,nop,nop,sackOK], length 0
21:56:52.536924 IP 192.168.0.2.61212 > 192.168.0.1.8006: Flags [S], seq 3653062990, win 64240, options [mss 1361,nop,wscale 8,nop,nop,sackOK], length 0
21:56:54.293975 IP 192.168.0.2.41994 > 192.168.0.1.8006: Flags [S], seq 3056927626, win 64240, options [mss 1361,nop,wscale 8,nop,nop,sackOK], length 0
21:56:54.550895 IP 192.168.0.2.61212 > 192.168.0.1.8006: Flags [S], seq 3653062990, win 64240, options [mss 1361,nop,wscale 8,nop,nop,sackOK], length 0
21:56:58.308703 IP 192.168.0.2.41994 > 192.168.0.1.8006: Flags [S], seq 3056927626, win 64240, options [mss 1361,nop,wscale 8,nop,nop,sackOK], length 0
21:56:58.551754 IP 192.168.0.2.61212 > 192.168.0.1.8006: Flags [S], seq 3653062990, win 64240, options [mss 1361,nop,wscale 8,nop,nop,sackOK], length 0
21:57:06.313913 IP 192.168.0.2.41994 > 192.168.0.1.8006: Flags [S], seq 3056927626, win 64240, options [mss 1361,nop,wscale 8,nop,nop,sackOK], length 0
21:57:06.552666 IP 192.168.0.2.61212 > 192.168.0.1.8006: Flags [S], seq 3653062990, win 64240, options [mss 1361,nop,wscale 8,nop,nop,sackOK], length 0
I must have missed something, but I really can't see where. Thanks
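An added example, not part of the original post and not the poster's script: a small sh/awk lint over the `iptables -L` output quoted above. The point it checks is the one a reviewer would look for first in a default-DROP ruleset: INPUT and FORWARD both carry an `ACCEPT ... ctstate RELATED,ESTABLISHED` rule, OUTPUT does not. A SYN to 192.168.0.1:8006 is accepted by the TCP chain, but the host's SYN-ACK leaves through OUTPUT, where only the explicit `--sport 56361` rule (SSH) and the LOG rule match, so the reply is dropped by policy and the client keeps retransmitting SYNs, as in the tcpdump. The `SAMPLE_DUMP` is the posted chains, trimmed; the emitted fix line is my suggestion for restoring the return path, not a rule taken from the post.

```sh
#!/bin/sh
# Lint an `iptables -L` dump: every built-in chain with a DROP policy should
# have an ACCEPT rule for ctstate RELATED,ESTABLISHED, otherwise connections
# accepted in another chain are one-way. Reply traffic for a server socket
# on the host itself is emitted through OUTPUT, so OUTPUT needs it too.

# Constructed sample: the chains from the post above, trimmed to what matters.
SAMPLE_DUMP='Chain INPUT (policy DROP)
target prot opt source destination
UDP udp -- anywhere anywhere ctstate NEW
TCP tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,ACK/SYN ctstate NEW
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
Chain FORWARD (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
Chain OUTPUT (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT icmp -- anywhere anywhere
ACCEPT tcp -- proxhost anywhere tcp spt:56361
LOG tcp -- 192.168.0.1 anywhere LOG level warning
Chain TCP (1 references)
target prot opt source destination
ACCEPT tcp -- anywhere 192.168.0.1 tcp dpt:8006'

# missing_established_chains DUMP
#   Prints (sorted, one per line) the names of chains whose policy is DROP
#   and which contain no ACCEPT rule matching ctstate ...ESTABLISHED.
missing_established_chains() {
    printf '%s\n' "$1" | awk '
        /^Chain / {
            chain = $2
            # Only built-in chains print a policy; user chains print references.
            if ($0 ~ /policy DROP/) { drop[chain] = 1; seen[chain] = 0 }
            next
        }
        $1 == "ACCEPT" && /ctstate .*ESTABLISHED/ { seen[chain] = 1 }
        END {
            for (c in drop) if (!seen[c]) print c
        }' | sort
}

# fix_rule CHAIN
#   The iptables command that lets conntrack pass reply packets in CHAIN.
#   (Suggested fix, an assumption of this example, not a rule from the post.)
fix_rule() {
    printf 'iptables -A %s -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT\n' "$1"
}

# Report: run the lint over the constructed dump and print the fix per chain.
for chain in $(missing_established_chains "$SAMPLE_DUMP"); do
    printf '%s: no RELATED,ESTABLISHED accept rule; suggested fix:\n  %s\n' \
        "$chain" "$(fix_rule "$chain")"
done
```

To lint a live host instead of the sample, feed it `iptables -L -n` output: `missing_established_chains "$(iptables -L -n)"`. The check is deliberately conservative: it only flags chains that already drop by default, since a chain with an ACCEPT policy passes replies regardless.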
