IPTables rules per guest VM

[Mecanik]

Hi,

After checking quite a few articles found here and on some other websites, it's still not clear for me how one can add custom IPTables rules for each VM.

Checking the current host with just one VM at the moment I can see:

-A tap100i0-IN -p udp -m udp --sport 67 --dport 68 -j ACCEPT
-A tap100i0-IN -p tcp -m tcp --dport 3389 -j ACCEPT
-A tap100i0-IN -j PVEFW-Drop
-A tap100i0-IN -m limit --limit 1/sec -j NFLOG --nflog-prefix  ":100:2:tap100i0-IN: policy DROP: "
-A tap100i0-IN -j DROP
-A tap100i0-IN -m comment --comment "PVESIG:X9me+QsGh3gkShtIhRe+kX6u6C8"
-A tap100i0-OUT -p udp -m udp --sport 68 --dport 67 -g PVEFW-SET-ACCEPT-MARK
-A tap100i0-OUT -m mac ! --mac-source 02:00:00:b8:c0:61 -j DROP
-A tap100i0-OUT -m set ! --match-set PVEFW-100-ipfilter-net0-v4 src -j DROP
-A tap100i0-OUT -j MARK --set-xmark 0x0/0x80000000
-A tap100i0-OUT -g PVEFW-SET-ACCEPT-MARK
-A tap100i0-OUT -m comment --comment "PVESIG:B7SW/N0NBq1SWwxVvMqCv/VauJA"

With that being said, how can one add rules per VM? For example, I would like to add:

/sbin/iptables -t mangle -A PREROUTING -m conntrack --ctstate INVALID -j DROP

For this one VM only and add different rules for other VM's.

Please advise, thanks.

 

[shrdlicka]

Hi,

why would you want to use the mangle table for this?

The other thing if you follow this line that jumps to PVEFW-Drop

-A tap100i0-IN -j PVEFW-Drop

It should already drop packets with an invalid conntrack state

-A PVEFW-Drop -j PVEFW-DropBroadcast
-A PVEFW-Drop -p icmp -m icmp --icmp-type 3/4 -j ACCEPT
-A PVEFW-Drop -p icmp -m icmp --icmp-type 11 -j ACCEPT

-A PVEFW-Drop -m conntrack --ctstate INVALID -j DROP

-A PVEFW-Drop -p udp -m multiport --dports 135,445 -j DROP
-A PVEFW-Drop -p udp -m udp --dport 137:139 -j DROP
-A PVEFW-Drop -p udp -m udp --sport 137 --dport 1024:65535 -j DROP
-A PVEFW-Drop -p tcp -m multiport --dports 135,139,445 -j DROP
-A PVEFW-Drop -p udp -m udp --dport 1900 -j DROP
-A PVEFW-Drop -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -j DROP
-A PVEFW-Drop -p udp -m udp --sport 53 -j DROP
-A PVEFW-Drop -m comment --comment "PVESIG:83WlR/a4wLbmURFqMQT3uJSgIG8"

What else would you like to add?

 

[Mecanik]

Hi,

why would you want to use the mangle table for this?

The other thing if you follow this line that jumps to PVEFW-Drop

-A tap100i0-IN -j PVEFW-Drop

It should already drop packets with an invalid conntrack state

-A PVEFW-Drop -j PVEFW-DropBroadcast
-A PVEFW-Drop -p icmp -m icmp --icmp-type 3/4 -j ACCEPT
-A PVEFW-Drop -p icmp -m icmp --icmp-type 11 -j ACCEPT

-A PVEFW-Drop -m conntrack --ctstate INVALID -j DROP

-A PVEFW-Drop -p udp -m multiport --dports 135,445 -j DROP
-A PVEFW-Drop -p udp -m udp --dport 137:139 -j DROP
-A PVEFW-Drop -p udp -m udp --sport 137 --dport 1024:65535 -j DROP
-A PVEFW-Drop -p tcp -m multiport --dports 135,139,445 -j DROP
-A PVEFW-Drop -p udp -m udp --dport 1900 -j DROP
-A PVEFW-Drop -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -j DROP
-A PVEFW-Drop -p udp -m udp --sport 53 -j DROP
-A PVEFW-Drop -m comment --comment "PVESIG:83WlR/a4wLbmURFqMQT3uJSgIG8"

What else would you like to add?

Thank you for replying. Apologies, I`m quite new to using IPTables like this, always had some sort of "web manager" for this purpose.

The idea is to add specific rules per VM, because they will run different apps that require protection. Like RDP, SQL, etc. Ideally would be best per VM, so I don't affect the whole node with these rules.

I would like to add rules like the following:

### 8: Limit connections per source IP ### 
/sbin/iptables -A INPUT -p tcp -m connlimit --connlimit-above 111 -j REJECT --reject-with tcp-reset  

### 10: Limit new TCP connections per second per source IP ### 
/sbin/iptables -A INPUT -p tcp -m conntrack --ctstate NEW -m limit --limit 60/s --limit-burst 20 -j ACCEPT 
/sbin/iptables -A INPUT -p tcp -m conntrack --ctstate NEW -j DROP 

### SSH brute-force protection, rdp, etc ### 
/sbin/iptables -A INPUT -p tcp --dport ssh -m conntrack --ctstate NEW -m recent --set 
/sbin/iptables -A INPUT -p tcp --dport ssh -m conntrack --ctstate NEW -m recent --update --seconds 60 --hitcount 10 -j DROP

### Protection against port scanning ###
/sbin/iptables -N port-scanning
/sbin/iptables -A port-scanning -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s --limit-burst 2 -j RETURN
/sbin/iptables -A port-scanning -j DROP

To have an added layer of security against some basic DDoS and brute-force script kids. The hosting company will filter the "bulk" of the DDoS, but still some low end / or layer 7 style attacks come through.

Really appreciate your advice, and sure many others do as well!

 

[shrdlicka]

I don't think you can write this into our config files, they only support a limited subset for creating rules. For example, the function that parses the firewall config files for a VM (which can be found under /etc/pve/firewall/[vmid].fw) only supports to read some options [1] in sub parse_fw_rule.

If you need more complex firewall rules, it is recommended to use a dedicated firewall for this.

 

[Mecanik]

I don't think you can write this into our config files, they only support a limited subset for creating rules. For example, the function that parses the firewall config files for a VM (which can be found under /etc/pve/firewall/[vmid].fw) only supports to read some options [1] in sub parse_fw_rule.

If you need more complex firewall rules, it is recommended to use a dedicated firewall for this.

I see, so there is no way to add rules/VM.

What about this: https://git.proxmox.com/?p=pve-docs...ed59e36f6a2314ebd637c8eb9da66b30418e9;hb=HEAD ?

 

[Mecanik]

Just an update, I managed to do exactly what I needed. It is possible to add rules per guest and do whatever you need to do

 

[hvisage]

Thank you for replying. Apologies, I`m quite new to using IPTables like this, always had some sort of "web manager" for this purpose.

The idea is to add specific rules per VM, because they will run different apps that require protection. Like RDP, SQL, etc. Ideally would be best per VM, so I don't affect the whole node with these rules.

Why not put a firewall (like pfSense) in the path between the internet and the VMs/LXCs ?
that way you can even have each VM on it's own VLAN/network, and have a "decent" GUI/WebUI to do the needed filterings
PVE's firewall isn't meant for this type of filtering, more like a broad stroke limitations than fine grained network ACLs

 

[Mecanik]

Why not put a firewall (like pfSense) in the path between the internet and the VMs/LXCs ?
that way you can even have each VM on it's own VLAN/network, and have a "decent" GUI/WebUI to do the needed filterings
PVE's firewall isn't meant for this type of filtering, more like a broad stroke limitations than fine grained network ACLs

Because using a single VM with pfSense for many VM's is not ideal, it cannot handle that much PPS when under attack. If it was a separate dedicated server only for pfSense, sure.

 

[hvisage]

You might be surprised and if the performance is really the problem, then do it in the LXC/VM's nftables yourself

 

[hvisage]

Do not pre-maturely optimize, and a hypervisor is not your firewall, and never should be.
When doing the firewall for all, it is easier with the bigger hosting companies that does MAC bindings - been there, got the scarrs - the firewall solved the problems all at once - than to manage it on all VMs/LXCs, and you have a "natural" load balancer ready to roll and you can have east-west seperation as an encore.
Only once that firewall (and here I mean the # of cores to do the threat handling from the network with the logging and other CISO/SecOpsDev stuff exceeds the hypervisor cores) you should revisit the idea of the performance.