Hello, I'm having some slight problems with the firewall setup.
Soon I'll be moving my dedi to colocation, where I'll have only one IP address, so in preparation for that I created two additional virtual interfaces (three in total) and migrated all VMs to them.
Code:
auto lo
iface lo inet loopback

iface enp3s0f0 inet manual
iface enp3s0f1 inet manual
iface enp4s0f0 inet manual
iface enp4s0f1 inet manual

auto vmbr0
iface vmbr0 inet static
    address 192.168.1.101
    netmask 255.255.255.0
    network 192.168.1.0
    broadcast 192.168.1.255
    gateway 192.168.1.1
    bridge-ports enp3s0f0
    bridge-stp off
    bridge-fd 0

auto vmbr1
iface vmbr1 inet static
    address 10.10.10.1
    netmask 255.255.255.0
    bridge-ports none
    bridge-stp off
    bridge-fd 0
    post-up echo 1 > /proc/sys/net/ipv4/ip_forward
    post-up iptables -t nat -A POSTROUTING -s '10.10.10.0/24' -o vmbr0 -j MASQUERADE
    post-down iptables -t nat -D POSTROUTING -s '10.10.10.0/24' -o vmbr0 -j MASQUERADE
    # 80 & 443 -> 1052 Centos7-proxy
    post-up iptables -t nat -A PREROUTING -i vmbr0 -p tcp --dport 80 -j DNAT --to 10.10.10.52:80
    post-down iptables -t nat -D PREROUTING -i vmbr0 -p tcp --dport 80 -j DNAT --to 10.10.10.52:80
    post-up iptables -t nat -A PREROUTING -i vmbr0 -p tcp --dport 443 -j DNAT --to 10.10.10.52:443
    post-down iptables -t nat -D PREROUTING -i vmbr0 -p tcp --dport 443 -j DNAT --to 10.10.10.52:443
    # 22 -> 152 Centos7-proxy
    post-up iptables -t nat -A PREROUTING -i vmbr0 -p tcp --dport 22 -j DNAT --to 10.10.10.52:22
    post-down iptables -t nat -D PREROUTING -i vmbr0 -p tcp --dport 22 -j DNAT --to 10.10.10.52:22

auto vmbr2
iface vmbr2 inet static
    address 10.10.20.1
    netmask 255.255.255.0
    bridge-ports none
    bridge-stp off
    bridge-fd 0
    post-up echo 1 > /proc/sys/net/ipv4/ip_forward
    post-up iptables -t nat -A POSTROUTING -s '10.10.20.0/24' -o vmbr0 -j MASQUERADE
    post-down iptables -t nat -D POSTROUTING -s '10.10.20.0/24' -o vmbr0 -j MASQUERADE
One of the VMs will be used as a proxy for everything: basically, all traffic that should ever be able to get through the firewall should be forwarded directly to that VM (which will serve as a reverse HTTP(S) proxy for the Proxmox UI and many other systems, and as an SSH proxy).
Everything worked fine up until I started setting up firewall rules. First I tried allowing all traffic with the firewall enabled.
Code:
root@apollo:~# cat /etc/pve/firewall/cluster.fw
[OPTIONS]
policy_in: ACCEPT
enable: 1
[IPSET subnet10]
10.10.10.0/24 # The 10.10.10.0/24 subnet
[IPSET subnet20]
10.10.20.0/24 # The 10.10.20.0/24 subnet
root@apollo:~#
And, lo and behold, I get locked out. (I unlock myself by manually editing the file (/etc/pve/firewall/cluster.fw) and reloading the firewall with: # iptables-save && pve-firewall status && iptables-save)
Even with both the IN and OUT policies set to ACCEPT, I get locked out.
Are there any known mistakes that I could have made?
Kind regards, Aljaz S.
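The recovery described in the post (edit cluster.fw by hand, reload, regain access) can be made fail-safe so that a rule set that locks the operator out undoes itself. The POSIX shell functions below are an added example and are not the poster's code nor part of Proxmox VE: they read and rewrite keys in the [OPTIONS] section of a cluster.fw-style file, and arm a background timer that restores a backup unless the operator confirms from a session that still works. The config path is the one from the post; the reload command (pve-firewall restart) and the backup directory (/var/tmp, kept outside the clustered /etc/pve) are assumptions and can be overridden through the environment.

```shell
#!/bin/sh
# Added example, not from the post or from Proxmox VE: fail-safe enabling of
# the PVE cluster firewall with a timed rollback. Defaults below are
# assumptions; override them via the environment (FW_FILE, FW_RELOAD,
# FW_BACKUP_DIR), which is also how the functions are exercised on a copy.
FW_FILE="${FW_FILE:-/etc/pve/firewall/cluster.fw}"
FW_RELOAD="${FW_RELOAD:-pve-firewall restart}"
FW_BACKUP_DIR="${FW_BACKUP_DIR:-/var/tmp}"   # keep backups out of /etc/pve

# fw_get_option FILE KEY: print the value of KEY from the [OPTIONS] section
# (empty output if the key or the section is absent).
fw_get_option() {
    awk -v key="$2" '
        /^\[/ { in_opts = ($0 == "[OPTIONS]"); next }
        in_opts && index($0, key ":") == 1 {
            val = substr($0, length(key) + 2)
            gsub(/^[ \t]+|[ \t]+$/, "", val)
            print val
            exit
        }
    ' "$1"
}

# fw_set_option FILE KEY VALUE: replace KEY inside [OPTIONS], or add it to
# that section (creating the section if the file has none). Other sections
# such as [IPSET ...] pass through untouched. The file is rewritten through
# a temporary copy so a reader never sees a half-written config.
fw_set_option() {
    tmp="$1.tmp.$$"
    awk -v key="$2" -v value="$3" '
        /^\[/ {
            if (in_opts && !done) { print key ": " value; done = 1 }
            in_opts = ($0 == "[OPTIONS]")
            if (in_opts) seen = 1
            print
            next
        }
        in_opts && index($0, key ":") == 1 { print key ": " value; done = 1; next }
        { print }
        END {
            if (!done) {
                if (!seen) print "[OPTIONS]"
                print key ": " value
            }
        }
    ' "$1" > "$tmp" && mv "$tmp" "$1"
}

# fw_enable_with_rollback FILE SECONDS: back FILE up, set "enable: 1",
# reload, and start a detached timer that restores the backup and reloads
# again unless fw_confirm removed the backup first. Prints the backup path.
fw_enable_with_rollback() {
    backup="$FW_BACKUP_DIR/$(basename "$1").rollback.$$"
    cp "$1" "$backup" || return 1
    fw_set_option "$1" enable 1
    $FW_RELOAD
    (
        # Ignore the hangup the dying SSH session would otherwise deliver:
        # the timer must outlive the operator being locked out.
        trap '' HUP INT
        sleep "${2:-300}"
        # Backup still present means nobody confirmed, so undo.
        if [ -f "$backup" ]; then
            mv "$backup" "$1"
            $FW_RELOAD
        fi
    ) </dev/null >/dev/null 2>&1 &
    echo "$backup"
}

# fw_confirm BACKUP: run from a session that still works after the change;
# removing the backup disarms the timer and keeps the new config.
fw_confirm() {
    rm -f "$1"
}
```

Usage on the host, after sourcing the file: `b=$(fw_enable_with_rollback "$FW_FILE" 300)`, then open a fresh SSH session and the web UI, and if both still work run `fw_confirm "$b"` within the five minutes; otherwise the previous cluster.fw comes back on its own. Note that fw_get_option returns an empty string for a key that is simply absent, such as policy_out in the file pasted above, so it distinguishes "not set" from an explicit value.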