LXC firewall bug

fuomag9

New Member
Mar 17, 2023
Hello everyone, I believe I might have found a strange bug/issue in Proxmox. I've installed Proxmox on a Hetzner dedicated server.
I have the following LXC:

Code:
root@cloudino:~#  cat /etc/pve/lxc/106.conf
arch: amd64
cores: 1
features: nesting=1
hostname: vpn
memory: 512
net0: name=eth0,bridge=vmbr1,firewall=1,gw=192.168.20.0,hwaddr=BC:24:11:2A:25:45,ip=192.168.20.7/24,ip6=auto,type=veth
onboot: 0
ostype: ubuntu
rootfs: local-zfs:subvol-106-disk-0,size=4G
swap: 0
unprivileged: 1

With the following routes inside

Code:
➜  ~ ip r
default via 192.168.20.0 dev eth0 proto static
172.17.0.0/16 dev docker0 proto kernel scope link src 172.17.0.1 linkdown
192.168.20.0/24 dev eth0 proto kernel scope link src 192.168.20.7

And this is /etc/network/interfaces

Code:
auto lo
iface lo inet loopback

iface enp41s0 inet manual

auto vmbr0
iface vmbr0 inet static
    address PUBLICIP/26
    gateway PUBLICGW
    bridge-ports enp41s0
    bridge-stp off
    bridge-fd 0
    post-up iptables -t nat -A PREROUTING -i vmbr0 -p tcp -m multiport --dports 443,80 -j DNAT --to 192.168.20.200
    post-up iptables -t nat -A PREROUTING -i vmbr0 -p udp -m multiport --dports 443,80 -j DNAT --to 192.168.20.200
    post-up iptables -t nat -A PREROUTING -i vmbr0 -p tcp -m multiport --dports 25,465,587,143,993,110,995,4190 -j DNAT --to 192.168.20.3
    post-down iptables -t nat -D PREROUTING -i vmbr0 -p tcp -m multiport --dports 443,80 -j DNAT --to 192.168.20.200
    post-down iptables -t nat -D PREROUTING -i vmbr0 -p udp -m multiport --dports 443,80 -j DNAT --to 192.168.20.200
    post-down iptables -t nat -D PREROUTING -i vmbr0 -p tcp -m multiport --dports 25,465,587,143,993,110,995,4190 -j DNAT --to 192.168.20.3

auto vmbr1
iface vmbr1 inet static
    address 192.168.20.0/24
    bridge-ports none
    bridge-stp off
    bridge-fd 0
    post-up iptables -t nat -A POSTROUTING -s '192.168.20.0/24' -o vmbr0 -j MASQUERADE && iptables -t nat -A PREROUTING -d PUBLICIP -p tcp --dport 443 -j DNAT --to 192.168.20.200:443
    post-down iptables -t nat -D POSTROUTING -s '192.168.20.0/24' -o vmbr0 -j MASQUERADE && iptables -t nat -D PREROUTING -d PUBLICIP -p tcp --dport 443 -j DNAT --to 192.168.20.200:443

If I disable the firewall on the NIC of the LXC, pinging 1.1.1.1 works; otherwise it doesn't. VMs have the same behaviour. I've tried every possible combination, but I have not managed to make this work any other way. Does anyone have any idea what the issue might be?
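One detail worth checking in the configuration above: the `net0` line sets `gw=192.168.20.0`, and vmbr1 is given `address 192.168.20.0/24`, so both the container's gateway and the bridge's own address are the network address of the /24 rather than a host address. The script below is an added example (not part of the post or of Proxmox) that parses a `netN:` line from an LXC config and an ifupdown `address` value and reports addressing oddities of this kind, so a config can be sanity-checked before chasing firewall rules.

```python
import ipaddress

# Values copied from the LXC config and /etc/network/interfaces in the post.
NET0_LINE = ("net0: name=eth0,bridge=vmbr1,firewall=1,gw=192.168.20.0,"
             "hwaddr=BC:24:11:2A:25:45,ip=192.168.20.7/24,ip6=auto,type=veth")
VMBR1_ADDRESS = "192.168.20.0/24"


def parse_net_line(line):
    """Split a Proxmox 'netN: k=v,k=v,...' line into a dict of its options."""
    _, _, opts = line.partition(":")
    return dict(item.split("=", 1) for item in opts.strip().split(","))


def check_addressing(ip_cidr, gw=None):
    """Return a list of findings for an IPv4 address/prefix and optional gateway.

    Flags an address or gateway that is the network or broadcast address of the
    subnet, a gateway outside the subnet, and a gateway equal to the address itself.
    """
    findings = []
    iface = ipaddress.ip_interface(ip_cidr)
    net = iface.network
    if iface.ip == net.network_address:
        findings.append(f"ip {iface.ip} is the network address of {net}")
    elif iface.ip == net.broadcast_address:
        findings.append(f"ip {iface.ip} is the broadcast address of {net}")
    if gw is not None:
        gw_addr = ipaddress.ip_address(gw)
        if gw_addr not in net:
            findings.append(f"gw {gw_addr} is outside {net}")
        elif gw_addr == net.network_address:
            findings.append(f"gw {gw_addr} is the network address of {net}")
        elif gw_addr == net.broadcast_address:
            findings.append(f"gw {gw_addr} is the broadcast address of {net}")
        elif gw_addr == iface.ip:
            findings.append(f"gw {gw_addr} equals the interface's own ip")
    return findings


def check_net_line(line):
    """Run check_addressing on the ip/gw pair of one netN line (skips dhcp/manual)."""
    opts = parse_net_line(line)
    if opts.get("ip") in (None, "dhcp", "manual"):
        return []
    return check_addressing(opts["ip"], opts.get("gw"))


if __name__ == "__main__":
    for label, findings in (("net0", check_net_line(NET0_LINE)),
                            ("vmbr1", check_addressing(VMBR1_ADDRESS))):
        print(label, findings or "ok")
```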