Modification to Firewall don't seem to apply to VM

artman41

New Member
Jul 3, 2021
Hi,

So I've tried to set up the firewall to reject all requests except ones on certain ports - those being SSH, TCP 8080 + the ports for a Java Minecraft server.

The Minecraft ports are set up as a Security Group at the Datacenter level.

The VM's firewall config looks like this (screenshot).

At a VM level, the firewall is enabled & the Input Policy is set to REJECT, the Output Policy is set to ACCEPT.
At a node level, I don't have any firewall rules set up but do have the firewall enabled.
At a datacenter level, I don't have any firewall rules set up but do have the firewall enabled.

Trying to use netcat to test the port forwarding (specifically TCP port 8080), I get Connection refused.

Setting the firewall Input Policy of the VM to ACCEPT, though, I can connect just fine.

Could somebody point out where exactly I'm going wrong here? Unless I set the Input Policy to ACCEPT, I can't connect with anything but SSH.

The VM host is Fedora 34 using iptables (firewalld is disabled) and I've cleared the iptables configuration so that it accepts everything.
Could it be that your rules are not quite right? Try leaving the source port unconfigured. Otherwise a client connection to port 8080 would have to use port 8080 as its source port. :)
The golden rule of firewall config: only set a source port if you absolutely know what you're doing. ;)
Thank you so much, you two are legends - I assumed that the Source Port would be the port I connected in with & the Destination Port would be the port that the VM was hit on :D
 
It is, but usually the connecting system doesn't use the well-known port of a service as its source but a so-called ephemeral port, mostly 5-digit numbers.
Therefore source ports are very rarely set.
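An added example, not from the thread, that models the Proxmox VE rule syntax used in /etc/pve/firewall/<vmid>.fw and shows why a rule with -sport 8080 never matches an ordinary client, while the same rule without the source port does. The rule lines are an assumption of what the poster's rule looked like, and the parser handles only the plain `IN/OUT ACTION -p ... -sport ... -dport ...` form (no macros, security groups or source/dest addresses).

```python
from dataclasses import dataclass
from typing import List, Optional

# Constructed rule sets in Proxmox VE firewall syntax (assumption, not the
# poster's real config). The first is the suspected mistake: a source port.
RULES_WITH_SPORT = """
IN ACCEPT -p tcp -dport 22
IN ACCEPT -p tcp -sport 8080 -dport 8080
"""
RULES_FIXED = """
IN ACCEPT -p tcp -dport 22
IN ACCEPT -p tcp -dport 8080
"""


@dataclass
class Rule:
    direction: str          # IN or OUT
    action: str             # ACCEPT, REJECT or DROP
    proto: Optional[str]    # -p value, None = any protocol
    sport: Optional[int]    # -sport value, None = any source port
    dport: Optional[int]    # -dport value, None = any destination port


def parse_rules(text: str) -> List[Rule]:
    """Parse 'DIRECTION ACTION -opt value ...' lines; blank/comment lines skipped."""
    rules = []
    for line in text.strip().splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue
        opts = dict(zip(parts[2::2], parts[3::2]))   # pair up "-opt value"
        rules.append(Rule(parts[0], parts[1], opts.get("-p"),
                          int(opts["-sport"]) if "-sport" in opts else None,
                          int(opts["-dport"]) if "-dport" in opts else None))
    return rules


def verdict(rules: List[Rule], direction: str, proto: str,
            sport: int, dport: int, policy: str = "REJECT") -> str:
    """First matching rule wins; otherwise the direction's default policy applies."""
    for r in rules:
        if r.direction != direction or (r.proto and r.proto != proto):
            continue
        if r.sport is not None and r.sport != sport:
            continue                 # the client's ephemeral port never equals 8080
        if r.dport is not None and r.dport != dport:
            continue
        return r.action
    return policy


if __name__ == "__main__":
    # A client picks an ephemeral source port such as 51234 (constructed value).
    for name, text in (("with -sport", RULES_WITH_SPORT), ("fixed", RULES_FIXED)):
        print(name, "->", verdict(parse_rules(text), "IN", "tcp", 51234, 8080))
```

Run stand-alone it prints REJECT for the rule set with the source port and ACCEPT for the corrected one, matching the connection refused / connected behaviour described in the thread.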
