question asked differently: is it possible to use the firewall when we have only one ip on the host or is it incompatible?
Network configuration :
auto lo
iface lo inet loopback
iface eno1 inet manual
auto vmbr0
iface vmbr0 inet static
address 37.187.8.71/24
gateway 37.187.8.254
bridge-ports eno1
bridge-stp off
bridge-fd 0
auto vmbr1
iface vmbr1 inet static
address 192.168.1.1
netmask 255.255.0.0
bridge-ports none
bridge-stp off
bridge-fd 0
post-up echo 1 > /proc/sys/net/ipv4/ip_forward
post-up iptables -t nat -A POSTROUTING -s '192.168.0.0/16' -o vmbr0 -j MASQUERADE
post-down iptables -t nat -D POSTROUTING -s '192.168.0.0/16' -o vmbr0 -j MASQUERADE
pve-firewall compile
ipset cmdlist:
exists PVEFW-0-management-v4 (ZROdiiw/ppy9eDTy/Ncfbc9bV40)
create PVEFW-0-management-v4 hash:net family inet hashsize 64 maxelem 64
add PVEFW-0-management-v4 37.187.8.0/24
exists PVEFW-0-management-v6 (H5WO/Pkuyz4e7OLB2uiMpG0Bsn0)
create PVEFW-0-management-v6 hash:net family inet6 hashsize 64 maxelem 64
iptables cmdlist:
exists PVEFW-Drop (WDy2wbFe7jNYEyoO3QhUELZ4mIQ)
-A PVEFW-Drop -p tcp --dport 43 -j PVEFW-reject
-A PVEFW-Drop -j PVEFW-DropBroadcast
-A PVEFW-Drop -p icmp -m icmp --icmp-type fragmentation-needed -j ACCEPT
-A PVEFW-Drop -p icmp -m icmp --icmp-type time-exceeded -j ACCEPT
-A PVEFW-Drop -m conntrack --ctstate INVALID -j DROP
-A PVEFW-Drop -p udp --match multiport --dports 135,445 -j DROP
-A PVEFW-Drop -p udp --dport 137:139 -j DROP
-A PVEFW-Drop -p udp --sport 137 --dport 1024:65535 -j DROP
-A PVEFW-Drop -p tcp --match multiport --dports 135,139,445 -j DROP
-A PVEFW-Drop -p udp --dport 1900 -j DROP
-A PVEFW-Drop -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -j DROP
-A PVEFW-Drop -p udp --sport 53 -j DROP
exists PVEFW-DropBroadcast (NyjHNAtFbkH7WGLamPpdVnxHy4w)
-A PVEFW-DropBroadcast -m addrtype --dst-type BROADCAST -j DROP
-A PVEFW-DropBroadcast -m addrtype --dst-type MULTICAST -j DROP
-A PVEFW-DropBroadcast -m addrtype --dst-type ANYCAST -j DROP
-A PVEFW-DropBroadcast -d 224.0.0.0/4 -j DROP
exists PVEFW-FORWARD (qnNexOcGa+y+jebd4dAUqFSp5nw)
-A PVEFW-FORWARD -m conntrack --ctstate INVALID -j DROP
-A PVEFW-FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A PVEFW-FORWARD -m physdev --physdev-is-bridged --physdev-in fwln+ -j PVEFW-FWBR-IN
-A PVEFW-FORWARD -m physdev --physdev-is-bridged --physdev-out fwln+ -j PVEFW-FWBR-OUT
update PVEFW-FWBR-IN (/naDZxJ06t8Dx9DQtmus9NvdHEA)
-A PVEFW-FWBR-IN -m conntrack --ctstate INVALID,NEW -j PVEFW-smurfs
-A PVEFW-FWBR-IN -m physdev --physdev-is-bridged --physdev-out tap100i0 -j tap100i0-IN
update PVEFW-FWBR-OUT (wA3mj3VIKyC/rlY95PCFN7paR5s)
-A PVEFW-FWBR-OUT -m physdev --physdev-is-bridged --physdev-in tap100i0 -j tap100i0-OUT
exists PVEFW-HOST-IN (FlUsUWjebjseWqGVOaTOuVtpDeg)
-A PVEFW-HOST-IN -i lo -j ACCEPT
-A PVEFW-HOST-IN -m conntrack --ctstate INVALID -j DROP
-A PVEFW-HOST-IN -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A PVEFW-HOST-IN -m conntrack --ctstate INVALID,NEW -j PVEFW-smurfs
-A PVEFW-HOST-IN -p igmp -j RETURN
-A PVEFW-HOST-IN -j RETURN
-A PVEFW-HOST-IN -j RETURN
-A PVEFW-HOST-IN -m set --match-set PVEFW-0-management-v4 src -p tcp --dport 8006 -j RETURN
-A PVEFW-HOST-IN -m set --match-set PVEFW-0-management-v4 src -p tcp --dport 5900:5999 -j RETURN
-A PVEFW-HOST-IN -m set --match-set PVEFW-0-management-v4 src -p tcp --dport 3128 -j RETURN
-A PVEFW-HOST-IN -m set --match-set PVEFW-0-management-v4 src -p tcp --dport 22 -j RETURN
-A PVEFW-HOST-IN -s 37.187.8.0/24 -d 37.187.8.0/24 -p udp --dport 5404:5405 -j RETURN
-A PVEFW-HOST-IN -s 37.187.8.0/24 -m addrtype --dst-type MULTICAST -p udp --dport 5404:5405 -j RETURN
-A PVEFW-HOST-IN -j RETURN
exists PVEFW-HOST-OUT (EPVoljXaF7DaEGc5cuSVCNUZ72g)
-A PVEFW-HOST-OUT -o lo -j ACCEPT
-A PVEFW-HOST-OUT -m conntrack --ctstate INVALID -j DROP
-A PVEFW-HOST-OUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A PVEFW-HOST-OUT -p igmp -j RETURN
-A PVEFW-HOST-OUT -j RETURN
-A PVEFW-HOST-OUT -j RETURN
-A PVEFW-HOST-OUT -d 37.187.8.0/24 -p tcp --dport 8006 -j RETURN
-A PVEFW-HOST-OUT -d 37.187.8.0/24 -p tcp --dport 22 -j RETURN
-A PVEFW-HOST-OUT -d 37.187.8.0/24 -p tcp --dport 5900:5999 -j RETURN
-A PVEFW-HOST-OUT -d 37.187.8.0/24 -p tcp --dport 3128 -j RETURN
-A PVEFW-HOST-OUT -d 37.187.8.0/24 -p udp --dport 5404:5405 -j RETURN
-A PVEFW-HOST-OUT -m addrtype --dst-type MULTICAST -p udp --dport 5404:5405 -j RETURN
-A PVEFW-HOST-OUT -j RETURN
exists PVEFW-INPUT (+5iMmLaxKXynOB/+5xibfx7WhFk)
-A PVEFW-INPUT -j PVEFW-HOST-IN
exists PVEFW-OUTPUT (LjHoZeSSiWAG3+2ZAyL/xuEehd0)
-A PVEFW-OUTPUT -j PVEFW-HOST-OUT
exists PVEFW-Reject (CZJnIN6rAdpu+ej59QPr9+laMUo)
-A PVEFW-Reject -p tcp --dport 43 -j PVEFW-reject
-A PVEFW-Reject -j PVEFW-DropBroadcast
-A PVEFW-Reject -p icmp -m icmp --icmp-type fragmentation-needed -j ACCEPT
-A PVEFW-Reject -p icmp -m icmp --icmp-type time-exceeded -j ACCEPT
-A PVEFW-Reject -m conntrack --ctstate INVALID -j DROP
-A PVEFW-Reject -p udp --match multiport --dports 135,445 -j PVEFW-reject
-A PVEFW-Reject -p udp --dport 137:139 -j PVEFW-reject
-A PVEFW-Reject -p udp --sport 137 --dport 1024:65535 -j PVEFW-reject
-A PVEFW-Reject -p tcp --match multiport --dports 135,139,445 -j PVEFW-reject
-A PVEFW-Reject -p udp --dport 1900 -j DROP
-A PVEFW-Reject -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -j DROP
-A PVEFW-Reject -p udp --sport 53 -j DROP
exists PVEFW-SET-ACCEPT-MARK (Hg/OIgIwJChBUcWU8Xnjhdd2jUY)
-A PVEFW-SET-ACCEPT-MARK -j MARK --set-mark 0x80000000/0x80000000
exists PVEFW-logflags (MN4PH1oPZeABMuWr64RrygPfW7A)
-A PVEFW-logflags -j DROP
exists PVEFW-reject (Jlkrtle1mDdtxDeI9QaDSL++Npc)
-A PVEFW-reject -m addrtype --dst-type BROADCAST -j DROP
-A PVEFW-reject -s 224.0.0.0/4 -j DROP
-A PVEFW-reject -p icmp -j DROP
-A PVEFW-reject -p tcp -j REJECT --reject-with tcp-reset
-A PVEFW-reject -p udp -j REJECT --reject-with icmp-port-unreachable
-A PVEFW-reject -p icmp -j REJECT --reject-with icmp-host-unreachable
-A PVEFW-reject -j REJECT --reject-with icmp-host-prohibited
exists PVEFW-smurflog (2gfT1VMkfr0JL6OccRXTGXo+1qk)
-A PVEFW-smurflog -j DROP
exists PVEFW-smurfs (HssVe5QCBXd5mc9kC88749+7fag)
-A PVEFW-smurfs -s 0.0.0.0/32 -j RETURN
-A PVEFW-smurfs -m addrtype --src-type BROADCAST -g PVEFW-smurflog
-A PVEFW-smurfs -s 224.0.0.0/4 -g PVEFW-smurflog
exists PVEFW-tcpflags (CMFojwNPqllyqD67NeI5m+bP5mo)
-A PVEFW-tcpflags -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -g PVEFW-logflags
-A PVEFW-tcpflags -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -g PVEFW-logflags
-A PVEFW-tcpflags -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -g PVEFW-logflags
-A PVEFW-tcpflags -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -g PVEFW-logflags
-A PVEFW-tcpflags -p tcp -m tcp --sport 0 --tcp-flags FIN,SYN,RST,ACK SYN -g PVEFW-logflags
create tap100i0-IN (e2L5RvrrkKR1HrHStXYb+TOXDgE)
-A tap100i0-IN -p udp --sport 67 --dport 68 -j ACCEPT
-A tap100i0-IN -j ACCEPT
-A tap100i0-IN -j ACCEPT
create tap100i0-OUT (paxdHyEFpeIY8dzB4iT4gAwnoU4)
-A tap100i0-OUT -p udp --sport 68 --dport 67 -g PVEFW-SET-ACCEPT-MARK
-A tap100i0-OUT -j MARK --set-mark 0x00000000/0x80000000
-A tap100i0-OUT -g PVEFW-SET-ACCEPT-MARK
-A tap100i0-OUT -g PVEFW-SET-ACCEPT-MARK
ip6tables cmdlist:
exists PVEFW-Drop (Jb79Uw7z1vZglIcV7QXA5uY/nbk)
-A PVEFW-Drop -p tcp --dport 43 -j PVEFW-reject
-A PVEFW-Drop -j PVEFW-DropBroadcast
-A PVEFW-Drop -p icmpv6 -m icmpv6 --icmpv6-type destination-unreachable -j ACCEPT
-A PVEFW-Drop -p icmpv6 -m icmpv6 --icmpv6-type time-exceeded -j ACCEPT
-A PVEFW-Drop -p icmpv6 -m icmpv6 --icmpv6-type packet-too-big -j ACCEPT
-A PVEFW-Drop -m conntrack --ctstate INVALID -j DROP
-A PVEFW-Drop -p udp --match multiport --dports 135,445 -j DROP
-A PVEFW-Drop -p udp --dport 137:139 -j DROP
-A PVEFW-Drop -p udp --sport 137 --dport 1024:65535 -j DROP
-A PVEFW-Drop -p tcp --match multiport --dports 135,139,445 -j DROP
-A PVEFW-Drop -p udp --dport 1900 -j DROP
-A PVEFW-Drop -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -j DROP
-A PVEFW-Drop -p udp --sport 53 -j DROP
exists PVEFW-DropBroadcast (8Krk5Nh8pDZOOc7BQAbM6PlyFSU)
-A PVEFW-DropBroadcast -d ff00::/8 -j DROP
exists PVEFW-FORWARD (qnNexOcGa+y+jebd4dAUqFSp5nw)
-A PVEFW-FORWARD -m conntrack --ctstate INVALID -j DROP
-A PVEFW-FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A PVEFW-FORWARD -m physdev --physdev-is-bridged --physdev-in fwln+ -j PVEFW-FWBR-IN
-A PVEFW-FORWARD -m physdev --physdev-is-bridged --physdev-out fwln+ -j PVEFW-FWBR-OUT
update PVEFW-FWBR-IN (wjGAwD1weFxDIbPrFybsxrVCysU)
-A PVEFW-FWBR-IN -m physdev --physdev-is-bridged --physdev-out tap100i0 -j tap100i0-IN
update PVEFW-FWBR-OUT (wA3mj3VIKyC/rlY95PCFN7paR5s)
-A PVEFW-FWBR-OUT -m physdev --physdev-is-bridged --physdev-in tap100i0 -j tap100i0-OUT
exists PVEFW-HOST-IN (IRnGPwbtymw1OLOa0o5jxEsEhxA)
-A PVEFW-HOST-IN -i lo -j ACCEPT
-A PVEFW-HOST-IN -m conntrack --ctstate INVALID -j DROP
-A PVEFW-HOST-IN -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A PVEFW-HOST-IN -p icmpv6 --icmpv6-type router-solicitation -j RETURN
-A PVEFW-HOST-IN -p icmpv6 --icmpv6-type router-advertisement -j RETURN
-A PVEFW-HOST-IN -p icmpv6 --icmpv6-type neighbor-solicitation -j RETURN
-A PVEFW-HOST-IN -p icmpv6 --icmpv6-type neighbor-advertisement -j RETURN
-A PVEFW-HOST-IN -p igmp -j RETURN
-A PVEFW-HOST-IN -j RETURN
-A PVEFW-HOST-IN -j RETURN
-A PVEFW-HOST-IN -m set --match-set PVEFW-0-management-v6 src -p tcp --dport 8006 -j RETURN
-A PVEFW-HOST-IN -m set --match-set PVEFW-0-management-v6 src -p tcp --dport 5900:5999 -j RETURN
-A PVEFW-HOST-IN -m set --match-set PVEFW-0-management-v6 src -p tcp --dport 3128 -j RETURN
-A PVEFW-HOST-IN -m set --match-set PVEFW-0-management-v6 src -p tcp --dport 22 -j RETURN
-A PVEFW-HOST-IN -j RETURN
exists PVEFW-HOST-OUT (R+hTO16riAUExEzE7d2uOlILnzg)
-A PVEFW-HOST-OUT -o lo -j ACCEPT
-A PVEFW-HOST-OUT -m conntrack --ctstate INVALID -j DROP
-A PVEFW-HOST-OUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A PVEFW-HOST-OUT -p icmpv6 --icmpv6-type router-solicitation -j RETURN
-A PVEFW-HOST-OUT -p icmpv6 --icmpv6-type neighbor-solicitation -j RETURN
-A PVEFW-HOST-OUT -p icmpv6 --icmpv6-type neighbor-advertisement -j RETURN
-A PVEFW-HOST-OUT -p igmp -j RETURN
-A PVEFW-HOST-OUT -j RETURN
-A PVEFW-HOST-OUT -j RETURN
-A PVEFW-HOST-OUT -j RETURN
exists PVEFW-INPUT (+5iMmLaxKXynOB/+5xibfx7WhFk)
-A PVEFW-INPUT -j PVEFW-HOST-IN
exists PVEFW-OUTPUT (LjHoZeSSiWAG3+2ZAyL/xuEehd0)
-A PVEFW-OUTPUT -j PVEFW-HOST-OUT
exists PVEFW-Reject (aL1nrxJk/u3XmTb3Am2eaM/3yCM)
-A PVEFW-Reject -p tcp --dport 43 -j PVEFW-reject
-A PVEFW-Reject -j PVEFW-DropBroadcast
-A PVEFW-Reject -p icmpv6 -m icmpv6 --icmpv6-type destination-unreachable -j ACCEPT
-A PVEFW-Reject -p icmpv6 -m icmpv6 --icmpv6-type time-exceeded -j ACCEPT
-A PVEFW-Reject -p icmpv6 -m icmpv6 --icmpv6-type packet-too-big -j ACCEPT
-A PVEFW-Reject -m conntrack --ctstate INVALID -j DROP
-A PVEFW-Reject -p udp --match multiport --dports 135,445 -j PVEFW-reject
-A PVEFW-Reject -p udp --dport 137:139 -j PVEFW-reject
-A PVEFW-Reject -p udp --sport 137 --dport 1024:65535 -j PVEFW-reject
-A PVEFW-Reject -p tcp --match multiport --dports 135,139,445 -j PVEFW-reject
-A PVEFW-Reject -p udp --dport 1900 -j DROP
-A PVEFW-Reject -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -j DROP
-A PVEFW-Reject -p udp --sport 53 -j DROP
exists PVEFW-SET-ACCEPT-MARK (Hg/OIgIwJChBUcWU8Xnjhdd2jUY)
-A PVEFW-SET-ACCEPT-MARK -j MARK --set-mark 0x80000000/0x80000000
exists PVEFW-logflags (MN4PH1oPZeABMuWr64RrygPfW7A)
-A PVEFW-logflags -j DROP
exists PVEFW-reject (TeZhczhc17LK2pqE7UkGmRMJLNU)
-A PVEFW-reject -p icmpv6 -j DROP
-A PVEFW-reject -p tcp -j REJECT --reject-with tcp-reset
exists PVEFW-tcpflags (CMFojwNPqllyqD67NeI5m+bP5mo)
-A PVEFW-tcpflags -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -g PVEFW-logflags
-A PVEFW-tcpflags -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -g PVEFW-logflags
-A PVEFW-tcpflags -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -g PVEFW-logflags
-A PVEFW-tcpflags -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -g PVEFW-logflags
-A PVEFW-tcpflags -p tcp -m tcp --sport 0 --tcp-flags FIN,SYN,RST,ACK SYN -g PVEFW-logflags
create tap100i0-IN (DwjZ0rBnBjHwzxRU6XzPs845ie4)
-A tap100i0-IN -p udp --sport 547 --dport 546 -j ACCEPT
-A tap100i0-IN -p icmpv6 --icmpv6-type router-solicitation -j ACCEPT
-A tap100i0-IN -p icmpv6 --icmpv6-type router-advertisement -j ACCEPT
-A tap100i0-IN -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
-A tap100i0-IN -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
-A tap100i0-IN -j ACCEPT
-A tap100i0-IN -j ACCEPT
create tap100i0-OUT (E8DG0pmrrv8lLF/swRASUC+Oq3s)
-A tap100i0-OUT -p udp --sport 546 --dport 547 -g PVEFW-SET-ACCEPT-MARK
-A tap100i0-OUT -p icmpv6 --icmpv6-type router-advertisement -j DROP
-A tap100i0-OUT -j MARK --set-mark 0x00000000/0x80000000
-A tap100i0-OUT -p icmpv6 --icmpv6-type router-solicitation -g PVEFW-SET-ACCEPT-MARK
-A tap100i0-OUT -p icmpv6 --icmpv6-type neighbor-solicitation -g PVEFW-SET-ACCEPT-MARK
-A tap100i0-OUT -p icmpv6 --icmpv6-type neighbor-advertisement -g PVEFW-SET-ACCEPT-MARK
-A tap100i0-OUT -g PVEFW-SET-ACCEPT-MARK
-A tap100i0-OUT -g PVEFW-SET-ACCEPT-MARK