Network down on firewall activation - proxmox 5.3.5

rkoch

Dec 10, 2018
Hello,

I've installed Proxmox 5.3.5 and I have a network connectivity issue when I enable the firewall on the VM's network interface.

Observed situation:
- All firewall rules are set to Allow (input and output).
- The firewall is enabled at the datacenter level, on the host and on the VM, but not on the VM's network interface.
- Ping to the outside works from the VM.

Problem: when I enable the firewall on the network interface (Hardware -> Network Device -> check Firewall -> OK), the VM can no longer ping the outside.

Any idea?

Thank you!
 
To ask the question differently: is it possible to use the firewall when the host has only one IP, or is that incompatible?

Network configuration:

# Loopback interface.
auto lo
iface lo inet loopback

# Physical NIC: no address of its own, it is enslaved to vmbr0 below.
iface eno1 inet manual

# Public-facing bridge: carries the host's single public address and the
# default gateway, bridged onto the physical NIC.
auto vmbr0
iface vmbr0 inet static
address 37.187.8.71/24
gateway 37.187.8.254
bridge-ports eno1
bridge-stp off
bridge-fd 0

# Internal VM bridge: no physical ports; the host is the VMs' gateway
# (192.168.1.1 with a /16 netmask, i.e. 192.168.0.0/16) and masquerades
# their traffic out through vmbr0.
auto vmbr1
iface vmbr1 inet static
address 192.168.1.1
netmask 255.255.0.0
bridge-ports none
bridge-stp off
bridge-fd 0
# Enable IPv4 forwarding. Note: this is host-global and nothing here turns it
# back off in a post-down hook, so it stays on after vmbr1 goes down.
post-up echo 1 > /proc/sys/net/ipv4/ip_forward
# Source-NAT the internal range when it leaves via vmbr0; the post-down
# removes exactly the rule the post-up added.
# NOTE(review): this rule lives in the nat table, outside the chains that
# pve-firewall manages. With the NIC firewall enabled, the VM's traffic is
# matched in PVEFW-FORWARD via the fwln+/tap100i0 physdev rules (see the
# `pve-firewall compile` output below); the Proxmox firewall documentation
# describes a conntrack-zone adjustment for masquerading combined with the
# NIC firewall — confirm against the docs for this version before relying
# on this rule alone.
post-up iptables -t nat -A POSTROUTING -s '192.168.0.0/16' -o vmbr0 -j MASQUERADE
post-down iptables -t nat -D POSTROUTING -s '192.168.0.0/16' -o vmbr0 -j MASQUERADE


pve-firewall compile
ipset cmdlist:
exists PVEFW-0-management-v4 (ZROdiiw/ppy9eDTy/Ncfbc9bV40)
create PVEFW-0-management-v4 hash:net family inet hashsize 64 maxelem 64
add PVEFW-0-management-v4 37.187.8.0/24
exists PVEFW-0-management-v6 (H5WO/Pkuyz4e7OLB2uiMpG0Bsn0)
create PVEFW-0-management-v6 hash:net family inet6 hashsize 64 maxelem 64

iptables cmdlist:
exists PVEFW-Drop (WDy2wbFe7jNYEyoO3QhUELZ4mIQ)
-A PVEFW-Drop -p tcp --dport 43 -j PVEFW-reject
-A PVEFW-Drop -j PVEFW-DropBroadcast
-A PVEFW-Drop -p icmp -m icmp --icmp-type fragmentation-needed -j ACCEPT
-A PVEFW-Drop -p icmp -m icmp --icmp-type time-exceeded -j ACCEPT
-A PVEFW-Drop -m conntrack --ctstate INVALID -j DROP
-A PVEFW-Drop -p udp --match multiport --dports 135,445 -j DROP
-A PVEFW-Drop -p udp --dport 137:139 -j DROP
-A PVEFW-Drop -p udp --sport 137 --dport 1024:65535 -j DROP
-A PVEFW-Drop -p tcp --match multiport --dports 135,139,445 -j DROP
-A PVEFW-Drop -p udp --dport 1900 -j DROP
-A PVEFW-Drop -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -j DROP
-A PVEFW-Drop -p udp --sport 53 -j DROP
exists PVEFW-DropBroadcast (NyjHNAtFbkH7WGLamPpdVnxHy4w)
-A PVEFW-DropBroadcast -m addrtype --dst-type BROADCAST -j DROP
-A PVEFW-DropBroadcast -m addrtype --dst-type MULTICAST -j DROP
-A PVEFW-DropBroadcast -m addrtype --dst-type ANYCAST -j DROP
-A PVEFW-DropBroadcast -d 224.0.0.0/4 -j DROP
exists PVEFW-FORWARD (qnNexOcGa+y+jebd4dAUqFSp5nw)
-A PVEFW-FORWARD -m conntrack --ctstate INVALID -j DROP
-A PVEFW-FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A PVEFW-FORWARD -m physdev --physdev-is-bridged --physdev-in fwln+ -j PVEFW-FWBR-IN
-A PVEFW-FORWARD -m physdev --physdev-is-bridged --physdev-out fwln+ -j PVEFW-FWBR-OUT
update PVEFW-FWBR-IN (/naDZxJ06t8Dx9DQtmus9NvdHEA)
-A PVEFW-FWBR-IN -m conntrack --ctstate INVALID,NEW -j PVEFW-smurfs
-A PVEFW-FWBR-IN -m physdev --physdev-is-bridged --physdev-out tap100i0 -j tap100i0-IN
update PVEFW-FWBR-OUT (wA3mj3VIKyC/rlY95PCFN7paR5s)
-A PVEFW-FWBR-OUT -m physdev --physdev-is-bridged --physdev-in tap100i0 -j tap100i0-OUT
exists PVEFW-HOST-IN (FlUsUWjebjseWqGVOaTOuVtpDeg)
-A PVEFW-HOST-IN -i lo -j ACCEPT
-A PVEFW-HOST-IN -m conntrack --ctstate INVALID -j DROP
-A PVEFW-HOST-IN -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A PVEFW-HOST-IN -m conntrack --ctstate INVALID,NEW -j PVEFW-smurfs
-A PVEFW-HOST-IN -p igmp -j RETURN
-A PVEFW-HOST-IN -j RETURN
-A PVEFW-HOST-IN -j RETURN
-A PVEFW-HOST-IN -m set --match-set PVEFW-0-management-v4 src -p tcp --dport 8006 -j RETURN
-A PVEFW-HOST-IN -m set --match-set PVEFW-0-management-v4 src -p tcp --dport 5900:5999 -j RETURN
-A PVEFW-HOST-IN -m set --match-set PVEFW-0-management-v4 src -p tcp --dport 3128 -j RETURN
-A PVEFW-HOST-IN -m set --match-set PVEFW-0-management-v4 src -p tcp --dport 22 -j RETURN
-A PVEFW-HOST-IN -s 37.187.8.0/24 -d 37.187.8.0/24 -p udp --dport 5404:5405 -j RETURN
-A PVEFW-HOST-IN -s 37.187.8.0/24 -m addrtype --dst-type MULTICAST -p udp --dport 5404:5405 -j RETURN
-A PVEFW-HOST-IN -j RETURN
exists PVEFW-HOST-OUT (EPVoljXaF7DaEGc5cuSVCNUZ72g)
-A PVEFW-HOST-OUT -o lo -j ACCEPT
-A PVEFW-HOST-OUT -m conntrack --ctstate INVALID -j DROP
-A PVEFW-HOST-OUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A PVEFW-HOST-OUT -p igmp -j RETURN
-A PVEFW-HOST-OUT -j RETURN
-A PVEFW-HOST-OUT -j RETURN
-A PVEFW-HOST-OUT -d 37.187.8.0/24 -p tcp --dport 8006 -j RETURN
-A PVEFW-HOST-OUT -d 37.187.8.0/24 -p tcp --dport 22 -j RETURN
-A PVEFW-HOST-OUT -d 37.187.8.0/24 -p tcp --dport 5900:5999 -j RETURN
-A PVEFW-HOST-OUT -d 37.187.8.0/24 -p tcp --dport 3128 -j RETURN
-A PVEFW-HOST-OUT -d 37.187.8.0/24 -p udp --dport 5404:5405 -j RETURN
-A PVEFW-HOST-OUT -m addrtype --dst-type MULTICAST -p udp --dport 5404:5405 -j RETURN
-A PVEFW-HOST-OUT -j RETURN
exists PVEFW-INPUT (+5iMmLaxKXynOB/+5xibfx7WhFk)
-A PVEFW-INPUT -j PVEFW-HOST-IN
exists PVEFW-OUTPUT (LjHoZeSSiWAG3+2ZAyL/xuEehd0)
-A PVEFW-OUTPUT -j PVEFW-HOST-OUT
exists PVEFW-Reject (CZJnIN6rAdpu+ej59QPr9+laMUo)
-A PVEFW-Reject -p tcp --dport 43 -j PVEFW-reject
-A PVEFW-Reject -j PVEFW-DropBroadcast
-A PVEFW-Reject -p icmp -m icmp --icmp-type fragmentation-needed -j ACCEPT
-A PVEFW-Reject -p icmp -m icmp --icmp-type time-exceeded -j ACCEPT
-A PVEFW-Reject -m conntrack --ctstate INVALID -j DROP
-A PVEFW-Reject -p udp --match multiport --dports 135,445 -j PVEFW-reject
-A PVEFW-Reject -p udp --dport 137:139 -j PVEFW-reject
-A PVEFW-Reject -p udp --sport 137 --dport 1024:65535 -j PVEFW-reject
-A PVEFW-Reject -p tcp --match multiport --dports 135,139,445 -j PVEFW-reject
-A PVEFW-Reject -p udp --dport 1900 -j DROP
-A PVEFW-Reject -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -j DROP
-A PVEFW-Reject -p udp --sport 53 -j DROP
exists PVEFW-SET-ACCEPT-MARK (Hg/OIgIwJChBUcWU8Xnjhdd2jUY)
-A PVEFW-SET-ACCEPT-MARK -j MARK --set-mark 0x80000000/0x80000000
exists PVEFW-logflags (MN4PH1oPZeABMuWr64RrygPfW7A)
-A PVEFW-logflags -j DROP
exists PVEFW-reject (Jlkrtle1mDdtxDeI9QaDSL++Npc)
-A PVEFW-reject -m addrtype --dst-type BROADCAST -j DROP
-A PVEFW-reject -s 224.0.0.0/4 -j DROP
-A PVEFW-reject -p icmp -j DROP
-A PVEFW-reject -p tcp -j REJECT --reject-with tcp-reset
-A PVEFW-reject -p udp -j REJECT --reject-with icmp-port-unreachable
-A PVEFW-reject -p icmp -j REJECT --reject-with icmp-host-unreachable
-A PVEFW-reject -j REJECT --reject-with icmp-host-prohibited
exists PVEFW-smurflog (2gfT1VMkfr0JL6OccRXTGXo+1qk)
-A PVEFW-smurflog -j DROP
exists PVEFW-smurfs (HssVe5QCBXd5mc9kC88749+7fag)
-A PVEFW-smurfs -s 0.0.0.0/32 -j RETURN
-A PVEFW-smurfs -m addrtype --src-type BROADCAST -g PVEFW-smurflog
-A PVEFW-smurfs -s 224.0.0.0/4 -g PVEFW-smurflog
exists PVEFW-tcpflags (CMFojwNPqllyqD67NeI5m+bP5mo)
-A PVEFW-tcpflags -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -g PVEFW-logflags
-A PVEFW-tcpflags -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -g PVEFW-logflags
-A PVEFW-tcpflags -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -g PVEFW-logflags
-A PVEFW-tcpflags -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -g PVEFW-logflags
-A PVEFW-tcpflags -p tcp -m tcp --sport 0 --tcp-flags FIN,SYN,RST,ACK SYN -g PVEFW-logflags
create tap100i0-IN (e2L5RvrrkKR1HrHStXYb+TOXDgE)
-A tap100i0-IN -p udp --sport 67 --dport 68 -j ACCEPT
-A tap100i0-IN -j ACCEPT
-A tap100i0-IN -j ACCEPT
create tap100i0-OUT (paxdHyEFpeIY8dzB4iT4gAwnoU4)
-A tap100i0-OUT -p udp --sport 68 --dport 67 -g PVEFW-SET-ACCEPT-MARK
-A tap100i0-OUT -j MARK --set-mark 0x00000000/0x80000000
-A tap100i0-OUT -g PVEFW-SET-ACCEPT-MARK
-A tap100i0-OUT -g PVEFW-SET-ACCEPT-MARK

ip6tables cmdlist:
exists PVEFW-Drop (Jb79Uw7z1vZglIcV7QXA5uY/nbk)
-A PVEFW-Drop -p tcp --dport 43 -j PVEFW-reject
-A PVEFW-Drop -j PVEFW-DropBroadcast
-A PVEFW-Drop -p icmpv6 -m icmpv6 --icmpv6-type destination-unreachable -j ACCEPT
-A PVEFW-Drop -p icmpv6 -m icmpv6 --icmpv6-type time-exceeded -j ACCEPT
-A PVEFW-Drop -p icmpv6 -m icmpv6 --icmpv6-type packet-too-big -j ACCEPT
-A PVEFW-Drop -m conntrack --ctstate INVALID -j DROP
-A PVEFW-Drop -p udp --match multiport --dports 135,445 -j DROP
-A PVEFW-Drop -p udp --dport 137:139 -j DROP
-A PVEFW-Drop -p udp --sport 137 --dport 1024:65535 -j DROP
-A PVEFW-Drop -p tcp --match multiport --dports 135,139,445 -j DROP
-A PVEFW-Drop -p udp --dport 1900 -j DROP
-A PVEFW-Drop -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -j DROP
-A PVEFW-Drop -p udp --sport 53 -j DROP
exists PVEFW-DropBroadcast (8Krk5Nh8pDZOOc7BQAbM6PlyFSU)
-A PVEFW-DropBroadcast -d ff00::/8 -j DROP
exists PVEFW-FORWARD (qnNexOcGa+y+jebd4dAUqFSp5nw)
-A PVEFW-FORWARD -m conntrack --ctstate INVALID -j DROP
-A PVEFW-FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A PVEFW-FORWARD -m physdev --physdev-is-bridged --physdev-in fwln+ -j PVEFW-FWBR-IN
-A PVEFW-FORWARD -m physdev --physdev-is-bridged --physdev-out fwln+ -j PVEFW-FWBR-OUT
update PVEFW-FWBR-IN (wjGAwD1weFxDIbPrFybsxrVCysU)
-A PVEFW-FWBR-IN -m physdev --physdev-is-bridged --physdev-out tap100i0 -j tap100i0-IN
update PVEFW-FWBR-OUT (wA3mj3VIKyC/rlY95PCFN7paR5s)
-A PVEFW-FWBR-OUT -m physdev --physdev-is-bridged --physdev-in tap100i0 -j tap100i0-OUT
exists PVEFW-HOST-IN (IRnGPwbtymw1OLOa0o5jxEsEhxA)
-A PVEFW-HOST-IN -i lo -j ACCEPT
-A PVEFW-HOST-IN -m conntrack --ctstate INVALID -j DROP
-A PVEFW-HOST-IN -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A PVEFW-HOST-IN -p icmpv6 --icmpv6-type router-solicitation -j RETURN
-A PVEFW-HOST-IN -p icmpv6 --icmpv6-type router-advertisement -j RETURN
-A PVEFW-HOST-IN -p icmpv6 --icmpv6-type neighbor-solicitation -j RETURN
-A PVEFW-HOST-IN -p icmpv6 --icmpv6-type neighbor-advertisement -j RETURN
-A PVEFW-HOST-IN -p igmp -j RETURN
-A PVEFW-HOST-IN -j RETURN
-A PVEFW-HOST-IN -j RETURN
-A PVEFW-HOST-IN -m set --match-set PVEFW-0-management-v6 src -p tcp --dport 8006 -j RETURN
-A PVEFW-HOST-IN -m set --match-set PVEFW-0-management-v6 src -p tcp --dport 5900:5999 -j RETURN
-A PVEFW-HOST-IN -m set --match-set PVEFW-0-management-v6 src -p tcp --dport 3128 -j RETURN
-A PVEFW-HOST-IN -m set --match-set PVEFW-0-management-v6 src -p tcp --dport 22 -j RETURN
-A PVEFW-HOST-IN -j RETURN
exists PVEFW-HOST-OUT (R+hTO16riAUExEzE7d2uOlILnzg)
-A PVEFW-HOST-OUT -o lo -j ACCEPT
-A PVEFW-HOST-OUT -m conntrack --ctstate INVALID -j DROP
-A PVEFW-HOST-OUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A PVEFW-HOST-OUT -p icmpv6 --icmpv6-type router-solicitation -j RETURN
-A PVEFW-HOST-OUT -p icmpv6 --icmpv6-type neighbor-solicitation -j RETURN
-A PVEFW-HOST-OUT -p icmpv6 --icmpv6-type neighbor-advertisement -j RETURN
-A PVEFW-HOST-OUT -p igmp -j RETURN
-A PVEFW-HOST-OUT -j RETURN
-A PVEFW-HOST-OUT -j RETURN
-A PVEFW-HOST-OUT -j RETURN
exists PVEFW-INPUT (+5iMmLaxKXynOB/+5xibfx7WhFk)
-A PVEFW-INPUT -j PVEFW-HOST-IN
exists PVEFW-OUTPUT (LjHoZeSSiWAG3+2ZAyL/xuEehd0)
-A PVEFW-OUTPUT -j PVEFW-HOST-OUT
exists PVEFW-Reject (aL1nrxJk/u3XmTb3Am2eaM/3yCM)
-A PVEFW-Reject -p tcp --dport 43 -j PVEFW-reject
-A PVEFW-Reject -j PVEFW-DropBroadcast
-A PVEFW-Reject -p icmpv6 -m icmpv6 --icmpv6-type destination-unreachable -j ACCEPT
-A PVEFW-Reject -p icmpv6 -m icmpv6 --icmpv6-type time-exceeded -j ACCEPT
-A PVEFW-Reject -p icmpv6 -m icmpv6 --icmpv6-type packet-too-big -j ACCEPT
-A PVEFW-Reject -m conntrack --ctstate INVALID -j DROP
-A PVEFW-Reject -p udp --match multiport --dports 135,445 -j PVEFW-reject
-A PVEFW-Reject -p udp --dport 137:139 -j PVEFW-reject
-A PVEFW-Reject -p udp --sport 137 --dport 1024:65535 -j PVEFW-reject
-A PVEFW-Reject -p tcp --match multiport --dports 135,139,445 -j PVEFW-reject
-A PVEFW-Reject -p udp --dport 1900 -j DROP
-A PVEFW-Reject -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -j DROP
-A PVEFW-Reject -p udp --sport 53 -j DROP
exists PVEFW-SET-ACCEPT-MARK (Hg/OIgIwJChBUcWU8Xnjhdd2jUY)
-A PVEFW-SET-ACCEPT-MARK -j MARK --set-mark 0x80000000/0x80000000
exists PVEFW-logflags (MN4PH1oPZeABMuWr64RrygPfW7A)
-A PVEFW-logflags -j DROP
exists PVEFW-reject (TeZhczhc17LK2pqE7UkGmRMJLNU)
-A PVEFW-reject -p icmpv6 -j DROP
-A PVEFW-reject -p tcp -j REJECT --reject-with tcp-reset
exists PVEFW-tcpflags (CMFojwNPqllyqD67NeI5m+bP5mo)
-A PVEFW-tcpflags -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -g PVEFW-logflags
-A PVEFW-tcpflags -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -g PVEFW-logflags
-A PVEFW-tcpflags -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -g PVEFW-logflags
-A PVEFW-tcpflags -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -g PVEFW-logflags
-A PVEFW-tcpflags -p tcp -m tcp --sport 0 --tcp-flags FIN,SYN,RST,ACK SYN -g PVEFW-logflags
create tap100i0-IN (DwjZ0rBnBjHwzxRU6XzPs845ie4)
-A tap100i0-IN -p udp --sport 547 --dport 546 -j ACCEPT
-A tap100i0-IN -p icmpv6 --icmpv6-type router-solicitation -j ACCEPT
-A tap100i0-IN -p icmpv6 --icmpv6-type router-advertisement -j ACCEPT
-A tap100i0-IN -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
-A tap100i0-IN -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
-A tap100i0-IN -j ACCEPT
-A tap100i0-IN -j ACCEPT
create tap100i0-OUT (E8DG0pmrrv8lLF/swRASUC+Oq3s)
-A tap100i0-OUT -p udp --sport 546 --dport 547 -g PVEFW-SET-ACCEPT-MARK
-A tap100i0-OUT -p icmpv6 --icmpv6-type router-advertisement -j DROP
-A tap100i0-OUT -j MARK --set-mark 0x00000000/0x80000000
-A tap100i0-OUT -p icmpv6 --icmpv6-type router-solicitation -g PVEFW-SET-ACCEPT-MARK
-A tap100i0-OUT -p icmpv6 --icmpv6-type neighbor-solicitation -g PVEFW-SET-ACCEPT-MARK
-A tap100i0-OUT -p icmpv6 --icmpv6-type neighbor-advertisement -g PVEFW-SET-ACCEPT-MARK
-A tap100i0-OUT -g PVEFW-SET-ACCEPT-MARK
-A tap100i0-OUT -g PVEFW-SET-ACCEPT-MARK
 
