new added rules in /etc/pve/firewall/cluster.fw not working

huanghaiqing

New Member
Apr 28, 2023
3
0
1
Here I append below lines in cluster.fw, but restart pre-firewalld service doesn't help active. iptables-save shows the rules doesn't exist. What's the root cause?

root@ctc-pve01:/etc/pve/firewall# cat cluster.fw


[OPTIONS]





enable: 1


policy_out: ACCEPT


policy_in: REJECT





[RULES]





IN REJECT -i vmbr0 -dest 10.243.27.152 -p tcp -dport 22 -log nolog


IN DROP -i vmbr0 -dest 10.243.27.152 -p icmp -log nolog -icmp-type any


IN ACCEPT -i vmbr0 -dest 10.243.27.150 -p tcp -dport 22 -log nolog


IN ACCEPT -i vmbr0 -dest 10.243.27.150 -p icmp -log nolog -icmp-type any


IN ACCEPT -i vmbr0 -dest 10.243.27.150 -p tcp -dport 8006 -log nolog


IN DROP


OUT ACCEPT

################################################

root@ctc-pve01:/etc/pve/firewall# iptables-save

# Generated by iptables-save v1.8.7 on Fri May 12 17:28:56 2023

*raw

:pREROUTING ACCEPT [5237:1691169]

:OUTPUT ACCEPT [2497:1546928]

COMMIT

# Completed on Fri May 12 17:28:56 2023

# Generated by iptables-save v1.8.7 on Fri May 12 17:28:56 2023

*filter

:INPUT ACCEPT [3873:1527608]

:FORWARD ACCEPT [1174:148641]

:OUTPUT ACCEPT [2498:1547004]

:pVEFW-Drop - [0:0]

:pVEFW-DropBroadcast - [0:0]

:pVEFW-FORWARD - [0:0]

:pVEFW-FWBR-IN - [0:0]

:pVEFW-FWBR-OUT - [0:0]

:pVEFW-INPUT - [0:0]

:pVEFW-OUTPUT - [0:0]

:pVEFW-Reject - [0:0]

:pVEFW-SET-ACCEPT-MARK - [0:0]

:pVEFW-logflags - [0:0]

:pVEFW-reject - [0:0]

:pVEFW-smurflog - [0:0]

:pVEFW-smurfs - [0:0]

:pVEFW-tcpflags - [0:0]

-A INPUT -j PVEFW-INPUT

-A FORWARD -j PVEFW-FORWARD

-A OUTPUT -j PVEFW-OUTPUT

-A PVEFW-Drop -j PVEFW-DropBroadcast

-A PVEFW-Drop -p icmp -m icmp --icmp-type 3/4 -j ACCEPT

-A PVEFW-Drop -p icmp -m icmp --icmp-type 11 -j ACCEPT

-A PVEFW-Drop -m conntrack --ctstate INVALID -j DROP

-A PVEFW-Drop -p udp -m multiport --dports 135,445 -j DROP

-A PVEFW-Drop -p udp -m udp --dport 137:139 -j DROP

-A PVEFW-Drop -p udp -m udp --sport 137 --dport 1024:65535 -j DROP

-A PVEFW-Drop -p tcp -m multiport --dports 135,139,445 -j DROP

-A PVEFW-Drop -p udp -m udp --dport 1900 -j DROP

-A PVEFW-Drop -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -j DROP

-A PVEFW-Drop -p udp -m udp --sport 53 -j DROP

-A PVEFW-Drop -m comment --comment "PVESIG:83WlR/a4wLbmURFqMQT3uJSgIG8"

-A PVEFW-DropBroadcast -m addrtype --dst-type BROADCAST -j DROP

-A PVEFW-DropBroadcast -m addrtype --dst-type MULTICAST -j DROP

-A PVEFW-DropBroadcast -m addrtype --dst-type ANYCAST -j DROP

-A PVEFW-DropBroadcast -d 224.0.0.0/4 -j DROP

-A PVEFW-DropBroadcast -m comment --comment "PVESIG:NyjHNAtFbkH7WGLamPpdVnxHy4w"

-A PVEFW-FORWARD -m conntrack --ctstate INVALID -j DROP

-A PVEFW-FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

-A PVEFW-FORWARD -m physdev --physdev-in fwln+ --physdev-is-bridged -j PVEFW-FWBR-IN

-A PVEFW-FORWARD -m physdev --physdev-out fwln+ --physdev-is-bridged -j PVEFW-FWBR-OUT

-A PVEFW-FORWARD -m comment --comment "PVESIG:qnNexOcGa+y+jebd4dAUqFSp5nw"

-A PVEFW-FWBR-IN -m conntrack --ctstate INVALID,NEW -j PVEFW-smurfs

-A PVEFW-FWBR-IN -m comment --comment "PVESIG:Ijl7/xz0DD7LF91MlLCz0ybZBE0"

-A PVEFW-FWBR-OUT -m comment --comment "PVESIG:2jmj7l5rSw0yVb/vlWAYkK/YBwk"

-A PVEFW-INPUT -m comment --comment "PVESIG:2jmj7l5rSw0yVb/vlWAYkK/YBwk"

-A PVEFW-OUTPUT -m comment --comment "PVESIG:2jmj7l5rSw0yVb/vlWAYkK/YBwk"

-A PVEFW-Reject -j PVEFW-DropBroadcast

-A PVEFW-Reject -p icmp -m icmp --icmp-type 3/4 -j ACCEPT

-A PVEFW-Reject -p icmp -m icmp --icmp-type 11 -j ACCEPT

-A PVEFW-Reject -m conntrack --ctstate INVALID -j DROP

-A PVEFW-Reject -p udp -m multiport --dports 135,445 -j PVEFW-reject

-A PVEFW-Reject -p udp -m udp --dport 137:139 -j PVEFW-reject

-A PVEFW-Reject -p udp -m udp --sport 137 --dport 1024:65535 -j PVEFW-reject

-A PVEFW-Reject -p tcp -m multiport --dports 135,139,445 -j PVEFW-reject

-A PVEFW-Reject -p udp -m udp --dport 1900 -j DROP

-A PVEFW-Reject -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -j DROP

-A PVEFW-Reject -p udp -m udp --sport 53 -j DROP

-A PVEFW-Reject -m comment --comment "PVESIG:h3DyALVslgH5hutETfixGP08w7c"

-A PVEFW-SET-ACCEPT-MARK -j MARK --set-xmark 0x80000000/0x80000000

-A PVEFW-SET-ACCEPT-MARK -m comment --comment "PVESIG:Hg/OIgIwJChBUcWU8Xnjhdd2jUY"

-A PVEFW-logflags -j DROP

-A PVEFW-logflags -m comment --comment "PVESIG:MN4PH1oPZeABMuWr64RrygPfW7A"

-A PVEFW-reject -m addrtype --dst-type BROADCAST -j DROP

-A PVEFW-reject -s 224.0.0.0/4 -j DROP

-A PVEFW-reject -p icmp -j DROP

-A PVEFW-reject -p tcp -j REJECT --reject-with tcp-reset

-A PVEFW-reject -p udp -j REJECT --reject-with icmp-port-unreachable

-A PVEFW-reject -p icmp -j REJECT --reject-with icmp-host-unreachable

-A PVEFW-reject -j REJECT --reject-with icmp-host-prohibited

-A PVEFW-reject -m comment --comment "PVESIG:Jlkrtle1mDdtxDeI9QaDSL++Npc"

-A PVEFW-smurflog -j DROP

-A PVEFW-smurflog -m comment --comment "PVESIG:2gfT1VMkfr0JL6OccRXTGXo+1qk"

-A PVEFW-smurfs -s 0.0.0.0/32 -j RETURN

-A PVEFW-smurfs -m addrtype --src-type BROADCAST -g PVEFW-smurflog

-A PVEFW-smurfs -s 224.0.0.0/4 -g PVEFW-smurflog

-A PVEFW-smurfs -m comment --comment "PVESIG:HssVe5QCBXd5mc9kC88749+7fag"

-A PVEFW-tcpflags -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -g PVEFW-logflags

-A PVEFW-tcpflags -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -g PVEFW-logflags

-A PVEFW-tcpflags -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -g PVEFW-logflags

-A PVEFW-tcpflags -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -g PVEFW-logflags

-A PVEFW-tcpflags -p tcp -m tcp --sport 0 --tcp-flags FIN,SYN,RST,ACK SYN -g PVEFW-logflags

-A PVEFW-tcpflags -m comment --comment "PVESIG:CMFojwNPqllyqD67NeI5m+bP5mo"

COMMIT

# Completed on Fri May 12 17:28:56 2023
 
These are settings showing from web.
 

Attachments

  • 截屏2023-05-12 09.33.00.png
    截屏2023-05-12 09.33.00.png
    235.6 KB · Views: 6
  • 截屏2023-05-12 09.52.10.png
    截屏2023-05-12 09.52.10.png
    268.8 KB · Views: 6
datacenter rules only apply to host firewall, not vms.

(and host firewall need to be enabled of course).

then, you should see them with iptables-save in HOST-IN / HOST-OUT rules.


if you need common rules in all your vms, you need to use security groups.
 
datacenter rules only apply to host firewall, not vms.

(and host firewall need to be enabled of course).

then, you should see them with iptables-save in HOST-IN / HOST-OUT rules.


if you need common rules in all your vms, you need to use security groups.
So if I want to reject some ports of one destination ip or ip segments based on host level, how should I realize? The destination ip or ip segment belongs to the VMs located in one host.Thx
 
Last edited:

About

The Proxmox community has been around for many years and offers help and support for Proxmox VE, Proxmox Backup Server, and Proxmox Mail Gateway.
We think our community is one of the best thanks to people like you!

Get your subscription!

The Proxmox team works very hard to make sure you are running the best software and getting stable updates and security enhancements, as well as quick enterprise support. Tens of thousands of happy customers have a Proxmox subscription. Get yours easily in our online shop.

Buy now!