Preventing outgoing and incoming private IP traffic with exceptions

jsabater

Member
Oct 25, 2021
Palma, Mallorca, Spain
Hello everyone!

I have a recently created Proxmox 7 cluster made of a number of hosts. These hosts have a public IP address each and also a private IP address (192.168.1.0/24), connected via VLAN with id 4003, which is used by the hosts to talk to each other (it's the IP address I used when creating the cluster and it has entries on all /etc/hosts files).

Also the VMs will have a private network (192.168.0.0/24) via VLAN with id 4002 to communicate among themselves (e.g. web server to database server).

Now I am planning on how to configure the firewall, and one of the configuration items will be preventing private traffic from going outside of the specific scope described above. Specifically, I am talking about these IP subnets:
  • 169.254.0.0/16 (RFC3927)
  • 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16 (RFC1918)
  • 100.64.0.0/10 (RFC6598)
Since I obviously don't want to cut traffic among hosts (192.168.1.0/24) and among guests (192.168.1.0/24), I was wondering at which level (datacenter or node) to apply the rules and how to configure them.

At the moment I have this in mind:
  1. Allow outgoing traffic to net 192.168.0.0/24 only through interface vmbr4002 (private network for guests).
  2. Allow outgoing traffic to net 192.168.1.0/24 only through interface vmbr4003 (private network for hosts).
  3. Disallow outgoing traffic to the Proxmox IP Set ipv4_private (which includes all aliases for the above-mentioned private networks).
What I don't know is whether I should add these at the datacenter or at the node level. Or both. And what about the VM level?

Analogously, should I add a rule for incoming traffic among hosts for the 192.168.1.0/24 range on the vmbr4003 bridge at the datacenter level?

Finally, should I add a rule for incoming traffic among guests for the 192.168.0.0/24 at the VM level or at the datacenter level on the vmbr4002 bridge?

Thanks in advance.
Just found and read the IP Aliases, IP Sets and Default firewall rules sections in the Proxmox VE Administration Guide, but on my installation (Debian Bullseye 11 with the added repository, not the Proxmox ISO) neither those aliases nor the default rules are there.

But if I execute
Code:
sudo iptables --list
then I can see them in the list of rules.

So the question would be, where can I see them? Where can I see the management alias? Where can I see the rule to allow traffic among hosts of the cluster? And so on.
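The layout sketched in the first post (host-to-host traffic only over vmbr4003, guest-to-guest only over vmbr4002, everything else private dropped), written out as Proxmox VE firewall configuration. This is an added example, not configuration from the poster or from the Proxmox documentation. It assumes vmbr4002 and vmbr4003 are the bridges carrying VLANs 4002 and 4003, that the guest's private NIC is net1, and uses VMID 100 as a placeholder; the alias and group names are made up for the example.

```ini
# --- /etc/pve/firewall/cluster.fw (datacenter level, applies to every node) ---
# Assumptions (not from the original post): vmbr4002 carries VLAN 4002 (guests),
# vmbr4003 carries VLAN 4003 (hosts). Alias/group names are example names.

[OPTIONS]
# Nothing is enforced anywhere until the datacenter firewall is enabled.
# Host defaults when no rule matches are policy_in DROP / policy_out ACCEPT.
enable: 1

[ALIASES]
net_hosts 192.168.1.0/24 # VLAN 4003, cluster and corosync traffic
net_guests 192.168.0.0/24 # VLAN 4002, guest-to-guest traffic

[IPSET ipv4_private]
169.254.0.0/16 # RFC 3927 link-local
10.0.0.0/8 # RFC 1918
172.16.0.0/12 # RFC 1918
192.168.0.0/16 # RFC 1918, contains both net_hosts and net_guests
100.64.0.0/10 # RFC 6598 shared address space (CGNAT)

# Host rules: these filter each node's own traffic (the host chains). They do
# not filter guest traffic; that is only filtered by VM-level rules, and only
# once the VM's firewall is enabled. Order matters: the specific ACCEPTs must
# come before the catch-all DROP, because the first matching rule wins.
[RULES]
IN ACCEPT -source net_hosts -i vmbr4003 -log nolog # cluster peers, in
OUT ACCEPT -dest net_hosts -i vmbr4003 -log nolog # cluster peers, out
OUT ACCEPT -dest net_guests -i vmbr4002 -log nolog # only via the guest bridge
OUT DROP -dest +ipv4_private -log warning # any other private destination

# Security group for guests. Inside a group or VM rule, -i names the guest's
# NIC (net0, net1, ...), not the bridge; net1 is assumed to be the VLAN 4002 NIC.
[group guest_private]
IN ACCEPT -source net_guests -i net1 -log nolog
OUT ACCEPT -dest net_guests -i net1 -log nolog
OUT DROP -dest +ipv4_private -log warning
IN DROP -source +ipv4_private -log warning

# --- /etc/pve/firewall/100.fw (one file per guest; VMID 100 is a placeholder) ---
[OPTIONS]
enable: 1

[RULES]
GROUP guest_private
```

The datacenter file is the right place for rules that every node must share; /etc/pve/nodes/NODE/host.fw is only needed for per-node exceptions. The built-in local_network alias, the management IP set and the automatic rules (cluster, management ports) are never written into these files; they are generated when the ruleset is compiled, which is why they show up in `iptables --list` but not in /etc/pve/firewall. Before enabling anything on a cluster reached over the same interfaces, run `pve-firewall compile` to print the full generated iptables ruleset (including those automatic rules) and `pve-firewall localnet` to see which network is being treated as the management network, so that the OUT DROP above cannot cut the cluster or management traffic it is meant to leave alone.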
