Preventing outgoing and incoming private IP traffic with exceptions

jsabater
Oct 25, 2021
Hello everyone!

I have a recently created Proxmox 7 cluster made of a number of hosts. These hosts each have a public IP address and also a private IP address (192.168.1.0/24), connected via VLAN with id 4003, which is used by the hosts to talk to each other (it's the IP address I used when creating the cluster and it has entries in all /etc/hosts files).

Also the VMs will have a private network (192.168.0.0/24) via VLAN with id 4002 to communicate among themselves (e.g. web server to database server).

Now I am planning how to configure the firewall, and one of the configuration items will be preventing private traffic from going outside of the specific scope described above. Specifically, I am talking about these IP subnets:
  • 169.254.0.0/16 (RFC3927)
  • 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16 (RFC1918)
  • 100.64.0.0/10 (RFC6598)
Since I obviously don't want to cut traffic among hosts (192.168.1.0/24) and among guests (192.168.1.0/24), I was wondering at which level (datacenter or node) to apply the rules and how to configure the rules.

At the moment I have this in mind:
  1. Allow outgoing traffic to net 192.168.0.0/24 only through interface vmbr4002 (private network for guests).
  2. Allow outgoing traffic to net 192.168.1.0/24 only through interface vmbr4003 (private network for hosts).
  3. Disallow outgoing traffic to the Proxmox IP Set ipv4_private (which includes all aliases for the above-mentioned private networks).
What I don't know is whether I should add these at the datacenter or at the node level. Or both. And what about the VM level?

Analogously, should I add a rule for incoming traffic among hosts for the 192.168.1.0/24 range on the vmbr4003 bridge at the datacenter level?

Finally, should I add a rule for incoming traffic among guests for the 192.168.0.0/24 at the VM level or at the datacenter level on the vmbr4002 bridge?

Thanks in advance.
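The three-rule plan from the post, written out as a Proxmox VE firewall configuration fragment. This is an added example, not part of the post and not taken from the Proxmox documentation; the file path, the bridge names vmbr4002/vmbr4003 and the subnet values are the ones the post describes, and the choice to keep everything at the datacenter level (cluster.fw) rather than in a per-node host.fw is an assumption made for the illustration.

```ini
# /etc/pve/firewall/cluster.fw  (datacenter-level firewall config, example only)
# Rules in the cluster-level [RULES] section apply to every host in the cluster.
[OPTIONS]
enable: 1

# IP set named as in the post; members are the RFC1918, RFC3927 and RFC6598 ranges
[IPSET ipv4_private] # private / link-local / shared address space
10.0.0.0/8
172.16.0.0/12
192.168.0.0/16
169.254.0.0/16
100.64.0.0/10

[RULES]
# Rules are matched top to bottom, so the scoped ACCEPTs must come before the catch-all DROPs.

# 2. host-to-host cluster traffic is only allowed on the host VLAN bridge
IN  ACCEPT -i vmbr4003 -source 192.168.1.0/24 -dest 192.168.1.0/24
OUT ACCEPT -i vmbr4003 -dest 192.168.1.0/24

# 1. guest-to-guest private traffic is only allowed on the guest VLAN bridge
IN  ACCEPT -i vmbr4002 -source 192.168.0.0/24 -dest 192.168.0.0/24
OUT ACCEPT -i vmbr4002 -dest 192.168.0.0/24

# 3. anything else heading to (or arriving from) private address space is dropped and logged,
#    so a misrouted private packet shows up in the firewall log instead of silently leaving a host
OUT DROP -dest   +ipv4_private -log info
IN  DROP -source +ipv4_private -log info
```

Because the firewall evaluates rules in order and stops at the first match, the interface-scoped ACCEPT rules have to sit above the DROP rules that reference the IP set; swapping them would block corosync between the hosts. Rules for traffic between guests on vmbr4002 are placed here at the datacenter level only as an assumption for the example; per-guest policy would instead go into that guest's own firewall configuration.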
I just found and read the IP Aliases, IP Sets and Default firewall rules sections of the Proxmox VE Administration guide, but on my installation (Debian Bullseye 11 with the added repository, not the Proxmox ISO) neither those aliases nor the default rules are there.

But if I execute
Code:
sudo iptables --list
then I can see them in the list of rules.

So the question would be, where can I see them? Where can I see the management alias? Where can I see the rule to allow traffic among hosts of the cluster? And so on.