I have Proxmox 3.4-1 installed. I have set up networking pieces successfully, but I want to block most SSH traffic and allow a few, and have managed to block all SSH traffic instead.
On my public IPv4 interface, "vmbr0", I'm blocking everybody for SSH. This works.
What I want is for some of my private interface hosts to have SSH access to the Proxmox host, which is 10.2.8.1.
I would like both physical hosts on the private 10.2.8.* segment and also Proxmox guest hosts on their 10.2.8.* interface.
On my private IPv4 interface for the Proxmox host, in the cluster.fw, I tried both "vmbr1" and "eth1" without success. Nobody can get to the private 10.2.8.1 on the Proxmox host. I have tried physical hosts outside of the Proxmox server, as well as guest hosts on the Proxmox server. Still can't get any of them to talk SSH over the private interface of the Proxmox host.
The private IPv4 range is 10.2.8.1-100.
My cluster.fw looks like this:
[OPTIONS]
# enable firewall (cluster wide setting, default is disabled)
enable: 1
[RULES]
IN SSH(ACCEPT) -i eth1 -source 10.2.8.100 # accept SSH for specific IP
#IN SSH(ACCEPT) -i vmbr1 -source 10.2.8.100 # accept SSH for specific IP
IN SSH(REJECT) -i vmbr0 # reject ssh from everybody
[group webserver]
IN ACCEPT -p tcp -dport 80
IN ACCEPT -p tcp -dport 443
IN ACCEPT -p tcp -dport 8006
pveversion -v
proxmox-ve-2.6.32: 3.3-147 (running kernel: 2.6.32-37-pve)
pve-manager: 3.4-1 (running version: 3.4-1/3f2d890e)
pve-kernel-2.6.32-37-pve: 2.6.32-147
lvm2: 2.02.98-pve4
clvm: 2.02.98-pve4
corosync-pve: 1.4.7-1
openais-pve: 1.1.4-3
libqb0: 0.11.1-2
redhat-cluster-pve: 3.2.0-2
resource-agents-pve: 3.9.2-4
fence-agents-pve: 4.0.10-2
pve-cluster: 3.0-16
qemu-server: 3.3-20
pve-firmware: 1.1-3
libpve-common-perl: 3.0-24
libpve-access-control: 3.0-16
libpve-storage-perl: 3.0-31
pve-libspice-server1: 0.12.4-3
vncterm: 1.1-8
vzctl: 4.0-1pve6
vzprocps: 2.0.11-2
vzquota: 3.1-2
pve-qemu-kvm: 2.1-12
ksm-control-daemon: 1.1-1
glusterfs-client: 3.5.2-1
Where do I start looking into this?
thanks -- dean
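
An added example, not part of the original post and not Proxmox code: a small first-match evaluator over the [RULES] lines as posted, showing which interface/source pairs those lines would admit for SSH. It assumes rules are checked in order, that the SSH macro means tcp/22, and that unmatched inbound traffic is dropped; `parse_rules`, `verdict` and the test packets are hypothetical names and constructed values.

```python
import ipaddress

# The active and disabled [RULES] lines exactly as posted in cluster.fw above.
RULES_TEXT = """\
IN SSH(ACCEPT) -i eth1 -source 10.2.8.100 # accept SSH for specific IP
#IN SSH(ACCEPT) -i vmbr1 -source 10.2.8.100 # accept SSH for specific IP
IN SSH(REJECT) -i vmbr0 # reject ssh from everybody
"""

MACROS = {"SSH": ("tcp", 22)}   # only the macro used on this page
DEFAULT_IN = "DROP"             # assumption: inbound policy when no rule matches


def parse_rules(text):
    """Parse 'IN MACRO(ACTION) -i IFACE -source ADDR' lines into dicts."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drops comments and disabled rules
        if not line:
            continue
        direction, target, *opts = line.split()
        macro, action = target.rstrip(")").split("(")
        proto, dport = MACROS[macro]
        rule = {"dir": direction, "action": action, "proto": proto,
                "dport": dport, "iface": None, "source": None, "text": line}
        for key, value in zip(opts[0::2], opts[1::2]):
            if key == "-i":
                rule["iface"] = value
            elif key == "-source":
                rule["source"] = ipaddress.ip_network(value, strict=False)
        rules.append(rule)
    return rules


def verdict(rules, iface, src, proto="tcp", dport=22):
    """Return (action, matching rule text) for one inbound packet; first match wins."""
    src = ipaddress.ip_address(src)
    for r in rules:
        same_service = r["dir"] == "IN" and (r["proto"], r["dport"]) == (proto, dport)
        same_iface = r["iface"] in (None, iface)
        same_source = r["source"] is None or src in r["source"]
        if same_service and same_iface and same_source:
            return r["action"], r["text"]
    return DEFAULT_IN, "default policy"


if __name__ == "__main__":
    # Constructed test packets: (arrival interface, source address).
    for pkt in [("eth1", "10.2.8.100"), ("eth1", "10.2.8.50"), ("vmbr1", "10.2.8.100")]:
        print(pkt, verdict(parse_rules(RULES_TEXT), *pkt))
```

Under these assumptions, the only packet accepted is one from 10.2.8.100 that the filter sees arriving on eth1; any other 10.2.8.* source, or the same source seen on vmbr1, matches no rule and falls through to the default.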