Problem with iptables after update via script

f4ir

New Member
May 22, 2011
Poland
Hello,

After I used the script to update Proxmox from 1.9 to 2.0, I can't use the FORWARD chain. Before the upgrade I was using
Code:
iptables -I FORWARD -o vmbr0 -s someip -p tcp -j LOG --log-level info --log-prefix "SYN-VM101 "
and it was fine. Now I can only see traffic between Proxmox and KVM (I/O). When I use tcpdump, it gives the correct output (source ip > destination ip).

Code:
Chain FORWARD (policy DROP 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination
       0        0 LOG        tcp  --  *      vmbr0   someip        0.0.0.0/0           LOG flags 0 level 6 prefix `SYN-VM101 '
       0        0 LOG        tcp  --  *      vmbr0   someip        0.0.0.0/0           LOG flags 0 level 6 prefix `SYN-VM102 '
       0        0 LOG        tcp  --  *      vmbr0   someip        0.0.0.0/0           LOG flags 0 level 6 prefix `SYN-VM103 '
       0        0 LOG        tcp  --  *      vmbr0   someip        0.0.0.0/0           LOG flags 0 level 6 prefix `SYN-VM104 '
       0        0 LOG        tcp  --  *      vmbr0   someip        0.0.0.0/0           LOG flags 0 level 6 prefix `SYN-VM105 '
       0        0 LOG        tcp  --  *      vmbr0   someip        0.0.0.0/0           LOG flags 0 level 6 prefix `SYN-VM106 '
       0        0 LOG        tcp  --  *      vmbr0   someip        0.0.0.0/0           LOG flags 0 level 6 prefix `SYN-VM107 '
       0        0 LOG        tcp  --  *      vmbr0   someip        0.0.0.0/0           LOG flags 0 level 6 prefix `SYN-VM108 '
       0        0 LOG        tcp  --  *      vmbr0   someip        0.0.0.0/0           LOG flags 0 level 6 prefix `SYN-VM109 '
       0        0 LOG        tcp  --  *      vmbr0   someip        0.0.0.0/0           LOG flags 0 level 6 prefix `SYN-VM110 '
       0        0 LOG        tcp  --  *      vmbr0   someip        0.0.0.0/0           LOG flags 0 level 6 prefix `SYN-VM111 '
       0        0 LOG        tcp  --  *      vmbr0   someip        0.0.0.0/0           LOG flags 0 level 6 prefix `SYN-VM112 '
       0        0 LOG        tcp  --  *      vmbr0   someip        0.0.0.0/0           LOG flags 0 level 6 prefix `SYN-VM113 '
       0        0 LOG        tcp  --  *      vmbr0   someip        0.0.0.0/0           LOG flags 0 level 6 prefix `SYN-VM114 '
       0        0 LOG        tcp  --  *      vmbr0   someip        0.0.0.0/0           LOG flags 0 level 6 prefix `SYN-VM115 '
       0        0 LOG        tcp  --  *      vmbr0   someip        0.0.0.0/0           LOG flags 0 level 6 prefix `SYN-VM116 '
       0        0 LOG        tcp  --  *      vmbr0   someip        0.0.0.0/0           LOG flags 0 level 6 prefix `SYN-VM117 '
       0        0 LOG        tcp  --  *      vmbr0   someip        0.0.0.0/0           LOG flags 0 level 6 prefix `SYN-VM118 '
       0        0 LOG        tcp  --  *      vmbr0   someip        0.0.0.0/0           LOG flags 0 level 6 prefix `SYN-VM119 '
       0        0 LOG        tcp  --  *      vmbr0   someip        0.0.0.0/0           LOG flags 0 level 6 prefix `SYN-VM120 '
       0        0 LOG        tcp  --  *      vmbr0   someip        0.0.0.0/0           LOG flags 0 level 6 prefix `SYN-VM121 '
       0        0 LOG        tcp  --  *      vmbr0   someip        0.0.0.0/0           LOG flags 0 level 6 prefix `SYN-VM122 '
       0        0 LOG        tcp  --  *      vmbr0   someip        0.0.0.0/0           LOG flags 0 level 6 prefix `SYN-VM123 '
       0        0 LOG        tcp  --  *      vmbr0   someip        0.0.0.0/0           LOG flags 0 level 6 prefix `SYN-VM124 '
       0        0 LOG        tcp  --  *      vmbr0   someip        0.0.0.0/0           LOG flags 0 level 6 prefix `SYN-VM125 '
       0        0 LOG        tcp  --  *      vmbr0   someip        0.0.0.0/0           LOG flags 0 level 6 prefix `SYN-VM126 '
       0        0 LOG        tcp  --  *      vmbr0   someip        0.0.0.0/0           LOG flags 0 level 6 prefix `SYN-VM127 '
       0        0 LOG        tcp  --  *      vmbr0   someip        0.0.0.0/0           LOG flags 0 level 6 prefix `SYN-VM128 '
       0        0 LOG        tcp  --  *      vmbr0   someip        0.0.0.0/0           LOG flags 0 level 6 prefix `SYN-VM129 '
       0        0 LOG        tcp  --  *      vmbr0   someip        0.0.0.0/0           LOG flags 0 level 6 prefix `SYN-VM130 '
       0        0 LOG        tcp  --  *      vmbr0   someip        0.0.0.0/0           LOG flags 0 level 6 prefix `SYN-VM131 '
       0        0 LOG        tcp  --  *      vmbr0   someip        0.0.0.0/0           LOG flags 0 level 6 prefix `SYN-VM132 '
       0        0 LOG        tcp  --  *      vmbr0   someip        0.0.0.0/0           LOG flags 0 level 6 prefix `SYN-VM133 '
       0        0 LOG        tcp  --  *      vmbr0   someip        0.0.0.0/0           LOG flags 0 level 6 prefix `SYN-VM134 '
       0        0 LOG        tcp  --  *      vmbr0   someip        0.0.0.0/0           LOG flags 0 level 6 prefix `SYN-VM135 '
       0        0 LOG        tcp  --  *      vmbr0   someip        0.0.0.0/0           LOG flags 0 level 6 prefix `SYN-VM136 '
       0        0 LOG        tcp  --  *      vmbr0   someip        0.0.0.0/0           LOG flags 0 level 6 prefix `SYN-VM137 '
       0        0 LOG        tcp  --  *      vmbr0   someip        0.0.0.0/0           LOG flags 0 level 6 prefix `SYN-VM138 '
       0        0 LOG        tcp  --  *      vmbr0   someip        0.0.0.0/0           LOG flags 0 level 6 prefix `SYN-VM139 '
       0        0 LOG        tcp  --  *      vmbr0   someip        0.0.0.0/0           LOG flags 0 level 6 prefix `SYN-VM140 '
       0        0 LOG        tcp  --  *      vmbr0   someip        0.0.0.0/0           LOG flags 0 level 6 prefix `SYN-VM141 '
       0        0 LOG        tcp  --  *      vmbr0   someip        0.0.0.0/0           LOG flags 0 level 6 prefix `SYN-VM142 '
       0        0 LOG        tcp  --  *      vmbr0   someip        0.0.0.0/0           LOG flags 0 level 6 prefix `SYN-VM143 '
       0        0 LOG        tcp  --  *      vmbr0   someip        0.0.0.0/0           LOG flags 0 level 6 prefix `SYN-VM144 '
       0        0 LOG        tcp  --  *      vmbr0   someip        0.0.0.0/0           LOG flags 0 level 6 prefix `SYN-VM145 '
       0        0 LOG        tcp  --  *      vmbr0   someip        0.0.0.0/0           LOG flags 0 level 6 prefix `SYN-VM146 '
       0        0 LOG        tcp  --  *      vmbr0   someip        0.0.0.0/0           LOG flags 0 level 6 prefix `SYN-VM147 '
       0        0 LOG        tcp  --  *      vmbr0   someip        0.0.0.0/0           LOG flags 0 level 6 prefix `SYN-VM148 '
       0        0 LOG        tcp  --  *      vmbr0   someip        0.0.0.0/0           LOG flags 0 level 6 prefix `SYN-VM149 '
       0        0 LOG        tcp  --  *      vmbr0   someip        0.0.0.0/0           LOG flags 0 level 6 prefix `SYN-VM150 '
       0        0 LOG        tcp  --  *      vmbr0   someip        0.0.0.0/0           LOG flags 0 level 6 prefix `SYN-VM151 '
       0        0 LOG        tcp  --  *      vmbr0   someip        0.0.0.0/0           LOG flags 0 level 6 prefix `SYN-VM152 '
       0        0 LOG        tcp  --  *      vmbr0   someip        0.0.0.0/0           LOG flags 0 level 6 prefix `SYN-VM153 '
       0        0 LOG        tcp  --  *      vmbr0   someip        0.0.0.0/0           LOG flags 0 level 6 prefix `SYN-VM154 '
       0        0 LOG        tcp  --  *      vmbr0   someip        0.0.0.0/0           LOG flags 0 level 6 prefix `SYN-VM155 '
       0        0 LOG        tcp  --  *      vmbr0   someip        0.0.0.0/0           LOG flags 0 level 6 prefix `SYN-VM156 '
       0        0 LOG        tcp  --  *      vmbr0   someip        0.0.0.0/0           LOG flags 0 level 6 prefix `SYN-VM157 '
       0        0 LOG        tcp  --  *      vmbr0   someip        0.0.0.0/0           LOG flags 0 level 6 prefix `SYN-VM158 '
       0        0 LOG        tcp  --  *      vmbr0   someip        0.0.0.0/0           LOG flags 0 level 6 prefix `SYN-VM159 '
       0        0 LOG        tcp  --  *      vmbr0   someip        0.0.0.0/0           LOG flags 0 level 6 prefix `SYN-VM160 '
       0        0 LOG        tcp  --  *      vmbr0   someip        0.0.0.0/0           LOG flags 0 level 6 prefix `SYN-VM161 '
       0        0 LOG        tcp  --  *      vmbr0   someip        0.0.0.0/0           LOG flags 0 level 6 prefix `SYN-VM162 '
       0        0 LOG        tcp  --  *      vmbr0   someip        0.0.0.0/0           LOG flags 0 level 6 prefix `SYN-VM163 '
       0        0 LOG        tcp  --  *      vmbr0   someip        0.0.0.0/0           LOG flags 0 level 6 prefix `SYN-VM164 '
       0        0 LOG        tcp  --  *      vmbr0   someip        0.0.0.0/0           LOG flags 0 level 6 prefix `SYN-VM165 '
       0        0 LOG        tcp  --  *      vmbr0   someip        0.0.0.0/0           LOG flags 0 level 6 prefix `SYN-VM166 '
       0        0 LOG        tcp  --  *      vmbr0   someip        0.0.0.0/0           LOG flags 0 level 6 prefix `SYN-VM167 '
       0        0 LOG        tcp  --  *      vmbr0   someip        0.0.0.0/0           LOG flags 0 level 6 prefix `SYN-VM168 '
       0        0 SPAM       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:587 state NEW
       0        0 SPAM       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:465 state NEW
       0        0 SPAM       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:25 state NEW
       0        0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-is-bridged
       0        0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
       0        0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:53
       0        0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:53
       0        0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0

This is false, because iptables does not count the packets, yet traffic between the in and out interfaces is passed.

Code:
Linux proxmox 2.6.32-11-pve #1 SMP Wed Apr 11 07:17:05 CEST 2012 x86_64 GNU/Linux
iptables v1.4.8

Thanks for any advice.
 
Thanks for the quick answer. This file and directory do not exist. I checked in 1.9 and it is the same situation.

Code:
proxmox:~# ls -al /etc/sysconf.d/
ls: cannot access /etc/sysconf.d/: No such file or directory
 
See /etc/sysctl.d/pve.conf
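
Added example, not part of the thread or of Proxmox: when the kernel setting `net.bridge.bridge-nf-call-iptables` is 0, bridged frames are never handed to iptables, so FORWARD rules keep zero counters while tcpdump on the bridge still shows the traffic. The sketch below reads sysctl.d-style settings and reports that state; the function names and the sample settings are constructed for illustration and are not the contents of the poster's `/etc/sysctl.d/pve.conf`.

```shell
#!/bin/sh
# Added example: decide from sysctl.d-style settings whether bridged frames
# reach iptables. Reads the named files, or stdin when none are given.

# sample_conf: constructed sample settings, not taken from a real host.
sample_conf() {
    cat <<'EOF'
# constructed sample
net.bridge.bridge-nf-call-ip6tables = 0
net/bridge/bridge-nf-call-iptables=1
net.bridge.bridge-nf-call-iptables = 0
EOF
}

# bridge_nf_value KEY [FILE...]: print the last value assigned to
# net.bridge.KEY (later assignments override earlier ones), or "unset".
bridge_nf_value() {
    key=$1; shift
    awk -v want="net.bridge.$key" '
        /^[ \t]*[#;]/ { next }              # skip comment lines
        {
            eq = index($0, "=")
            if (eq == 0) next               # not an assignment
            name = substr($0, 1, eq - 1)
            val  = substr($0, eq + 1)
            gsub(/[ \t]/, "", name); gsub(/[ \t]/, "", val)
            sub(/^-/, "", name)             # "-key" means ignore write errors
            gsub("/", ".", name)            # a/b/c is accepted for a.b.c
            if (name == want) last = val
        }
        END { print (last == "" ? "unset" : last) }
    ' "$@"
}

# forward_chain_sees_bridged [FILE...]: exit 0 if bridged IPv4 frames are
# passed to iptables, 1 if they bypass it, 2 if the setting is not present.
forward_chain_sees_bridged() {
    case $(bridge_nf_value bridge-nf-call-iptables "$@") in
        1) return 0 ;;
        0) return 1 ;;
        *) return 2 ;;
    esac
}

printf 'constructed sample: bridge-nf-call-iptables=%s\n' \
    "$(sample_conf | bridge_nf_value bridge-nf-call-iptables)"
```

On a live host the same functions can be pointed at the files under `/etc/sysctl.d/`, and the running value compared with `sysctl net.bridge.bridge-nf-call-iptables`.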