
Proxmox 2: iptables on the host is not filtering guests anymore?

Discussion in 'Proxmox VE: Installation and configuration' started by RRJ, May 1, 2012.

  1. RRJ

    RRJ Member

    Joined:
    Apr 14, 2010
    Messages:
    245
    Likes Received:
    0
    Hey,

    In 1.x I had iptables rules on the host machine to filter incoming and outgoing connections to my containers and KVM guests via the FORWARD table. But after the 2.x upgrade this scheme is not working anymore. Even if I just set the default action to DROP in the FORWARD table, it still allows the connections.

    How can I filter all the connections from the host now? Do I really have to set up iptables on every single guest OS?
     
  2. dietmar

    dietmar Proxmox Staff Member
    Staff Member

    Joined:
    Apr 28, 2005
    Messages:
    14,151
    Likes Received:
    69
    Maybe you need to change settings in /etc/sysctl.d/pve.conf
     
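    dietmar's reply does not name the setting, so here, as an added example that is not from the thread or from Proxmox, is a small POSIX shell script built on the assumption that the pve.conf key in question is net.bridge.bridge-nf-call-iptables. That sysctl decides whether frames crossing a Linux bridge (vmbr0 and friends) are handed to the host's iptables FORWARD chain at all; at 0 the FORWARD policy is never consulted for bridged guest traffic, which matches the symptom RRJ describes. The sample config contents below are constructed for the example, not copied from a real host.

```sh
#!/bin/sh
# Added example, not from the thread or from Proxmox. It assumes the pve.conf
# setting dietmar refers to is net.bridge.bridge-nf-call-iptables: when it is 0,
# frames bridged between a guest's tap/veth interface and the uplink never enter
# the host's iptables FORWARD chain, so a DROP policy there has no effect on them.

# bridge_nf_value FILE
#   Print the value of net.bridge.bridge-nf-call-iptables set in FILE, following
#   sysctl's rules: comment lines are ignored and the last assignment wins.
#   Prints "unset" when the file does not mention the key at all.
bridge_nf_value() {
    awk -F= '
        /^[[:space:]]*[#;]/ { next }
        $1 ~ /^[[:space:]]*net\.bridge\.bridge-nf-call-iptables[[:space:]]*$/ {
            v = $2; gsub(/[[:space:]]/, "", v)
        }
        END { print (v == "" ? "unset" : v) }
    ' "$1"
}

# forward_chain_sees_bridge FILE
#   Succeed (exit 0) only if FILE explicitly enables bridge netfilter, i.e. only
#   then will host FORWARD rules be evaluated for bridged guest traffic.
forward_chain_sees_bridge() {
    [ "$(bridge_nf_value "$1")" = 1 ]
}

# bridge_nf_live
#   Value the running kernel is using, or "n/a" if the bridge netfilter sysctl
#   is not present (bridge module not loaded, or not a Linux host).
bridge_nf_live() {
    f=/proc/sys/net/bridge/bridge-nf-call-iptables
    if [ -r "$f" ]; then cat "$f"; else echo n/a; fi
}

# Constructed sample files for the demonstration; they are not real host files.
TMP=$(mktemp -d)
trap 'rm -rf "$TMP"' EXIT

# A 2.x-style pve.conf that turns bridge netfilter off (assumed content).
cat > "$TMP/pve.conf" <<'EOF'
net.bridge.bridge-nf-call-iptables = 0
EOF

# The same file with the key re-enabled further down: sysctl keeps the last value.
cat > "$TMP/pve-fixed.conf" <<'EOF'
net.bridge.bridge-nf-call-iptables = 0
# re-enable so that host FORWARD rules apply to bridged guest traffic
net.bridge.bridge-nf-call-iptables = 1
EOF

# Excerpt of the 1.9 vzctl.conf posted later in this thread: the key is absent,
# so the kernel default applies rather than an explicit 0.
cat > "$TMP/vzctl.conf" <<'EOF'
net.ipv4.ip_forward = 1
net.ipv4.conf.default.forwarding=1
net.ipv4.conf.all.rp_filter = 1
EOF

for f in pve.conf pve-fixed.conf vzctl.conf; do
    printf '%-16s bridge-nf-call-iptables=%s\n' "$f" "$(bridge_nf_value "$TMP/$f")"
done
printf 'running kernel:  %s\n' "$(bridge_nf_live)"
```

    To apply the change on a live host, either set it immediately with `sysctl -w net.bridge.bridge-nf-call-iptables=1` or edit the file and reload it with `sysctl -p /etc/sysctl.d/pve.conf`, then watch the packet counters in `iptables -vnL FORWARD` while a guest opens a connection; they only move once the bridge hands frames to netfilter. Bear in mind what that switch does: every bridged guest frame is now processed by the host's iptables, including connection tracking, so host rules and conntrack state apply to guest traffic as well. If you want rules that key on the bridge port rather than on IP addresses, the `physdev` match (`-m physdev --physdev-in tapXXXX`) is the tool for that in the FORWARD chain.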
  3. RRJ

    RRJ Member

    Joined:
    Apr 14, 2010
    Messages:
    245
    Likes Received:
    0
    Thank you dietmar,
    You've made my day :).
    Why did you guys decide to turn it off by default?
    What were the defaults for those settings in 1.9? Just to be sure everything is working as expected.
    And is there a manual where I could read about all the changes in 2.0? :)
     
    #3 RRJ, May 1, 2012
    Last edited: May 1, 2012
  4. dietmar

    dietmar Proxmox Staff Member
    Staff Member

    Joined:
    Apr 28, 2005
    Messages:
    14,151
    Likes Received:
    69
    It is considered a security risk.
     
  5. apmuthu

    apmuthu Member

    Joined:
    Feb 26, 2009
    Messages:
    726
    Likes Received:
    1
    FWIW:

    In Proxmox VE v1.9 there is no /etc/sysctl.d/pve.conf file.

    There is only an /etc/sysctl.d/vzctl.conf file, which has the following:

    Code:
    # On Hardware Node we generally need
    # packet forwarding enabled and proxy arp disabled
    
    net.ipv4.ip_forward = 1
    net.ipv4.conf.default.forwarding=1
    net.ipv4.conf.default.proxy_arp = 0
    
    # Enables source route verification
    net.ipv4.conf.all.rp_filter = 1
    
    # Enables the magic-sysrq key
    kernel.sysrq = 1
    
    # TCP Explicit Congestion Notification
    #net.ipv4.tcp_ecn = 0
    
    # we do not want all our interfaces to send redirects
    net.ipv4.conf.default.send_redirects = 1
    net.ipv4.conf.all.send_redirects = 0
    
     
  6. RRJ

    RRJ Member

    Joined:
    Apr 14, 2010
    Messages:
    245
    Likes Received:
    0
    Could you tell me more about this risk? Why, and what kind of risk?
     
  7. RRJ

    RRJ Member

    Joined:
    Apr 14, 2010
    Messages:
    245
    Likes Received:
    0
    Up, please.
     
