proxmox 4 firewall problem internet access

redjohn

Well-Known Member
Apr 22, 2016
Hello everyone,

I have a problem with the Proxmox firewall. I have activated it on the Proxmox host and on all containers. All works fine. One container has no public IP address and uses the Proxmox host for DNS resolving (internet access). I created a vmbr adapter for this with a 192.168..... network. The gateway is my Proxmox host. If I activate the Proxmox firewall on the container, I can't connect to the internet or ping the Proxmox host.

If I disable the firewall on the network card of the container, I have access. So why is Proxmox blocking my access to the internet? The default outgoing policy is ACCEPT. Is there something to do in iptables?

Does anybody have an idea or a solution? That would be very, very nice!

My config on the Proxmox host:

Code:
auto vmbr1
iface vmbr1 inet static
        address  192.168.30.254
        netmask  255.255.255.0
        bridge_ports none
        bridge_stp off
        bridge_fd 0
        post-up echo 1 > /proc/sys/net/ipv4/ip_forward
        post-up iptables -t nat -A POSTROUTING -s '192.168.30.0/24' -o vmbr0 -j MASQUERADE
        post-down iptables -t nat -D POSTROUTING -s '192.168.30.0/24' -o vmbr0 -j MASQUERADE
 

Attachment: fw.png
If nobody else helps with your problem, I would recommend using the Proxmox firewall only for the Proxmox host itself.
All the containers should use their own private firewalls.
 
I use Proxmox firewalls on all containers. On all containers it works fine. Only one container has no public IP address, only an internal IP address (192.168.... vmbr adapter on the Proxmox host). If I enable the firewall there, I have no access to some outside services. Is there anything I must configure in iptables for the Proxmox firewall and masquerading to use the Proxmox host as internet gateway?
 


Hello Wolfgang,

Thanks for your reply. I used your article and configured my container with iptables. But if I enable the firewall on the network card (see attached screenshot), I can't ping e.g. google.de or the Proxmox host. If the firewall on the network card is enabled, I have no outgoing connection.

Any idea why? Or can the Proxmox firewall not be used on containers with no public IP? The container has only an internal IP address and uses my Proxmox host as gateway.
 

Attachment: fw2.png
Can you please send the output of 'iptables-save'?
 


Hello Wolfgang,

Sure, the output of iptables-save is:

Code:
# Generated by iptables-save v1.6.0 on Fri Feb 24 10:57:00 2017
*mangle
:PREROUTING ACCEPT [5:279]
:INPUT ACCEPT [5:279]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [11:642]
:POSTROUTING ACCEPT [11:642]
COMMIT
# Completed on Fri Feb 24 10:57:00 2017
# Generated by iptables-save v1.6.0 on Fri Feb 24 10:57:00 2017
*filter
:INPUT ACCEPT [5:279]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [11:642]
COMMIT
# Completed on Fri Feb 24 10:57:00 2017
# Generated by iptables-save v1.6.0 on Fri Feb 24 10:57:00 2017
*nat
:PREROUTING ACCEPT [1:60]
:INPUT ACCEPT [1:60]
:OUTPUT ACCEPT [3:180]
:POSTROUTING ACCEPT [3:180]
COMMIT
# Completed on Fri Feb 24 10:57:00 2017

Attached you find a screenshot of my Proxmox firewall config! The container uses the vmbr1 bridge on my Proxmox host to connect to the internet.
 

Attachments: fw3.png, fw4.png, fw5.png
I was not precise.
I meant iptables-save from the PVE host, not from the container.
 

Here is my output of iptables-save:

Code:
# Generated by iptables-save v1.4.21 on Fri Feb 24 11:06:21 2017
*mangle
:PREROUTING ACCEPT [1598458:788253287]
:INPUT ACCEPT [730455:106125517]
:FORWARD ACCEPT [953543:686415966]
:OUTPUT ACCEPT [681854:2772537356]
:POSTROUTING ACCEPT [1487756:3451968711]
COMMIT
# Completed on Fri Feb 24 11:06:21 2017
# Generated by iptables-save v1.4.21 on Fri Feb 24 11:06:21 2017
*filter
:INPUT ACCEPT [56:3476]
:FORWARD ACCEPT [1391:71134]
:OUTPUT ACCEPT [109:13813]
:GROUP-zabbix-IN - [0:0]
:GROUP-zabbix-OUT - [0:0]
:PVEFW-Drop - [0:0]
:PVEFW-DropBroadcast - [0:0]
:PVEFW-FORWARD - [0:0]
:PVEFW-FWBR-IN - [0:0]
:PVEFW-FWBR-OUT - [0:0]
:PVEFW-HOST-IN - [0:0]
:PVEFW-HOST-OUT - [0:0]
:PVEFW-INPUT - [0:0]
:PVEFW-OUTPUT - [0:0]
:PVEFW-Reject - [0:0]
:PVEFW-SET-ACCEPT-MARK - [0:0]
:PVEFW-logflags - [0:0]
:PVEFW-reject - [0:0]
:PVEFW-smurflog - [0:0]
:PVEFW-smurfs - [0:0]
:PVEFW-tcpflags - [0:0]
:veth100i0-IN - [0:0]
:veth100i0-OUT - [0:0]
:veth100i1-IN - [0:0]
:veth100i1-OUT - [0:0]
:veth101i0-IN - [0:0]
:veth101i0-OUT - [0:0]
:veth103i0-IN - [0:0]
:veth103i0-OUT - [0:0]
:veth103i1-IN - [0:0]
:veth103i1-OUT - [0:0]
:veth104i0-IN - [0:0]
:veth104i0-OUT - [0:0]
:veth104i1-IN - [0:0]
:veth104i1-OUT - [0:0]
-A INPUT -j PVEFW-INPUT
-A FORWARD -j PVEFW-FORWARD
-A OUTPUT -j PVEFW-OUTPUT
-A GROUP-zabbix-IN -j MARK --set-xmark 0x0/0x80000000
-A GROUP-zabbix-IN -s 192.168.20.103/32 -p tcp -m tcp --dport 10050 -g PVEFW-SET-ACCEPT-MARK
-A GROUP-zabbix-IN -m comment --comment "PVESIG:MEDLxSdiZCU+dou/1h5hA9w2rCA"
-A GROUP-zabbix-OUT -j MARK --set-xmark 0x0/0x80000000
-A GROUP-zabbix-OUT -m comment --comment "PVESIG:p/p77dzU6ri8kbYsIOAe4Di15EU"
-A PVEFW-Drop -p tcp -m tcp --dport 43 -j PVEFW-reject
-A PVEFW-Drop -j PVEFW-DropBroadcast
-A PVEFW-Drop -p icmp -m icmp --icmp-type 3/4 -j ACCEPT
-A PVEFW-Drop -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A PVEFW-Drop -m conntrack --ctstate INVALID -j DROP
-A PVEFW-Drop -p udp -m multiport --dports 135,445 -j DROP
-A PVEFW-Drop -p udp -m udp --dport 137:139 -j DROP
-A PVEFW-Drop -p udp -m udp --sport 137 --dport 1024:65535 -j DROP
-A PVEFW-Drop -p tcp -m multiport --dports 135,139,445 -j DROP
-A PVEFW-Drop -p udp -m udp --dport 1900 -j DROP
-A PVEFW-Drop -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -j DROP
-A PVEFW-Drop -p udp -m udp --sport 53 -j DROP
-A PVEFW-Drop -m comment --comment "PVESIG:zfGV4KTPaxGVOCwRUVqqqbR0IhM"
-A PVEFW-DropBroadcast -m addrtype --dst-type BROADCAST -j DROP
-A PVEFW-DropBroadcast -m addrtype --dst-type MULTICAST -j DROP
-A PVEFW-DropBroadcast -m addrtype --dst-type ANYCAST -j DROP
-A PVEFW-DropBroadcast -d 224.0.0.0/4 -j DROP
-A PVEFW-DropBroadcast -m comment --comment "PVESIG:NyjHNAtFbkH7WGLamPpdVnxHy4w"
-A PVEFW-FORWARD -m conntrack --ctstate INVALID -j DROP
-A PVEFW-FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A PVEFW-FORWARD -m physdev --physdev-in fwln+ --physdev-is-bridged -j PVEFW-FWBR-IN
-A PVEFW-FORWARD -m physdev --physdev-out fwln+ --physdev-is-bridged -j PVEFW-FWBR-OUT
-A PVEFW-FORWARD -m comment --comment "PVESIG:qnNexOcGa+y+jebd4dAUqFSp5nw"
-A PVEFW-FWBR-IN -m conntrack --ctstate INVALID,NEW -j PVEFW-smurfs
-A PVEFW-FWBR-IN -m physdev --physdev-out veth100i0 --physdev-is-bridged -j veth100i0-IN
-A PVEFW-FWBR-IN -m physdev --physdev-out veth100i1 --physdev-is-bridged -j veth100i1-IN
-A PVEFW-FWBR-IN -m physdev --physdev-out veth101i0 --physdev-is-bridged -j veth101i0-IN
-A PVEFW-FWBR-IN -m physdev --physdev-out veth103i0 --physdev-is-bridged -j veth103i0-IN
-A PVEFW-FWBR-IN -m physdev --physdev-out veth103i1 --physdev-is-bridged -j veth103i1-IN
-A PVEFW-FWBR-IN -m physdev --physdev-out veth104i0 --physdev-is-bridged -j veth104i0-IN
-A PVEFW-FWBR-IN -m physdev --physdev-out veth104i1 --physdev-is-bridged -j veth104i1-IN
-A PVEFW-FWBR-IN -m comment --comment "PVESIG:HZNxylPsy1GTTlHYVyN6tdqmHxM"
-A PVEFW-FWBR-OUT -m physdev --physdev-in veth100i0 --physdev-is-bridged -j veth100i0-OUT
-A PVEFW-FWBR-OUT -m physdev --physdev-in veth100i1 --physdev-is-bridged -j veth100i1-OUT
-A PVEFW-FWBR-OUT -m physdev --physdev-in veth101i0 --physdev-is-bridged -j veth101i0-OUT
-A PVEFW-FWBR-OUT -m physdev --physdev-in veth103i0 --physdev-is-bridged -j veth103i0-OUT
-A PVEFW-FWBR-OUT -m physdev --physdev-in veth103i1 --physdev-is-bridged -j veth103i1-OUT
-A PVEFW-FWBR-OUT -m physdev --physdev-in veth104i0 --physdev-is-bridged -j veth104i0-OUT
-A PVEFW-FWBR-OUT -m physdev --physdev-in veth104i1 --physdev-is-bridged -j veth104i1-OUT
-A PVEFW-FWBR-OUT -m comment --comment "PVESIG:d9b5K/hgSgFRLCIEBww8bfKc+3Q"
-A PVEFW-HOST-IN -i lo -j ACCEPT
-A PVEFW-HOST-IN -m conntrack --ctstate INVALID -j DROP
-A PVEFW-HOST-IN -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A PVEFW-HOST-IN -m conntrack --ctstate INVALID,NEW -j PVEFW-smurfs
-A PVEFW-HOST-IN -p igmp -j RETURN
-A PVEFW-HOST-IN -s 188.xxx.xxx.xxx/32 -i vmbr0 -p icmp -m icmp --icmp-type 8 -j RETURN
-A PVEFW-HOST-IN -i vmbr1 -p tcp -m tcp --dport 443 -j RETURN
-A PVEFW-HOST-IN -i vmbr1 -p tcp -m tcp --dport 80 -j RETURN
-A PVEFW-HOST-IN -i vmbr1 -j GROUP-zabbix-IN
-A PVEFW-HOST-IN -m mark --mark 0x80000000/0x80000000 -j RETURN
-A PVEFW-HOST-IN -i vmbr0 -p tcp -m tcp --dport 443 -j RETURN
-A PVEFW-HOST-IN -i vmbr0 -p tcp -m tcp --dport 80 -j RETURN
-A PVEFW-HOST-IN -p tcp -m set --match-set PVEFW-0-management-v4 src -m tcp --dport 8006 -j RETURN
-A PVEFW-HOST-IN -p tcp -m set --match-set PVEFW-0-management-v4 src -m tcp --dport 5900:5999 -j RETURN
-A PVEFW-HOST-IN -p tcp -m set --match-set PVEFW-0-management-v4 src -m tcp --dport 3128 -j RETURN
-A PVEFW-HOST-IN -p tcp -m set --match-set PVEFW-0-management-v4 src -m tcp --dport 22 -j RETURN
-A PVEFW-HOST-IN -s 188.xxx.xxx.xxx/24 -d 188.xxx.xxx.xxx/24 -p udp -m udp --dport 5404:5405 -j RETURN
-A PVEFW-HOST-IN -s 188.xxx.xxx.xxx/24 -p udp -m addrtype --dst-type MULTICAST -m udp --dport 5404:5405 -j RETURN
-A PVEFW-HOST-IN -j PVEFW-Drop
-A PVEFW-HOST-IN -j DROP
-A PVEFW-HOST-IN -m comment --comment "PVESIG:iI6BK2T3VoaMgX6Lu6zkZ4BaKDw"
-A PVEFW-HOST-OUT -o lo -j ACCEPT
-A PVEFW-HOST-OUT -m conntrack --ctstate INVALID -j DROP
-A PVEFW-HOST-OUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A PVEFW-HOST-OUT -p igmp -j RETURN
-A PVEFW-HOST-OUT -o vmbr1 -j GROUP-zabbix-OUT
-A PVEFW-HOST-OUT -m mark --mark 0x80000000/0x80000000 -j RETURN
-A PVEFW-HOST-OUT -d 188.xxx.xxx.xxx/24 -p tcp -m tcp --dport 8006 -j RETURN
-A PVEFW-HOST-OUT -d 188.xxx.xxx.xxx/24 -p tcp -m tcp --dport 22 -j RETURN
-A PVEFW-HOST-OUT -d 188.xxx.xxx.xxx/24 -p tcp -m tcp --dport 5900:5999 -j RETURN
-A PVEFW-HOST-OUT -d 188.xxx.xxx.xxx/24 -p tcp -m tcp --dport 3128 -j RETURN
-A PVEFW-HOST-OUT -d 188.xxx.xxx.xxx/24 -p udp -m udp --dport 5404:5405 -j RETURN
-A PVEFW-HOST-OUT -p udp -m addrtype --dst-type MULTICAST -m udp --dport 5404:5405 -j RETURN
-A PVEFW-HOST-OUT -j RETURN
-A PVEFW-HOST-OUT -m comment --comment "PVESIG:iRHfXYzcmXM/92SBRe+E6ntTSes"
-A PVEFW-INPUT -j PVEFW-HOST-IN
-A PVEFW-INPUT -m comment --comment "PVESIG:+5iMmLaxKXynOB/+5xibfx7WhFk"
-A PVEFW-OUTPUT -j PVEFW-HOST-OUT
-A PVEFW-OUTPUT -m comment --comment "PVESIG:LjHoZeSSiWAG3+2ZAyL/xuEehd0"
-A PVEFW-Reject -p tcp -m tcp --dport 43 -j PVEFW-reject
-A PVEFW-Reject -j PVEFW-DropBroadcast
-A PVEFW-Reject -p icmp -m icmp --icmp-type 3/4 -j ACCEPT
-A PVEFW-Reject -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A PVEFW-Reject -m conntrack --ctstate INVALID -j DROP
-A PVEFW-Reject -p udp -m multiport --dports 135,445 -j PVEFW-reject
-A PVEFW-Reject -p udp -m udp --dport 137:139 -j PVEFW-reject
-A PVEFW-Reject -p udp -m udp --sport 137 --dport 1024:65535 -j PVEFW-reject
-A PVEFW-Reject -p tcp -m multiport --dports 135,139,445 -j PVEFW-reject
-A PVEFW-Reject -p udp -m udp --dport 1900 -j DROP
-A PVEFW-Reject -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -j DROP
-A PVEFW-Reject -p udp -m udp --sport 53 -j DROP
-A PVEFW-Reject -m comment --comment "PVESIG:3gYHaSHlZx5luiKyM0oCsTVaXi4"
-A PVEFW-SET-ACCEPT-MARK -j MARK --set-xmark 0x80000000/0x80000000
-A PVEFW-SET-ACCEPT-MARK -m comment --comment "PVESIG:K9jRaFw5I2si1xj1eGi18ZF/Ng0"
-A PVEFW-logflags -j DROP
-A PVEFW-logflags -m comment --comment "PVESIG:ewllejV/lK5Rjmt/E3xIODQgfYg"
-A PVEFW-reject -m addrtype --dst-type BROADCAST -j DROP
-A PVEFW-reject -s 224.0.0.0/4 -j DROP
-A PVEFW-reject -p icmp -j DROP
-A PVEFW-reject -p tcp -j REJECT --reject-with tcp-reset
-A PVEFW-reject -p udp -j REJECT --reject-with icmp-port-unreachable
-A PVEFW-reject -p icmp -j REJECT --reject-with icmp-host-unreachable
-A PVEFW-reject -j REJECT --reject-with icmp-host-prohibited
-A PVEFW-reject -m comment --comment "PVESIG:KM/fOv4KvGn8XvMqxoiRCdvlji8"
-A PVEFW-smurflog -j DROP
-A PVEFW-smurflog -m comment --comment "PVESIG:k8rhuGB1IUidugKwAufSGGgKAZ4"
-A PVEFW-smurfs -s 0.0.0.0/32 -j RETURN
-A PVEFW-smurfs -m addrtype --src-type BROADCAST -g PVEFW-smurflog
-A PVEFW-smurfs -s 224.0.0.0/4 -g PVEFW-smurflog
-A PVEFW-smurfs -m comment --comment "PVESIG:HssVe5QCBXd5mc9kC88749+7fag"
-A PVEFW-tcpflags -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -g PVEFW-logflags
-A PVEFW-tcpflags -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -g PVEFW-logflags
-A PVEFW-tcpflags -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -g PVEFW-logflags
-A PVEFW-tcpflags -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -g PVEFW-logflags
-A PVEFW-tcpflags -p tcp -m tcp --sport 0 --tcp-flags FIN,SYN,RST,ACK SYN -g PVEFW-logflags
-A PVEFW-tcpflags -m comment --comment "PVESIG:CMFojwNPqllyqD67NeI5m+bP5mo"
-A veth100i0-IN -p udp -m udp --sport 67 --dport 68 -j ACCEPT
-A veth100i0-IN -p tcp -m tcp --dport 443 -j ACCEPT
-A veth100i0-IN -p tcp -m tcp --dport 80 -j ACCEPT
-A veth100i0-IN -j GROUP-zabbix-IN
-A veth100i0-IN -m mark --mark 0x80000000/0x80000000 -j ACCEPT
-A veth100i0-IN -j PVEFW-Drop
-A veth100i0-IN -j DROP
-A veth100i0-IN -m comment --comment "PVESIG:ASOqGXujD6Y8vAXwUzdma/tRWKE"
-A veth100i0-OUT -p udp -m udp --sport 68 --dport 67 -g PVEFW-SET-ACCEPT-MARK
-A veth100i0-OUT -m mac ! --mac-source 22:C0:CD:68:5D:9F -j DROP
-A veth100i0-OUT -j MARK --set-xmark 0x0/0x80000000
-A veth100i0-OUT -j GROUP-zabbix-OUT
-A veth100i0-OUT -m mark --mark 0x80000000/0x80000000 -j RETURN
-A veth100i0-OUT -g PVEFW-SET-ACCEPT-MARK
-A veth100i0-OUT -m comment --comment "PVESIG:7m08R3wKAQ1dl3Y0L15d2znyCdY"
-A veth100i1-IN -p udp -m udp --sport 67 --dport 68 -j ACCEPT
-A veth100i1-IN -p tcp -m tcp --dport 80 -j ACCEPT
-A veth100i1-IN -p tcp -m tcp --dport 443 -j ACCEPT
-A veth100i1-IN -j PVEFW-Drop
-A veth100i1-IN -j DROP
-A veth100i1-IN -m comment --comment "PVESIG:3ZtEQlaMxV8e6Z6hq77XXIVR8Y4"
-A veth100i1-OUT -p udp -m udp --sport 68 --dport 67 -g PVEFW-SET-ACCEPT-MARK
-A veth100i1-OUT -m mac ! --mac-source 02:00:00:EC:9C:2E -j DROP
-A veth100i1-OUT -j MARK --set-xmark 0x0/0x80000000
-A veth100i1-OUT -g PVEFW-SET-ACCEPT-MARK
-A veth100i1-OUT -m comment --comment "PVESIG:FkZsKWXSyTQaahydx2zy2RBkpbE"
-A veth101i0-IN -p udp -m udp --sport 67 --dport 68 -j ACCEPT
-A veth101i0-IN -j GROUP-zabbix-IN
-A veth101i0-IN -m mark --mark 0x80000000/0x80000000 -j ACCEPT
-A veth101i0-IN -s 192.168.20.100/32 -p tcp -m tcp --dport 80 -j ACCEPT
-A veth101i0-IN -s 192.168.20.100/32 -p tcp -m tcp --dport 3306 -j ACCEPT
-A veth101i0-IN -j PVEFW-Drop
-A veth101i0-IN -j DROP
-A veth101i0-IN -m comment --comment "PVESIG:jzmSxotKUsBoGTT+sYEBhpw7Tg0"
-A veth101i0-OUT -p udp -m udp --sport 68 --dport 67 -g PVEFW-SET-ACCEPT-MARK
-A veth101i0-OUT -m mac ! --mac-source 0E:0B:8C:B6:A9:6A -j DROP
-A veth101i0-OUT -j MARK --set-xmark 0x0/0x80000000
-A veth101i0-OUT -j GROUP-zabbix-OUT
-A veth101i0-OUT -m mark --mark 0x80000000/0x80000000 -j RETURN
-A veth101i0-OUT -g PVEFW-SET-ACCEPT-MARK
-A veth101i0-OUT -m comment --comment "PVESIG:YTEDb7mfiowKU3/HJFIDH7HNAfQ"
-A veth103i0-IN -p udp -m udp --sport 67 --dport 68 -j ACCEPT
-A veth103i0-IN -j PVEFW-Drop
-A veth103i0-IN -j DROP
-A veth103i0-IN -m comment --comment "PVESIG:jgCeZ/JmYaU6/OQTFq7elRlqMhs"
-A veth103i0-OUT -p udp -m udp --sport 68 --dport 67 -g PVEFW-SET-ACCEPT-MARK
-A veth103i0-OUT -m mac ! --mac-source D2:39:D2:CE:8A:2C -j DROP
-A veth103i0-OUT -j MARK --set-xmark 0x0/0x80000000
-A veth103i0-OUT -g PVEFW-SET-ACCEPT-MARK
-A veth103i0-OUT -m comment --comment "PVESIG:KTvhlF3cwzxbR/+gJDIuofYmvBM"
-A veth103i1-IN -p udp -m udp --sport 67 --dport 68 -j ACCEPT
-A veth103i1-IN -p tcp -m tcp --dport 443 -j ACCEPT
-A veth103i1-IN -p tcp -m tcp --dport 80 -j ACCEPT
-A veth103i1-IN -j PVEFW-Drop
-A veth103i1-IN -j DROP
-A veth103i1-IN -m comment --comment "PVESIG:UAt1eaPdancchfLk3v4uwPk5A7I"
-A veth103i1-OUT -p udp -m udp --sport 68 --dport 67 -g PVEFW-SET-ACCEPT-MARK
-A veth103i1-OUT -m mac ! --mac-source 02:00:00:E1:F9:0F -j DROP
-A veth103i1-OUT -j MARK --set-xmark 0x0/0x80000000
-A veth103i1-OUT -g PVEFW-SET-ACCEPT-MARK
-A veth103i1-OUT -m comment --comment "PVESIG:T5SgT4X7Ll+KPKTOPWONgj7F764"
-A veth104i0-IN -p udp -m udp --sport 67 --dport 68 -j ACCEPT
-A veth104i0-IN -s 192.168.20.103/32 -p tcp -m tcp --dport 443 -j ACCEPT
-A veth104i0-IN -s 192.168.20.103/32 -p tcp -m tcp --dport 80 -j ACCEPT
-A veth104i0-IN -j GROUP-zabbix-IN
-A veth104i0-IN -m mark --mark 0x80000000/0x80000000 -j ACCEPT
-A veth104i0-IN -j PVEFW-Drop
-A veth104i0-IN -j DROP
-A veth104i0-IN -m comment --comment "PVESIG:rh95NSlmdRXtN2PL1JGtA8Rnz80"
-A veth104i0-OUT -p udp -m udp --sport 68 --dport 67 -g PVEFW-SET-ACCEPT-MARK
-A veth104i0-OUT -m mac ! --mac-source 72:F7:F8:AE:C2:6A -j DROP
-A veth104i0-OUT -j MARK --set-xmark 0x0/0x80000000
-A veth104i0-OUT -j GROUP-zabbix-OUT
-A veth104i0-OUT -m mark --mark 0x80000000/0x80000000 -j RETURN
-A veth104i0-OUT -g PVEFW-SET-ACCEPT-MARK
-A veth104i0-OUT -m comment --comment "PVESIG:8GgzKRh3mTanGoMwvTvRA8WFm2M"
-A veth104i1-IN -p udp -m udp --sport 67 --dport 68 -j ACCEPT
-A veth104i1-IN -p tcp -m tcp --dport 443 -j ACCEPT
-A veth104i1-IN -p tcp -m tcp --dport 80 -j ACCEPT
-A veth104i1-IN -j PVEFW-Drop
-A veth104i1-IN -j DROP
-A veth104i1-IN -m comment --comment "PVESIG:W+agtDYo7ik4/5UqvJoW50fyKoQ"
-A veth104i1-OUT -p udp -m udp --sport 68 --dport 67 -g PVEFW-SET-ACCEPT-MARK
-A veth104i1-OUT -m mac ! --mac-source 02:00:00:FC:F4:44 -j DROP
-A veth104i1-OUT -j MARK --set-xmark 0x0/0x80000000
-A veth104i1-OUT -g PVEFW-SET-ACCEPT-MARK
-A veth104i1-OUT -m comment --comment "PVESIG:NAVtuHVIoMZpkvtS7lD7iiGmDtM"
COMMIT
# Completed on Fri Feb 24 11:06:21 2017
# Generated by iptables-save v1.4.21 on Fri Feb 24 11:06:21 2017
*nat
:PREROUTING ACCEPT [1002324:40734578]
:INPUT ACCEPT [65004:4044450]
:OUTPUT ACCEPT [197131:22137064]
:POSTROUTING ACCEPT [968914:53156650]
-A POSTROUTING -s 192.168.20.0/24 -o vmbr0 -j MASQUERADE
COMMIT
# Completed on Fri Feb 24 11:06:21 2017
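A way to check what the host dump above actually admits, as an added example that is not part of the thread and not Proxmox's own tooling: the script below parses -A lines in iptables-save format and walks a constructed packet through PVEFW-HOST-IN the way netfilter would, following the jump into PVEFW-Drop and treating a RETURN out of the top chain as the built-in INPUT policy (ACCEPT in the dump). It is deliberately small: only the matches that occur in the dump are understood, anything unknown counts as "no match", -g is treated like -j, the documentation address 198.51.100.10 stands in for the redacted 188.xxx.xxx.xxx, and the container address 192.168.30.10 is constructed. Run against the excerpt, a new TCP connection to port 443 arriving on vmbr1 is admitted, while a UDP/53 query or an ICMP echo from the same container matches no RETURN and ends at the chain's final DROP. That is visible in the dump itself, since the only vmbr1 rules in PVEFW-HOST-IN are TCP 443, TCP 80 and the zabbix group, and it matters for a container that resolves DNS through the host. The forwarded path (PVEFW-FORWARD and the vethXXX-OUT chains) is not modelled, so a verdict here says something about reaching the host, not about reaching the internet through it.

```python
"""Trace a packet through PVE host firewall chains parsed from iptables-save output.

Added example, not from the thread or from Proxmox. Only the matches used in the
dump (-i, -s, -p, --dport, --sport, --icmp-type, --ctstate, --mark) are understood;
unknown matches count as "no match" and -g is treated like -j.
"""
import ipaddress
import shlex
from collections import defaultdict

# Constructed excerpt of the PVEFW-HOST-IN path from the thread's dump. The poster
# redacted his public prefix as 188.xxx.xxx.xxx; a documentation address stands in
# for it so the CIDR parses.
HOST_RULES = """\
-A PVEFW-HOST-IN -i lo -j ACCEPT
-A PVEFW-HOST-IN -m conntrack --ctstate INVALID -j DROP
-A PVEFW-HOST-IN -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A PVEFW-HOST-IN -p igmp -j RETURN
-A PVEFW-HOST-IN -s 198.51.100.10/32 -i vmbr0 -p icmp -m icmp --icmp-type 8 -j RETURN
-A PVEFW-HOST-IN -i vmbr1 -p tcp -m tcp --dport 443 -j RETURN
-A PVEFW-HOST-IN -i vmbr1 -p tcp -m tcp --dport 80 -j RETURN
-A PVEFW-HOST-IN -m mark --mark 0x80000000/0x80000000 -j RETURN
-A PVEFW-HOST-IN -j PVEFW-Drop
-A PVEFW-HOST-IN -j DROP
-A PVEFW-Drop -m conntrack --ctstate INVALID -j DROP
-A PVEFW-Drop -p udp -m udp --sport 53 -j DROP
"""
TERMINAL = {"ACCEPT", "DROP", "REJECT", "RETURN"}

def parse_rules(text):
    """Group '-A CHAIN <matches> -j TARGET' lines into {chain: [(matches, target)]}."""
    chains = defaultdict(list)
    for line in text.splitlines():
        tok = shlex.split(line)
        if len(tok) < 2 or tok[0] != "-A":
            continue
        for idx, t in enumerate(tok):
            if t in ("-j", "-g"):  # options after the target belong to the target
                chains[tok[1]].append((tok[2:idx], tok[idx + 1]))
                break  # lines without a target (e.g. PVESIG comment markers) are skipped
    return chains

def _in_range(port, spec):
    """True if port lies in 'N' or 'N:M'."""
    lo, _, hi = spec.partition(":")
    return port is not None and int(lo) <= port <= int(hi or lo)

def rule_matches(tokens, pkt):
    """True if every match option in tokens applies to pkt (a plain dict)."""
    i = 0
    while i < len(tokens):
        negate = tokens[i] == "!"
        i += int(negate)
        opt, arg = tokens[i], (tokens[i + 1] if i + 1 < len(tokens) else None)
        if opt == "-m":  # extension name; its own options follow as normal tokens
            i += 2
            continue
        if opt == "-i":
            ok = pkt.get("in") == arg
        elif opt == "-s":
            ok = ipaddress.ip_address(pkt.get("src", "0.0.0.0")) in ipaddress.ip_network(arg, strict=False)
        elif opt == "-p":
            ok = pkt.get("proto") == arg
        elif opt in ("--dport", "--sport"):
            ok = _in_range(pkt.get(opt[2:]), arg)
        elif opt == "--icmp-type":  # "3/4" is type/code; compare the type only
            ok = str(pkt.get("icmp_type")) == arg.split("/")[0]
        elif opt == "--ctstate":
            ok = pkt.get("state", "NEW") in arg.split(",")
        elif opt == "--mark":
            value, _, mask = arg.partition("/")
            mask = int(mask, 16) if mask else 0xFFFFFFFF
            ok = (pkt.get("mark", 0) & mask) == (int(value, 16) & mask)
        else:
            return False  # unknown match: conservatively treat as no match
        if ok == negate:
            return False
        i += 2
    return True

def walk(chains, chain, pkt, trace=None):
    """Return (verdict, trace); 'RETURN' means the chain fell through to its caller."""
    trace = [] if trace is None else trace
    for tokens, target in chains.get(chain, []):
        if not rule_matches(tokens, pkt):
            continue
        trace.append(f"{chain}: {' '.join(tokens) or '(any)'} -> {target}")
        if target in TERMINAL:
            return target, trace
        verdict, trace = walk(chains, target, pkt, trace)  # jump into a user chain
        if verdict != "RETURN":
            return verdict, trace
    return "RETURN", trace

def host_verdict(pkt, rules=HOST_RULES):
    """Verdict for a packet addressed to the host itself; INPUT policy is ACCEPT as in the dump."""
    verdict, trace = walk(parse_rules(rules), "PVEFW-HOST-IN", pkt)
    if verdict == "RETURN":
        trace.append("INPUT: built-in policy -> ACCEPT")
        verdict = "ACCEPT"
    return verdict, trace
```

To try it, call host_verdict with a packet dict such as {"in": "vmbr1", "src": "192.168.30.10", "proto": "udp", "dport": 53} and print the returned trace; the same function accepts the full PVEFW-HOST-IN section of a real dump as its rules argument, as long as the redacted addresses are replaced with something that parses.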
 
