Proxmox DataCenter firewall drops udp multicast packages

mdc2023 · Mar 8, 2023

Proxmox have a default firewall rule to drop broadcast, multicast and anycast packages. I want to allow udp multicast package traffic in the Datacenter Firewall. We need the multicast udp traffic for the jboss cluster(new virtual machine in Proxmox with jboss does not work).

I have created the following rule in the GUI (this rule doesn't work):

Direction: in and out
Action: Accept
Destination: 224.0.0.0/4

Our goal is to override the default firewall rule to accept udp multicast traffic from physical applications servers running with Jboss. How can i realize that?

Thank you for your help in advance.

Richard · Mar 9, 2023

mdc2023 said:
Proxmox have a default firewall rule to drop broadcast, multicast and anycast packages. I want to allow udp multicast package traffic in the Datacenter Firewall. We need the multicast udp traffic for the jboss cluster(new virtual machine in Proxmox with jboss does not work).

I have created the following rule in the GUI (this rule doesn't work):

Direction: in and out
Action: Accept
Destination: 224.0.0.0/4

Our goal is to override the default firewall rule to accept udp multicast traffic from physical applications servers running with Jboss. How can i realize that?

Thank you for your help in advance.

Settings as described should work, for details post current settings seen by

Code:

iptables-save

mdc2023 · Mar 9, 2023

Some of the rules were created from us.

output from iptables-save:

Generated by iptables-save v1.8.7 on Thu Mar 9 13:49:54 2023
*raw

REROUTING ACCEPT [5351200316:17175971989639]
:OUTPUT ACCEPT [4457777216:25284538469093]
COMMIT
# Completed on Thu Mar 9 13:49:54 2023
# Generated by iptables-save v1.8.7 on Thu Mar 9 13:49:54 2023
*filter
:INPUT ACCEPT [432:1197987]
:FORWARD ACCEPT [6:2034]
:OUTPUT ACCEPT [477:1347122]

VEFW-Drop - [0:0]

VEFW-DropBroadcast - [0:0]

VEFW-FORWARD - [0:0]

VEFW-FWBR-IN - [0:0]

VEFW-FWBR-OUT - [0:0]

VEFW-HOST-IN - [0:0]

VEFW-HOST-OUT - [0:0]

VEFW-INPUT - [0:0]

VEFW-OUTPUT - [0:0]

VEFW-Reject - [0:0]

VEFW-SET-ACCEPT-MARK - [0:0]

VEFW-logflags - [0:0]

VEFW-reject - [0:0]

VEFW-smurflog - [0:0]

VEFW-smurfs - [0:0]

VEFW-tcpflags - [0:0]
-A INPUT -j PVEFW-INPUT
-A FORWARD -j PVEFW-FORWARD
-A OUTPUT -j PVEFW-OUTPUT
-A PVEFW-Drop -j PVEFW-DropBroadcast
-A PVEFW-Drop -p icmp -m icmp --icmp-type 3/4 -j ACCEPT
-A PVEFW-Drop -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A PVEFW-Drop -m conntrack --ctstate INVALID -j DROP
-A PVEFW-Drop -p udp -m multiport --dports 135,445 -j DROP
-A PVEFW-Drop -p udp -m udp --dport 137:139 -j DROP
-A PVEFW-Drop -p udp -m udp --sport 137 --dport 1024:65535 -j DROP
-A PVEFW-Drop -p tcp -m multiport --dports 135,139,445 -j DROP
-A PVEFW-Drop -p udp -m udp --dport 1900 -j DROP
-A PVEFW-Drop -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -j DROP
-A PVEFW-Drop -p udp -m udp --sport 53 -j DROP
-A PVEFW-Drop -m comment --comment "PVESIG:83WlR/a4wLbmURFqMQT3uJSgIG8"
-A PVEFW-DropBroadcast -m addrtype --dst-type BROADCAST -j DROP
-A PVEFW-DropBroadcast -m addrtype --dst-type MULTICAST -j DROP
-A PVEFW-DropBroadcast -m addrtype --dst-type ANYCAST -j DROP
-A PVEFW-DropBroadcast -d 224.0.0.0/4 -j DROP
-A PVEFW-DropBroadcast -m comment --comment "PVESIG:NyjHNAtFbkH7WGLamPpdVnxHy4w"
-A PVEFW-FORWARD -m conntrack --ctstate INVALID -j DROP
-A PVEFW-FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A PVEFW-FORWARD -m physdev --physdev-in fwln+ --physdev-is-bridged -j PVEFW-FWBR-IN
-A PVEFW-FORWARD -m physdev --physdev-out fwln+ --physdev-is-bridged -j PVEFW-FWBR-OUT
-A PVEFW-FORWARD -m comment --comment "PVESIG:qnNexOcGa+y+jebd4dAUqFSp5nw"
-A PVEFW-FWBR-IN -m conntrack --ctstate INVALID,NEW -j PVEFW-smurfs
-A PVEFW-FWBR-IN -m physdev --physdev-out tap104i0 --physdev-is-bridged -j tap104i0-IN
-A PVEFW-FWBR-IN -m physdev --physdev-out tap104i1 --physdev-is-bridged -j tap104i1-IN
-A PVEFW-FWBR-IN -m physdev --physdev-out tap106i1 --physdev-is-bridged -j tap106i1-IN
-A PVEFW-FWBR-IN -m comment --comment "PVESIG:7fAMtFcspUdT6WVMcG7c+LvSOGQ"
-A PVEFW-FWBR-OUT -m physdev --physdev-in tap104i0 --physdev-is-bridged -j tap104i0-OUT
-A PVEFW-FWBR-OUT -m physdev --physdev-in tap104i1 --physdev-is-bridged -j tap104i1-OUT
-A PVEFW-FWBR-OUT -m physdev --physdev-in tap106i1 --physdev-is-bridged -j tap106i1-OUT
-A PVEFW-FWBR-OUT -m comment --comment "PVESIG:1hCZIjS5AxlEAYsaPSlfwUegXHw"
-A PVEFW-HOST-IN -i lo -j ACCEPT
-A PVEFW-HOST-IN -m conntrack --ctstate INVALID -j DROP
-A PVEFW-HOST-IN -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A PVEFW-HOST-IN -m conntrack --ctstate INVALID,NEW -j PVEFW-smurfs
-A PVEFW-HOST-IN -p igmp -j RETURN
-A PVEFW-HOST-IN -d 224.0.0.0/4 -j RETURN
-A PVEFW-HOST-IN -p igmp -j RETURN
-A PVEFW-HOST-IN -p udp -m udp --dport 1098 -j RETURN
-A PVEFW-HOST-IN -p udp -m udp --dport 1099 -j RETURN
-A PVEFW-HOST-IN -p udp -m udp --dport 1100:1102 -j RETURN
-A PVEFW-HOST-IN -p udp -m udp --dport 45566 -j RETURN
-A PVEFW-HOST-IN -p udp -m udp --dport 1102 -j RETURN
-A PVEFW-HOST-IN -p udp -m udp --dport 1101 -j RETURN
-A PVEFW-HOST-IN -p udp -m udp --dport 1100 -j RETURN
-A PVEFW-HOST-IN -p udp -m udp --dport 1099 -j RETURN
-A PVEFW-HOST-IN -p udp -m udp --dport 1098 -j RETURN
-A PVEFW-HOST-IN -p udp -m udp --dport 45566 -j RETURN
-A PVEFW-HOST-IN -p igmp -j RETURN
-A PVEFW-HOST-IN -d 224.0.0.0/4 -j RETURN
-A PVEFW-HOST-IN -p tcp -m set --match-set PVEFW-0-management-v4 src -m tcp --dport 8006 -j RETURN
-A PVEFW-HOST-IN -p tcp -m set --match-set PVEFW-0-management-v4 src -m tcp --dport 5900:5999 -j RETURN
-A PVEFW-HOST-IN -p tcp -m set --match-set PVEFW-0-management-v4 src -m tcp --dport 3128 -j RETURN
-A PVEFW-HOST-IN -p tcp -m set --match-set PVEFW-0-management-v4 src -m tcp --dport 22 -j RETURN
-A PVEFW-HOST-IN -p tcp -m set --match-set PVEFW-0-management-v4 src -m tcp --dport 60000:60050 -j RETURN
-A PVEFW-HOST-IN -s 192.168.13.243/32 -d 192.168.13.242/32 -p udp -m udp --dport 5404:5405 -j RETURN
-A PVEFW-HOST-IN -s 192.168.14.243/32 -d 192.168.14.242/32 -p udp -m udp --dport 5404:5405 -j RETURN
-A PVEFW-HOST-IN -s 192.168.13.244/32 -d 192.168.13.242/32 -p udp -m udp --dport 5404:5405 -j RETURN
-A PVEFW-HOST-IN -s 192.168.14.244/32 -d 192.168.14.242/32 -p udp -m udp --dport 5404:5405 -j RETURN
-A PVEFW-HOST-IN -s 192.168.13.245/32 -d 192.168.13.242/32 -p udp -m udp --dport 5404:5405 -j RETURN
-A PVEFW-HOST-IN -s 192.168.14.245/32 -d 192.168.14.242/32 -p udp -m udp --dport 5404:5405 -j RETURN
-A PVEFW-HOST-IN -j RETURN
-A PVEFW-HOST-IN -m comment --comment "PVESIG:fCvcNGepr0JSRJy8jnaf5wSgmRc"
-A PVEFW-HOST-OUT -o lo -j ACCEPT
-A PVEFW-HOST-OUT -m conntrack --ctstate INVALID -j DROP
-A PVEFW-HOST-OUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A PVEFW-HOST-OUT -p igmp -j RETURN
-A PVEFW-HOST-OUT -d 224.0.0.0/4 -j RETURN
-A PVEFW-HOST-OUT -p igmp -j RETURN
-A PVEFW-HOST-OUT -p udp -m udp --dport 1098 -j RETURN
-A PVEFW-HOST-OUT -p udp -m udp --dport 1099 -j RETURN
-A PVEFW-HOST-OUT -p udp -m udp --dport 1100:1102 -j RETURN
-A PVEFW-HOST-OUT -p udp -m udp --dport 45566 -j RETURN
-A PVEFW-HOST-OUT -p udp -m udp --dport 1102 -j RETURN
-A PVEFW-HOST-OUT -p udp -m udp --dport 1101 -j RETURN
-A PVEFW-HOST-OUT -p udp -m udp --dport 1100 -j RETURN
-A PVEFW-HOST-OUT -p udp -m udp --dport 1099 -j RETURN
-A PVEFW-HOST-OUT -p udp -m udp --dport 1098 -j RETURN
-A PVEFW-HOST-OUT -p udp -m udp --dport 45566 -j RETURN
-A PVEFW-HOST-OUT -p igmp -j RETURN
-A PVEFW-HOST-OUT -d 224.0.0.0/4 -j RETURN
-A PVEFW-HOST-OUT -d 192.168.36.0/24 -p tcp -m tcp --dport 8006 -j RETURN
-A PVEFW-HOST-OUT -d 192.168.36.0/24 -p tcp -m tcp --dport 22 -j RETURN
-A PVEFW-HOST-OUT -d 192.168.36.0/24 -p tcp -m tcp --dport 5900:5999 -j RETURN
-A PVEFW-HOST-OUT -d 192.168.36.0/24 -p tcp -m tcp --dport 3128 -j RETURN
-A PVEFW-HOST-OUT -s 192.168.13.242/32 -d 192.168.13.243/32 -p udp -m udp --dport 5404:5405 -j RETURN
-A PVEFW-HOST-OUT -s 192.168.14.242/32 -d 192.168.14.243/32 -p udp -m udp --dport 5404:5405 -j RETURN
-A PVEFW-HOST-OUT -s 192.168.13.242/32 -d 192.168.13.244/32 -p udp -m udp --dport 5404:5405 -j RETURN
-A PVEFW-HOST-OUT -s 192.168.14.242/32 -d 192.168.14.244/32 -p udp -m udp --dport 5404:5405 -j RETURN
-A PVEFW-HOST-OUT -s 192.168.13.242/32 -d 192.168.13.245/32 -p udp -m udp --dport 5404:5405 -j RETURN
-A PVEFW-HOST-OUT -s 192.168.14.242/32 -d 192.168.14.245/32 -p udp -m udp --dport 5404:5405 -j RETURN
-A PVEFW-HOST-OUT -j RETURN
-A PVEFW-HOST-OUT -m comment --comment "PVESIG:WLO2u/kIs+9XZTuIAzx+4NxFC3o"
-A PVEFW-INPUT -j PVEFW-HOST-IN
-A PVEFW-INPUT -m comment --comment "PVESIG:+5iMmLaxKXynOB/+5xibfx7WhFk"
-A PVEFW-OUTPUT -j PVEFW-HOST-OUT
-A PVEFW-OUTPUT -m comment --comment "PVESIG:LjHoZeSSiWAG3+2ZAyL/xuEehd0"
-A PVEFW-Reject -j PVEFW-DropBroadcast
-A PVEFW-Reject -p icmp -m icmp --icmp-type 3/4 -j ACCEPT
-A PVEFW-Reject -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A PVEFW-Reject -m conntrack --ctstate INVALID -j DROP
-A PVEFW-Reject -p udp -m multiport --dports 135,445 -j PVEFW-reject
-A PVEFW-Reject -p udp -m udp --dport 137:139 -j PVEFW-reject
-A PVEFW-Reject -p udp -m udp --sport 137 --dport 1024:65535 -j PVEFW-reject
-A PVEFW-Reject -p tcp -m multiport --dports 135,139,445 -j PVEFW-reject
-A PVEFW-Reject -p udp -m udp --dport 1900 -j DROP
-A PVEFW-Reject -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -j DROP
-A PVEFW-Reject -p udp -m udp --sport 53 -j DROP
-A PVEFW-Reject -m comment --comment "PVESIG:h3DyALVslgH5hutETfixGP08w7c"
-A PVEFW-SET-ACCEPT-MARK -j MARK --set-xmark 0x80000000/0x80000000
-A PVEFW-SET-ACCEPT-MARK -m comment --comment "PVESIG:Hg/OIgIwJChBUcWU8Xnjhdd2jUY"
-A PVEFW-logflags -m limit --limit 1/sec -j NFLOG --nflog-prefix ":0:4

VEFW-logflags: DROP: "
-A PVEFW-logflags -j DROP
-A PVEFW-logflags -m comment --comment "PVESIG:Smp7CXnN6v4Zkr1/FLmO3GO1GDc"
-A PVEFW-reject -m addrtype --dst-type BROADCAST -j DROP
-A PVEFW-reject -s 224.0.0.0/4 -j DROP
-A PVEFW-reject -p icmp -j DROP
-A PVEFW-reject -p tcp -j REJECT --reject-with tcp-reset
-A PVEFW-reject -p udp -j REJECT --reject-with icmp-port-unreachable
-A PVEFW-reject -p icmp -j REJECT --reject-with icmp-host-unreachable
-A PVEFW-reject -j REJECT --reject-with icmp-host-prohibited
-A PVEFW-reject -m comment --comment "PVESIG:Jlkrtle1mDdtxDeI9QaDSL++Npc"
-A PVEFW-smurflog -m limit --limit 1/sec -j NFLOG --nflog-prefix ":0:4

VEFW-smurflog: DROP: "
-A PVEFW-smurflog -j DROP
-A PVEFW-smurflog -m comment --comment "PVESIG:bQVwuPiu19Ro7pIJ8BC6jE6M+hg"
-A PVEFW-smurfs -s 0.0.0.0/32 -j RETURN
-A PVEFW-smurfs -m addrtype --src-type BROADCAST -g PVEFW-smurflog
-A PVEFW-smurfs -s 224.0.0.0/4 -g PVEFW-smurflog
-A PVEFW-smurfs -m comment --comment "PVESIG:HssVe5QCBXd5mc9kC88749+7fag"
-A PVEFW-tcpflags -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -g PVEFW-logflags
-A PVEFW-tcpflags -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -g PVEFW-logflags
-A PVEFW-tcpflags -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -g PVEFW-logflags
-A PVEFW-tcpflags -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -g PVEFW-logflags
-A PVEFW-tcpflags -p tcp -m tcp --sport 0 --tcp-flags FIN,SYN,RST,ACK SYN -g PVEFW-logflags
-A PVEFW-tcpflags -m comment --comment "PVESIG:CMFojwNPqllyqD67NeI5m+bP5mo"
COMMIT
# Completed on Thu Mar 9 13:49:54 2023

Search

Search

Proxmox DataCenter firewall drops udp multicast packages

mdc2023

New Member

Richard

Renowned Member

mdc2023

New Member