Proxmox Firewall - Input Policy DROP useless?

Jan 25, 2021
Hello together,

I am new to Proxmox VE. At the moment I am playing around with a Proxmox VE installation hosted on a Hetzner dedicated server. For security reasons I enabled the PVE firewall at database and node level. At database level the default Input Policy is „DROP“.

At node level I checked iptables (compare image below) ... and at the moment, I am not able to understand the meaning of the first line in the PVEFW-HOST-IN chain. Why is there an “accept all“ target at the beginning of the chain ... this seems counterintuitive to me, considering the default Input Policy „DROP“?

Best regards,
mscd

Hello,

thank you for your reply ... I think the argument „different chains“ is not the solution to my question.
Let's have another look at „iptables -nvL“ (on the pve node):

1.) A packet traversing the chain INPUT first goes to PVEFW-INPUT ... from there directly to PVEFW-HOST-IN.

2.) The solution to my initial question seems (for me) to be that the first „accept all“ line in PVEFW-HOST-IN only matches „in = lo“ ... therefore only incoming packets on the local interface are always accepted. I didn't see that by using „iptables -L“ (above).

Is this correct?

Best regards,
mscd

2.) The solution to my initial question seems (for me) to be that the first „accept all“ line in PVEFW-HOST-IN only matches „in = lo“ ... therefore only incoming packets on the local interface are always accepted. I didn't see that by using „iptables -L“ (above).
Sounds right :)

In general it's always helpful to inspect iptables output via iptables -nvL - or even iptables-save - only there you get the complete picture...

Apart from that it's also a good idea to check if the rules work - by using tcpdump and sending packets which should get dropped (and ones that should get accepted)

I hope this helps!
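An added check for the point made in this thread (not part of the original posts): because `iptables -L` hides the in/out interface columns, the first ACCEPT rule looks like an unconditional "accept all", while `iptables -nvL` shows it is bound to `lo`. The two chain listings below are constructed samples in `iptables -nvL` format, not output captured from a real PVE node; `rule_iface` and `unconditional_accepts` are helper names chosen for this example.

```shell
#!/bin/sh
# Constructed sample in `iptables -nvL PVEFW-HOST-IN` layout (not real node output).
# Rule 1 accepts everything, but only on in-interface "lo".
SAMPLE_NVL='Chain PVEFW-HOST-IN (1 references)
 pkts bytes target     prot opt in     out     source               destination
  120  9600 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate INVALID
   40  3200 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED'

# Constructed counter-example: rule 2 here really does accept from every interface
# with no further match, which would make an Input Policy of DROP meaningless.
SAMPLE_BAD='Chain PVEFW-HOST-IN (1 references)
 pkts bytes target     prot opt in     out     source               destination
  120  9600 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
   55  4400 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0'

# Print the in-interface (column 6 of the verbose listing) of rule N in a chain
# listing; N counts from the first rule line after the two header lines.
rule_iface() {
  printf '%s\n' "$1" | awk -v n="$2" 'NR > 2 && NF { if (++i == n) print $6 }'
}

# Print the rule numbers that accept from any interface ("*") with no extra match.
# A verbose rule line without extra matches has exactly 9 columns; anything beyond
# that (ctstate, dport, a match-set, ...) narrows the rule and is not flagged.
unconditional_accepts() {
  printf '%s\n' "$1" | awk 'NR > 2 && NF {
    i++
    if ($3 == "ACCEPT" && $6 == "*" && NF == 9) print i
  }'
}

# Stand-alone usage: on a node, replace the sample with `iptables -nvL PVEFW-HOST-IN`.
echo "rule 1 in-interface: $(rule_iface "$SAMPLE_NVL" 1)"
echo "unconditional accepts in sample: [$(unconditional_accepts "$SAMPLE_NVL")]"
echo "unconditional accepts in bad sample: [$(unconditional_accepts "$SAMPLE_BAD")]"
```

On a live node the same functions can be fed `"$(iptables -nvL PVEFW-HOST-IN)"`; an empty result from `unconditional_accepts` means every ACCEPT in the chain is narrowed by an interface or a further match.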