proxmox firewall problem container bridges

redjohn · Feb 21, 2017

Hello everyone,

I have a problem with the proxmox firewall. i have activated it on the proxmox host and on all containers. all works fine. one container have no public ip-adress and use the proxmox host for dns resolv (internet access). if i activated the proxmox firewall on the container i can't connect to the internet or ping the proxmox host.

if i disable the firewall on the network card from the container i have access, but if i enable the firewall on the network card of the container i have no access to the internet or can ping something.

have andybody a idea or a solutions, would be very very nice!

my config on the proxmox host:

Code:

auto vmbr1
iface vmbr1 inet static
        address  192.168.30.254
        netmask  255.255.255.0
        bridge_ports none
        bridge_stp off
        bridge_fd 0
        post-up echo 1 > /proc/sys/net/ipv4/ip_forward
        post-up iptables -t nat -A POSTROUTING -s '192.168.30.0/24' -o vmbr0 -j MASQUERADE
        post-down iptables -t nat -D POSTROUTING -s '192.168.30.0/24' -o vmbr0 -j MASQUERADE

Richard · Feb 27, 2017

OliverB said:
Hello everyone,

I have a problem with the proxmox firewall. i have activated it on the proxmox host and on all containers. all works fine. one container have no public ip-adress and use the proxmox host for dns resolv (internet access). if i activated the proxmox firewall on the container i can't connect to the internet or ping the proxmox host.

As soon as you activate the firewall also the host is firewalled (no incoming connection allowed), you have to allow DNS queries to it.

For details have a look with

Code:

iptables-save

redjohn · Feb 27, 2017

Richard said:
As soon as you activate the firewall also the host is firewalled (no incoming connection allowed), you have to allow DNS queries to it.

For details have a look with

Code:

iptables-save

Hi Richard,

I enabled DNS on the containers firewall but not internet connection.. any idea?. here is my iptables-save output of my proxmox host:

Code:

# Generated by iptables-save v1.4.21 on Fri Feb 24 11:06:21 2017
*mangle
:PREROUTING ACCEPT [1598458:788253287]
:INPUT ACCEPT [730455:106125517]
:FORWARD ACCEPT [953543:686415966]
:OUTPUT ACCEPT [681854:2772537356]
:POSTROUTING ACCEPT [1487756:3451968711]
COMMIT
# Completed on Fri Feb 24 11:06:21 2017
# Generated by iptables-save v1.4.21 on Fri Feb 24 11:06:21 2017
*filter
:INPUT ACCEPT [56:3476]
:FORWARD ACCEPT [1391:71134]
:OUTPUT ACCEPT [109:13813]
:GROUP-zabbix-IN - [0:0]
:GROUP-zabbix-OUT - [0:0]
:PVEFW-Drop - [0:0]
:PVEFW-DropBroadcast - [0:0]
:PVEFW-FORWARD - [0:0]
:PVEFW-FWBR-IN - [0:0]
:PVEFW-FWBR-OUT - [0:0]
:PVEFW-HOST-IN - [0:0]
:PVEFW-HOST-OUT - [0:0]
:PVEFW-INPUT - [0:0]
:PVEFW-OUTPUT - [0:0]
:PVEFW-Reject - [0:0]
:PVEFW-SET-ACCEPT-MARK - [0:0]
:PVEFW-logflags - [0:0]
:PVEFW-reject - [0:0]
:PVEFW-smurflog - [0:0]
:PVEFW-smurfs - [0:0]
:PVEFW-tcpflags - [0:0]
:veth100i0-IN - [0:0]
:veth100i0-OUT - [0:0]
:veth100i1-IN - [0:0]
:veth100i1-OUT - [0:0]
:veth101i0-IN - [0:0]
:veth101i0-OUT - [0:0]
:veth103i0-IN - [0:0]
:veth103i0-OUT - [0:0]
:veth103i1-IN - [0:0]
:veth103i1-OUT - [0:0]
:veth104i0-IN - [0:0]
:veth104i0-OUT - [0:0]
:veth104i1-IN - [0:0]
:veth104i1-OUT - [0:0]
-A INPUT -j PVEFW-INPUT
-A FORWARD -j PVEFW-FORWARD
-A OUTPUT -j PVEFW-OUTPUT
-A GROUP-zabbix-IN -j MARK --set-xmark 0x0/0x80000000
-A GROUP-zabbix-IN -s 192.168.20.103/32 -p tcp -m tcp --dport 10050 -g PVEFW-SET-ACCEPT-MARK
-A GROUP-zabbix-IN -m comment --comment "PVESIG:MEDLxSdiZCU+dou/1h5hA9w2rCA"
-A GROUP-zabbix-OUT -j MARK --set-xmark 0x0/0x80000000
-A GROUP-zabbix-OUT -m comment --comment "PVESIG:p/p77dzU6ri8kbYsIOAe4Di15EU"
-A PVEFW-Drop -p tcp -m tcp --dport 43 -j PVEFW-reject
-A PVEFW-Drop -j PVEFW-DropBroadcast
-A PVEFW-Drop -p icmp -m icmp --icmp-type 3/4 -j ACCEPT
-A PVEFW-Drop -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A PVEFW-Drop -m conntrack --ctstate INVALID -j DROP
-A PVEFW-Drop -p udp -m multiport --dports 135,445 -j DROP
-A PVEFW-Drop -p udp -m udp --dport 137:139 -j DROP
-A PVEFW-Drop -p udp -m udp --sport 137 --dport 1024:65535 -j DROP
-A PVEFW-Drop -p tcp -m multiport --dports 135,139,445 -j DROP
-A PVEFW-Drop -p udp -m udp --dport 1900 -j DROP
-A PVEFW-Drop -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -j DROP
-A PVEFW-Drop -p udp -m udp --sport 53 -j DROP
-A PVEFW-Drop -m comment --comment "PVESIG:zfGV4KTPaxGVOCwRUVqqqbR0IhM"
-A PVEFW-DropBroadcast -m addrtype --dst-type BROADCAST -j DROP
-A PVEFW-DropBroadcast -m addrtype --dst-type MULTICAST -j DROP
-A PVEFW-DropBroadcast -m addrtype --dst-type ANYCAST -j DROP
-A PVEFW-DropBroadcast -d 224.0.0.0/4 -j DROP
-A PVEFW-DropBroadcast -m comment --comment "PVESIG:NyjHNAtFbkH7WGLamPpdVnxHy4w"
-A PVEFW-FORWARD -m conntrack --ctstate INVALID -j DROP
-A PVEFW-FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A PVEFW-FORWARD -m physdev --physdev-in fwln+ --physdev-is-bridged -j PVEFW-FWBR-IN
-A PVEFW-FORWARD -m physdev --physdev-out fwln+ --physdev-is-bridged -j PVEFW-FWBR-OUT
-A PVEFW-FORWARD -m comment --comment "PVESIG:qnNexOcGa+y+jebd4dAUqFSp5nw"
-A PVEFW-FWBR-IN -m conntrack --ctstate INVALID,NEW -j PVEFW-smurfs
-A PVEFW-FWBR-IN -m physdev --physdev-out veth100i0 --physdev-is-bridged -j veth100i0-IN
-A PVEFW-FWBR-IN -m physdev --physdev-out veth100i1 --physdev-is-bridged -j veth100i1-IN
-A PVEFW-FWBR-IN -m physdev --physdev-out veth101i0 --physdev-is-bridged -j veth101i0-IN
-A PVEFW-FWBR-IN -m physdev --physdev-out veth103i0 --physdev-is-bridged -j veth103i0-IN
-A PVEFW-FWBR-IN -m physdev --physdev-out veth103i1 --physdev-is-bridged -j veth103i1-IN
-A PVEFW-FWBR-IN -m physdev --physdev-out veth104i0 --physdev-is-bridged -j veth104i0-IN
-A PVEFW-FWBR-IN -m physdev --physdev-out veth104i1 --physdev-is-bridged -j veth104i1-IN
-A PVEFW-FWBR-IN -m comment --comment "PVESIG:HZNxylPsy1GTTlHYVyN6tdqmHxM"
-A PVEFW-FWBR-OUT -m physdev --physdev-in veth100i0 --physdev-is-bridged -j veth100i0-OUT
-A PVEFW-FWBR-OUT -m physdev --physdev-in veth100i1 --physdev-is-bridged -j veth100i1-OUT
-A PVEFW-FWBR-OUT -m physdev --physdev-in veth101i0 --physdev-is-bridged -j veth101i0-OUT
-A PVEFW-FWBR-OUT -m physdev --physdev-in veth103i0 --physdev-is-bridged -j veth103i0-OUT
-A PVEFW-FWBR-OUT -m physdev --physdev-in veth103i1 --physdev-is-bridged -j veth103i1-OUT
-A PVEFW-FWBR-OUT -m physdev --physdev-in veth104i0 --physdev-is-bridged -j veth104i0-OUT
-A PVEFW-FWBR-OUT -m physdev --physdev-in veth104i1 --physdev-is-bridged -j veth104i1-OUT
-A PVEFW-FWBR-OUT -m comment --comment "PVESIG:d9b5K/hgSgFRLCIEBww8bfKc+3Q"
-A PVEFW-HOST-IN -i lo -j ACCEPT
-A PVEFW-HOST-IN -m conntrack --ctstate INVALID -j DROP
-A PVEFW-HOST-IN -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A PVEFW-HOST-IN -m conntrack --ctstate INVALID,NEW -j PVEFW-smurfs
-A PVEFW-HOST-IN -p igmp -j RETURN
-A PVEFW-HOST-IN -s 188.xxx.xxx.xxx/32 -i vmbr0 -p icmp -m icmp --icmp-type 8 -j RETURN
-A PVEFW-HOST-IN -i vmbr1 -p tcp -m tcp --dport 443 -j RETURN
-A PVEFW-HOST-IN -i vmbr1 -p tcp -m tcp --dport 80 -j RETURN
-A PVEFW-HOST-IN -i vmbr1 -j GROUP-zabbix-IN
-A PVEFW-HOST-IN -m mark --mark 0x80000000/0x80000000 -j RETURN
-A PVEFW-HOST-IN -i vmbr0 -p tcp -m tcp --dport 443 -j RETURN
-A PVEFW-HOST-IN -i vmbr0 -p tcp -m tcp --dport 80 -j RETURN
-A PVEFW-HOST-IN -p tcp -m set --match-set PVEFW-0-management-v4 src -m tcp --dport 8006 -j RETURN
-A PVEFW-HOST-IN -p tcp -m set --match-set PVEFW-0-management-v4 src -m tcp --dport 5900:5999 -j RETURN
-A PVEFW-HOST-IN -p tcp -m set --match-set PVEFW-0-management-v4 src -m tcp --dport 3128 -j RETURN
-A PVEFW-HOST-IN -p tcp -m set --match-set PVEFW-0-management-v4 src -m tcp --dport 22 -j RETURN
-A PVEFW-HOST-IN -s 188.xxx.xxx.xxx/24 -d 188.xxx.xxx.xxx/24 -p udp -m udp --dport 5404:5405 -j RETURN
-A PVEFW-HOST-IN -s 188.xxx.xxx.xxx/24 -p udp -m addrtype --dst-type MULTICAST -m udp --dport 5404:5405 -j RETURN
-A PVEFW-HOST-IN -j PVEFW-Drop
-A PVEFW-HOST-IN -j DROP
-A PVEFW-HOST-IN -m comment --comment "PVESIG:iI6BK2T3VoaMgX6Lu6zkZ4BaKDw"
-A PVEFW-HOST-OUT -o lo -j ACCEPT
-A PVEFW-HOST-OUT -m conntrack --ctstate INVALID -j DROP
-A PVEFW-HOST-OUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A PVEFW-HOST-OUT -p igmp -j RETURN
-A PVEFW-HOST-OUT -o vmbr1 -j GROUP-zabbix-OUT
-A PVEFW-HOST-OUT -m mark --mark 0x80000000/0x80000000 -j RETURN
-A PVEFW-HOST-OUT -d 188.xxx.xxx.xxx/24 -p tcp -m tcp --dport 8006 -j RETURN
-A PVEFW-HOST-OUT -d 188.xxx.xxx.xxx/24 -p tcp -m tcp --dport 22 -j RETURN
-A PVEFW-HOST-OUT -d 188.xxx.xxx.xxx/24 -p tcp -m tcp --dport 5900:5999 -j RETURN
-A PVEFW-HOST-OUT -d 188.xxx.xxx.xxx/24 -p tcp -m tcp --dport 3128 -j RETURN
-A PVEFW-HOST-OUT -d 188.xxx.xxx.xxx/24 -p udp -m udp --dport 5404:5405 -j RETURN
-A PVEFW-HOST-OUT -p udp -m addrtype --dst-type MULTICAST -m udp --dport 5404:5405 -j RETURN
-A PVEFW-HOST-OUT -j RETURN
-A PVEFW-HOST-OUT -m comment --comment "PVESIG:iRHfXYzcmXM/92SBRe+E6ntTSes"
-A PVEFW-INPUT -j PVEFW-HOST-IN
-A PVEFW-INPUT -m comment --comment "PVESIG:+5iMmLaxKXynOB/+5xibfx7WhFk"
-A PVEFW-OUTPUT -j PVEFW-HOST-OUT
-A PVEFW-OUTPUT -m comment --comment "PVESIG:LjHoZeSSiWAG3+2ZAyL/xuEehd0"
-A PVEFW-Reject -p tcp -m tcp --dport 43 -j PVEFW-reject
-A PVEFW-Reject -j PVEFW-DropBroadcast
-A PVEFW-Reject -p icmp -m icmp --icmp-type 3/4 -j ACCEPT
-A PVEFW-Reject -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A PVEFW-Reject -m conntrack --ctstate INVALID -j DROP
-A PVEFW-Reject -p udp -m multiport --dports 135,445 -j PVEFW-reject
-A PVEFW-Reject -p udp -m udp --dport 137:139 -j PVEFW-reject
-A PVEFW-Reject -p udp -m udp --sport 137 --dport 1024:65535 -j PVEFW-reject
-A PVEFW-Reject -p tcp -m multiport --dports 135,139,445 -j PVEFW-reject
-A PVEFW-Reject -p udp -m udp --dport 1900 -j DROP
-A PVEFW-Reject -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -j DROP
-A PVEFW-Reject -p udp -m udp --sport 53 -j DROP
-A PVEFW-Reject -m comment --comment "PVESIG:3gYHaSHlZx5luiKyM0oCsTVaXi4"
-A PVEFW-SET-ACCEPT-MARK -j MARK --set-xmark 0x80000000/0x80000000
-A PVEFW-SET-ACCEPT-MARK -m comment --comment "PVESIG:K9jRaFw5I2si1xj1eGi18ZF/Ng0"
-A PVEFW-logflags -j DROP
-A PVEFW-logflags -m comment --comment "PVESIG:ewllejV/lK5Rjmt/E3xIODQgfYg"
-A PVEFW-reject -m addrtype --dst-type BROADCAST -j DROP
-A PVEFW-reject -s 224.0.0.0/4 -j DROP
-A PVEFW-reject -p icmp -j DROP
-A PVEFW-reject -p tcp -j REJECT --reject-with tcp-reset
-A PVEFW-reject -p udp -j REJECT --reject-with icmp-port-unreachable
-A PVEFW-reject -p icmp -j REJECT --reject-with icmp-host-unreachable
-A PVEFW-reject -j REJECT --reject-with icmp-host-prohibited
-A PVEFW-reject -m comment --comment "PVESIG:KM/fOv4KvGn8XvMqxoiRCdvlji8"
-A PVEFW-smurflog -j DROP
-A PVEFW-smurflog -m comment --comment "PVESIG:k8rhuGB1IUidugKwAufSGGgKAZ4"
-A PVEFW-smurfs -s 0.0.0.0/32 -j RETURN
-A PVEFW-smurfs -m addrtype --src-type BROADCAST -g PVEFW-smurflog
-A PVEFW-smurfs -s 224.0.0.0/4 -g PVEFW-smurflog
-A PVEFW-smurfs -m comment --comment "PVESIG:HssVe5QCBXd5mc9kC88749+7fag"
-A PVEFW-tcpflags -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -g PVEFW-logflags
-A PVEFW-tcpflags -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -g PVEFW-logflags
-A PVEFW-tcpflags -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -g PVEFW-logflags
-A PVEFW-tcpflags -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -g PVEFW-logflags
-A PVEFW-tcpflags -p tcp -m tcp --sport 0 --tcp-flags FIN,SYN,RST,ACK SYN -g PVEFW-logflags
-A PVEFW-tcpflags -m comment --comment "PVESIG:CMFojwNPqllyqD67NeI5m+bP5mo"
-A veth100i0-IN -p udp -m udp --sport 67 --dport 68 -j ACCEPT
-A veth100i0-IN -p tcp -m tcp --dport 443 -j ACCEPT
-A veth100i0-IN -p tcp -m tcp --dport 80 -j ACCEPT
-A veth100i0-IN -j GROUP-zabbix-IN
-A veth100i0-IN -m mark --mark 0x80000000/0x80000000 -j ACCEPT
-A veth100i0-IN -j PVEFW-Drop
-A veth100i0-IN -j DROP
-A veth100i0-IN -m comment --comment "PVESIG:ASOqGXujD6Y8vAXwUzdma/tRWKE"
-A veth100i0-OUT -p udp -m udp --sport 68 --dport 67 -g PVEFW-SET-ACCEPT-MARK
-A veth100i0-OUT -m mac ! --mac-source 22:C0:CD:68:5D:9F -j DROP
-A veth100i0-OUT -j MARK --set-xmark 0x0/0x80000000
-A veth100i0-OUT -j GROUP-zabbix-OUT
-A veth100i0-OUT -m mark --mark 0x80000000/0x80000000 -j RETURN
-A veth100i0-OUT -g PVEFW-SET-ACCEPT-MARK
-A veth100i0-OUT -m comment --comment "PVESIG:7m08R3wKAQ1dl3Y0L15d2znyCdY"
-A veth100i1-IN -p udp -m udp --sport 67 --dport 68 -j ACCEPT
-A veth100i1-IN -p tcp -m tcp --dport 80 -j ACCEPT
-A veth100i1-IN -p tcp -m tcp --dport 443 -j ACCEPT
-A veth100i1-IN -j PVEFW-Drop
-A veth100i1-IN -j DROP
-A veth100i1-IN -m comment --comment "PVESIG:3ZtEQlaMxV8e6Z6hq77XXIVR8Y4"
-A veth100i1-OUT -p udp -m udp --sport 68 --dport 67 -g PVEFW-SET-ACCEPT-MARK
-A veth100i1-OUT -m mac ! --mac-source 02:00:00:EC:9C:2E -j DROP
-A veth100i1-OUT -j MARK --set-xmark 0x0/0x80000000
-A veth100i1-OUT -g PVEFW-SET-ACCEPT-MARK
-A veth100i1-OUT -m comment --comment "PVESIG:FkZsKWXSyTQaahydx2zy2RBkpbE"
-A veth101i0-IN -p udp -m udp --sport 67 --dport 68 -j ACCEPT
-A veth101i0-IN -j GROUP-zabbix-IN
-A veth101i0-IN -m mark --mark 0x80000000/0x80000000 -j ACCEPT
-A veth101i0-IN -s 192.168.20.100/32 -p tcp -m tcp --dport 80 -j ACCEPT
-A veth101i0-IN -s 192.168.20.100/32 -p tcp -m tcp --dport 3306 -j ACCEPT
-A veth101i0-IN -j PVEFW-Drop
-A veth101i0-IN -j DROP
-A veth101i0-IN -m comment --comment "PVESIG:jzmSxotKUsBoGTT+sYEBhpw7Tg0"
-A veth101i0-OUT -p udp -m udp --sport 68 --dport 67 -g PVEFW-SET-ACCEPT-MARK
-A veth101i0-OUT -m mac ! --mac-source 0E:0B:8C:B6:A9:6A -j DROP
-A veth101i0-OUT -j MARK --set-xmark 0x0/0x80000000
-A veth101i0-OUT -j GROUP-zabbix-OUT
-A veth101i0-OUT -m mark --mark 0x80000000/0x80000000 -j RETURN
-A veth101i0-OUT -g PVEFW-SET-ACCEPT-MARK
-A veth101i0-OUT -m comment --comment "PVESIG:YTEDb7mfiowKU3/HJFIDH7HNAfQ"
-A veth103i0-IN -p udp -m udp --sport 67 --dport 68 -j ACCEPT
-A veth103i0-IN -j PVEFW-Drop
-A veth103i0-IN -j DROP
-A veth103i0-IN -m comment --comment "PVESIG:jgCeZ/JmYaU6/OQTFq7elRlqMhs"
-A veth103i0-OUT -p udp -m udp --sport 68 --dport 67 -g PVEFW-SET-ACCEPT-MARK
-A veth103i0-OUT -m mac ! --mac-source D2:39:D2:CE:8A:2C -j DROP
-A veth103i0-OUT -j MARK --set-xmark 0x0/0x80000000
-A veth103i0-OUT -g PVEFW-SET-ACCEPT-MARK
-A veth103i0-OUT -m comment --comment "PVESIG:KTvhlF3cwzxbR/+gJDIuofYmvBM"
-A veth103i1-IN -p udp -m udp --sport 67 --dport 68 -j ACCEPT
-A veth103i1-IN -p tcp -m tcp --dport 443 -j ACCEPT
-A veth103i1-IN -p tcp -m tcp --dport 80 -j ACCEPT
-A veth103i1-IN -j PVEFW-Drop
-A veth103i1-IN -j DROP
-A veth103i1-IN -m comment --comment "PVESIG:UAt1eaPdancchfLk3v4uwPk5A7I"
-A veth103i1-OUT -p udp -m udp --sport 68 --dport 67 -g PVEFW-SET-ACCEPT-MARK
-A veth103i1-OUT -m mac ! --mac-source 02:00:00:E1:F9:0F -j DROP
-A veth103i1-OUT -j MARK --set-xmark 0x0/0x80000000
-A veth103i1-OUT -g PVEFW-SET-ACCEPT-MARK
-A veth103i1-OUT -m comment --comment "PVESIG:T5SgT4X7Ll+KPKTOPWONgj7F764"
-A veth104i0-IN -p udp -m udp --sport 67 --dport 68 -j ACCEPT
-A veth104i0-IN -s 192.168.20.103/32 -p tcp -m tcp --dport 443 -j ACCEPT
-A veth104i0-IN -s 192.168.20.103/32 -p tcp -m tcp --dport 80 -j ACCEPT
-A veth104i0-IN -j GROUP-zabbix-IN
-A veth104i0-IN -m mark --mark 0x80000000/0x80000000 -j ACCEPT
-A veth104i0-IN -j PVEFW-Drop
-A veth104i0-IN -j DROP
-A veth104i0-IN -m comment --comment "PVESIG:rh95NSlmdRXtN2PL1JGtA8Rnz80"
-A veth104i0-OUT -p udp -m udp --sport 68 --dport 67 -g PVEFW-SET-ACCEPT-MARK
-A veth104i0-OUT -m mac ! --mac-source 72:F7:F8:AE:C2:6A -j DROP
-A veth104i0-OUT -j MARK --set-xmark 0x0/0x80000000
-A veth104i0-OUT -j GROUP-zabbix-OUT
-A veth104i0-OUT -m mark --mark 0x80000000/0x80000000 -j RETURN
-A veth104i0-OUT -g PVEFW-SET-ACCEPT-MARK
-A veth104i0-OUT -m comment --comment "PVESIG:8GgzKRh3mTanGoMwvTvRA8WFm2M"
-A veth104i1-IN -p udp -m udp --sport 67 --dport 68 -j ACCEPT
-A veth104i1-IN -p tcp -m tcp --dport 443 -j ACCEPT
-A veth104i1-IN -p tcp -m tcp --dport 80 -j ACCEPT
-A veth104i1-IN -j PVEFW-Drop
-A veth104i1-IN -j DROP
-A veth104i1-IN -m comment --comment "PVESIG:W+agtDYo7ik4/5UqvJoW50fyKoQ"
-A veth104i1-OUT -p udp -m udp --sport 68 --dport 67 -g PVEFW-SET-ACCEPT-MARK
-A veth104i1-OUT -m mac ! --mac-source 02:00:00:FC:F4:44 -j DROP
-A veth104i1-OUT -j MARK --set-xmark 0x0/0x80000000
-A veth104i1-OUT -g PVEFW-SET-ACCEPT-MARK
-A veth104i1-OUT -m comment --comment "PVESIG:NAVtuHVIoMZpkvtS7lD7iiGmDtM"
COMMIT
# Completed on Fri Feb 24 11:06:21 2017
# Generated by iptables-save v1.4.21 on Fri Feb 24 11:06:21 2017
*nat
:PREROUTING ACCEPT [1002324:40734578]
:INPUT ACCEPT [65004:4044450]
:OUTPUT ACCEPT [197131:22137064]
:POSTROUTING ACCEPT [968914:53156650]
-A POSTROUTING -s 192.168.20.0/24 -o vmbr0 -j MASQUERADE
COMMIT
# Completed on Fri Feb 24 11:06:21 2017

Richard · Feb 27, 2017

And which one is the container (and its interface) you wrote about?

redjohn · Feb 27, 2017

Richard said:
And which one is the container (and its interface) you wrote about?

Hi,
i wrote about container 101 with ip-adress 192.168.20.101 and mac address 0E:0B:8C:B6:A9:6A.

Richard · Feb 27, 2017

First idea:

we see

Code:

-A veth101i0-IN -s 192.168.20.100/32 -p tcp -m tcp --dport 80 -j ACCEPT

But according to your recent post container 101 has the IP 192.168.20.101

redjohn · Feb 27, 2017

Richard said:
First idea:

we see

Code:

-A veth101i0-IN -s 192.168.20.100/32 -p tcp -m tcp --dport 80 -j ACCEPT

But according to your recent post container 101 has the IP 192.168.20.101

I i added this rule to iptables. but if i enable the firewall on the container under the network card i have no internet connection...

any idea?

Richard · Feb 27, 2017

Trace the incoming packets from the container and consider which ones are possibly blocked by firewall:

Code:

tcpdump -e -n -i veth101i0

redjohn · Feb 27, 2017

Richard said:
Trace the incoming packets from the container and consider which ones are possibly blocked by firewall:

Code:

tcpdump -e -n -i veth101i0

Hi,

I dump it here is the output from ping google.de

Code:

19:43:06.720990 0e:0b:8c:b6:a9:6a > d6:71:b2:9a:38:6a, ethertype IPv4 (0x0800), length 69: 192.168.20.101.39969 > 213.186.33.99.53: 60742+ A? google.de. (27)
19:43:15.510546 0e:0b:8c:b6:a9:6a > d6:71:b2:9a:38:6a, ethertype IPv4 (0x0800), length 69: 192.168.20.101.46376 > 213.186.33.99.53: 25214+ A? google.de. (27)
19:43:30.984677 0e:0b:8c:b6:a9:6a > d6:71:b2:9a:38:6a, ethertype IPv4 (0x0800), length 69: 192.168.20.101.40126 > 213.186.33.99.53: 64333+ A? google.de. (27)
19:43:33.797034 0e:0b:8c:b6:a9:6a > d6:71:b2:9a:38:6a, ethertype IPv4 (0x0800), length 69: 192.168.20.101.54752 > 213.186.33.99.53: 28834+ A? google.de. (27)

Any idea what i can do? i have only one container with no public ip-adress. this container use my proxmox host as gateway for internet access. but if i enable the firewall on the containers network card, i have no connection to the internet. i can not also ping the proxmox host.

please help

t_b · Mar 7, 2017

@OliverB see: https://forum.proxmox.com/threads/no-connection-to-the-internet-from-container.33401/#post-164030

Richard · Mar 8, 2017

OliverB said:
Hi,

I dump it here is the output from ping google.de

Code:

19:43:06.720990 0e:0b:8c:b6:a9:6a > d6:71:b2:9a:38:6a, ethertype IPv4 (0x0800), length 69: 192.168.20.101.39969 > 213.186.33.99.53: 60742+ A? google.de. (27) 19:43:15.510546 0e:0b:8c:b6:a9:6a > d6:71:b2:9a:38:6a, ethertype IPv4 (0x0800), length 69: 192.168.20.101.46376 > 213.186.33.99.53: 25214+ A? google.de. (27) 19:43:30.984677 0e:0b:8c:b6:a9:6a > d6:71:b2:9a:38:6a, ethertype IPv4 (0x0800), length 69: 192.168.20.101.40126 > 213.186.33.99.53: 64333+ A? google.de. (27) 19:43:33.797034 0e:0b:8c:b6:a9:6a > d6:71:b2:9a:38:6a, ethertype IPv4 (0x0800), length 69: 192.168.20.101.54752 > 213.186.33.99.53: 28834+ A? google.de. (27)

Any idea what i can do? i have only one container with no public ip-adress. this container use my proxmox host as gateway for internet access. but if i enable the firewall on the containers network card, i have no connection to the internet. i can not also ping the proxmox host.

please help

Not quite clear, in the first post is written "...use the proxmox host for dns resolv ...." - but the above trace shows rather an attempt to contact directly a dns in the internet. Or did you mean: the container contacts the internet via Proxmox VE as a NAT router?

Would be easier if you post the whole /etc/network/interfaces as well as the container conf file.

However: important to know that for firewalling of VM and CT ports additional bridges are created; to combine these bridges with NAT is not supported by LINUX. A possible workaround is to use for NAT an extra container.

t_b · Mar 8, 2017

@Richard Since i have the same issues it sould nearly the same like in @OliverB's case:

/etc/network/interfaces (CT)

Code:

auto lo
iface lo inet loopback

auto eth0
iface eth0 inet static
        address 10.10.10.2
        netmask 255.255.255.0
        gateway 10.10.10.1

/etc/resolv.conf (CT)

Code:

# --- BEGIN PVE ---
search domain.tld
nameserver 80.237.x.y
nameserver 80.237.x.z
# --- END PVE ---

For sure i've tested to use 10.10.10.1 as nameserver.

The host-configuration is now exactly like in the wiki (real ip changed of corse).

redjohn · Mar 8, 2017

Richard said:
Not quite clear, in the first post is written "...use the proxmox host for dns resolv ...." - but the above trace shows rather an attempt to contact directly a dns in the internet. Or did you mean: the container contacts the internet via Proxmox VE as a NAT router?

Would be easier if you post the whole /etc/network/interfaces as well as the container conf file.

However: important to know that for firewalling of VM and CT ports additional bridges are created; to combine these bridges with NAT is not supported by LINUX. A possible workaround is to use for NAT an extra container.

Hi,

I have configure the proxmox host for NAT https://pve.proxmox.com/wiki/Network_Model#Masquerading_.28NAT.29_with_iptables. The Proxmox Host is configure for NAT. the container use the Proxmox Host for NAT.

Any ideda?

Richard · Mar 9, 2017

OliverB said:
I have configure the proxmox host for NAT https://pve.proxmox.com/wiki/Network_Model#Masquerading_.28NAT.29_with_iptables.

Yes, but as mentioned: combine firewall for VMs and Containers with NAT does not work - the reason I explained in my previous post (additional bridge between VM's respectively container's NIC and the Proxmox "vmbr..." bridges) - move the NAT function into a VM or container.

Search

Search

proxmox firewall problem container bridges

redjohn

Renowned Member

Attachments

Richard

Renowned Member

redjohn

Renowned Member

Richard

Renowned Member

redjohn

Renowned Member

Richard

Renowned Member

redjohn

Renowned Member

Richard

Renowned Member

redjohn

Renowned Member

t_b

New Member

Richard

Renowned Member

t_b

New Member

redjohn

Renowned Member

Richard

Renowned Member