proxmox firewall problem container bridges

OliverB

Active Member
Apr 22, 2016
105
3
38
25
Hello everyone,

I have a problem with the Proxmox firewall. I have activated it on the Proxmox host and on all containers. All works fine. One container has no public IP address and uses the Proxmox host for DNS resolution (internet access). If I activate the Proxmox firewall on the container I can't connect to the internet or ping the Proxmox host.

If I disable the firewall on the network card of the container I have access, but if I enable the firewall on the network card of the container I have no access to the internet and can't ping anything.

Does anybody have an idea or a solution? That would be very, very nice!

My config on the Proxmox host:

Code:
auto vmbr1
iface vmbr1 inet static
        address  192.168.30.254
        netmask  255.255.255.0
        bridge_ports none
        bridge_stp off
        bridge_fd 0
        post-up echo 1 > /proc/sys/net/ipv4/ip_forward
        post-up iptables -t nat -A POSTROUTING -s '192.168.30.0/24' -o vmbr0 -j MASQUERADE
        post-down iptables -t nat -D POSTROUTING -s '192.168.30.0/24' -o vmbr0 -j MASQUERADE
 

Attachments: fw.png (6.8 KB)

Richard

Proxmox Staff Member
Staff member
Mar 6, 2015
886
41
48
Austria
Hello everyone,

I have a problem with the Proxmox firewall. I have activated it on the Proxmox host and on all containers. All works fine. One container has no public IP address and uses the Proxmox host for DNS resolution (internet access). If I activate the Proxmox firewall on the container I can't connect to the internet or ping the Proxmox host.

As soon as you activate the firewall, the host is also firewalled (no incoming connections allowed), so you have to allow DNS queries to it.

For details have a look with

Code:
iptables-save
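As an added illustration of Richard's advice (this is not part of his post or of any Proxmox documentation): a host-level rule in the Proxmox firewall's own rule syntax that admits DNS queries from the container subnet to the host. It assumes the container bridge vmbr1 and the subnet 192.168.30.0/24 from the interfaces file above, that the host answers DNS on port 53, and the node-level rule file /etc/pve/nodes/<nodename>/host.fw, where <nodename> is a placeholder for the real node name.

```ini
# /etc/pve/nodes/<nodename>/host.fw   (<nodename> is a placeholder)
[OPTIONS]
enable: 1

[RULES]
# Let containers on vmbr1 reach the host's resolver, UDP and TCP, port 53 only.
# Assumed subnet 192.168.30.0/24 and bridge vmbr1 come from the interfaces file posted above.
IN ACCEPT -i vmbr1 -source 192.168.30.0/24 -p udp -dport 53
IN ACCEPT -i vmbr1 -source 192.168.30.0/24 -p tcp -dport 53
```

After the rules are active, `iptables-save` on the host should show them in the PVEFW-HOST-IN chain as `-i vmbr1 -s 192.168.30.0/24 -p udp ... --dport 53 -j RETURN`, next to the existing port 80/443 entries; if they are absent, the rule file was not picked up.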
 

OliverB

Active Member
Apr 22, 2016
105
3
38
25
As soon as you activate the firewall, the host is also firewalled (no incoming connections allowed), so you have to allow DNS queries to it.

For details have a look with

Code:
iptables-save

Hi Richard,

I enabled DNS in the container's firewall but have no internet connection. Any idea? Here is the iptables-save output of my Proxmox host:

Code:
# Generated by iptables-save v1.4.21 on Fri Feb 24 11:06:21 2017
*mangle
:PREROUTING ACCEPT [1598458:788253287]
:INPUT ACCEPT [730455:106125517]
:FORWARD ACCEPT [953543:686415966]
:OUTPUT ACCEPT [681854:2772537356]
:POSTROUTING ACCEPT [1487756:3451968711]
COMMIT
# Completed on Fri Feb 24 11:06:21 2017
# Generated by iptables-save v1.4.21 on Fri Feb 24 11:06:21 2017
*filter
:INPUT ACCEPT [56:3476]
:FORWARD ACCEPT [1391:71134]
:OUTPUT ACCEPT [109:13813]
:GROUP-zabbix-IN - [0:0]
:GROUP-zabbix-OUT - [0:0]
:PVEFW-Drop - [0:0]
:PVEFW-DropBroadcast - [0:0]
:PVEFW-FORWARD - [0:0]
:PVEFW-FWBR-IN - [0:0]
:PVEFW-FWBR-OUT - [0:0]
:PVEFW-HOST-IN - [0:0]
:PVEFW-HOST-OUT - [0:0]
:PVEFW-INPUT - [0:0]
:PVEFW-OUTPUT - [0:0]
:PVEFW-Reject - [0:0]
:PVEFW-SET-ACCEPT-MARK - [0:0]
:PVEFW-logflags - [0:0]
:PVEFW-reject - [0:0]
:PVEFW-smurflog - [0:0]
:PVEFW-smurfs - [0:0]
:PVEFW-tcpflags - [0:0]
:veth100i0-IN - [0:0]
:veth100i0-OUT - [0:0]
:veth100i1-IN - [0:0]
:veth100i1-OUT - [0:0]
:veth101i0-IN - [0:0]
:veth101i0-OUT - [0:0]
:veth103i0-IN - [0:0]
:veth103i0-OUT - [0:0]
:veth103i1-IN - [0:0]
:veth103i1-OUT - [0:0]
:veth104i0-IN - [0:0]
:veth104i0-OUT - [0:0]
:veth104i1-IN - [0:0]
:veth104i1-OUT - [0:0]
-A INPUT -j PVEFW-INPUT
-A FORWARD -j PVEFW-FORWARD
-A OUTPUT -j PVEFW-OUTPUT
-A GROUP-zabbix-IN -j MARK --set-xmark 0x0/0x80000000
-A GROUP-zabbix-IN -s 192.168.20.103/32 -p tcp -m tcp --dport 10050 -g PVEFW-SET-ACCEPT-MARK
-A GROUP-zabbix-IN -m comment --comment "PVESIG:MEDLxSdiZCU+dou/1h5hA9w2rCA"
-A GROUP-zabbix-OUT -j MARK --set-xmark 0x0/0x80000000
-A GROUP-zabbix-OUT -m comment --comment "PVESIG:p/p77dzU6ri8kbYsIOAe4Di15EU"
-A PVEFW-Drop -p tcp -m tcp --dport 43 -j PVEFW-reject
-A PVEFW-Drop -j PVEFW-DropBroadcast
-A PVEFW-Drop -p icmp -m icmp --icmp-type 3/4 -j ACCEPT
-A PVEFW-Drop -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A PVEFW-Drop -m conntrack --ctstate INVALID -j DROP
-A PVEFW-Drop -p udp -m multiport --dports 135,445 -j DROP
-A PVEFW-Drop -p udp -m udp --dport 137:139 -j DROP
-A PVEFW-Drop -p udp -m udp --sport 137 --dport 1024:65535 -j DROP
-A PVEFW-Drop -p tcp -m multiport --dports 135,139,445 -j DROP
-A PVEFW-Drop -p udp -m udp --dport 1900 -j DROP
-A PVEFW-Drop -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -j DROP
-A PVEFW-Drop -p udp -m udp --sport 53 -j DROP
-A PVEFW-Drop -m comment --comment "PVESIG:zfGV4KTPaxGVOCwRUVqqqbR0IhM"
-A PVEFW-DropBroadcast -m addrtype --dst-type BROADCAST -j DROP
-A PVEFW-DropBroadcast -m addrtype --dst-type MULTICAST -j DROP
-A PVEFW-DropBroadcast -m addrtype --dst-type ANYCAST -j DROP
-A PVEFW-DropBroadcast -d 224.0.0.0/4 -j DROP
-A PVEFW-DropBroadcast -m comment --comment "PVESIG:NyjHNAtFbkH7WGLamPpdVnxHy4w"
-A PVEFW-FORWARD -m conntrack --ctstate INVALID -j DROP
-A PVEFW-FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A PVEFW-FORWARD -m physdev --physdev-in fwln+ --physdev-is-bridged -j PVEFW-FWBR-IN
-A PVEFW-FORWARD -m physdev --physdev-out fwln+ --physdev-is-bridged -j PVEFW-FWBR-OUT
-A PVEFW-FORWARD -m comment --comment "PVESIG:qnNexOcGa+y+jebd4dAUqFSp5nw"
-A PVEFW-FWBR-IN -m conntrack --ctstate INVALID,NEW -j PVEFW-smurfs
-A PVEFW-FWBR-IN -m physdev --physdev-out veth100i0 --physdev-is-bridged -j veth100i0-IN
-A PVEFW-FWBR-IN -m physdev --physdev-out veth100i1 --physdev-is-bridged -j veth100i1-IN
-A PVEFW-FWBR-IN -m physdev --physdev-out veth101i0 --physdev-is-bridged -j veth101i0-IN
-A PVEFW-FWBR-IN -m physdev --physdev-out veth103i0 --physdev-is-bridged -j veth103i0-IN
-A PVEFW-FWBR-IN -m physdev --physdev-out veth103i1 --physdev-is-bridged -j veth103i1-IN
-A PVEFW-FWBR-IN -m physdev --physdev-out veth104i0 --physdev-is-bridged -j veth104i0-IN
-A PVEFW-FWBR-IN -m physdev --physdev-out veth104i1 --physdev-is-bridged -j veth104i1-IN
-A PVEFW-FWBR-IN -m comment --comment "PVESIG:HZNxylPsy1GTTlHYVyN6tdqmHxM"
-A PVEFW-FWBR-OUT -m physdev --physdev-in veth100i0 --physdev-is-bridged -j veth100i0-OUT
-A PVEFW-FWBR-OUT -m physdev --physdev-in veth100i1 --physdev-is-bridged -j veth100i1-OUT
-A PVEFW-FWBR-OUT -m physdev --physdev-in veth101i0 --physdev-is-bridged -j veth101i0-OUT
-A PVEFW-FWBR-OUT -m physdev --physdev-in veth103i0 --physdev-is-bridged -j veth103i0-OUT
-A PVEFW-FWBR-OUT -m physdev --physdev-in veth103i1 --physdev-is-bridged -j veth103i1-OUT
-A PVEFW-FWBR-OUT -m physdev --physdev-in veth104i0 --physdev-is-bridged -j veth104i0-OUT
-A PVEFW-FWBR-OUT -m physdev --physdev-in veth104i1 --physdev-is-bridged -j veth104i1-OUT
-A PVEFW-FWBR-OUT -m comment --comment "PVESIG:d9b5K/hgSgFRLCIEBww8bfKc+3Q"
-A PVEFW-HOST-IN -i lo -j ACCEPT
-A PVEFW-HOST-IN -m conntrack --ctstate INVALID -j DROP
-A PVEFW-HOST-IN -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A PVEFW-HOST-IN -m conntrack --ctstate INVALID,NEW -j PVEFW-smurfs
-A PVEFW-HOST-IN -p igmp -j RETURN
-A PVEFW-HOST-IN -s 188.xxx.xxx.xxx/32 -i vmbr0 -p icmp -m icmp --icmp-type 8 -j RETURN
-A PVEFW-HOST-IN -i vmbr1 -p tcp -m tcp --dport 443 -j RETURN
-A PVEFW-HOST-IN -i vmbr1 -p tcp -m tcp --dport 80 -j RETURN
-A PVEFW-HOST-IN -i vmbr1 -j GROUP-zabbix-IN
-A PVEFW-HOST-IN -m mark --mark 0x80000000/0x80000000 -j RETURN
-A PVEFW-HOST-IN -i vmbr0 -p tcp -m tcp --dport 443 -j RETURN
-A PVEFW-HOST-IN -i vmbr0 -p tcp -m tcp --dport 80 -j RETURN
-A PVEFW-HOST-IN -p tcp -m set --match-set PVEFW-0-management-v4 src -m tcp --dport 8006 -j RETURN
-A PVEFW-HOST-IN -p tcp -m set --match-set PVEFW-0-management-v4 src -m tcp --dport 5900:5999 -j RETURN
-A PVEFW-HOST-IN -p tcp -m set --match-set PVEFW-0-management-v4 src -m tcp --dport 3128 -j RETURN
-A PVEFW-HOST-IN -p tcp -m set --match-set PVEFW-0-management-v4 src -m tcp --dport 22 -j RETURN
-A PVEFW-HOST-IN -s 188.xxx.xxx.xxx/24 -d 188.xxx.xxx.xxx/24 -p udp -m udp --dport 5404:5405 -j RETURN
-A PVEFW-HOST-IN -s 188.xxx.xxx.xxx/24 -p udp -m addrtype --dst-type MULTICAST -m udp --dport 5404:5405 -j RETURN
-A PVEFW-HOST-IN -j PVEFW-Drop
-A PVEFW-HOST-IN -j DROP
-A PVEFW-HOST-IN -m comment --comment "PVESIG:iI6BK2T3VoaMgX6Lu6zkZ4BaKDw"
-A PVEFW-HOST-OUT -o lo -j ACCEPT
-A PVEFW-HOST-OUT -m conntrack --ctstate INVALID -j DROP
-A PVEFW-HOST-OUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A PVEFW-HOST-OUT -p igmp -j RETURN
-A PVEFW-HOST-OUT -o vmbr1 -j GROUP-zabbix-OUT
-A PVEFW-HOST-OUT -m mark --mark 0x80000000/0x80000000 -j RETURN
-A PVEFW-HOST-OUT -d 188.xxx.xxx.xxx/24 -p tcp -m tcp --dport 8006 -j RETURN
-A PVEFW-HOST-OUT -d 188.xxx.xxx.xxx/24 -p tcp -m tcp --dport 22 -j RETURN
-A PVEFW-HOST-OUT -d 188.xxx.xxx.xxx/24 -p tcp -m tcp --dport 5900:5999 -j RETURN
-A PVEFW-HOST-OUT -d 188.xxx.xxx.xxx/24 -p tcp -m tcp --dport 3128 -j RETURN
-A PVEFW-HOST-OUT -d 188.xxx.xxx.xxx/24 -p udp -m udp --dport 5404:5405 -j RETURN
-A PVEFW-HOST-OUT -p udp -m addrtype --dst-type MULTICAST -m udp --dport 5404:5405 -j RETURN
-A PVEFW-HOST-OUT -j RETURN
-A PVEFW-HOST-OUT -m comment --comment "PVESIG:iRHfXYzcmXM/92SBRe+E6ntTSes"
-A PVEFW-INPUT -j PVEFW-HOST-IN
-A PVEFW-INPUT -m comment --comment "PVESIG:+5iMmLaxKXynOB/+5xibfx7WhFk"
-A PVEFW-OUTPUT -j PVEFW-HOST-OUT
-A PVEFW-OUTPUT -m comment --comment "PVESIG:LjHoZeSSiWAG3+2ZAyL/xuEehd0"
-A PVEFW-Reject -p tcp -m tcp --dport 43 -j PVEFW-reject
-A PVEFW-Reject -j PVEFW-DropBroadcast
-A PVEFW-Reject -p icmp -m icmp --icmp-type 3/4 -j ACCEPT
-A PVEFW-Reject -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A PVEFW-Reject -m conntrack --ctstate INVALID -j DROP
-A PVEFW-Reject -p udp -m multiport --dports 135,445 -j PVEFW-reject
-A PVEFW-Reject -p udp -m udp --dport 137:139 -j PVEFW-reject
-A PVEFW-Reject -p udp -m udp --sport 137 --dport 1024:65535 -j PVEFW-reject
-A PVEFW-Reject -p tcp -m multiport --dports 135,139,445 -j PVEFW-reject
-A PVEFW-Reject -p udp -m udp --dport 1900 -j DROP
-A PVEFW-Reject -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -j DROP
-A PVEFW-Reject -p udp -m udp --sport 53 -j DROP
-A PVEFW-Reject -m comment --comment "PVESIG:3gYHaSHlZx5luiKyM0oCsTVaXi4"
-A PVEFW-SET-ACCEPT-MARK -j MARK --set-xmark 0x80000000/0x80000000
-A PVEFW-SET-ACCEPT-MARK -m comment --comment "PVESIG:K9jRaFw5I2si1xj1eGi18ZF/Ng0"
-A PVEFW-logflags -j DROP
-A PVEFW-logflags -m comment --comment "PVESIG:ewllejV/lK5Rjmt/E3xIODQgfYg"
-A PVEFW-reject -m addrtype --dst-type BROADCAST -j DROP
-A PVEFW-reject -s 224.0.0.0/4 -j DROP
-A PVEFW-reject -p icmp -j DROP
-A PVEFW-reject -p tcp -j REJECT --reject-with tcp-reset
-A PVEFW-reject -p udp -j REJECT --reject-with icmp-port-unreachable
-A PVEFW-reject -p icmp -j REJECT --reject-with icmp-host-unreachable
-A PVEFW-reject -j REJECT --reject-with icmp-host-prohibited
-A PVEFW-reject -m comment --comment "PVESIG:KM/fOv4KvGn8XvMqxoiRCdvlji8"
-A PVEFW-smurflog -j DROP
-A PVEFW-smurflog -m comment --comment "PVESIG:k8rhuGB1IUidugKwAufSGGgKAZ4"
-A PVEFW-smurfs -s 0.0.0.0/32 -j RETURN
-A PVEFW-smurfs -m addrtype --src-type BROADCAST -g PVEFW-smurflog
-A PVEFW-smurfs -s 224.0.0.0/4 -g PVEFW-smurflog
-A PVEFW-smurfs -m comment --comment "PVESIG:HssVe5QCBXd5mc9kC88749+7fag"
-A PVEFW-tcpflags -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -g PVEFW-logflags
-A PVEFW-tcpflags -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -g PVEFW-logflags
-A PVEFW-tcpflags -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -g PVEFW-logflags
-A PVEFW-tcpflags -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -g PVEFW-logflags
-A PVEFW-tcpflags -p tcp -m tcp --sport 0 --tcp-flags FIN,SYN,RST,ACK SYN -g PVEFW-logflags
-A PVEFW-tcpflags -m comment --comment "PVESIG:CMFojwNPqllyqD67NeI5m+bP5mo"
-A veth100i0-IN -p udp -m udp --sport 67 --dport 68 -j ACCEPT
-A veth100i0-IN -p tcp -m tcp --dport 443 -j ACCEPT
-A veth100i0-IN -p tcp -m tcp --dport 80 -j ACCEPT
-A veth100i0-IN -j GROUP-zabbix-IN
-A veth100i0-IN -m mark --mark 0x80000000/0x80000000 -j ACCEPT
-A veth100i0-IN -j PVEFW-Drop
-A veth100i0-IN -j DROP
-A veth100i0-IN -m comment --comment "PVESIG:ASOqGXujD6Y8vAXwUzdma/tRWKE"
-A veth100i0-OUT -p udp -m udp --sport 68 --dport 67 -g PVEFW-SET-ACCEPT-MARK
-A veth100i0-OUT -m mac ! --mac-source 22:C0:CD:68:5D:9F -j DROP
-A veth100i0-OUT -j MARK --set-xmark 0x0/0x80000000
-A veth100i0-OUT -j GROUP-zabbix-OUT
-A veth100i0-OUT -m mark --mark 0x80000000/0x80000000 -j RETURN
-A veth100i0-OUT -g PVEFW-SET-ACCEPT-MARK
-A veth100i0-OUT -m comment --comment "PVESIG:7m08R3wKAQ1dl3Y0L15d2znyCdY"
-A veth100i1-IN -p udp -m udp --sport 67 --dport 68 -j ACCEPT
-A veth100i1-IN -p tcp -m tcp --dport 80 -j ACCEPT
-A veth100i1-IN -p tcp -m tcp --dport 443 -j ACCEPT
-A veth100i1-IN -j PVEFW-Drop
-A veth100i1-IN -j DROP
-A veth100i1-IN -m comment --comment "PVESIG:3ZtEQlaMxV8e6Z6hq77XXIVR8Y4"
-A veth100i1-OUT -p udp -m udp --sport 68 --dport 67 -g PVEFW-SET-ACCEPT-MARK
-A veth100i1-OUT -m mac ! --mac-source 02:00:00:EC:9C:2E -j DROP
-A veth100i1-OUT -j MARK --set-xmark 0x0/0x80000000
-A veth100i1-OUT -g PVEFW-SET-ACCEPT-MARK
-A veth100i1-OUT -m comment --comment "PVESIG:FkZsKWXSyTQaahydx2zy2RBkpbE"
-A veth101i0-IN -p udp -m udp --sport 67 --dport 68 -j ACCEPT
-A veth101i0-IN -j GROUP-zabbix-IN
-A veth101i0-IN -m mark --mark 0x80000000/0x80000000 -j ACCEPT
-A veth101i0-IN -s 192.168.20.100/32 -p tcp -m tcp --dport 80 -j ACCEPT
-A veth101i0-IN -s 192.168.20.100/32 -p tcp -m tcp --dport 3306 -j ACCEPT
-A veth101i0-IN -j PVEFW-Drop
-A veth101i0-IN -j DROP
-A veth101i0-IN -m comment --comment "PVESIG:jzmSxotKUsBoGTT+sYEBhpw7Tg0"
-A veth101i0-OUT -p udp -m udp --sport 68 --dport 67 -g PVEFW-SET-ACCEPT-MARK
-A veth101i0-OUT -m mac ! --mac-source 0E:0B:8C:B6:A9:6A -j DROP
-A veth101i0-OUT -j MARK --set-xmark 0x0/0x80000000
-A veth101i0-OUT -j GROUP-zabbix-OUT
-A veth101i0-OUT -m mark --mark 0x80000000/0x80000000 -j RETURN
-A veth101i0-OUT -g PVEFW-SET-ACCEPT-MARK
-A veth101i0-OUT -m comment --comment "PVESIG:YTEDb7mfiowKU3/HJFIDH7HNAfQ"
-A veth103i0-IN -p udp -m udp --sport 67 --dport 68 -j ACCEPT
-A veth103i0-IN -j PVEFW-Drop
-A veth103i0-IN -j DROP
-A veth103i0-IN -m comment --comment "PVESIG:jgCeZ/JmYaU6/OQTFq7elRlqMhs"
-A veth103i0-OUT -p udp -m udp --sport 68 --dport 67 -g PVEFW-SET-ACCEPT-MARK
-A veth103i0-OUT -m mac ! --mac-source D2:39:D2:CE:8A:2C -j DROP
-A veth103i0-OUT -j MARK --set-xmark 0x0/0x80000000
-A veth103i0-OUT -g PVEFW-SET-ACCEPT-MARK
-A veth103i0-OUT -m comment --comment "PVESIG:KTvhlF3cwzxbR/+gJDIuofYmvBM"
-A veth103i1-IN -p udp -m udp --sport 67 --dport 68 -j ACCEPT
-A veth103i1-IN -p tcp -m tcp --dport 443 -j ACCEPT
-A veth103i1-IN -p tcp -m tcp --dport 80 -j ACCEPT
-A veth103i1-IN -j PVEFW-Drop
-A veth103i1-IN -j DROP
-A veth103i1-IN -m comment --comment "PVESIG:UAt1eaPdancchfLk3v4uwPk5A7I"
-A veth103i1-OUT -p udp -m udp --sport 68 --dport 67 -g PVEFW-SET-ACCEPT-MARK
-A veth103i1-OUT -m mac ! --mac-source 02:00:00:E1:F9:0F -j DROP
-A veth103i1-OUT -j MARK --set-xmark 0x0/0x80000000
-A veth103i1-OUT -g PVEFW-SET-ACCEPT-MARK
-A veth103i1-OUT -m comment --comment "PVESIG:T5SgT4X7Ll+KPKTOPWONgj7F764"
-A veth104i0-IN -p udp -m udp --sport 67 --dport 68 -j ACCEPT
-A veth104i0-IN -s 192.168.20.103/32 -p tcp -m tcp --dport 443 -j ACCEPT
-A veth104i0-IN -s 192.168.20.103/32 -p tcp -m tcp --dport 80 -j ACCEPT
-A veth104i0-IN -j GROUP-zabbix-IN
-A veth104i0-IN -m mark --mark 0x80000000/0x80000000 -j ACCEPT
-A veth104i0-IN -j PVEFW-Drop
-A veth104i0-IN -j DROP
-A veth104i0-IN -m comment --comment "PVESIG:rh95NSlmdRXtN2PL1JGtA8Rnz80"
-A veth104i0-OUT -p udp -m udp --sport 68 --dport 67 -g PVEFW-SET-ACCEPT-MARK
-A veth104i0-OUT -m mac ! --mac-source 72:F7:F8:AE:C2:6A -j DROP
-A veth104i0-OUT -j MARK --set-xmark 0x0/0x80000000
-A veth104i0-OUT -j GROUP-zabbix-OUT
-A veth104i0-OUT -m mark --mark 0x80000000/0x80000000 -j RETURN
-A veth104i0-OUT -g PVEFW-SET-ACCEPT-MARK
-A veth104i0-OUT -m comment --comment "PVESIG:8GgzKRh3mTanGoMwvTvRA8WFm2M"
-A veth104i1-IN -p udp -m udp --sport 67 --dport 68 -j ACCEPT
-A veth104i1-IN -p tcp -m tcp --dport 443 -j ACCEPT
-A veth104i1-IN -p tcp -m tcp --dport 80 -j ACCEPT
-A veth104i1-IN -j PVEFW-Drop
-A veth104i1-IN -j DROP
-A veth104i1-IN -m comment --comment "PVESIG:W+agtDYo7ik4/5UqvJoW50fyKoQ"
-A veth104i1-OUT -p udp -m udp --sport 68 --dport 67 -g PVEFW-SET-ACCEPT-MARK
-A veth104i1-OUT -m mac ! --mac-source 02:00:00:FC:F4:44 -j DROP
-A veth104i1-OUT -j MARK --set-xmark 0x0/0x80000000
-A veth104i1-OUT -g PVEFW-SET-ACCEPT-MARK
-A veth104i1-OUT -m comment --comment "PVESIG:NAVtuHVIoMZpkvtS7lD7iiGmDtM"
COMMIT
# Completed on Fri Feb 24 11:06:21 2017
# Generated by iptables-save v1.4.21 on Fri Feb 24 11:06:21 2017
*nat
:PREROUTING ACCEPT [1002324:40734578]
:INPUT ACCEPT [65004:4044450]
:OUTPUT ACCEPT [197131:22137064]
:POSTROUTING ACCEPT [968914:53156650]
-A POSTROUTING -s 192.168.20.0/24 -o vmbr0 -j MASQUERADE
COMMIT
# Completed on Fri Feb 24 11:06:21 2017
 

Richard

Proxmox Staff Member
Staff member
Mar 6, 2015
886
41
48
Austria
And which one is the container (and its interface) you wrote about?
 

Richard

Proxmox Staff Member
Staff member
Mar 6, 2015
886
41
48
Austria
First idea:

we see

Code:
-A veth101i0-IN -s 192.168.20.100/32 -p tcp -m tcp --dport 80 -j ACCEPT


But according to your recent post container 101 has the IP 192.168.20.101
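Richard's check (does the source address in the container's -IN rule match an address that actually exists on the bridge?) can be done mechanically on the iptables-save dump. The following is an added example, not code from Richard, OliverB or Proxmox: it parses a constructed excerpt of the dump posted above (the veth101i0 chains and the nat POSTROUTING rule), lists ACCEPT rules whose `-s` address matches none of the hosts the operator knows about, and checks whether the container's address is covered by the MASQUERADE rule on the uplink. The known-host list (container 101 at 192.168.20.101 as Richard states, and 192.168.20.103 taken from the GROUP-zabbix-IN rule) is an assumption made for the example; the same check also exposes the mismatch between the 192.168.30.0/24 subnet in the interfaces file posted earlier and the 192.168.20.0/24 subnet in the live rules.

```python
"""Audit a Proxmox-generated iptables-save dump for one container:
which explicit source addresses its -IN chain admits, and whether its
address is covered by a POSTROUTING MASQUERADE rule on the uplink bridge."""
import ipaddress
import shlex
from collections import defaultdict

# Constructed excerpt of the dump posted in this thread: the filter chains
# for veth101i0 and the nat POSTROUTING rule. All other chains are omitted.
IPTABLES_SAVE = """\
*filter
:veth101i0-IN - [0:0]
:veth101i0-OUT - [0:0]
-A veth101i0-IN -p udp -m udp --sport 67 --dport 68 -j ACCEPT
-A veth101i0-IN -j GROUP-zabbix-IN
-A veth101i0-IN -m mark --mark 0x80000000/0x80000000 -j ACCEPT
-A veth101i0-IN -s 192.168.20.100/32 -p tcp -m tcp --dport 80 -j ACCEPT
-A veth101i0-IN -s 192.168.20.100/32 -p tcp -m tcp --dport 3306 -j ACCEPT
-A veth101i0-IN -j PVEFW-Drop
-A veth101i0-IN -j DROP
-A veth101i0-IN -m comment --comment "PVESIG:jzmSxotKUsBoGTT+sYEBhpw7Tg0"
-A veth101i0-OUT -p udp -m udp --sport 68 --dport 67 -g PVEFW-SET-ACCEPT-MARK
-A veth101i0-OUT -m mac ! --mac-source 0E:0B:8C:B6:A9:6A -j DROP
-A veth101i0-OUT -j MARK --set-xmark 0x0/0x80000000
-A veth101i0-OUT -j GROUP-zabbix-OUT
-A veth101i0-OUT -m mark --mark 0x80000000/0x80000000 -j RETURN
-A veth101i0-OUT -g PVEFW-SET-ACCEPT-MARK
COMMIT
*nat
:POSTROUTING ACCEPT [968914:53156650]
-A POSTROUTING -s 192.168.20.0/24 -o vmbr0 -j MASQUERADE
COMMIT
"""


def parse_iptables_save(text):
    """Return {table: {chain: [argv, ...]}} built from every '-A' line."""
    tables = defaultdict(lambda: defaultdict(list))
    table = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("*"):
            table = line[1:]
        elif line.startswith("-A ") and table:
            argv = shlex.split(line)          # handles the quoted PVESIG comments
            tables[table][argv[1]].append(argv[2:])
    return tables


def option(argv, flag):
    """Value following a single-valued option such as '-s' or '--dport', or None."""
    for i, tok in enumerate(argv[:-1]):
        if tok == flag:
            return argv[i + 1]
    return None


def jump_target(argv):
    return option(argv, "-j") or option(argv, "-g")


def source_constrained_accepts(tables, chain):
    """ACCEPT rules in `chain` that only match one explicit source network."""
    out = []
    for argv in tables["filter"].get(chain, []):
        src = option(argv, "-s")
        if src and jump_target(argv) == "ACCEPT":
            out.append((ipaddress.ip_network(src, strict=False),
                        option(argv, "-p"), option(argv, "--dport")))
    return out


def unexplained_sources(tables, chain, known_hosts):
    """Source networks in ACCEPT rules that contain none of the known addresses."""
    known = [ipaddress.ip_address(a) for a in known_hosts]
    return sorted({str(net) for net, _, _ in source_constrained_accepts(tables, chain)
                   if not any(a in net for a in known)})


def masquerade_covers(tables, ct_ip, out_iface):
    """True if a nat POSTROUTING MASQUERADE rule leaving `out_iface` matches ct_ip."""
    ip = ipaddress.ip_address(ct_ip)
    for argv in tables["nat"].get("POSTROUTING", []):
        if jump_target(argv) != "MASQUERADE" or option(argv, "-o") != out_iface:
            continue
        src = option(argv, "-s")
        if src is None or ip in ipaddress.ip_network(src, strict=False):
            return True
    return False


def audit_container(tables, in_chain, ct_ip, known_hosts, uplink):
    """Summary a practitioner would read before touching the rules."""
    return {"unexplained_sources": unexplained_sources(tables, in_chain, known_hosts),
            "masqueraded": masquerade_covers(tables, ct_ip, uplink)}


if __name__ == "__main__":
    t = parse_iptables_save(IPTABLES_SAVE)
    # Assumed known hosts: CT 101 (per Richard) and the zabbix host from GROUP-zabbix-IN.
    print(audit_container(t, "veth101i0-IN", "192.168.20.101",
                          ["192.168.20.101", "192.168.20.103"], "vmbr0"))
```

Run against the full dump, the audit flags 192.168.20.100/32 as a source no known host occupies, and reports that 192.168.20.101 is masqueraded while anything in 192.168.30.0/24 (the subnet in the posted interfaces file) is not.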
 

OliverB

Active Member
Apr 22, 2016
105
3
38
25
First idea:

we see

Code:
-A veth101i0-IN -s 192.168.20.100/32 -p tcp -m tcp --dport 80 -j ACCEPT


But according to your recent post container 101 has the IP 192.168.20.101


I added this rule to iptables, but if I enable the firewall on the container under the network card I have no internet connection...

Any idea?
 

Richard

Proxmox Staff Member
Staff member
Mar 6, 2015
886
41
48
Austria
Trace the incoming packets from the container and consider which ones are possibly blocked by the firewall:

Code:
tcpdump -e -n -i veth101i0
 

OliverB

Active Member
Apr 22, 2016
105
3
38
25
Trace the incoming packets from the container and consider which ones are possibly blocked by the firewall:

Code:
tcpdump -e -n -i veth101i0


Hi,

I dumped it; here is the output from ping google.de:

Code:
19:43:06.720990 0e:0b:8c:b6:a9:6a > d6:71:b2:9a:38:6a, ethertype IPv4 (0x0800), length 69: 192.168.20.101.39969 > 213.186.33.99.53: 60742+ A? google.de. (27)
19:43:15.510546 0e:0b:8c:b6:a9:6a > d6:71:b2:9a:38:6a, ethertype IPv4 (0x0800), length 69: 192.168.20.101.46376 > 213.186.33.99.53: 25214+ A? google.de. (27)
19:43:30.984677 0e:0b:8c:b6:a9:6a > d6:71:b2:9a:38:6a, ethertype IPv4 (0x0800), length 69: 192.168.20.101.40126 > 213.186.33.99.53: 64333+ A? google.de. (27)
19:43:33.797034 0e:0b:8c:b6:a9:6a > d6:71:b2:9a:38:6a, ethertype IPv4 (0x0800), length 69: 192.168.20.101.54752 > 213.186.33.99.53: 28834+ A? google.de. (27)

Any idea what I can do? I have only one container with no public IP address. This container uses my Proxmox host as gateway for internet access. But if I enable the firewall on the container's network card, I have no connection to the internet. I also cannot ping the Proxmox host.

Please help.
 

Richard

Proxmox Staff Member
Staff member
Mar 6, 2015
886
41
48
Austria
Hi,

I dumped it; here is the output from ping google.de:

Code:
19:43:06.720990 0e:0b:8c:b6:a9:6a > d6:71:b2:9a:38:6a, ethertype IPv4 (0x0800), length 69: 192.168.20.101.39969 > 213.186.33.99.53: 60742+ A? google.de. (27)
19:43:15.510546 0e:0b:8c:b6:a9:6a > d6:71:b2:9a:38:6a, ethertype IPv4 (0x0800), length 69: 192.168.20.101.46376 > 213.186.33.99.53: 25214+ A? google.de. (27)
19:43:30.984677 0e:0b:8c:b6:a9:6a > d6:71:b2:9a:38:6a, ethertype IPv4 (0x0800), length 69: 192.168.20.101.40126 > 213.186.33.99.53: 64333+ A? google.de. (27)
19:43:33.797034 0e:0b:8c:b6:a9:6a > d6:71:b2:9a:38:6a, ethertype IPv4 (0x0800), length 69: 192.168.20.101.54752 > 213.186.33.99.53: 28834+ A? google.de. (27)

Any idea what I can do? I have only one container with no public IP address. This container uses my Proxmox host as gateway for internet access. But if I enable the firewall on the container's network card, I have no connection to the internet. I also cannot ping the Proxmox host.

Please help.

Not quite clear: in the first post it is written "...use the proxmox host for dns resolv ...", but the above trace rather shows an attempt to contact a DNS server on the internet directly. Or did you mean: the container contacts the internet via Proxmox VE as a NAT router?

It would be easier if you posted the whole /etc/network/interfaces as well as the container conf file.

However, it is important to know that for firewalling of VM and CT ports additional bridges are created; combining these bridges with NAT is not supported by Linux. A possible workaround is to use an extra container for NAT.
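Richard reads two things out of the trace: the container talks to an external resolver rather than the host, and only queries are visible, no answers. As an added example (not code from the thread's participants or from Proxmox), the script below parses `tcpdump -e -n` output of the shape posted above, pairs each DNS query with its answer by transaction id and client port, reports queries that never got a reply, lists the resolvers contacted, and checks every frame leaving the container against the MAC filter the Proxmox firewall installs in the veth101i0-OUT chain (`-m mac ! --mac-source 0E:0B:8C:B6:A9:6A -j DROP`, visible in the iptables-save dump). The capture is the four frames from the thread plus one constructed query/answer pair (id 11111, answer 192.0.2.1) so the pairing logic has a match to find; the gateway address 192.168.20.254 is an assumption, since the posted interfaces file shows the host on 192.168.30.254 while the live rules and the trace use 192.168.20.0/24.

```python
"""Pair DNS queries with answers in a `tcpdump -e -n` capture from a container's
veth interface, and check the frames against the firewall's MAC filter."""
import re
from dataclasses import dataclass

# Four frames posted in the thread, plus one constructed query/answer pair
# (id 11111, answer 192.0.2.1) so that the pairing logic has something to match.
CAPTURE = """\
19:43:06.720990 0e:0b:8c:b6:a9:6a > d6:71:b2:9a:38:6a, ethertype IPv4 (0x0800), length 69: 192.168.20.101.39969 > 213.186.33.99.53: 60742+ A? google.de. (27)
19:43:15.510546 0e:0b:8c:b6:a9:6a > d6:71:b2:9a:38:6a, ethertype IPv4 (0x0800), length 69: 192.168.20.101.46376 > 213.186.33.99.53: 25214+ A? google.de. (27)
19:43:30.984677 0e:0b:8c:b6:a9:6a > d6:71:b2:9a:38:6a, ethertype IPv4 (0x0800), length 69: 192.168.20.101.40126 > 213.186.33.99.53: 64333+ A? google.de. (27)
19:43:33.797034 0e:0b:8c:b6:a9:6a > d6:71:b2:9a:38:6a, ethertype IPv4 (0x0800), length 69: 192.168.20.101.54752 > 213.186.33.99.53: 28834+ A? google.de. (27)
19:43:40.000000 0e:0b:8c:b6:a9:6a > d6:71:b2:9a:38:6a, ethertype IPv4 (0x0800), length 71: 192.168.20.101.41000 > 213.186.33.99.53: 11111+ A? example.org. (29)
19:43:40.020000 d6:71:b2:9a:38:6a > 0e:0b:8c:b6:a9:6a, ethertype IPv4 (0x0800), length 87: 213.186.33.99.53 > 192.168.20.101.41000: 11111 1/0/0 A 192.0.2.1 (45)
"""

# One IPv4 frame line as printed by `tcpdump -e -n`.
FRAME_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) (?P<smac>[0-9a-f:]{17}) > (?P<dmac>[0-9a-f:]{17}), "
    r"ethertype IPv4 \(0x0800\), length \d+: "
    r"(?P<sip>\d+(?:\.\d+){3})\.(?P<sport>\d+) > (?P<dip>\d+(?:\.\d+){3})\.(?P<dport>\d+): "
    r"(?P<payload>.*)$")


@dataclass
class Frame:
    ts: str
    smac: str
    dmac: str
    sip: str
    sport: int
    dip: str
    dport: int
    payload: str


def parse_capture(text):
    """Frames in capture order; lines that are not IPv4/UDP-TCP summaries are skipped."""
    frames = []
    for line in text.splitlines():
        m = FRAME_RE.match(line.strip())
        if m:
            d = m.groupdict()
            frames.append(Frame(d["ts"], d["smac"], d["dmac"], d["sip"], int(d["sport"]),
                                d["dip"], int(d["dport"]), d["payload"]))
    return frames


def dns_id(frame):
    """DNS transaction id: leading number of the payload ('60742+' query, '11111' answer)."""
    m = re.match(r"(\d+)\+?\s", frame.payload)
    return int(m.group(1)) if m else None


def unanswered_dns_queries(frames):
    """Queries to port 53 with no answer carrying the same id back to the same client port."""
    answered = {(f.dip, f.dport, dns_id(f)) for f in frames if f.sport == 53}
    return [f for f in frames if f.dport == 53 and (f.sip, f.sport, dns_id(f)) not in answered]


def resolvers_contacted(frames):
    return sorted({f.dip for f in frames if f.dport == 53})


def frames_failing_mac_filter(frames, ct_ip, allowed_mac):
    """Frames leaving the container whose source MAC the -OUT chain would drop."""
    return [f for f in frames if f.sip == ct_ip and f.smac.lower() != allowed_mac.lower()]


def report(frames, ct_ip, allowed_mac, gateway_ip):
    return {
        "unanswered_ids": [dns_id(f) for f in unanswered_dns_queries(frames)],
        "resolvers": resolvers_contacted(frames),
        "resolver_is_gateway": resolvers_contacted(frames) == [gateway_ip],
        "mac_filter_drops": len(frames_failing_mac_filter(frames, ct_ip, allowed_mac)),
    }


if __name__ == "__main__":
    fr = parse_capture(CAPTURE)
    # Assumed gateway 192.168.20.254; MAC from the veth101i0-OUT rule in the dump.
    print(report(fr, "192.168.20.101", "0E:0B:8C:B6:A9:6A", "192.168.20.254"))
```

On the posted frames the report shows four unanswered ids, a single resolver 213.186.33.99 that is not the gateway, and zero MAC-filter drops, which is exactly the reading Richard gives: the MAC filter is not the cause, the container bypasses the host's resolver, and nothing comes back through the bridge.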
 

t_b

New Member
Nov 4, 2015
22
2
1
@Richard Since I have the same issues it should be nearly the same as in @OliverB's case:

/etc/network/interfaces (CT)
Code:
auto lo
iface lo inet loopback

auto eth0
iface eth0 inet static
        address 10.10.10.2
        netmask 255.255.255.0
        gateway 10.10.10.1

/etc/resolv.conf (CT)
Code:
# --- BEGIN PVE ---
search domain.tld
nameserver 80.237.x.y
nameserver 80.237.x.z
# --- END PVE ---
For sure I've tested using 10.10.10.1 as nameserver.

The host configuration is now exactly like in the wiki (real IP changed, of course).
 

OliverB

Active Member
Apr 22, 2016
105
3
38
25
Not quite clear: in the first post it is written "...use the proxmox host for dns resolv ...", but the above trace rather shows an attempt to contact a DNS server on the internet directly. Or did you mean: the container contacts the internet via Proxmox VE as a NAT router?

It would be easier if you posted the whole /etc/network/interfaces as well as the container conf file.

However, it is important to know that for firewalling of VM and CT ports additional bridges are created; combining these bridges with NAT is not supported by Linux. A possible workaround is to use an extra container for NAT.


Hi,

I have configured the Proxmox host for NAT: https://pve.proxmox.com/wiki/Network_Model#Masquerading_.28NAT.29_with_iptables. The Proxmox host is configured for NAT; the container uses the Proxmox host for NAT.

Any idea?
 

Richard

Proxmox Staff Member
Staff member
Mar 6, 2015
886
41
48
Austria
