[SOLVED] Proxmox firewall refusing to ban single IPs over 80/443

Skyrider

Active Member
May 11, 2020
55
1
28
38
Here's my pveversion:
Code:
proxmox-ve: 7.2-1 (running kernel: 5.15.39-4-pve)
pve-manager: 7.2-7 (running version: 7.2-7/d0dd0e85)
pve-kernel-5.15: 7.2-9
pve-kernel-helper: 7.2-9
pve-kernel-5.15.39-4-pve: 5.15.39-4
pve-kernel-5.15.39-3-pve: 5.15.39-3
pve-kernel-5.15.30-2-pve: 5.15.30-3
ceph-fuse: 15.2.16-pve1
corosync: 3.1.5-pve2
criu: 3.15-1+pve-1
glusterfs-client: 9.2-1
ifupdown2: 3.1.0-1+pmx3
ksm-control-daemon: 1.4-1
libjs-extjs: 7.0.0-1
libknet1: 1.24-pve1
libproxmox-acme-perl: 1.4.2
libproxmox-backup-qemu0: 1.3.1-1
libpve-access-control: 7.2-4
libpve-apiclient-perl: 3.2-1
libpve-common-perl: 7.2-2
libpve-guest-common-perl: 4.1-2
libpve-http-server-perl: 4.1-3
libpve-storage-perl: 7.2-8
libspice-server1: 0.14.3-2.1
lvm2: 2.03.11-2.1
lxc-pve: 5.0.0-3
lxcfs: 4.0.12-pve1
novnc-pve: 1.3.0-3
proxmox-backup-client: 2.2.5-1
proxmox-backup-file-restore: 2.2.5-1
proxmox-mini-journalreader: 1.3-1
proxmox-widget-toolkit: 3.5.1
pve-cluster: 7.2-2
pve-container: 4.2-2
pve-docs: 7.2-2
pve-edk2-firmware: 3.20220526-1
pve-firewall: 4.2-5
pve-firmware: 3.5-1
pve-ha-manager: 3.4.0
pve-i18n: 2.7-2
pve-qemu-kvm: 7.0.0-2
pve-xtermjs: 4.16.0-1
qemu-server: 7.2-4
smartmontools: 7.2-pve3
spiceterm: 3.2-2
swtpm: 0.7.1~bpo11+1
vncterm: 1.7-1
zfsutils-linux: 2.1.5-pve1

So here's my problem. With tons of issues with firewall rules on single IPs, I've decided to install nginx as a reverse proxy on the main host node. I've rejected my mobile data IP, which can be seen through iptables:

Code:
-A PVEFW-HOST-IN -s 89.205.139.161/32 -p tcp -m limit --limit 1/sec -j NFLOG --nflog-prefix  ":0:5:PVEFW-HOST-IN: REJECT: "
-A PVEFW-HOST-IN -s 89.205.139.161/32 -p tcp -j PVEFW-reject

Now while 80/443 traffic goes through the main node/host towards the containers where the web content is located, the firewall rules should still be in effect. As far as I know, all IPs go through the node first. Yet this doesn't appear to be working. My mobile data IP address can still access the websites without being rejected. And yes, the firewall on the datacenter, node and container is on.

If I remove 80/443 from being accepted on the node, all traffic is blocked, so that part is working. I just can't seem to reject single IPs. Any idea as to why?

EDIT
Gotta love Cloudflare for screwing up my plans. My apologies. Being behind the Cloudflare DNS won't really make iptables work.
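The poster's own edit names the cause: with Cloudflare proxying the site, every HTTP connection reaching the node has a Cloudflare edge address as its packet source, so an iptables `-s 89.205.139.161/32` rule never matches. The script below is an added illustration, not code from the forum post or from pve-firewall. It parses the two PVEFW-HOST-IN rule lines quoted above, then evaluates a direct connection and a proxied one against them, once the way iptables sees it (packet source only) and once the way a proxy-aware layer should (forwarded client address, believed only when the packet really comes from a trusted proxy range). The `Connection` dataclass and all function names are hypothetical; the trusted proxy range uses RFC 5737 documentation addresses as a constructed placeholder, not Cloudflare's real published list; `CF-Connecting-IP` is the header Cloudflare sets with the original client address.

```python
"""Why a per-IP reject in the Proxmox host firewall does not fire behind a
reverse proxy/CDN, and what a proxy-aware check must verify. Added example;
not part of the forum post or of pve-firewall."""
import ipaddress
import re
from dataclasses import dataclass, field

# The two rule lines exactly as the poster showed them.
PVEFW_RULES = """
-A PVEFW-HOST-IN -s 89.205.139.161/32 -p tcp -m limit --limit 1/sec -j NFLOG --nflog-prefix  ":0:5:PVEFW-HOST-IN: REJECT: "
-A PVEFW-HOST-IN -s 89.205.139.161/32 -p tcp -j PVEFW-reject
"""

# Ranges we treat as "the proxy in front of the site". Constructed placeholder
# (RFC 5737 documentation space), NOT Cloudflare's real published ranges.
TRUSTED_PROXY_NETS = [ipaddress.ip_network("198.51.100.0/24")]

_RULE_RE = re.compile(r"-A (?P<chain>\S+) -s (?P<src>\S+) .* -j (?P<target>\S+)")


def banned_prefixes(rules: str, chain: str = "PVEFW-HOST-IN",
                    target: str = "PVEFW-reject"):
    """Source prefixes that the given chain hands to the reject target.
    The NFLOG rule only logs, so it is deliberately not counted as a ban."""
    nets = []
    for line in rules.splitlines():
        m = _RULE_RE.match(line.strip())
        if m and m["chain"] == chain and m["target"] == target:
            nets.append(ipaddress.ip_network(m["src"]))
    return nets


@dataclass
class Connection:
    """Hypothetical view of one inbound connection."""
    packet_src: str                                # L3 source the host firewall sees
    headers: dict = field(default_factory=dict)    # HTTP headers the reverse proxy sees


def host_firewall_rejects(conn: Connection, nets) -> bool:
    """What iptables does: it only ever compares the packet's source address."""
    src = ipaddress.ip_address(conn.packet_src)
    return any(src in n for n in nets)


def effective_client_ip(conn: Connection, trusted=TRUSTED_PROXY_NETS,
                        header: str = "CF-Connecting-IP"):
    """Client address as a proxy-aware layer should see it. The forwarded header
    is believed only when the packet really comes from a trusted proxy range;
    otherwise any client could forge it to dodge a ban or to frame another address."""
    src = ipaddress.ip_address(conn.packet_src)
    if any(src in n for n in trusted) and header in conn.headers:
        return ipaddress.ip_address(conn.headers[header])
    return src


def proxy_aware_rejects(conn: Connection, nets, **kw) -> bool:
    """Apply the same ban list to the effective client address."""
    client = effective_client_ip(conn, **kw)
    return any(client in n for n in nets)


if __name__ == "__main__":
    nets = banned_prefixes(PVEFW_RULES)
    direct = Connection("89.205.139.161")
    proxied = Connection("198.51.100.7", {"CF-Connecting-IP": "89.205.139.161"})
    print("banned prefixes:", [str(n) for n in nets])
    print("direct  -> iptables:", host_firewall_rejects(direct, nets))
    print("proxied -> iptables:", host_firewall_rejects(proxied, nets),
          "| proxy-aware:", proxy_aware_rejects(proxied, nets))
```

The direct connection is rejected by the host rule, the proxied one is not, because its packet source is the proxy's address; only the proxy-aware check, applied at the reverse proxy, still catches it. The trusted-range condition is the important part: in nginx the equivalent is the realip module (`set_real_ip_from` for the proxy ranges, `real_ip_header CF-Connecting-IP`), which likewise only rewrites the client address for connections that arrive from the listed ranges.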
