Proxmox Firewall with NAT and portforwarding.

Nicolai

New Member
Jun 1, 2019
I have a Proxmox PVE setup that hosts some containers.
The PVE has 1 public IP, and everything behind it should be port forwarded.
So I set up a Linux bridge that bridges vmbr0 to a local NAT.
Now I want to put in a few basic rules. Everything besides the web interface should be closed down from outside (if something really needs to be open, I will open it though).
I don't need SSH as I can get a shell through my provider.
I also want to forward some ports for servers in the network behind it.
Here comes the problem: I am not very good at networking. I have a basic understanding and that's it.
I read up a little bit about the topic, and heard a lot of stuff. For example, some people suggest not using iptables and the Proxmox firewall at the same time, but the Proxmox web interface for the firewall seems so limited :/
There being multiple layers of firewall doesn't help it, I am so confused. Where do my rules go? Do I first have to enable them on Datacenter and then on Node level? The Datacenter doesn't have any specific interfaces, so how does that work?
Also, when I set up the Datacenter-wide firewall and add rules to open up 8006, there seems to be a squid-http on port 3128 open, is that wanted/needed?
And to add to the mess, when I set up my iptables on the node, my container can't even talk to the internet :/ At least not outwards.

Can someone give me a crash course, would be nice :D
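The NAT bridge and port forward the post describes, written as an added example for this thread (not taken from it or from the Proxmox docs); it assumes the physical NIC is eno1, vmbr0 carries the single public address 203.0.113.10 (a documentation range), vmbr1 is the private segment 10.10.10.0/24, and the web container is 10.10.10.20:

```conf
# /etc/network/interfaces (excerpt) - constructed example values throughout
auto lo
iface lo inet loopback

auto eno1
iface eno1 inet manual

# vmbr0: public side. Guests are NOT attached here, so nothing inside can
# claim the public address or sniff the uplink.
auto vmbr0
iface vmbr0 inet static
    address 203.0.113.10/24
    gateway 203.0.113.1
    bridge_ports eno1
    bridge_stp off
    bridge_fd 0

# vmbr1: private bridge for the containers; the host is their default gateway.
auto vmbr1
iface vmbr1 inet static
    address 10.10.10.1/24
    bridge_ports none
    bridge_stp off
    bridge_fd 0
    # routing between the two bridges is off unless explicitly enabled
    post-up echo 1 > /proc/sys/net/ipv4/ip_forward
    # source NAT: traffic from the private segment leaves with the public IP
    post-up iptables -t nat -A POSTROUTING -s 10.10.10.0/24 -o vmbr0 -j MASQUERADE
    post-down iptables -t nat -D POSTROUTING -s 10.10.10.0/24 -o vmbr0 -j MASQUERADE
    # port forward: public TCP 8080 -> web container 10.10.10.20:80 (one rule per exposed service)
    post-up iptables -t nat -A PREROUTING -i vmbr0 -p tcp --dport 8080 -j DNAT --to-destination 10.10.10.20:80
    post-down iptables -t nat -D PREROUTING -i vmbr0 -p tcp --dport 8080 -j DNAT --to-destination 10.10.10.20:80
```

These nat-table rules only rewrite addresses; if the Proxmox firewall is enabled for a guest NIC, the forwarded connection is still subject to that guest's IN rules, so the exposed port must be accepted there as well.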

Richard

Proxmox Staff Member
Staff member
Mar 6, 2015
Austria
> I have a Proxmox PVE setup that hosts some containers.
> The PVE has 1 public IP, and everything behind it should be port forwarded.
> So I set up a Linux bridge that bridges vmbr0 to a local NAT.
> Now I want to put in a few basic rules. Everything besides the web interface should be closed down from outside (if something really needs to be open, I will open it though).
> I don't need SSH as I can get a shell through my provider.
> I also want to forward some ports for servers in the network behind it.
> Here comes the problem: I am not very good at networking. I have a basic understanding and that's it.
> I read up a little bit about the topic, and heard a lot of stuff. For example, some people suggest not using iptables and the Proxmox firewall at the same time, but the Proxmox web interface for the firewall seems so limited :/

Not true. You can use Proxmox firewall and any "manual" iptables setting in parallel. Proxmox is able to distinguish "manual" and "Proxmox driven" settings from each other.

> There being multiple layers of firewall doesn't help it, I am so confused. Where do my rules go? Do I first have to enable them on Datacenter and then on Node level? The Datacenter doesn't have any specific interfaces, so how does that work?

Datacenter settings are in principle nothing else than the same settings for each node (you may have in a cluster). If you specify an interface which does not exist in a certain node, iptables is set there but will not have any effect.
> Also, when I set up the Datacenter-wide firewall and add rules to open up 8006, there seems to be a squid-http on port 3128 open, is that wanted/needed?

No, but there is a macro called squid which has this effect.

> And to add to the mess, when I set up my iptables on the node, my container can't even talk to the internet :/ At least not outwards.

So something has been set in the firewall which does not allow it. Check your settings!
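Where the datacenter and node rules actually live, as an added example written for this thread (not the staff member's text or a file from a real installation); the file paths and section syntax are the standard pve-firewall ones, the admin address is a constructed documentation-range value and <node> stands for the node's name:

```conf
# /etc/pve/firewall/cluster.fw  (Datacenter level: the same rules reach every node)
[OPTIONS]
# master switch: with enable: 0 here nothing in this file or in any host.fw is active
enable: 1
# drop everything towards the host by default, let the host talk outwards
policy_in: DROP
policy_out: ACCEPT

[ALIASES]
# constructed example: the address the web GUI may be reached from
admin 198.51.100.7

[RULES]
# only the web GUI (8006), and only from the admin address
IN ACCEPT -source admin -p tcp -dport 8006 -log nolog
# a macro rule looks like this; the Squid macro is what opens TCP 3128,
# so if 3128 shows up, look for a line like the next one and remove it
#IN Squid(ACCEPT)

# /etc/pve/nodes/<node>/host.fw  (Node level: this node only, merged with the rules above)
[OPTIONS]
enable: 1

[RULES]
# node-specific exceptions go here; an interface that does not exist on this node
# can be named (-i vmbr1) and the rule is simply installed without effect
```

Guest rules are a third file, /etc/pve/firewall/<VMID>.fw, which only takes effect when it contains enable: 1 and the guest's NIC has firewall=1; turning that on without an IN ACCEPT for the guest's services is the "no internet on VMs" symptom from the follow-up post.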

Nicolai

New Member
Jun 1, 2019
> Not true. You can use Proxmox firewall and any "manual" iptables setting in parallel. Proxmox is able to distinguish "manual" and "Proxmox driven" settings from each other.

> Datacenter settings are in principle nothing else than the same settings for each node (you may have in a cluster). If you specify an interface which does not exist in a certain node, iptables is set there but will not have any effect.

> No, but there is a macro called squid which has this effect.

> So something has been set in the firewall which does not allow it. Check your settings!

Thanks for your answer, I kinda figured most of it out by now.
Good to know that you can mix iptables and the Proxmox firewall.
The "no internet on VMs" came from me turning on their firewall in Proxmox for the VMs (stupid me).
I never started anything with Squid, how could I disable this? :)

Richard

Proxmox Staff Member
Staff member
Mar 6, 2015
Austria
> I never started anything with Squid, how could I disable this? :)

squid itself is not installed in Proxmox by default. If you installed it (accidentally), remove it with
Code:
apt remove squid
If you have activated just the respective firewall macro, remove it in the web GUI (<node> -> Firewall -> Remove).