This post was born from my incorrect evaluation. See Proxmox4 and Knockd
How to enable ping to a specific vmbr?
This is my /etc/network/interfaces
Code:
auto lo
iface lo inet loopback

auto vmbr0
iface vmbr0 inet static
    address 192.168.1.10
    netmask 255.255.255.0
    gateway 192.168.1.254
    bridge_ports eth0
    bridge_stp off
    bridge_fd 0

auto vmbr1
iface vmbr1 inet static
    address xxx.11.2.1
    netmask 255.255.255.248
    bridge_ports eth1
    bridge_stp off
    bridge_fd 0

auto vmbr2
iface vmbr2 inet static
    address 192.168.0.254
    netmask 255.255.255.0
    bridge_ports eth2
    bridge_stp off
    bridge_fd 0
    post-up iptables -t nat -A POSTROUTING -o vmbr0 -j MASQUERADE
    post-up iptables -A FORWARD -i vmbr0 -o vmbr2 -m state --state RELATED,ESTABLISHED -j ACCEPT
    post-up iptables -A FORWARD -i vmbr2 -o vmbr0 -j ACCEPT
And this is my /etc/pve/firewall/cluster.fw
Code:
[OPTIONS]
enable: 1
[RULES]
IN ACCEPT -i vmbr1 -dest xxx.11.2.1 -p icmp
But it seems it doesn't work. ICMP is still in the DROP state; where am I wrong, please?
Code:
iptables -L | grep icmp
ACCEPT icmp -- anywhere anywhere icmp fragmentation-needed
ACCEPT icmp -- anywhere anywhere icmp time-exceeded
RETURN icmp -- anywhere host1-2-static.11-xxx-x.xxx.xxx.xx
ACCEPT icmp -- anywhere anywhere icmp fragmentation-needed
ACCEPT icmp -- anywhere anywhere icmp time-exceeded
DROP icmp -- anywhere anywhere
REJECT udp -- anywhere anywhere reject-with icmp-port-unreachable
REJECT icmp -- anywhere anywhere reject-with icmp-host-unreachable
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
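An added diagnostic (not from the post, and not Proxmox's own tooling): `iptables -L | grep icmp` strips the chain names and ordering, so an ACCEPT or RETURN in one chain and a DROP in another look like neighbours. The functions below read iptables-save text on stdin and list ICMP rules per chain, then report the first verdict an echo-request on a given interface would hit; the ruleset, chain names and addresses in the sample are constructed for the example.

```shell
# Added example (not from the original post or from Proxmox): show ICMP rules
# with their chain and position, and the first verdict an echo-request on a
# given interface would hit. Input is iptables-save text on stdin; the ruleset
# below is constructed for demonstration, with placeholder addresses.
SAMPLE_RULES='*filter
:INPUT ACCEPT [0:0]
:PVEFW-INPUT - [0:0]
:PVEFW-HOST-IN - [0:0]
-A INPUT -j PVEFW-INPUT
-A PVEFW-INPUT -j PVEFW-HOST-IN
-A PVEFW-HOST-IN -p icmp -m icmp --icmp-type 3/4 -j ACCEPT
-A PVEFW-HOST-IN -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A PVEFW-HOST-IN -i vmbr1 -d xxx.11.2.1/32 -p icmp -j RETURN
-A PVEFW-HOST-IN -p icmp -j DROP
COMMIT'

# Print "chain position target rule" for every ICMP rule, in chain order.
# Usage: iptables-save | icmp_rules_by_chain
icmp_rules_by_chain() {
    awk '/^-A / && / -p icmp/ {
        chain = $2; pos[chain]++
        for (i = 1; i <= NF; i++) if ($i == "-j") target = $(i + 1)
        printf "%s %d %s %s\n", chain, pos[chain], target, $0
    }'
}

# First terminating verdict (ACCEPT/DROP/REJECT/RETURN) for an ICMP
# echo-request entering CHAIN on interface IFACE. Rules bound to another
# interface or to a different ICMP type are skipped, as the kernel would.
# Usage: iptables-save | first_icmp_verdict CHAIN IFACE
first_icmp_verdict() {
    awk -v chain="$1" -v ifc="$2" '$1 == "-A" && $2 == chain && / -p icmp/ {
        iface = ""; itype = ""; target = ""
        for (i = 1; i <= NF; i++) {
            if ($i == "-i") iface = $(i + 1)
            if ($i == "--icmp-type") itype = $(i + 1)
            if ($i == "-j") target = $(i + 1)
        }
        if (iface != "" && iface != ifc) next
        if (itype != "" && itype != "8" && itype != "echo-request") next
        if (target ~ /^(ACCEPT|DROP|REJECT|RETURN)$/) { print target; exit }
    }'
}

printf '%s\n' "$SAMPLE_RULES" | icmp_rules_by_chain
printf 'vmbr1: %s\n' "$(printf '%s\n' "$SAMPLE_RULES" | first_icmp_verdict PVEFW-HOST-IN vmbr1)"
printf 'vmbr0: %s\n' "$(printf '%s\n' "$SAMPLE_RULES" | first_icmp_verdict PVEFW-HOST-IN vmbr0)"
```

On a live host, replace the sample with `iptables-save | first_icmp_verdict <chain> <bridge>` to see whether a per-interface accept is reached before the catch-all DROP.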