[SOLVED] PVE Firewall ignores traffic from public IP

Suertzz

Member
Jan 4, 2021
Hello,

I use the firewall built into Proxmox which is great.

On the private network (172.16.10.x ) the firewall works and blocks what is not explicitly opened (Input Policy: DROP, OUTPUT Policy: ACCEPT), but when I use a public IP, the firewall totally ignores the rules and all traffic on the pub-ip goes unrestricted (but the private IP is still filtered).

Here is my network configuration on the VM side:
Code:
admin@vm:~$ cat /etc/network/interfaces

auto lo
iface lo inet loopback

auto eth0
iface eth0 inet static
        address 172.16.10.11/24
        dns-nameservers 172.16.10.25 1.1.1.1

auto eth0.100
iface eth0.100 inet static
        address 201.40.31.7/32
        gateway 201.40.31.28

For example, if I install a webserver and listen on both 201.40.31.7:80 and 172.16.10.11:80, if I don't allow HTTP traffic on the Proxmox firewall, it will not work on the private IP (which is great!), but on the public IP, whatever the setting is, it will ignore the firewall and work in any case :(

PVE nodes do not have public IPs, only private IPs (172.16.10.x); every node uses a gateway on the private network (172.16.10.25) to reach the internet.
All VMs have a private IP (172.16.10.x), and some have a public IP.

Private IPs are on VLAN 50
Public IPs are on VLAN 100

The firewall is activated cluster-wide, on each host and on each VM (and on the network card of the vm ofc!)

Code:
pve-firewall status
Status: enabled/running

(three pasted screenshots of the firewall settings, dated 2021-02-10, not reproduced)

I also tried to put INPUT Policy: DROP and OUTPUT Policy: DROP; the traffic is dropped on the private network, but the public IP still passes through.

Did I forget something?

I hope somebody can help me!

Regards
 
Where do you set the FW rules for the VM? Whatever is set on the Datacenter and node level should only affect the node (iptables INPUT) and what is configured on the guest should only affect the guest (iptables FORWARD)
 
Where do you set the FW rules for the VM? Whatever is set on the Datacenter and node level should only affect the node (iptables INPUT) and what is configured on the guest should only affect the guest (iptables FORWARD)

Thank you for your quick reply.

I put the rules at the VM level, here are the screenshots of my settings:

(two screenshots of the VM-level firewall settings, not reproduced)

The INPUT Policy does drop the INPUT traffic from the internal network (172.16.10.x), but the public IP I assigned inside the VM does not seem to be affected by the firewall.

Regards
 
Hi,

in the VM you have two interfaces, eth0 and eth0.100, right? Can you try to create a secondary interface in PVE for this VM, and pass the VLAN on it, so the VM will have eth0 and eth1, without VLANs on it?
 
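The fix described in the answer above, turned into a small guest-config check (added example, not code from the thread or from Proxmox): it parses /etc/network/interfaces and reports every VLAN subinterface the guest defines itself, together with the matching PVE-side change. The qm set form, the bridge name vmbr0 and the VMID placeholder are assumptions, not values from the thread.

```python
"""Added example, not code from the thread: flag VLAN subinterfaces that a
guest configures itself (eth0.100) in /etc/network/interfaces. The thread
found such traffic slipped past the VM-level PVE firewall until the VLAN
tag was moved to a second virtual NIC defined in PVE (plain eth1 in the guest)."""
import re

DOTTED = re.compile(r"^(?P<parent>[A-Za-z0-9_-]+)\.(?P<vid>\d{1,4})$")  # eth0.100 style

def parse_interfaces(text):
    """Return (name, options) for every 'iface' stanza of an ifupdown config."""
    stanzas, current = [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()           # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        if parts[0] == "iface" and len(parts) >= 4:
            current = {"family": parts[2], "method": parts[3]}
            stanzas.append((parts[1], current))
        elif parts[0] in ("auto", "allow-hotplug", "source", "source-directory"):
            current = None                              # stanza ended
        elif current is not None:
            current[parts[0]] = " ".join(parts[1:])     # option line inside the stanza
    return stanzas

def guest_vlan_findings(text, bridge="vmbr0", vmid="<VMID>"):
    """Return (iface, vlan id, parent, advice) for each guest-side VLAN subinterface."""
    findings = []
    for name, opts in parse_interfaces(text):
        m = DOTTED.match(name)
        if not m:
            continue
        parent, vid = m.group("parent"), int(m.group("vid"))
        # Assumed remedy (standard qm syntax): tagged NIC in PVE with firewall on, address moved to it
        advice = (f"qm set {vmid} --net1 virtio,bridge={bridge},tag={vid},firewall=1; "
                  f"move {opts.get('address', '<address>')} off {name} onto the new interface")
        findings.append((name, vid, parent, advice))
    return findings

# Constructed sample input: the guest config posted in the thread
SAMPLE = """\
auto eth0
iface eth0 inet static
        address 172.16.10.11/24
        dns-nameservers 172.16.10.25 1.1.1.1
auto eth0.100
iface eth0.100 inet static
        address 201.40.31.7/32
        gateway 201.40.31.28
"""
```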
Hi,

in the VM you have two interfaces, eth0 and eth0.100, right? Can you try to create a secondary interface in PVE for this VM, and pass the VLAN on it, so the VM will have eth0 and eth1, without VLANs on it?

Thank you for your answer, that solved my problem! :D
 
Hi,

I have the same problem. Why do VLAN interfaces not fall under the firewall rules?
 