Hi,
I'm banging my head on this and it's slightly frustrating, so I wonder if I can ask someone who is very happy with iptables fun to comment, possibly.
I've got a host which is running on OVH-SYS hosting, Proxmox install template (it is basically stock Debian / SW RAID / with Proxmox added to Debian - the OVH template does all that work). Out of the box it has no firewall enabled.
Typically I add config so that I've got a private local interface bridge which VMs can bind to with a private network range (192.168.95.0/24 in this case is the private range).
I set up NAT for outbound for the VMs / they use the IP of the Proxmox bridge interface (192.168.95.1 in this case) as their gateway.
To allow inbound connections I have straightforward rules in iptables to allow inbound forwarding to the suitable guest. In this case I've got inbound 80 and 443 ports for an nginx proxy. Not a lot else.
Fail2ban is installed on the Proxmox host from stock Debian apt-get to give some baseline protection against inbound SSH script-kiddies pounding the server.
So far for this box, I didn't lock down the firewall any further.
Today I thought it would be good to try to change the setup so that:
- default inbound policy is DROP, not ACCEPT
- allow only designated ports
- I tried opening SSH (tcp 22) plus ports for Proxmox remote admin (tcp 8006, plus tcp 3128 for SPICE, plus tcp range 5900:5999 for VNC consoles)
- endpoint from this is that SSH was fine, but web-admin gives me 'connection timeout' errors and fails to load
I'm a bit baffled, as the docs tell me that 8006 should be all I need to get web-admin really working. I don't use SPICE, and VNC should not be needed unless I open a console, in theory.
My 'before' iptables status prior to making any config change was thus:
Code:
root@proxbox:~# iptables --list
Chain INPUT (policy ACCEPT)
target prot opt source destination
f2b-sshd tcp -- anywhere anywhere multiport dports ssh
f2b-sshd tcp -- anywhere anywhere multiport dports ssh
Chain FORWARD (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere
ACCEPT tcp -- anywhere 192.168.95.221 tcp dpt:http state NEW,RELATED,ESTABLISHED
ACCEPT tcp -- anywhere 192.168.95.221 tcp dpt:https state NEW,RELATED,ESTABLISHED
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain f2b-sshd (2 references)
target prot opt source destination
REJECT all -- 121.5.188.180 anywhere reject-with icmp-port-unreachable
REJECT all -- 68.183.150.202 anywhere reject-with icmp-port-unreachable
REJECT all -- 81.70.143.188 anywhere reject-with icmp-port-unreachable
REJECT all -- 128.199.109.177 anywhere reject-with icmp-port-unreachable
REJECT all -- 206.189.36.195 anywhere reject-with icmp-port-unreachable
REJECT all -- 1.15.220.145 anywhere reject-with icmp-port-unreachable
REJECT all -- 45.249.245.181 anywhere reject-with icmp-port-unreachable
RETURN all -- anywhere anywhere
RETURN all -- anywhere anywhere
and then I added in some new allow rules:
Code:
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j ACCEPT
iptables -A INPUT -p tcp --dport 8006 -j ACCEPT
iptables -A INPUT -p tcp --dport 3128 -j ACCEPT
iptables -A INPUT -p tcp --dport 5900:5999 -j ACCEPT
and then after that my iptables summary looked like this,
Code:
root@proxbox:~# iptables -P INPUT DROP
root@proxbox:~# iptables --list
Chain INPUT (policy DROP)
target prot opt source destination
f2b-sshd tcp -- anywhere anywhere multiport dports ssh
f2b-sshd tcp -- anywhere anywhere multiport dports ssh
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
ACCEPT tcp -- anywhere anywhere tcp dpt:http
ACCEPT tcp -- anywhere anywhere tcp dpt:https
ACCEPT tcp -- anywhere anywhere tcp dpt:8006
ACCEPT tcp -- anywhere anywhere tcp dpt:3128
ACCEPT tcp -- anywhere anywhere tcp dpts:5900:5999
Chain FORWARD (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere
ACCEPT tcp -- anywhere 192.168.95.221 tcp dpt:http state NEW,RELATED,ESTABLISHED
ACCEPT tcp -- anywhere 192.168.95.221 tcp dpt:https state NEW,RELATED,ESTABLISHED
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain f2b-sshd (2 references)
target prot opt source destination
REJECT all -- 221.131.165.23 anywhere reject-with icmp-port-unreachable
REJECT all -- 45.249.245.181 anywhere reject-with icmp-port-unreachable
REJECT all -- 81.70.143.188 anywhere reject-with icmp-port-unreachable
REJECT all -- 68.183.150.202 anywhere reject-with icmp-port-unreachable
REJECT all -- 1.15.220.145 anywhere reject-with icmp-port-unreachable
REJECT all -- 128.199.109.177 anywhere reject-with icmp-port-unreachable
REJECT all -- 206.189.36.195 anywhere reject-with icmp-port-unreachable
REJECT all -- 218.92.0.184 anywhere reject-with icmp-port-unreachable
RETURN all -- anywhere anywhere
root@proxbox:~#
So, in this state:
- I have SSH access OK
- WebAdmin Proxmox is busted
Once I change the default inbound policy back,
iptables -P INPUT ACCEPT
the Proxmox web UI resumes working, but this is not really what I'm hoping for as the endpoint.
Can someone see what obvious thing I am missing and give me a gentle hint-poke?
thanks,
Tim
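An added example from the editor, not code from the post or from Proxmox, covering the ruleset above: the posted INPUT chain has no accept for the loopback interface and none for RELATED,ESTABLISHED traffic, and pveproxy on 8006 hands every request to pvedaemon on 127.0.0.1:85, so under a DROP policy the TCP connect to 8006 succeeds but the UI then times out. The script audits an `iptables-save` dump for those two gaps and prints a corrected ruleset; the interface names vmbr0 (public) and vmbr1 (private bridge) are assumptions, and the nat table is not shown in the post so it is not included.

```shell
#!/bin/sh
# Added example by the editor, not from the original post or from Proxmox.
# audit_rules() reads an `iptables-save` dump on stdin and flags the two INPUT
# rules the posted ruleset lacks; build_rules() prints a corrected ruleset in
# iptables-restore format. Assumed (not on the page): public interface "vmbr0",
# private bridge "vmbr1". pveproxy (8006) forwarding to pvedaemon on
# 127.0.0.1:85 is documented Proxmox behaviour, so the loopback rule matters.

# Exit 0 if the dump is safe under INPUT DROP, otherwise 1 with one reason per line.
audit_rules() {
    dump=$(cat)
    rc=0
    printf '%s\n' "$dump" | grep -q '^:INPUT DROP' || return 0  # policy ACCEPT: nothing to flag
    if ! printf '%s\n' "$dump" | grep -q -- '^-A INPUT -i lo -j ACCEPT'; then
        echo "INPUT DROP without '-i lo -j ACCEPT': pveproxy -> pvedaemon on 127.0.0.1:85 is dropped, so 8006 connects but the UI times out"
        rc=1
    fi
    if ! printf '%s\n' "$dump" | grep -Eq -- '^-A INPUT .*(--ctstate|--state) [A-Z,]*ESTABLISHED.*-j ACCEPT'; then
        echo "INPUT DROP without a RELATED,ESTABLISHED accept: replies to the host's own outbound connections (DNS, apt, NTP) are dropped"
        rc=1
    fi
    return $rc
}

# Corrected ruleset. Check with: build_rules | iptables-restore --test
# fail2ban re-inserts its own f2b-sshd chain when it (re)starts, so it is not listed;
# 80/443 for the nginx guest are DNAT'd and traverse FORWARD, not INPUT.
build_rules() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p icmp -j ACCEPT
-A INPUT -i vmbr0 -p tcp --dport 22 -j ACCEPT
-A INPUT -i vmbr0 -p tcp --dport 8006 -j ACCEPT
-A INPUT -i vmbr0 -p tcp --dport 3128 -j ACCEPT
-A INPUT -i vmbr0 -p tcp --dport 5900:5999 -j ACCEPT
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i vmbr1 -j ACCEPT
-A FORWARD -d 192.168.95.221 -p tcp --dport 80 -j ACCEPT
-A FORWARD -d 192.168.95.221 -p tcp --dport 443 -j ACCEPT
COMMIT
EOF
}
```

Running `iptables-save | sh -c '. ./rules.sh; audit_rules'` on the posted state reports both gaps; the same check passes on the output of build_rules.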