dbenjamin
Guest
Hi,
I'm a devops engineer, not so familiar with iptables, but I'm trying to learn how it works.
I know this is not the place to learn networking basics, but since my Proxmox installation is concerned, maybe some of you have already experienced the same.
I have a Proxmox node in routed mode with some CTs.
I also added a private network.
So, network interfaces on the node look like the following:
Code:
# network interface settings
auto lo
iface lo inet loopback

auto eth0
iface eth0 inet static
    address XX.XX.XX.XX # public IP
    netmask 255.255.255.0
    gateway XX.XX.XX.1
    broadcast XX.XX.XX.255
    network XX.XX.XX.0

auto eth1
iface eth1 inet dhcp

auto vmbr0
iface vmbr0 inet static
    address 192.168.1.1
    netmask 255.255.255.0
    bridge_ports none
    bridge_stp off
    bridge_fd 0
    post-up echo 1 > /proc/sys/net/ipv4/ip_forward
    post-up iptables -t nat -A POSTROUTING -s '192.168.1.0/24' -o eth0 -j MASQUERADE
    post-down iptables -t nat -D POSTROUTING -s '192.168.1.0/24' -o eth0 -j MASQUERADE
Then, from the proxmox GUI, I assigned two IPs to my CT, one public (FAILOVER) and one private, so its network interfaces look like:
Code:
# Auto generated lo interface
auto lo
iface lo inet loopback

# Auto generated venet0 interface
auto venet0
iface venet0 inet manual
    up ifconfig venet0 up
    up ifconfig venet0 127.0.0.2
    up route add default dev venet0
    down route del default dev venet0
    down ifconfig venet0 down

iface venet0 inet6 manual
    up route -A inet6 add default dev venet0
    down route -A inet6 del default dev venet0

auto venet0:0
iface venet0:0 inet static
    address 192.168.1.103
    netmask 255.255.255.255

auto venet0:1
iface venet0:1 inet static
    address IP_FAILOVER
    netmask 255.255.255.255
I also enabled IP forwarding (sysctl).
With this configuration, everything works well, so far so good.
Now, I want to secure my node and CTs a bit by configuring iptables on the node.
How do I set a default FORWARD DROP policy and still allow some traffic to be forwarded to the CTs?
For instance, one of my CTs is an Apache webserver, so I need to allow forwarding to it on port 80.
But whatever FORWARD rule I try to achieve this, it doesn't work.
My current iptables rules (which don't forward traffic on port 80):
Code:
*filter
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT DROP
# SSH
-A INPUT -p tcp --dport 22 -j ACCEPT
-A OUTPUT -p tcp --dport 22 -j ACCEPT
# Proxmox
-A INPUT -p tcp --dport 8006 -j ACCEPT
-A OUTPUT -p tcp --dport 8006 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp --dport 587 -j ACCEPT
# DNS, FTP, HTTP, NTP
-A OUTPUT -p tcp --dport 21 -j ACCEPT
-A OUTPUT -p tcp --dport 80 -j ACCEPT
-A OUTPUT -p tcp --dport 443 -j ACCEPT
-A OUTPUT -p tcp --dport 53 -j ACCEPT
-A OUTPUT -p udp --dport 53 -j ACCEPT
-A OUTPUT -p udp --dport 123 -j ACCEPT
# Loopback
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# Ping
-A INPUT -p icmp -j ACCEPT
-A OUTPUT -p icmp -j ACCEPT
# CTs
## Webserver
-A FORWARD -p tcp --dport 80 -d 192.168.1.103 -j ACCEPT
-A FORWARD -p tcp --dport 443 -d 192.168.1.103 -j ACCEPT
I need some advice please ;-)
Thanks.
Bye.
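Two things in the ruleset above stop port 80 from being forwarded: the FORWARD chain has no RELATED,ESTABLISHED rule, so the CT's SYN/ACK back to the client is dropped by the policy, and with venet the failover address is routed directly to the CT, so inbound web packets arrive with IP_FAILOVER as destination and never match `-d 192.168.1.103`. The script below is an added example written for this thread, not the poster's or Proxmox's own code; it rebuilds only the FORWARD chain and leaves the INPUT/OUTPUT rules from the post untouched. It assumes the CT keeps 192.168.1.103, that the failover IP is passed in as FAILOVER_IP (the default 203.0.113.10 is a documentation placeholder), that eth0 is the uplink and 192.168.1.0/24 the private CT network; the IPT variable is a hypothetical hook so the commands can be previewed with IPT=echo before touching the kernel.

```shell
#!/bin/sh
# Added example (not from the original post): a FORWARD chain that keeps the
# default DROP policy but still lets HTTP/HTTPS reach the web-server CT and
# lets the CTs open outbound connections.
#
# Assumptions (adjust to your setup):
#   - web CT private address 192.168.1.103 as in the post
#   - its failover IP is given via FAILOVER_IP; 203.0.113.10 is a placeholder
#   - eth0 is the public uplink, 192.168.1.0/24 the private CT network
#   - IPT is the iptables binary; IPT=echo previews instead of applying

CT_WEB_PRIV="192.168.1.103"
CT_WEB_PUB="${FAILOVER_IP:-203.0.113.10}"   # placeholder, set the real failover IP
CT_NET="192.168.1.0/24"
WAN_IF="eth0"
IPT="${IPT:-iptables}"

# Rebuild the FORWARD chain from scratch. Order matters: conntrack rules first,
# then the explicit allowances; everything else falls through to the policy.
apply_forward_rules() {
    $IPT -F FORWARD
    $IPT -P FORWARD DROP

    # 1. Replies and related packets of connections already accepted, in both
    #    directions. Without this the SYN reaches the CT but the SYN/ACK back to
    #    the client is dropped, so the TCP handshake never completes.
    $IPT -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    $IPT -A FORWARD -m conntrack --ctstate INVALID -j DROP

    # 2. New inbound HTTP/HTTPS from the uplink to the web CT. With venet the
    #    failover address is routed straight to the CT, so inbound packets carry
    #    the failover IP as destination, not 192.168.1.103: allow both addresses.
    for dst in "$CT_WEB_PRIV" "$CT_WEB_PUB"; do
        $IPT -A FORWARD -i "$WAN_IF" -d "$dst" -p tcp -m multiport --dports 80,443 \
             -m conntrack --ctstate NEW -j ACCEPT
    done

    # 3. New outbound connections from the private CT network (masqueraded by
    #    the POSTROUTING rule in /etc/network/interfaces). Narrow this to the
    #    ports the CTs really need once the basics work.
    $IPT -A FORWARD -s "$CT_NET" -o "$WAN_IF" -m conntrack --ctstate NEW -j ACCEPT

    # 4. Rate-limited log of what the policy is about to drop, so a missing
    #    rule shows up in the kernel log instead of failing silently.
    $IPT -A FORWARD -m limit --limit 5/min -j LOG --log-prefix "FORWARD-DROP: "
}

# Apply only when invoked as "sh forward-rules.sh apply"; otherwise just
# define the function (e.g. for sourcing or a preview with IPT=echo).
if [ "${1:-}" = "apply" ]; then
    apply_forward_rules
fi
```

Preview with `IPT=echo sh forward-rules.sh apply`, then apply as root and check the counters with `iptables -L FORWARD -v -n` while fetching a page from the CT: the packet count on the port 80/443 rule should rise, and anything hitting the LOG rule tells you which traffic still lacks an allowance.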