I want to isolate some machines from all the others in the cluster, having them only accessible from the internet. So I have set up some rules to attempt to achieve this, but they either appear to be ignored or I'm doing something wrong.
+internet_access is defined is follows:
+other_tenants is defines are follows:
So the first rule will allow traffic OUT from the gateway.
The second rule blocks traffic to any LAN (192.168.131.0/24) destination
The third rule block IN traffic from any LAN (192.168.131.0/24) source
However, if ping this VM (192.168.131.183) from 192.168.131.160 the traffic is allowed
# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
link/ether 76:88:bc:dd:f9:ef brd ff:ff:ff:ff:ff:ff
inet 192.168.131.160/24 brd 192.168.131.255 scope global eth0
valid_lft forever preferred_lft forever
inet6 fe80::7488:bcff:fedd:f9ef/64 scope link
valid_lft forever preferred_lft forever
# ping 192.168.131.183
PING 192.168.131.168 (192.168.131.183) 56(84) bytes of data.
64 bytes from 192.168.131.183: icmp_seq=1 ttl=64 time=0.110 ms
64 bytes from 192.168.131.183: icmp_seq=2 ttl=64 time=0.367 ms
^C
--- 192.168.131.183 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1025ms
rtt min/avg/max/mdev = 0.110/0.238/0.367/0.129 ms
What do I do wrong? The firewall service is enabled as per this post: https://forum.proxmox.com/threads/firewall-gui-rule-activation.76384/#post-339802
+internet_access is defined is follows:
+other_tenants is defines are follows:
So the first rule will allow traffic OUT from the gateway.
The second rule blocks traffic to any LAN (192.168.131.0/24) destination
The third rule block IN traffic from any LAN (192.168.131.0/24) source
However, if ping this VM (192.168.131.183) from 192.168.131.160 the traffic is allowed
# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
link/ether 76:88:bc:dd:f9:ef brd ff:ff:ff:ff:ff:ff
inet 192.168.131.160/24 brd 192.168.131.255 scope global eth0
valid_lft forever preferred_lft forever
inet6 fe80::7488:bcff:fedd:f9ef/64 scope link
valid_lft forever preferred_lft forever
# ping 192.168.131.183
PING 192.168.131.168 (192.168.131.183) 56(84) bytes of data.
64 bytes from 192.168.131.183: icmp_seq=1 ttl=64 time=0.110 ms
64 bytes from 192.168.131.183: icmp_seq=2 ttl=64 time=0.367 ms
^C
--- 192.168.131.183 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1025ms
rtt min/avg/max/mdev = 0.110/0.238/0.367/0.129 ms
What do I do wrong? The firewall service is enabled as per this post: https://forum.proxmox.com/threads/firewall-gui-rule-activation.76384/#post-339802
Attachments
Last edited: