[SOLVED] Rules don't have the desired effect

lifeboy

Renowned Member
I want to isolate some machines from all the others in the cluster, having them only accessible from the internet. So I have set up some rules to attempt to achieve this, but they either appear to be ignored or I'm doing something wrong.

1600863908140.png

+internet_access is defined as follows:

1600863962357.png

+other_tenants is defined as follows:

1600864009528.png

So the first rule will allow traffic OUT from the gateway.
The second rule blocks traffic to any LAN (192.168.131.0/24) destination.
The third rule blocks IN traffic from any LAN (192.168.131.0/24) source.

However, if I ping this VM (192.168.131.183) from 192.168.131.160, the traffic is allowed:
# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
link/ether 76:88:bc:dd:f9:ef brd ff:ff:ff:ff:ff:ff
inet 192.168.131.160/24 brd 192.168.131.255 scope global eth0
valid_lft forever preferred_lft forever
inet6 fe80::7488:bcff:fedd:f9ef/64 scope link
valid_lft forever preferred_lft forever
# ping 192.168.131.183
PING 192.168.131.168 (192.168.131.183) 56(84) bytes of data.
64 bytes from 192.168.131.183: icmp_seq=1 ttl=64 time=0.110 ms
64 bytes from 192.168.131.183: icmp_seq=2 ttl=64 time=0.367 ms
^C
--- 192.168.131.183 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1025ms
rtt min/avg/max/mdev = 0.110/0.238/0.367/0.129 ms


What am I doing wrong? The firewall service is enabled as per this post: https://forum.proxmox.com/threads/firewall-gui-rule-activation.76384/#post-339802
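To reason about a rule set like the one in this post without guessing, it helps to have a small offline model of how the Proxmox VE VM firewall evaluates rules (first enabled match wins, otherwise the section's policy), together with a check of the three switches that all have to be on before any VM rule is applied at all: the datacenter firewall, the VM's own firewall option, and `firewall=1` on the VM's NIC. The following Python is an added example written for this thread, not code from the post or from Proxmox. It assumes the `.fw` file layout (`[OPTIONS]`, `[IPSET name]`, `[RULES]`, `+name` ipset references, a `|` prefix for disabled rules) and the default policies (IN DROP, OUT ACCEPT); it deliberately ignores protocol and port options and the "internet_access" set, and all sample file contents are constructed.

```python
import ipaddress
import re

# Constructed sample file contents for this example (not taken from the post).
CLUSTER_FW = """[OPTIONS]
enable: 1
"""

VM_FW = """[OPTIONS]
enable: 1
policy_in: DROP

[IPSET other_tenants]
192.168.131.0/24 # the shared tenant LAN

[RULES]
|IN ACCEPT -source 192.168.131.5 # disabled rule ('|' prefix), must be ignored
OUT DROP -dest +other_tenants
IN DROP -source +other_tenants
OUT ACCEPT
IN ACCEPT
"""

# The NIC line from /etc/pve/qemu-server/<vmid>.conf, with and without firewall=1
# (constructed; the MAC is the one shown in the post's `ip a` output).
VM_CONF_NO_FW = "net0: virtio=76:88:BC:DD:F9:EF,bridge=vmbr0\n"
VM_CONF_FW = "net0: virtio=76:88:BC:DD:F9:EF,bridge=vmbr0,firewall=1\n"


def parse_rule(line):
    """'OUT DROP -dest +other_tenants' -> {'dir': 'OUT', 'action': 'DROP', 'dest': ...}."""
    enabled = not line.startswith("|")
    tokens = line.lstrip("|").split()
    rule = {"dir": tokens[0].upper(), "action": tokens[1].upper(), "enabled": enabled}
    for key, val in zip(tokens[2::2], tokens[3::2]):
        rule[key.lstrip("-")] = val
    return rule


def parse_fw(text):
    """Parse a .fw file into options, named ipsets (as ip_network lists) and rules."""
    cfg = {"options": {}, "ipsets": {}, "rules": []}
    section = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # strip trailing comments
        if not line:
            continue
        header = re.match(r"^\[(\w+)(?:\s+(\S+))?\]$", line)
        if header:
            kind, name = header.group(1).upper(), header.group(2)
            if kind == "IPSET":
                cfg["ipsets"].setdefault(name, [])
            section = (kind, name)
            continue
        if section is None:
            continue
        kind, name = section
        if kind == "OPTIONS":
            key, _, val = line.partition(":")
            cfg["options"][key.strip()] = val.strip()
        elif kind == "IPSET":
            cfg["ipsets"][name].append(ipaddress.ip_network(line, strict=False))
        elif kind == "RULES":
            cfg["rules"].append(parse_rule(line))
    return cfg


def addr_matches(spec, addr, ipsets):
    """spec is '+ipsetname' or an IP/CIDR; an absent spec matches any address."""
    if spec is None:
        return True
    ip = ipaddress.ip_address(addr)
    if spec.startswith("+"):
        return any(ip in net for net in ipsets.get(spec[1:], []))
    return ip in ipaddress.ip_network(spec, strict=False)


def evaluate(fw_text, direction, src, dst):
    """Return ACCEPT/DROP/REJECT for one packet: first enabled matching rule, else policy."""
    cfg = parse_fw(fw_text)
    direction = direction.upper()
    for rule in cfg["rules"]:
        if not rule["enabled"] or rule["dir"] != direction:
            continue
        if addr_matches(rule.get("source"), src, cfg["ipsets"]) and \
           addr_matches(rule.get("dest"), dst, cfg["ipsets"]):
            return rule["action"]
    default = "DROP" if direction == "IN" else "ACCEPT"
    key = "policy_in" if direction == "IN" else "policy_out"
    return cfg["options"].get(key, default).upper()


def missing_enables(cluster_fw, vm_fw, vm_conf):
    """List the switches that still stop the VM rules from being applied at all."""
    problems = []
    if parse_fw(cluster_fw)["options"].get("enable") != "1":
        problems.append("datacenter firewall disabled (cluster.fw [OPTIONS] enable: 1)")
    if parse_fw(vm_fw)["options"].get("enable") != "1":
        problems.append("VM firewall disabled (<vmid>.fw [OPTIONS] enable: 1)")
    for m in re.finditer(r"^(net\d+):\s*(.*)$", vm_conf, re.M):
        opts = dict(kv.split("=", 1) for kv in m.group(2).split(",") if "=" in kv)
        if opts.get("firewall") != "1":
            problems.append(f"{m.group(1)} has no firewall=1, traffic bypasses the VM rules")
    return problems


if __name__ == "__main__":
    print("LAN ping IN  :", evaluate(VM_FW, "IN", "192.168.131.160", "192.168.131.183"))
    print("Internet IN  :", evaluate(VM_FW, "IN", "203.0.113.10", "192.168.131.183"))
    print("Missing      :", missing_enables(CLUSTER_FW, VM_FW, VM_CONF_NO_FW))
```

With the rule set above the model returns DROP for the LAN ping and ACCEPT from an internet address, so if the real VM still answers pings from 192.168.131.160 the first thing to look at is `missing_enables`: a NIC without `firewall=1` is the usual reason a correct-looking rule set is silently never applied.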
Hi,

ping is an arp package and this is at layer 2 and not on layer 3.
You can use arptables for this.
But this has to be manually configured.
 
I don't know what exactly you mean. Can you give a reference to this
specific protocol test for ICMP packets in iptables?

But I guess it is related to ICMP tunnel that uses IP for the tunnel.
 
Yes, because the ping command uses both ICMP and IP headers.