Setting up Proxmox Firewall with NAT rules - Best practices

kamzata

Jan 21, 2011
Italy
How can I use the Proxmox Firewall GUI and, at the same time, use some NAT PREROUTING and POSTROUTING rules?

By the way... NAT rules must be applied just for IPv4. On the IPv6 side I just need to filter some ports.

What's the best way to configure the firewall for both protocols?
 
For example:

Create new Bridge Int:

auto vmbr1
iface vmbr1 inet static
    address 20.0.0.254
    netmask 255.255.255.0
    bridge_ports none
    bridge_stp off
    bridge_fd 0
    # forward IPv4 between vmbr1 and vmbr0
    post-up echo 1 > /proc/sys/net/ipv4/ip_forward
    # the source must be the bridge subnet (20.0.0.0/24); the posted rule had 10.0.0.0/24,
    # which does not match the address above and would masquerade nothing
    post-up iptables -t nat -A POSTROUTING -s '20.0.0.0/24' -o vmbr0 -j MASQUERADE
    # note: -F flushes every rule in the nat table, not only the ones added here
    post-down iptables -t nat -F


To make, for example, a webserver available from outside you need to write:

post-up iptables -t nat -A PREROUTING -i vmbr0 -p tcp --dport 80 -j DNAT --to 20.0.0.10:80
post-up iptables -t nat -A PREROUTING -i vmbr0 -p tcp --dport 443 -j DNAT --to 20.0.0.10:443


SSH example:

post-up iptables -t nat -A PREROUTING -i vmbr0 -p tcp --dport 30001 -j DNAT --to 20.0.0.10:22

The Proxmox GUI works by default on port 8006, which means I don't see any problems there.

From a security aspect you should put the GUI inside a VPN; from there you can manage everything with routing, if the VM or LXC container doesn't need to be available from outside.

About the Proxmox Firewall, you should know that each change you make in v4 is automatically used even for v6 sessions by default.

I am not very good at understanding firewalls; maybe someone who reads this post can clarify this.

See you.

Alex

Thanks for your reply. Yeah, until now I used IPv4 and NAT, and I configured the firewall by putting my rules in a file:

iptables.up.rules:

#############################################################################################
*filter
#############################################################################################
:FORWARD ACCEPT [0:0]
:INPUT DROP [0:0]
:OUTPUT ACCEPT [0:0]
####################

-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# NOTE: the next rule has no protocol or port match, so it ACCEPTs any new
# inbound packet up to 400/minute and bypasses the INPUT DROP policy at that
# rate; disabled here for that reason.
#-A INPUT -m limit --limit 400/minute --limit-burst 1600 -j ACCEPT
-A INPUT -p icmp -m limit --limit 400/minute --limit-burst 1600 -j ACCEPT
-A INPUT -p tcp --syn -m connlimit --connlimit-above 100 -j REJECT --reject-with tcp-reset
# never reached: ESTABLISHED,RELATED is already accepted unconditionally above
-A INPUT -m state --state RELATED,ESTABLISHED -m limit --limit 2000/second --limit-burst 2010 -j ACCEPT

### SSH
-A INPUT -p tcp -m tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
# redundant with the OUTPUT ACCEPT policy, kept as posted
-A OUTPUT -p tcp -m tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT

### PROXMOX
-A INPUT -p tcp -m tcp --dport 8006 -j ACCEPT

### DHCP (UDP only; the TCP rules are harmless but never match)
-A INPUT -p tcp -m tcp --dport 67 -j ACCEPT
-A INPUT -p udp -m udp --dport 67 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 68 -j ACCEPT
-A INPUT -p udp -m udp --dport 68 -j ACCEPT

### HTTP and HTTPS
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT

####################
COMMIT



#############################################################################################
*nat
#############################################################################################
:OUTPUT ACCEPT [0:0]
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
####################

# outbound traffic from each container subnet leaves from its own public address
-A POSTROUTING -s 192.168.1.0/24 -o vmbr0 -j SNAT --to-source 51.XXX.245.61
-A POSTROUTING -s 192.168.2.0/24 -o vmbr0 -j SNAT --to-source 51.XXX.245.70

# CT1: HTTP/HTTPS on the standard ports, SSH reachable on public port 22100
-A PREROUTING -p tcp -m tcp -d 51.XXX.245.61 -i vmbr0 --dport 80 -j DNAT --to-destination 192.168.1.100:80
-A PREROUTING -p tcp -m tcp -d 51.XXX.245.61 -i vmbr0 --dport 443 -j DNAT --to-destination 192.168.1.100:443
-A PREROUTING -p tcp -m tcp -d 51.XXX.245.61 -i vmbr0 --dport 22100 -j DNAT --to-destination 192.168.1.100:22

# CT2: same layout, SSH reachable on public port 22200
-A PREROUTING -p tcp -m tcp -d 51.XXX.245.70 -i vmbr0 --dport 80 -j DNAT --to-destination 192.168.2.100:80
-A PREROUTING -p tcp -m tcp -d 51.XXX.245.70 -i vmbr0 --dport 443 -j DNAT --to-destination 192.168.2.100:443
-A PREROUTING -p tcp -m tcp -d 51.XXX.245.70 -i vmbr0 --dport 22200 -j DNAT --to-destination 192.168.2.100:22

####################
COMMIT


#############################################################################################
*mangle
#############################################################################################
# the packet/byte counters in brackets are ignored by iptables-restore unless -c is given
:PREROUTING ACCEPT [6361:22504845]
:INPUT ACCEPT [6361:22504845]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [4510:394131]
:POSTROUTING ACCEPT [4510:394131]
####################


####################
COMMIT


then to apply those rules:

# iptables-save only writes the running ruleset to stdout and does not read a file,
# so the first command did nothing; iptables-restore alone loads the file
iptables-restore < iptables.up.rules

But now I'm starting to use IPv6, so my 2 containers (CT1 192.168.1.100 and CT2 192.168.2.100) have become directly exposed.

My thought would be roughly like this: apply filter rules on the host using the Proxmox GUI for both IPv4 and IPv6, and "join" the NAT rules, always on the host of course, like I did until now. Furthermore I need to "transfer" those filter rules to the containers for IPv6 in some way. How does it sound?
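As an added example (not code from the thread, the poster, or Proxmox), here is one way to keep the IPv4 NAT rules in an interfaces post-up/post-down hook without the flush-everything and duplicate-on-reload problems of the lines above, and to express the IPv6 port filter for CT1 as a Proxmox firewall ruleset instead of copying iptables rules into the container. The public address 203.0.113.10, the container 192.168.1.100 and the VMID placeholder are assumed values.

```shell
#!/bin/sh
# Added example (not from the thread, not Proxmox code): idempotent IPv4 NAT
# hooks for the interfaces file, driven by one forward table, plus the matching
# Proxmox firewall ruleset that filters the container's ports on IPv6, where
# no NAT hides it. The Proxmox firewall does not manage the nat table, so
# these rules and the GUI filter rules coexist. VMID is a placeholder.
# Constructed values: 203.0.113.10 stands in for the public address of CT1.
WAN_IF=vmbr0
LAN_NET=192.168.1.0/24
SNAT_IP=203.0.113.10
# One forward per line: public_ip wan_port ct_ip ct_port
FORWARDS='203.0.113.10 80 192.168.1.100 80
203.0.113.10 443 192.168.1.100 443
203.0.113.10 22100 192.168.1.100 22'

# Emit each nat rule spec (chain first, without -A/-D) derived from the table.
nat_specs() {
    printf '%s\n' "$FORWARDS" | while read -r pub wport ct cport; do
        [ -n "$pub" ] || continue
        printf 'PREROUTING -i %s -p tcp -d %s --dport %s -j DNAT --to-destination %s:%s\n' \
            "$WAN_IF" "$pub" "$wport" "$ct" "$cport"
    done
    # Fixed-source SNAT rather than MASQUERADE: replies always leave from SNAT_IP.
    printf 'POSTROUTING -s %s -o %s -j SNAT --to-source %s\n' "$LAN_NET" "$WAN_IF" "$SNAT_IP"
}
# post-up: -C checks whether the rule exists, so a second ifup adds no duplicates.
# $spec is word-split on purpose.
apply_nat() {
    nat_specs | while read -r spec; do
        iptables -t nat -C $spec 2>/dev/null || iptables -t nat -A $spec
    done
}
# post-down: delete exactly these rules instead of flushing the whole nat table.
remove_nat() {
    nat_specs | while read -r spec; do iptables -t nat -D $spec 2>/dev/null || true; done
}
# IPv6 side: /etc/pve/firewall/VMID.fw content opening only the container ports
# that are forwarded above (22, not the public 22100), default policy DROP.
ct_fw_rules() {
    printf '[OPTIONS]\nenable: 1\npolicy_in: DROP\n\n[RULES]\n'
    printf '%s\n' "$FORWARDS" | awk 'NF { print $4 }' | sort -un |
        while read -r port; do printf 'IN ACCEPT -p tcp -dport %s\n' "$port"; done
}
# post-up  /path/to/this.sh up   /  post-down /path/to/this.sh down
# this.sh fw > /etc/pve/firewall/VMID.fw (then enable the firewall on the CT's net device)
case "${1:-}" in
    up)   apply_nat ;;
    down) remove_nat ;;
    fw)   ct_fw_rules ;;
esac
```

The Proxmox rules carry no address, so the same ruleset also governs the IPv4 side once the DNAT'd packets reach the container, which keeps one port list for both protocols.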
 
