Simple Firewall - 1 IP for Host, 1 Bridge, 2 Guests

Eugene Piatenko

Feb 14, 2017
Please can somebody help?

I want to create a very simple configuration:

1. One IP for host, eth0 interface
2. One Bridge, vmbr1 with IP 10.0.1.1/24
3. Two VM Guests (Ubuntu-1 and Ubuntu-2):
4. Ubuntu-1 uses bridge vmbr1 and has IP 10.0.1.10, gateway 10.0.1.1
5. Ubuntu-2 uses bridge vmbr1 and has IP 10.0.1.20, gateway 10.0.1.1

So it's a very simple configuration...
Everything works, I can access the internet from both Ubuntu-1 and Ubuntu-2.

But when I enable "Firewall" for the network interface on Ubuntu-1, for example,
I cannot get to the internet, not even ping 10.0.1.1.

What could be a problem?

It's a really simple configuration...

Thanks a lot for help!
Code:
auto eth0
iface eth0 inet dhcp

auto vmbr1
iface vmbr1 inet static
    address  10.0.1.1
    netmask  255.255.255.0
    bridge_ports none
    bridge_stp off
    bridge_fd 0

    post-up echo 1 > /proc/sys/net/ipv4/ip_forward
    post-up   iptables -t nat -A POSTROUTING -s '10.0.1.0/24' -o eth0 -j MASQUERADE
    post-down iptables -t nat -D POSTROUTING -s '10.0.1.0/24' -o eth0 -j MASQUERADE
 
The default firewall INPUT policy is DROP, i.e. any incoming connection attempt (to the Proxmox host) is ignored, except access to the ssh service and the web GUI at the main IP address. This already takes effect when you activate the firewall, without any further action. For the above-mentioned case, e.g., you have to set the host address 10.0.1.1 to ACCEPT.

For more details, have a look at the output of

Code:
iptables-save
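One way to express the ACCEPT suggested above in the Proxmox firewall's own config format, as an added example that is not part of the thread. It assumes the datacenter-level file /etc/pve/firewall/cluster.fw, the alias names vmnet and vmgw are chosen here, and only ICMP is opened because that is all the post needs; traffic the guests send out via MASQUERADE traverses FORWARD, not INPUT, so the rule is scoped to packets addressed to the host's 10.0.1.1 itself.

```ini
# /etc/pve/firewall/cluster.fw  (constructed example; adjust to your setup)

[OPTIONS]
# Datacenter-wide firewall on. With this enabled, the host's INPUT policy
# is DROP and only ssh / web GUI on the management address stay reachable.
enable: 1

[ALIASES]
# Guest subnet on vmbr1 and the host's address on it (the guests' gateway).
vmnet 10.0.1.0/24
vmgw 10.0.1.1

[RULES]
# Allow guests on vmbr1 to ping their gateway address on the host.
# Scoped to the gateway address and to ICMP; widen only if the host also
# provides a service (e.g. DNS) to the guests, one rule per service.
IN ACCEPT -source vmnet -dest vmgw -p icmp -log nolog
```

The same `[RULES]` entry can instead be placed in the node's host-level file (/etc/pve/nodes/<node>/host.fw) if it should apply to a single host only; after editing, `iptables-save` on the host should show the corresponding ACCEPT ahead of the INPUT DROP.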
 
