[Solved] Help with Firewall blocking access from virtual ethernet devices

auser

TLDR: this is NOT about not being able to access PXVE from external SSH client.
This is asking how to stop Firewall from blocking accesses to a local virtual ethernet device, which it happens I am accessing _from_ a local tun device which is the exit of an ssh point-to-point encrypted IP tunnel.

Apologies, the post is slightly long, but it could also be a good guide to ssh access to the web GUI for newbies. :)

Some background.
I have fully working GUI and ssh access to my PXVE development server on the LAN here beside me.
As intermediate steps I first set up simple SSH access:

GUI accessible via
'firefox --url=https://192.168.5.252:8006'

I had setup access to web GUI via ssh port forward:

Code:
# temporary. use an external interface to proxy via ssh
Host deb82_pe
        Hostname 192.168.11.138
        Port 22
        User root
        LocalForward localhost:18006 192.168.11.138:8006
        LocalForward localhost:3128 192.168.11.138:3128
        LocalForward localhost:61000 192.168.11.138:61000

GUI accessible via
'firefox --url=https://127.0.0.1:18006'

Then I had set up a virtual ethernet dummy interface on the server
Code:
root@deb82:~# cat /etc/network/interfaces.d/dummy0
auto dummy0
iface dummy0 inet static
        address 10.255.0.1
        netmask 255.0.0.0
        bridge_ports none
Access to the web GUI via ssh (PXVE listening on a local virtual interface dummy0):
Code:
Host deb82_p
        Hostname 192.168.11.138
        Port 22
        User root
        LocalForward localhost:18006 10.255.0.1:8006
        LocalForward localhost:3128 10.255.0.1:3128
        LocalForward localhost:61000 10.255.0.1:61000

Those were intermediate steps on the way to setting up a tun device that sshd could use:
Code:
root@deb82:~# cat /etc/network/interfaces.d/tun0
auto tun0
iface tun0 inet manual
  tunctl_user ssh
  up ifconfig tun0 promisc arp 0.0.0.0 up

[user@k8 ~]$ sudo ssh -l root -o Tunnel=point-to-point -w any:0 192.168.11.138

root@deb82:~# ip addr | egrep -A 2 '^[[:digit:]]+:[[:space:]]+tun[[:digit:]]+:[[:space:]]+'
40: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN group default qlen 500
    link/none
    inet 10.0.10.1/8 scope global tun0
After adding IP addresses and checking routing etc.
I can access the web GUI on PXVE using the encrypted tunnel thus:


GUI accessible via
'firefox --url=https://10.255.0.1:8006'


So far all is good.
I have a 10.0.0.0/8 encrypted network that I can use for administration.
:) :) :)

Now I try to use the Proxmox Firewall and stuff begins to confuse me.
I attempted to follow along according to the documentation.
https://pve.proxmox.com/wiki/Proxmox_VE_Firewall#WebUI_Configuration

I have been familiar with iptables for many years, but when I cannot make the firewall do what I want,
my thought is to return it to disabled and thus restore my access, but this does not happen.

Reload the firewall settings to activate any changes.
Server View / NodeName / Services Tab / pve-firewall Restart

But now my access to dummy0 10.255.0.1 _from_ tun0 is filtered
whereas access to dummy0 from 127.0.0.1 still works.

Code:
root@deb82:~# nmap -S 127.0.0.1 -T4 -Pn -p 22,111,3128,5900,8006,61000 10.255.0.1

Starting Nmap 6.47 ( http://nmap.org ) at 2016-09-14 11:46 BST
Nmap scan report for 10.255.0.1
Host is up (0.000018s latency).
PORT      STATE    SERVICE
22/tcp    open     ssh
111/tcp   open     rpcbind
3128/tcp  open     squid-http
5900/tcp  filtered vnc
8006/tcp  open     unknown
61000/tcp filtered unknown

Nmap done: 1 IP address (1 host up) scanned in 14.38 seconds
root@deb82:~#

root@deb82:~# nmap  -e tun0 -T4 -Pn -p 22,111,3128,5900,8006,61000 10.255.0.1

Starting Nmap 6.47 ( http://nmap.org ) at 2016-09-14 11:47 BST
Nmap scan report for 10.255.0.1
Host is up (0.00083s latency).
PORT      STATE    SERVICE
22/tcp    filtered ssh
111/tcp   filtered rpcbind
3128/tcp  filtered squid-http
5900/tcp  filtered vnc
8006/tcp  filtered unknown
61000/tcp filtered unknown

Nmap done: 1 IP address (1 host up) scanned in 13.28 seconds
root@deb82:~#

p.s. I took screenshots but the forum would not let me upload them.
Code:
$ ls -lGh
total 424K
-rw-rw-r-- 1 colin 218K Sep 14 12:07 deb82_Datacentre_Firewall_Rules.png
-rw-rw-r-- 1 colin 203K Sep 14 12:10 deb82_Firewall_Rules.png

Code:
root@deb82:~# cat /etc/pve/firewall/cluster.fw
[OPTIONS]

enable: 1
policy_in: ACCEPT

[RULES]

OUT ACCEPT -i dummy0 -dest 192.168.0.0/16 -p tcp
IN ACCEPT -i dummy0 -source 192.168.0.0/16 -p tcp
IN ACCEPT -i dummy0 -source 10.0.0.0/8 -p tcp
OUT ACCEPT -i dummy0 -dest 10.0.0.0/8 -p tcp
IN ACCEPT -i tun0 -source 192.168.0.0/16 -p tcp
OUT ACCEPT -i tun0 -dest 192.168.0.0/16 -p tcp
OUT ACCEPT -i tun0 -dest 10.0.0.0/8 -p tcp
IN ACCEPT -i tun0 -source 10.0.0.0/8 -p tcp
|IN ACCEPT -i dummy0 -p tcp -dport 61000
|IN ACCEPT -i dummy0 -p tcp -dport 3128
|IN ACCEPT -i dummy0 -p tcp -dport 8006
|IN ACCEPT -i vmbr1 -p tcp -dport 8006
|IN ACCEPT -i vmbr1 -p tcp -dport 22
IN ACCEPT -i eth1 -dest 192.168.5.252 -p tcp -dport 22
IN ACCEPT -i eth0 -dest 192.168.11.138 -p tcp -dport 22

Code:
root@deb82:~# cat /etc/pve/nodes/deb82/host.fw
[OPTIONS]

enable: 1
log_level_in: debug
log_level_out: debug

[RULES]

OUT ACCEPT -i dummy0 -dest 192.168.0.0/16 -p tcp
IN ACCEPT -i dummy0 -source 192.168.0.0/16 -p tcp
OUT ACCEPT -i tun0 -dest 192.168.0.0/16 -p tcp
IN ACCEPT -i tun0 -source 192.168.0.0/16 -p tcp
OUT ACCEPT -i dummy0 -dest 10.0.0.0/8 -p tcp
IN ACCEPT -i dummy0 -source 10.0.0.0/8 -p tcp
OUT ACCEPT -i tun0 -dest 10.0.0.0/8 -p tcp
IN ACCEPT -i tun0 -source 10.0.0.0/8 -p tcp
IN ACCEPT -i eth0 -source 192.168.0.0/16 -p tcp
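
An added example, written for this thread and not code from the post or from pve-firewall: a small Python simulator that parses rule files in the syntax quoted above ([OPTIONS]/[RULES], IN/OUT, -i, -source, -dest, -p, -dport) and reports which rule, if any, is the first to match a given packet, falling back to the section policy. It assumes the documented PVE conventions that a leading | disables a rule and that the defaults are policy_in DROP and policy_out ACCEPT; the function names and the sample source addresses (10.0.10.2, 172.16.0.9) are constructed. Walking the file this way shows what the rules say, not necessarily what the kernel does, because pve-firewall compiles them into a larger iptables ruleset with connection tracking and other chains; iptables-save on the node remains the authoritative check.

```python
# Added example: first-match simulator for Proxmox-VE-style rule files.
# Not pve-firewall code; it models only the syntax seen in the thread.
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample input: the cluster.fw quoted in the post.
CLUSTER_FW = """\
[OPTIONS]
enable: 1
policy_in: ACCEPT

[RULES]
OUT ACCEPT -i dummy0 -dest 192.168.0.0/16 -p tcp
IN ACCEPT -i dummy0 -source 192.168.0.0/16 -p tcp
IN ACCEPT -i dummy0 -source 10.0.0.0/8 -p tcp
OUT ACCEPT -i dummy0 -dest 10.0.0.0/8 -p tcp
IN ACCEPT -i tun0 -source 192.168.0.0/16 -p tcp
OUT ACCEPT -i tun0 -dest 192.168.0.0/16 -p tcp
OUT ACCEPT -i tun0 -dest 10.0.0.0/8 -p tcp
IN ACCEPT -i tun0 -source 10.0.0.0/8 -p tcp
|IN ACCEPT -i dummy0 -p tcp -dport 61000
|IN ACCEPT -i dummy0 -p tcp -dport 3128
|IN ACCEPT -i dummy0 -p tcp -dport 8006
|IN ACCEPT -i vmbr1 -p tcp -dport 8006
|IN ACCEPT -i vmbr1 -p tcp -dport 22
IN ACCEPT -i eth1 -dest 192.168.5.252 -p tcp -dport 22
IN ACCEPT -i eth0 -dest 192.168.11.138 -p tcp -dport 22
"""


@dataclass
class Rule:
    direction: str      # "IN" or "OUT"
    action: str         # "ACCEPT", "DROP", "REJECT"
    enabled: bool       # False when the line starts with '|' (disabled rule)
    raw: str            # original line, kept for reporting
    iface: Optional[str] = None
    source: Optional[ipaddress.IPv4Network] = None
    dest: Optional[ipaddress.IPv4Network] = None
    proto: Optional[str] = None
    dport: Optional[int] = None


def parse_rule(line: str) -> Rule:
    """Parse one [RULES] line; only the options used in the thread are supported."""
    enabled = not line.startswith("|")
    tokens = line.lstrip("|").split()
    rule = Rule(tokens[0].upper(), tokens[1].upper(), enabled, line)
    opts = tokens[2:]
    if len(opts) % 2:
        raise ValueError(f"dangling option in rule: {line!r}")
    for opt, val in zip(opts[::2], opts[1::2]):
        if opt == "-i":
            rule.iface = val
        elif opt == "-source":
            rule.source = ipaddress.ip_network(val, strict=False)
        elif opt == "-dest":
            rule.dest = ipaddress.ip_network(val, strict=False)
        elif opt == "-p":
            rule.proto = val.lower()
        elif opt == "-dport":
            rule.dport = int(val)
        else:
            raise ValueError(f"unsupported option {opt!r} in rule: {line!r}")
    return rule


def parse_fw(text: str):
    """Return (options, rules) from the [OPTIONS] and [RULES] sections."""
    options, rules, section = {}, [], None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = re.fullmatch(r"\[(\w+)\]", line)
        if m:
            section = m.group(1).upper()
        elif section == "OPTIONS":
            key, _, val = line.partition(":")
            options[key.strip()] = val.strip()
        elif section == "RULES":
            rules.append(parse_rule(line))
    return options, rules


def matches(rule, direction, iface, src, dst, proto, dport):
    """True when the rule is enabled and every option it sets agrees with the packet."""
    return (rule.enabled and rule.direction == direction
            and (rule.iface is None or rule.iface == iface)
            and (rule.source is None or ipaddress.ip_address(src) in rule.source)
            and (rule.dest is None or ipaddress.ip_address(dst) in rule.dest)
            and (rule.proto is None or rule.proto == proto)
            and (rule.dport is None or rule.dport == dport))


def first_match(rules, direction, iface, src, dst, proto, dport):
    """First enabled rule matching the packet, in file order, or None."""
    return next((r for r in rules if matches(r, direction, iface, src, dst, proto, dport)), None)


def decide(options, rules, direction, iface, src, dst, proto, dport):
    """Action of the first match, else policy_in/policy_out (defaults DROP / ACCEPT)."""
    rule = first_match(rules, direction, iface, src, dst, proto, dport)
    if rule:
        return rule.action
    default = "DROP" if direction == "IN" else "ACCEPT"
    return options.get(f"policy_{direction.lower()}", default).upper()


if __name__ == "__main__":
    opts, rules = parse_fw(CLUSTER_FW)
    # The packet the thread is about: a GUI request arriving over the ssh tunnel.
    hit = first_match(rules, "IN", "tun0", "10.0.10.2", "10.255.0.1", "tcp", 8006)
    print(hit.raw if hit else "no rule; falls to policy")
```

Feeding the quoted file through it, the tunnelled GUI request (IN on tun0 from 10.0.10.2 to 10.255.0.1, tcp/8006) lands on the rule "IN ACCEPT -i tun0 -source 10.0.0.0/8 -p tcp", and the five |-prefixed rules are skipped entirely. When the file says ACCEPT but the node still reports filtered, as the nmap run above shows, the discrepancy is in the generated ruleset rather than in these lines, which is what makes dumping the live iptables state the next step.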
 
If you're familiar with iptables, iptables-save should give the ruleset generated by the pve-firewall service.
BTW why do you want to tunnel the HTTP connection to PVE (note the absence of an X in the product name :)
Isn't HTTPS enough?