[SOLVED] Strange behaviour

LnxBil (Distinguished Member, Feb 21, 2015, Saarland, Germany)
I encountered a strange behaviour in my cluster with respect to VM firewalling.

I created a pve node iptables rule to redirect traffic from 443 to 8006, which works great for
  • all external clients
  • VMs hosted on the cluster without firewall
  • VMs with firewall enabled that are not running on the node I want to access
  • BUT NOT on VMs with firewall enabled that are running on the node I want to access
If I check the firewall box on the interface configuration, the connection to the redirected service is not available. If I uncheck the box, it is working as expected.

I could replicate this by just using one PVE VM:
  • install PVE 7 and update to current non-subscription repository and reboot (just in case it has been already fixed)
  • add iptables rule iptables -t nat -A PREROUTING -d <pve-host-ip> -p tcp --dport 443 -j REDIRECT --to-port 8006
  • create container of your choice (I used alpine) and check the firewall box
  • enable datacenter firewall (accept all)
  • enable container firewall (accept all)
  • curl https://<pve-host-ip>/ from the outside, works
  • curl https://<pve-host-ip>:8006/ from the container, works
  • curl https://<pve-host-ip>/ from the container, does not work
So what's going on there and how can I fix it?
Let me just ask if your VM machine is behind a NAT or is it just a normal Linux bridge?
Yes, normal bridge, nothing fancy.

It sounds a bit like PREROUTING chain is not used if the packet originates locally [1], but I'm not sure if this is the case with packets from the VM.
The problem is that if firewalling is enabled, you will have more interfaces besides the tap<VMID> and you will have more chains/tables the packet travels through. If there is no firewall, it works, so it cannot be the default PREROUTING stuff. Any PVE add-on on top of the networking changes the behaviour, but I do not know what.

Were you able to reproduce the problem?
I could reproduce it. Took some time to figure this out; a colleague of mine found the solution. You need to replace the above redirect statement with this:

Code:
iptables -t nat -A PREROUTING -d [host] -p tcp --dport 443 -j DNAT --to [host]:8006
A bit of background:
see man iptables-extensions

Under "REDIRECT" it states:
Code:
...
and packets arriving on interfaces that don't have an IP address configured are dropped.
...

Which will always be the case since we have some interfaces without IPs in the setup. In particular this will be the "tap" device.
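The thread's reproduction steps and the fix boil down to one thing: a nat PREROUTING rule with a REDIRECT target fails for traffic that enters through an interface with no IP address (the tap device of a firewalled guest on the same node), while the equivalent DNAT rule does not. The following POSIX shell script is an added example, not code from the thread or from Proxmox: it audits a rule listing in `iptables -t nat -S PREROUTING` format for REDIRECT targets and rewrites each one into the DNAT form the thread recommends. The rule listing is constructed sample data and the 192.0.2.10 address is a placeholder host IP; run the audit against real `iptables -t nat -S PREROUTING` output by substituting it for `SAMPLE_RULES`.

```shell
#!/bin/sh
# Added example (not from the thread): find REDIRECT rules in a saved nat
# PREROUTING listing and emit the equivalent DNAT rule.
# Assumes the `iptables -t nat -S PREROUTING` output format, where REDIRECT
# is printed with `--to-ports` and DNAT with `--to-destination`.

# Constructed sample of `iptables -t nat -S PREROUTING` output (not captured
# from a real host); 192.0.2.10 stands in for the PVE host IP.
SAMPLE_RULES='-P PREROUTING ACCEPT
-A PREROUTING -d 192.0.2.10/32 -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 8006
-A PREROUTING -d 192.0.2.10/32 -p tcp -m tcp --dport 8443 -j DNAT --to-destination 192.0.2.10:8006'

# Print only the rules that use the REDIRECT target, i.e. the ones subject to
# the "packets arriving on interfaces that don't have an IP address configured
# are dropped" clause from iptables-extensions(8).
# $1 = rule listing
find_redirect_rules() {
    printf '%s\n' "$1" | grep -e '-j REDIRECT' || true
}

# Number of REDIRECT rules in a listing; a non-zero result means the setup
# will break for firewalled guests on the same node.
# $1 = rule listing
count_redirects() {
    find_redirect_rules "$1" | wc -l | tr -d ' '
}

# Rewrite one REDIRECT rule into the equivalent DNAT rule: same match part,
# but an explicit <host>:<port> destination instead of `--to-ports <port>`.
# $1 = one rule line (as printed by `iptables -S`), $2 = host IP to DNAT to.
# Returns 1 if the line is not a REDIRECT rule.
redirect_to_dnat() {
    rule=$1
    host=$2
    port=$(printf '%s\n' "$rule" | sed -n 's/.*-j REDIRECT --to-ports \([0-9]*\).*/\1/p')
    [ -n "$port" ] || return 1
    printf '%s\n' "$rule" | sed "s/-j REDIRECT --to-ports $port/-j DNAT --to-destination $host:$port/"
}

# Emit the DNAT replacement for every REDIRECT rule in a listing, prefixed with
# `iptables -t nat` so the output can be reviewed and then applied.
# $1 = rule listing, $2 = host IP
suggest_fixes() {
    find_redirect_rules "$1" | while IFS= read -r line; do
        fixed=$(redirect_to_dnat "$line" "$2") && printf 'iptables -t nat %s\n' "$fixed"
    done
}

# Stand-alone usage on the constructed sample.
if [ "$(count_redirects "$SAMPLE_RULES")" != "0" ]; then
    echo "REDIRECT rules found; suggested DNAT replacements:"
    suggest_fixes "$SAMPLE_RULES" 192.0.2.10
fi
```

Apply the suggested rule with `-A` only after deleting the old REDIRECT rule (same line with `-D` instead of `-A`), otherwise the REDIRECT rule, which comes first in the chain, keeps matching.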