Timeout in Cluster

[punjprateek]

I have 6 server in cluster, when i enabled the firewall on Datacenter and Node Level, out of 6 server 1 server stopped responding to ssh, it says connection timeout.
i am also attaching the datacenter fw rules and node fw rule for reference. it would be great if someone can help me fix the problem

Spoiler: Cluster.fw

[OPTIONS]

enable: 1
ebtables: 1

[IPSET api-ips] # IP Sets of UAT and Prod apiservers

10.250.0.103 # Prod Orchestrator
10.250.0.108 # UAT Orchestrator
103.182.65.1 # UAT Orchestrator (Extn. IP)
103.182.65.2 # Prod Orchestrator (Extn. IP)

[IPSET dns]

10.250.0.2

[IPSET gateway]

10.250.0.1
10.250.50.5

[IPSET mgmt-ip] # 0.x Segment

10.250.0.0/23 # Mangement Segment

[IPSET nfs-ips] # Access Login

10.250.0.10

[IPSET vm-ips] # IP Range of Antplay VMs

10.250.50.0/23 # IP Address of Antplay VMs

[IPSET vpn-ip] # VPN segment

10.250.1.0/24

[RULES]

GROUP basic-port
GROUP moonlight
|IN ACCEPT -source +vm-ips -dest +dns -log nolog
|IN RDP(ACCEPT) -dest +vm-ips -log nolog
|OUT DROP -source +vm-ips -dest +mgmt-ip -log debug # disable play seg to mgmt seg

[group basic-port] # communication port

IN ACCEPT -source +vpn-ip -dest +vm-ips -log nolog
IN ACCEPT -p tcp -dport 22,8006 -log nolog # ssh and web interface ports

[group moonlight]

IN DROP -source +vm-ips -dest +vm-ips -log warning # Disable VM to VM access.
IN ACCEPT -p udp -dport 47998,47999,48000,48002,48010 -log nolog
IN ACCEPT -p tcp -dport 47984,47989,48010 -log nolog
IN ACCEPT -source +api-ips -dest +vm-ips -p udp -log nolog

Spoiler: node.fw

[OPTIONS]

enable: 1

[RULES]

IN DROP -source +vm-ips -dest +vm-ips -log nolog
|OUT DROP -source +vm-ips -dest +nfs-ips -log nolog
|GROUP basic-port
GROUP moonlight

Spoiler: pve version

proxmox-ve: 7.4-1 (running kernel: 5.15.108-1-pve)
pve-manager: 7.4-16 (running version: 7.4-16/0f39f621)
pve-kernel-5.15: 7.4-4
pve-kernel-5.11: 7.0-10
pve-kernel-5.15.108-1-pve: 5.15.108-2
pve-kernel-5.15.83-1-pve: 5.15.83-1
pve-kernel-5.11.22-7-pve: 5.11.22-12
pve-kernel-5.11.22-4-pve: 5.11.22-9
ceph-fuse: 15.2.14-pve1
corosync: 3.1.7-pve1
criu: 3.15-1+pve-1
glusterfs-client: 9.2-1
ifupdown2: 3.1.0-1+pmx4
ksm-control-daemon: 1.4-1
libjs-extjs: 7.0.0-1
libknet1: 1.24-pve2
libproxmox-acme-perl: 1.4.4
libproxmox-backup-qemu0: 1.3.1-1
libproxmox-rs-perl: 0.2.1
libpve-access-control: 7.4.1
libpve-apiclient-perl: 3.2-1
libpve-common-perl: 7.4-2
libpve-guest-common-perl: 4.2-4
libpve-http-server-perl: 4.2-3
libpve-rs-perl: 0.7.7
libpve-storage-perl: 7.4-3
libspice-server1: 0.14.3-2.1
lvm2: 2.03.11-2.1
lxc-pve: 5.0.2-2
lxcfs: 5.0.3-pve1
novnc-pve: 1.4.0-1
proxmox-backup-client: 2.4.3-1
proxmox-backup-file-restore: 2.4.3-1
proxmox-kernel-helper: 7.4-1
proxmox-mail-forward: 0.1.1-1
proxmox-mini-journalreader: 1.3-1
proxmox-offline-mirror-helper: 0.5.2
proxmox-widget-toolkit: 3.7.3
pve-cluster: 7.3-3
pve-container: 4.4-6
pve-docs: 7.4-2
pve-edk2-firmware: 3.20230228-4~bpo11+1
pve-firewall: 4.3-5
pve-firmware: 3.6-5
pve-ha-manager: 3.6.1
pve-i18n: 2.12-1
pve-qemu-kvm: 7.2.0-8
pve-xtermjs: 4.16.0-2
qemu-server: 7.4-4
smartmontools: 7.2-pve3
spiceterm: 3.2-2
swtpm: 0.8.0~bpo11+3
vncterm: 1.7-1
zfsutils-linux: 2.1.11-pve1

 

[Chris]

Hi,
please also share the network configuration cat /etc/network/interfaces and the output of iptables-save for the host not reachable (of course you will have to establish a connection first, before enabling the firewall, so that you can execute these commands with the firewall rules enabled via the established connection).

 

[punjprateek]

Hi,
please also share the network configuration cat /etc/network/interfaces and the output of iptables-save for the host not reachable (of course you will have to establish a connection first, before enabling the firewall, so that you can execute these commands with the firewall rules enabled via the established connection).

Hi Attached is the result, i am not able to access through GUI but through ssh i am able to reach host using cmd.

Spoiler: network config

auto lo
iface lo inet loopback

iface enp28s0f1 inet manual

auto vmbr0
iface vmbr0 inet static
address 10.250.50.42/23
gateway 10.250.50.5
bridge-ports enp28s0f1
bridge-stp off
bridge-fd 0

iface eno1 inet manual

iface eno2 inet manual

iface enx3a5631568dd4 inet manual

iface enp28s0f0 inet manual

Spoiler: iptable-saves

# Generated by iptables-save v1.8.7 on Sun Aug 13 23:40:52 2023
*raw
REROUTING ACCEPT [204995371:639080509840]
:OUTPUT ACCEPT [171453589:863741416324]
COMMIT
# Completed on Sun Aug 13 23:40:52 2023
# Generated by iptables-save v1.8.7 on Sun Aug 13 23:40:52 2023
*filter
:INPUT ACCEPT [2:208]
:FORWARD ACCEPT [3879365:456865439]
:OUTPUT ACCEPT [42186:2552176]
:GROUP-basic-port-IN - [0:0]
:GROUP-basic-port-OUT - [0:0]
:GROUP-moonlight-IN - [0:0]
:GROUP-moonlight-OUT - [0:0]
VEFW-Drop - [0:0]
VEFW-DropBroadcast - [0:0]
VEFW-FORWARD - [0:0]
VEFW-FWBR-IN - [0:0]
VEFW-FWBR-OUT - [0:0]
VEFW-HOST-IN - [0:0]
VEFW-HOST-OUT - [0:0]
VEFW-INPUT - [0:0]
VEFW-OUTPUT - [0:0]
VEFW-Reject - [0:0]
VEFW-SET-ACCEPT-MARK - [0:0]
VEFW-logflags - [0:0]
VEFW-reject - [0:0]
VEFW-smurflog - [0:0]
VEFW-smurfs - [0:0]
VEFW-tcpflags - [0:0]
:tap100i0-IN - [0:0]
:tap100i0-OUT - [0:0]
-A INPUT -j PVEFW-INPUT
-A FORWARD -j PVEFW-FORWARD
-A OUTPUT -j PVEFW-OUTPUT
-A GROUP-basic-port-IN -j MARK --set-xmark 0x0/0x80000000
-A GROUP-basic-port-IN -m set --match-set PVEFW-0-vpn-ip-v4 src -m set --match-set PVEFW-0-vm-ips-v4 dst -g PVEFW-SET-ACCEPT-MARK
-A GROUP-basic-port-IN -p tcp -m multiport --dports 22,8006 -g PVEFW-SET-ACCEPT-MARK
-A GROUP-basic-port-IN -m comment --comment "PVESIG:wSZb4KgmJ0oA8RZy7zDqEWzkagg"
-A GROUP-basic-port-OUT -j MARK --set-xmark 0x0/0x80000000
-A GROUP-basic-port-OUT -m comment --comment "PVESIG:xxVsq70UXLT9ZzIBtsVFZssSqPw"
-A GROUP-moonlight-IN -j MARK --set-xmark 0x0/0x80000000
-A GROUP-moonlight-IN -p udp -m multiport --dports 47998,47999,48000,48002,48010 -g PVEFW-SET-ACCEPT-MARK
-A GROUP-moonlight-IN -p tcp -m multiport --dports 47984,47989,48010 -g PVEFW-SET-ACCEPT-MARK
-A GROUP-moonlight-IN -p udp -m set --match-set PVEFW-0-api-ips-v4 src -m set --match-set PVEFW-0-vm-ips-v4 dst -g PVEFW-SET-ACCEPT-MARK
-A GROUP-moonlight-IN -m comment --comment "PVESIG:JLD/rtIXVmgHt8IRriLBMAUmRUI"
-A GROUP-moonlight-OUT -j MARK --set-xmark 0x0/0x80000000
-A GROUP-moonlight-OUT -m comment --comment "PVESIG:SfZYLZS+rTi+GGMoTRCDJXMWUdw"
-A PVEFW-Drop -j PVEFW-DropBroadcast
-A PVEFW-Drop -p icmp -m icmp --icmp-type 3/4 -j ACCEPT
-A PVEFW-Drop -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A PVEFW-Drop -m conntrack --ctstate INVALID -j DROP
-A PVEFW-Drop -p udp -m multiport --dports 135,445 -j DROP
-A PVEFW-Drop -p udp -m udp --dport 137:139 -j DROP
-A PVEFW-Drop -p udp -m udp --sport 137 --dport 1024:65535 -j DROP
-A PVEFW-Drop -p tcp -m multiport --dports 135,139,445 -j DROP
-A PVEFW-Drop -p udp -m udp --dport 1900 -j DROP
-A PVEFW-Drop -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -j DROP
-A PVEFW-Drop -p udp -m udp --sport 53 -j DROP
-A PVEFW-Drop -m comment --comment "PVESIG:83WlR/a4wLbmURFqMQT3uJSgIG8"
-A PVEFW-DropBroadcast -m addrtype --dst-type BROADCAST -j DROP
-A PVEFW-DropBroadcast -m addrtype --dst-type MULTICAST -j DROP
-A PVEFW-DropBroadcast -m addrtype --dst-type ANYCAST -j DROP
-A PVEFW-DropBroadcast -d 224.0.0.0/4 -j DROP
-A PVEFW-DropBroadcast -m comment --comment "PVESIG:NyjHNAtFbkH7WGLamPpdVnxHy4w"
-A PVEFW-FORWARD -m conntrack --ctstate INVALID -j DROP
-A PVEFW-FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A PVEFW-FORWARD -m physdev --physdev-in fwln+ --physdev-is-bridged -j PVEFW-FWBR-IN
-A PVEFW-FORWARD -m physdev --physdev-out fwln+ --physdev-is-bridged -j PVEFW-FWBR-OUT
-A PVEFW-FORWARD -m comment --comment "PVESIG:qnNexOcGa+y+jebd4dAUqFSp5nw"
-A PVEFW-FWBR-IN -m conntrack --ctstate INVALID,NEW -j PVEFW-smurfs
-A PVEFW-FWBR-IN -m physdev --physdev-out tap100i0 --physdev-is-bridged -j tap100i0-IN
-A PVEFW-FWBR-IN -m comment --comment "PVESIG:/naDZxJ06t8Dx9DQtmus9NvdHEA"
-A PVEFW-FWBR-OUT -m physdev --physdev-in tap100i0 --physdev-is-bridged -j tap100i0-OUT
-A PVEFW-FWBR-OUT -m comment --comment "PVESIG:wA3mj3VIKyC/rlY95PCFN7paR5s"
-A PVEFW-HOST-IN -i lo -j ACCEPT
-A PVEFW-HOST-IN -m conntrack --ctstate INVALID -j DROP
-A PVEFW-HOST-IN -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A PVEFW-HOST-IN -m conntrack --ctstate INVALID,NEW -j PVEFW-smurfs
-A PVEFW-HOST-IN -p igmp -j RETURN
-A PVEFW-HOST-IN -m set --match-set PVEFW-0-vm-ips-v4 src -m set --match-set PVEFW-0-vm-ips-v4 dst -j DROP
-A PVEFW-HOST-IN -j GROUP-moonlight-IN
-A PVEFW-HOST-IN -m mark --mark 0x80000000/0x80000000 -j RETURN
-A PVEFW-HOST-IN -j GROUP-basic-port-IN
-A PVEFW-HOST-IN -m mark --mark 0x80000000/0x80000000 -j RETURN
-A PVEFW-HOST-IN -j GROUP-moonlight-IN
-A PVEFW-HOST-IN -m mark --mark 0x80000000/0x80000000 -j RETURN
-A PVEFW-HOST-IN -p tcp -m set --match-set PVEFW-0-management-v4 src -m tcp --dport 8006 -j RETURN
-A PVEFW-HOST-IN -p tcp -m set --match-set PVEFW-0-management-v4 src -m tcp --dport 5900:5999 -j RETURN
-A PVEFW-HOST-IN -p tcp -m set --match-set PVEFW-0-management-v4 src -m tcp --dport 3128 -j RETURN
-A PVEFW-HOST-IN -p tcp -m set --match-set PVEFW-0-management-v4 src -m tcp --dport 22 -j RETURN
-A PVEFW-HOST-IN -p tcp -m set --match-set PVEFW-0-management-v4 src -m tcp --dport 60000:60050 -j RETURN
-A PVEFW-HOST-IN -s 10.250.50.43/32 -d 10.250.50.42/32 -p udp -m udp --dport 5404:5405 -j RETURN
-A PVEFW-HOST-IN -s 10.250.50.44/32 -d 10.250.50.42/32 -p udp -m udp --dport 5404:5405 -j RETURN
-A PVEFW-HOST-IN -s 10.250.50.45/32 -d 10.250.50.42/32 -p udp -m udp --dport 5404:5405 -j RETURN
-A PVEFW-HOST-IN -s 10.250.50.47/32 -d 10.250.50.42/32 -p udp -m udp --dport 5404:5405 -j RETURN
-A PVEFW-HOST-IN -s 10.250.50.48/32 -d 10.250.50.42/32 -p udp -m udp --dport 5404:5405 -j RETURN
-A PVEFW-HOST-IN -j PVEFW-Drop
-A PVEFW-HOST-IN -j DROP
-A PVEFW-HOST-IN -m comment --comment "PVESIG:+yK7ANSk8duUHGM9ysRa6QhZYKc"
-A PVEFW-HOST-OUT -o lo -j ACCEPT
-A PVEFW-HOST-OUT -m conntrack --ctstate INVALID -j DROP
-A PVEFW-HOST-OUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A PVEFW-HOST-OUT -p igmp -j RETURN
-A PVEFW-HOST-OUT -j GROUP-moonlight-OUT
-A PVEFW-HOST-OUT -m mark --mark 0x80000000/0x80000000 -j RETURN
-A PVEFW-HOST-OUT -j GROUP-basic-port-OUT
-A PVEFW-HOST-OUT -m mark --mark 0x80000000/0x80000000 -j RETURN
-A PVEFW-HOST-OUT -j GROUP-moonlight-OUT
-A PVEFW-HOST-OUT -m mark --mark 0x80000000/0x80000000 -j RETURN
-A PVEFW-HOST-OUT -d 10.250.50.0/23 -p tcp -m tcp --dport 8006 -j RETURN
-A PVEFW-HOST-OUT -d 10.250.50.0/23 -p tcp -m tcp --dport 22 -j RETURN
-A PVEFW-HOST-OUT -d 10.250.50.0/23 -p tcp -m tcp --dport 5900:5999 -j RETURN
-A PVEFW-HOST-OUT -d 10.250.50.0/23 -p tcp -m tcp --dport 3128 -j RETURN
-A PVEFW-HOST-OUT -s 10.250.50.42/32 -d 10.250.50.43/32 -p udp -m udp --dport 5404:5405 -j RETURN
-A PVEFW-HOST-OUT -s 10.250.50.42/32 -d 10.250.50.44/32 -p udp -m udp --dport 5404:5405 -j RETURN
-A PVEFW-HOST-OUT -s 10.250.50.42/32 -d 10.250.50.45/32 -p udp -m udp --dport 5404:5405 -j RETURN
-A PVEFW-HOST-OUT -s 10.250.50.42/32 -d 10.250.50.47/32 -p udp -m udp --dport 5404:5405 -j RETURN
-A PVEFW-HOST-OUT -s 10.250.50.42/32 -d 10.250.50.48/32 -p udp -m udp --dport 5404:5405 -j RETURN
-A PVEFW-HOST-OUT -j RETURN
-A PVEFW-HOST-OUT -m comment --comment "PVESIG:8Eqd+qocOlIZ3SY6fjdLu41APMg"
-A PVEFW-INPUT -j PVEFW-HOST-IN
-A PVEFW-INPUT -m comment --comment "PVESIG:+5iMmLaxKXynOB/+5xibfx7WhFk"
-A PVEFW-OUTPUT -j PVEFW-HOST-OUT
-A PVEFW-OUTPUT -m comment --comment "PVESIG:LjHoZeSSiWAG3+2ZAyL/xuEehd0"
-A PVEFW-Reject -j PVEFW-DropBroadcast
-A PVEFW-Reject -p icmp -m icmp --icmp-type 3/4 -j ACCEPT
-A PVEFW-Reject -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A PVEFW-Reject -m conntrack --ctstate INVALID -j DROP
-A PVEFW-Reject -p udp -m multiport --dports 135,445 -j PVEFW-reject
-A PVEFW-Reject -p udp -m udp --dport 137:139 -j PVEFW-reject
-A PVEFW-Reject -p udp -m udp --sport 137 --dport 1024:65535 -j PVEFW-reject
-A PVEFW-Reject -p tcp -m multiport --dports 135,139,445 -j PVEFW-reject
-A PVEFW-Reject -p udp -m udp --dport 1900 -j DROP
-A PVEFW-Reject -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -j DROP
-A PVEFW-Reject -p udp -m udp --sport 53 -j DROP
-A PVEFW-Reject -m comment --comment "PVESIG:h3DyALVslgH5hutETfixGP08w7c"
-A PVEFW-SET-ACCEPT-MARK -j MARK --set-xmark 0x80000000/0x80000000
-A PVEFW-SET-ACCEPT-MARK -m comment --comment "PVESIG:Hg/OIgIwJChBUcWU8Xnjhdd2jUY"
-A PVEFW-logflags -j DROP
-A PVEFW-logflags -m comment --comment "PVESIG:MN4PH1oPZeABMuWr64RrygPfW7A"
-A PVEFW-reject -m addrtype --dst-type BROADCAST -j DROP
-A PVEFW-reject -s 224.0.0.0/4 -j DROP
-A PVEFW-reject -p icmp -j DROP
-A PVEFW-reject -p tcp -j REJECT --reject-with tcp-reset
-A PVEFW-reject -p udp -j REJECT --reject-with icmp-port-unreachable
-A PVEFW-reject -p icmp -j REJECT --reject-with icmp-host-unreachable
-A PVEFW-reject -j REJECT --reject-with icmp-host-prohibited
-A PVEFW-reject -m comment --comment "PVESIG:Jlkrtle1mDdtxDeI9QaDSL++Npc"
-A PVEFW-smurflog -j DROP
-A PVEFW-smurflog -m comment --comment "PVESIG:2gfT1VMkfr0JL6OccRXTGXo+1qk"
-A PVEFW-smurfs -s 0.0.0.0/32 -j RETURN
-A PVEFW-smurfs -m addrtype --src-type BROADCAST -g PVEFW-smurflog
-A PVEFW-smurfs -s 224.0.0.0/4 -g PVEFW-smurflog
-A PVEFW-smurfs -m comment --comment "PVESIG:HssVe5QCBXd5mc9kC88749+7fag"
-A PVEFW-tcpflags -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -g PVEFW-logflags
-A PVEFW-tcpflags -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -g PVEFW-logflags
-A PVEFW-tcpflags -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -g PVEFW-logflags
-A PVEFW-tcpflags -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -g PVEFW-logflags
-A PVEFW-tcpflags -p tcp -m tcp --sport 0 --tcp-flags FIN,SYN,RST,ACK SYN -g PVEFW-logflags
-A PVEFW-tcpflags -m comment --comment "PVESIG:CMFojwNPqllyqD67NeI5m+bP5mo"
-A tap100i0-IN -p udp -m udp --sport 67 --dport 68 -j ACCEPT
-A tap100i0-IN -j PVEFW-Drop
-A tap100i0-IN -j DROP
-A tap100i0-IN -m comment --comment "PVESIG:dyBT7vHzkJ/DuuTmaQj+ta/b9fk"
-A tap100i0-OUT -p udp -m udp --sport 68 --dport 67 -g PVEFW-SET-ACCEPT-MARK
-A tap100i0-OUT -m mac ! --mac-source d2:77:bc:5f:a3:d5 -j DROP
-A tap100i0-OUT -j MARK --set-xmark 0x0/0x80000000
-A tap100i0-OUT -g PVEFW-SET-ACCEPT-MARK
-A tap100i0-OUT -m comment --comment "PVESIG:G56q5Mk2voOV53Vae5oMUhx/U3g"
COMMIT
# Completed on Sun Aug 13 23:40:52 2023

 

[Chris]

server 1 server stopped responding to ssh, it says connection timeout.

i am not able to access through GUI but through ssh i am able to reach host using cmd.

Please clarify what the exact issue is. Are you able to ssh to the node with firewall enabled or not? Is the connection issue limited to the WebUI? If so, from where are you trying to connect to? Provide also the journal from around the time of the connection issue journalctl --since <DATETIME> --until <DATETIME> > journal.txt as attachment.

 

[punjprateek]

Please clarify what the exact issue is. Are you able to ssh to the node with firewall enabled or not? Is the connection issue limited to the WebUI? If so, from where are you trying to connect to? Provide also the journal from around the time of the connection issue journalctl --since <DATETIME> --until <DATETIME> > journal.txt as attachment.

The connection issue is limited to webGUI only, from CMD i am able to SSH my server's.

 

[Chris]

-A PVEFW-HOST-IN -p tcp -m set --match-set PVEFW-0-management-v4 src -m tcp --dport 8006 -j RETURN

-A GROUP-basic-port-IN -p tcp -m multiport --dports 22,8006 -g PVEFW-SET-ACCEPT-MARK

As far as I can see, above rules should allow the traffic to the WebUI. Can you verify that the WebUI works with the firewall disabled for that node?

 

[punjprateek]

yes it works if i disable firewall on datacenter level.

As far as I can see, above rules should allow the traffic to the WebUI. Can you verify that the WebUI works with the firewall disabled for that node?

 

[Chris]

-A PVEFW-HOST-IN -m set --match-set PVEFW-0-vm-ips-v4 src -m set --match-set PVEFW-0-vm-ips-v4 dst -j DROP

Is your source maybe within the IP range of the vm ips? As this is evaluated before your basic port rules. If that is not the case, I suggest to selectively disable rules until you get connectivity again (you will always have to wait a few seconds until the changed rules get applied by the PVE firewall) and start adapting the rules from there.