udp port blocking is not working

Aug 19, 2019
Hi,
I have a problem with abuse messages from Hetzner on behalf of the German BSI for my root server with Proxmox PVE 6.2.4. On one of the KVM VMs there is a Univention installation with open ports on UDP 111, which are known to be misused if they are public. I created a firewall rule for this VM, but it has no effect:

[group idp] # ucs

IN SSH(ACCEPT) -dest +idp -log nolog
IN HTTPS(ACCEPT) -dest +idp -log nolog
IN DROP -dest +idp -p tcp -dport 111 -log nolog
IN DROP -dest +idp -p udp -dport 111 -log nolog

I tried this several times now without success. Any idea how to debug this?

Thanks for some ideas,
Thommie
 
Are all firewalls enabled? (Datacenter, Node, VM, NIC)
 
Datacenter: "Firewall: Yes"
Node: Firewall: yes
VM: Firewall yes
net0, firewall=1

VM config:


agent: 1
bootdisk: scsi0
cores: 2
ide2: none,media=cdrom
memory: 2048
name: idp3
net0: virtio=00:50:56:00:2B:66,bridge=vmbr0,firewall=1
net1: e1000=FE:DD:91:12:4D:47,bridge=vmbr1,firewall=1
numa: 0
onboot: 1
ostype: l26
scsi0: local:102/vm-102-disk-0.qcow2,size=96G
scsihw: virtio-scsi-pci
smbios1: uuid=8c42a08b-a756-42d4-867e-88daf37edbaf
sockets: 2
startup: order=1
virtio0: data:102/vm-102-disk-0.qcow2,size=100G
vmgenid: 348ad4d9-3407-4db3-a015-3e99dc69a368
 
What's the output of iptables-save | grep tap102 ?
 
Hm, oops, nothing:

root@tokoeka /etc/pve/qemu-server # iptables-save | grep tap102
root@tokoeka /etc/pve/qemu-server #


and un-grepped:

root@tokoeka /etc/pve/qemu-server # iptables-save
# Generated by iptables-save v1.8.2 on Mon Jun 22 14:40:24 2020
*filter
:INPUT ACCEPT [393243639:32160479247]
:FORWARD ACCEPT [5412:2705500]
:OUTPUT ACCEPT [29242422:1122210775374]
COMMIT
# Completed on Mon Jun 22 14:40:24 2020


seems like there are no active rules at all, although

root@tokoeka /etc/pve/qemu-server # lsmod | grep ip
iptable_filter 16384 0
ip_tables 28672 1 iptable_filter
x_tables 45056 2 iptable_filter,ip_tables
multipath 20480 0


and /etc/pve/firewall/cluster.fw has

[OPTIONS]

policy_in: DROP
enable: 1


I don't understand ... ??
 
That is strange. There should be more output when running iptables-save then. What happens when you disable and enable it again in the GUI?
 
I disabled all firewall settings at VM level, node level and datacenter level through the web UI and re-enabled them. iptables-save shows the same result.

root@tokoeka ~ # iptables-save
# Generated by iptables-save v1.8.2 on Tue Jun 23 11:40:43 2020
*filter
:INPUT ACCEPT [393993755:32834110527]
:FORWARD ACCEPT [5412:2705500]
:OUTPUT ACCEPT [29808599:1123574120886]
COMMIT
# Completed on Tue Jun 23 11:40:43 2020

On the shell I have

root@tokoeka ~ # pve-firewall status
Status: enabled/stopped

I enabled it with "pve-firewall start" and was immediately locked out of ssh, ggrrrrrrr. OK, I have to re-open my connection ...

But it seems like all my start/stop operations on the web UI had no effect yet ...
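A small diagnostic for exactly this situation, added here as an example (it is not Proxmox's own code): it reads the text of `pve-firewall status` and `iptables-save` and reports whether the daemon is actually running and whether the VM's per-NIC chains exist, which is what separates "Firewall: yes" in the GUI from rules really being loaded. The chain naming tap<vmid>i<n>-IN/-OUT and the rule lines in IPT_ACTIVE are assumptions, constructed for the sample.

```shell
#!/bin/sh
# Added diagnostic for this thread (not Proxmox's own code). It works on captured
# text; on a real host: pve_fw_vm_report "$(pve-firewall status)" "$(iptables-save)" 102

# 0 if `pve-firewall status` reports enabled/running, 1 otherwise.
pve_fw_daemon_running() {
    printf '%s\n' "$1" | grep -q '^Status: enabled/running'
}

# Count of per-NIC chain definitions for a VMID. Chain names of the form
# tap<vmid>i<n>-IN / -OUT are an assumption based on the grep suggested above.
pve_fw_vm_chain_count() {
    printf '%s\n' "$1" | grep -cE "^:tap${2}i[0-9]+-(IN|OUT) " || true
}

# Count of rules in the VM's inbound chains that drop a given destination port.
pve_fw_vm_port_drop_count() {
    printf '%s\n' "$1" | grep -cE "^-A tap${2}i[0-9]+-IN .*--dport $3 .*-j (DROP|PVEFW-Drop)" || true
}

# Verdict: 0 = rules installed, 2 = daemon stopped, 3 = running but no VM chains.
pve_fw_vm_report() {
    status="$1"; ipt="$2"; vmid="$3"
    if ! pve_fw_daemon_running "$status"; then
        echo "VM $vmid: pve-firewall is not running, so enabling in the GUI loads no rules"
        return 2
    fi
    chains=$(pve_fw_vm_chain_count "$ipt" "$vmid")
    if [ "$chains" -eq 0 ]; then
        echo "VM $vmid: daemon running but no tap${vmid}iN chains; check net0 firewall=1"
        return 3
    fi
    echo "VM $vmid: $chains NIC chains installed"
}

# Constructed samples: STATUS_STOPPED/IPT_EMPTY mirror the thread, IPT_ACTIVE a working host.
STATUS_STOPPED='Status: enabled/stopped'
STATUS_RUNNING='Status: enabled/running'
IPT_EMPTY='*filter
:INPUT ACCEPT [0:0]
COMMIT'
IPT_ACTIVE='*filter
:tap102i0-IN - [0:0]
:tap102i0-OUT - [0:0]
-A tap102i0-IN -p tcp -m tcp --dport 111 -j DROP
-A tap102i0-IN -p udp -m udp --dport 111 -j DROP
COMMIT'

if pve_fw_vm_report "$STATUS_STOPPED" "$IPT_EMPTY" 102; then :; fi
if pve_fw_vm_report "$STATUS_RUNNING" "$IPT_ACTIVE" 102; then :; fi
```

Run against the thread's own outputs it returns 2, the "enabled/stopped" case, which is why the rules in cluster.fw and the VM file never reached iptables.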