Unable to Connect to PVE Shell in GUI

L

l3it

New Member
Feb 4, 2024
1
0
1
Hi Everybody.

I was wondering if somebody may be able to help me out as to what I am doing wrong.

Long story short, I have a setup in which all traffic if routing to my pfsense/opnsense firewall and I use iptables and VPN to then connect to get into the proxmox gui. I have mainly followed this guide which although a bit outdated got me most of the way there (https://blog.zwindler.fr/2020/03/02/deploiement-de-proxmox-ve-6-pfsense-sur-un-serveur-dedie/)

Before I apply the iptables, the IP takes me to proxmox gui, and I have access to the shell however after loading iptables, everything works as intended but when I got to shell within proxmox gui it will not connect and give me an error:

TASK ERROR: command '/usr/bin/termproxy 5900 --path /nodes/PVE --perm Sys.Console -- /bin/login -f root' failed: exit code 1

Access to console of other VM's works without any problems, its just shell for PVE that doesn't work. My guess is it is something within the iptables but I cannot put my finger on what is the issue as I have used the same config when self hosting and it worked without issue. below is the iptable config I use. Any help would be much appreciated and hopefully somebody can shed some light as to where I am going wrong.

#!/bin/sh

# ---------
# VARIABLES
# ---------

## Proxmox bridge holding Public IP
PrxPubVBR="vmbr0"
## Proxmox bridge on VmWanNET (OPNSense WAN side)
PrxVmWanVBR="vmbr1"
## Proxmox bridge on PrivNET (OPNense LAN side)
PrxVmPrivVBR="vmbr2"

## Network/Mask of VmWanNET
VmWanNET="10.0.0.0/30"
## Network/Mmask of PrivNET
PrivNET="10.10.10.0/24"
## Network/Mmask of VpnNET
VpnNET="10.1.1.0/24"

## Public IP => Your own public IP address
PublicIP="XX.XX.XX.XX"
## Proxmox IP on the same network than OPNSense WAN (VmWanNET)
ProxVmWanIP="10.0.0.1"
## Proxmox IP on the same network than VMs
ProxVmPrivIP="10.10.10.1"
## OPNSense IP used by the firewall (inside VM)
PfsVmWanIP="10.0.0.2"

# ---------------------
# CLEAN ALL & DROP IPV6
# ---------------------

### Delete all existing rules.
iptables -F
iptables -t nat -F
iptables -t mangle -F
iptables -X
### This policy does not handle IPv6 traffic except to drop it.
ip6tables -P INPUT DROP
ip6tables -P OUTPUT DROP
ip6tables -P FORWARD DROP

# --------------
# DEFAULT POLICY
# --------------

### Block ALL !
iptables -P OUTPUT DROP
iptables -P INPUT DROP
iptables -P FORWARD DROP

# ------
# CHAINS
# ------

### Creating chains
iptables -N TCP
iptables -N UDP

# UDP = ACCEPT / SEND TO THIS CHAIN
iptables -A INPUT -p udp -m conntrack --ctstate NEW -j UDP
# TCP = ACCEPT / SEND TO THIS CHAIN
iptables -A INPUT -p tcp --syn -m conntrack --ctstate NEW -j TCP

# ------------
# GLOBAL RULES
# ------------

# Allow localhost
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
# Don't break the current/active connections
iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# Allow Ping - Comment this to return timeout to ping request
#iptables -A INPUT -p icmp --icmp-type 8 -m conntrack --ctstate NEW -j ACCEPT

# --------------------
# RULES FOR PrxPubVBR
# --------------------

### INPUT RULES
# ---------------

# Allow Proxmox WebUI
#iptables -A TCP -i \$PrxPubVBR -d \$PublicIP -p tcp --dport 8006 -j ACCEPT

### OUTPUT RULES
# ---------------

iptables -I OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

# Allow ping out
iptables -A OUTPUT -p icmp -j ACCEPT

### Proxmox Host as CLIENT
# Allow HTTP/HTTPS
iptables -A OUTPUT -o $PrxPubVBR -s $PublicIP -p tcp --dport 80 -j ACCEPT
iptables -A OUTPUT -o $PrxPubVBR -s $PublicIP -p tcp --dport 443 -j ACCEPT
# Allow DNS
iptables -A OUTPUT -o $PrxPubVBR -s $PublicIP -p udp --dport 53 -j ACCEPT

### Proxmox Host as SERVER
# Allow PROXMOX WebUI
#iptables -A OUTPUT -o \$PrxPubVBR -s \$PublicIP -p tcp --sport 8006 -j ACCEPT

### FORWARD RULES
# ----------------

### Redirect (NAT) traffic from internet
# All tcp to OPNSense WAN except 8006
#iptables -A PREROUTING -t nat -i $PrxPubVBR -p tcp --match multiport ! --dports 8006 -j DNAT --to $PfsVmWanIP
iptables -A PREROUTING -t nat -i $PrxPubVBR -p tcp -j DNAT --to $PfsVmWanIP
# All udp to OPNSense WAN
iptables -A PREROUTING -t nat -i $PrxPubVBR -p udp -j DNAT --to $PfsVmWanIP

# Allow request forwarding to OPNSense WAN interface
iptables -A FORWARD -i $PrxPubVBR -d $PfsVmWanIP -o $PrxVmWanVBR -p tcp -j ACCEPT
iptables -A FORWARD -i $PrxPubVBR -d $PfsVmWanIP -o $PrxVmWanVBR -p udp -j ACCEPT

# Allow request forwarding from LAN
iptables -A FORWARD -i $PrxVmWanVBR -s $VmWanNET -j ACCEPT

### MASQUERADE MANDATORY
# Allow WAN network (OPNSense) to use vmbr0 public adress to go out
iptables -t nat -A POSTROUTING -s $VmWanNET -o $PrxPubVBR -j MASQUERADE

# Allow WAN network (OPNSense) to use vmbr1
iptables -A TCP -i $PrxVmWanVBR -d $ProxVmWanIP -p tcp --dport 8006 -j ACCEPT
 
l3it said:
Hi Everybody.

I was wondering if somebody may be able to help me out as to what I am doing wrong.

Long story short, I have a setup in which all traffic if routing to my pfsense/opnsense firewall and I use iptables and VPN to then connect to get into the proxmox gui. I have mainly followed this guide which although a bit outdated got me most of the way there (https://blog.zwindler.fr/2020/03/02/deploiement-de-proxmox-ve-6-pfsense-sur-un-serveur-dedie/)
Click to expand...

So just to sum it up for anyone having difficulty reading through the guide like me - this is PVE inside of which you have the OPNSense and you want internet traffic to hit its iptables before it gets you back onto the host, correct?

Would not be my first choice to run it, but it's not your question, so let's have a look...

l3it said:
Before I apply the iptables, the IP takes me to proxmox gui, and I have access to the shell however after loading iptables, everything works as intended but when I got to shell within proxmox gui it will not connect and give me an error:

TASK ERROR: command '/usr/bin/termproxy 5900 --path /nodes/PVE --perm Sys.Console -- /bin/login -f root' failed: exit code 1
Click to expand...

The 5900 is the port number too. See: https://pve.proxmox.com/pve-docs/pve-admin-guide.html#_ports_used_by_proxmox_ve

13.12. Ports used by Proxmox VE​

  • Web interface: 8006 (TCP, HTTP/1.1 over TLS)
  • VNC Web console: 5900-5999 (TCP, WebSocket)
  • SPICE proxy: 3128 (TCP)
  • sshd (used for cluster actions): 22 (TCP)
  • rpcbind: 111 (UDP)
  • sendmail: 25 (TCP, outgoing)
  • corosync cluster traffic: 5405-5412 UDP
  • live migration (VM memory and local-disk data): 60000-60050 (TCP)
Click to expand...

So your hunch is good ...

l3it said:
Access to console of other VM's works without any problems, its just shell for PVE that doesn't work. My guess is it is something within the iptables but I cannot put my finger on what is the issue as I have used the same config when self hosting and it worked without issue. below is the iptable config I use. Any help would be much appreciated and hopefully somebody can shed some light as to where I am going wrong.
Click to expand...

I have trouble finding where you got those iptables rules from, but since e.g. GUI (8006) works for you, I assume the forward rules are all fine, I just glanced at your INPUT and there's nothing but 8006 there and that is commented out, but ...

l3it said:
Code: 
#!/bin/sh

    # ---------
    # VARIABLES
    # ---------

## Proxmox bridge holding Public IP
PrxPubVBR="vmbr0"
## Proxmox bridge on VmWanNET (OPNSense WAN side)
PrxVmWanVBR="vmbr1"
## Proxmox bridge on PrivNET (OPNense LAN side)
PrxVmPrivVBR="vmbr2"

## Network/Mask of VmWanNET
VmWanNET="10.0.0.0/30"
## Network/Mmask of PrivNET
PrivNET="10.10.10.0/24"
## Network/Mmask of VpnNET
VpnNET="10.1.1.0/24"

## Public IP => Your own public IP address
PublicIP="XX.XX.XX.XX"
## Proxmox IP on the same network than OPNSense WAN (VmWanNET)
ProxVmWanIP="10.0.0.1"
## Proxmox IP on the same network than VMs
ProxVmPrivIP="10.10.10.1"
## OPNSense IP used by the firewall (inside VM)
PfsVmWanIP="10.0.0.2"

    # ---------------------
    # CLEAN ALL & DROP IPV6
    # ---------------------

### Delete all existing rules.
iptables -F
iptables -t nat -F
iptables -t mangle -F
iptables -X
### This policy does not handle IPv6 traffic except to drop it.
ip6tables -P INPUT DROP
ip6tables -P OUTPUT DROP
ip6tables -P FORWARD DROP
   
    # --------------
    # DEFAULT POLICY
    # --------------

### Block ALL !
iptables -P OUTPUT DROP
iptables -P INPUT DROP
iptables -P FORWARD DROP

    # ------
    # CHAINS
    # ------

### Creating chains
iptables -N TCP
iptables -N UDP

# UDP = ACCEPT / SEND TO THIS CHAIN
iptables -A INPUT -p udp -m conntrack --ctstate NEW -j UDP
# TCP = ACCEPT / SEND TO THIS CHAIN
iptables -A INPUT -p tcp --syn -m conntrack --ctstate NEW -j TCP

    # ------------
    # GLOBAL RULES
    # ------------

# Allow localhost
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
# Don't break the current/active connections
iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# Allow Ping - Comment this to return timeout to ping request
#iptables -A INPUT -p icmp --icmp-type 8 -m conntrack --ctstate NEW -j ACCEPT

    # --------------------
    # RULES FOR PrxPubVBR
    # --------------------

### INPUT RULES
# ---------------

# Allow Proxmox WebUI
#iptables -A TCP -i \$PrxPubVBR -d \$PublicIP -p tcp --dport 8006 -j ACCEPT

### OUTPUT RULES
# ---------------

iptables -I OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

# Allow ping out
iptables -A OUTPUT -p icmp -j ACCEPT

### Proxmox Host as CLIENT
# Allow HTTP/HTTPS
iptables -A OUTPUT -o $PrxPubVBR -s $PublicIP -p tcp --dport 80 -j ACCEPT
iptables -A OUTPUT -o $PrxPubVBR -s $PublicIP -p tcp --dport 443 -j ACCEPT
# Allow DNS
iptables -A OUTPUT -o $PrxPubVBR -s $PublicIP -p udp --dport 53 -j ACCEPT

### Proxmox Host as SERVER
# Allow PROXMOX WebUI
#iptables -A OUTPUT -o \$PrxPubVBR -s \$PublicIP -p tcp --sport 8006 -j ACCEPT

### FORWARD RULES
# ----------------

### Redirect (NAT) traffic from internet
# All tcp to OPNSense WAN except 8006
#iptables -A PREROUTING -t nat -i $PrxPubVBR -p tcp --match multiport ! --dports 8006 -j DNAT --to $PfsVmWanIP
iptables -A PREROUTING -t nat -i $PrxPubVBR -p tcp -j DNAT --to $PfsVmWanIP
# All udp to OPNSense WAN
iptables -A PREROUTING -t nat -i $PrxPubVBR -p udp -j DNAT --to $PfsVmWanIP

# Allow request forwarding to OPNSense WAN interface
iptables -A FORWARD -i $PrxPubVBR -d $PfsVmWanIP -o $PrxVmWanVBR -p tcp -j ACCEPT
iptables -A FORWARD -i $PrxPubVBR -d $PfsVmWanIP -o $PrxVmWanVBR -p udp -j ACCEPT

# Allow request forwarding from LAN
iptables -A FORWARD -i $PrxVmWanVBR -s $VmWanNET -j ACCEPT

### MASQUERADE MANDATORY
# Allow WAN network (OPNSense) to use vmbr0 public adress to go out
iptables -t nat -A POSTROUTING -s $VmWanNET -o $PrxPubVBR -j MASQUERADE

# Allow WAN network (OPNSense) to use vmbr1
iptables -A TCP -i $PrxVmWanVBR -d $ProxVmWanIP -p tcp --dport 8006 -j ACCEPT
Click to expand...

... you do have it at the very end in the "TCP" chain. The separate TCP/UDP chains do not make much sense to me. I would prefer to see iptables -L and perhaps even iptables -L -t nat and iptables -L -t mangle in this case.

Was this some script made to be used in multiple scenarios and you were supposed to comment/uncomment appropriately?
 
You must log in or register to reply here.

About

The Proxmox community has been around for many years and offers help and support for Proxmox VE, Proxmox Backup Server, and Proxmox Mail Gateway.
We think our community is one of the best thanks to people like you!

Quick Navigation

Home Get Subscription Wiki Downloads Proxmox Customer Portal About

Get your subscription!

The Proxmox team works very hard to make sure you are running the best software and getting stable updates and security enhancements, as well as quick enterprise support. Tens of thousands of happy customers have a Proxmox subscription. Get yours easily in our online shop.

Buy now!
Community platform by XenForo® © 2010-2024 XenForo Ltd.
Top Bottom