Using raw iptables rules

Matthieu Le Corre

Apr 18, 2016
Hi,

Is there any way to use raw iptables rules for the VMs?

We are doing a mass migration to PVE and for some of our VMs we have some "special" rules that are not supported by the pve firewall.
For most of the VMs we translate iptables to pve-firewall and it's working as intended, but we are still missing a few cases.

By the way, is there any script to translate rules from iptables to pve? I've written a quick n' dirty script to do the job, but it is far from being perfect!
The main issue is that pve-firewall is not accepting names in the rules, only IPs (and not a mix of IPv4 and IPv6).

ex:
iptables -A $I -p tcp --syn --dport ssh -m recent --name sshattack --set
iptables -A $I -p tcp --syn --dport ssh -m recent --name sshattack --rcheck --seconds 60 --hitcount 4 -j LOG --log-prefix '[SSH 22 REJECT] '
iptables -A $I -p tcp --syn --dport ssh -m recent --name sshattack --rcheck --seconds 60 --hitcount 4 -j DROP
iptables -A $I -p tcp --dport ssh -j ACCEPT
 
Yeah sure, if you want your external rules you need to handle cases like migration or backing them up yourself.
Hook scripts can help with that, to a certain degree.

We currently do not plan to allow defining custom firewall rules directly in the VM or VM-firewall configurations.
 
Ok, I'll try to deal with hooks and see what is doable.

By the way, is there any plan to handle custom meta in the VM config?
This could be a place to save those rules and to handle backup :)

Something like:

meta.rule: iptables -A $I -p tcp --syn --dport ssh -m recent --name sshattack --set
meta.mycustomprops: foo
meta.myothercustompro: bar
etc.

This could be very handy, and not only for iptables rules; I'm thinking about geolocalisation, VM manager, criticality...
 
By the way, is there any plan to handle custom meta in the VM config?
You could (mis)use the "description" field of the config; it's meant for notes and such, but you could save whatever in there.
It'd get backed up and also be available on migration, so you'd only need to read it out and insert it again with iptables.

It could be good to serialize it as base64 or a structured format to ensure it does not get scrambled that easily, just an idea.

Naturally hacky, but we're talking workarounds here :)
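To make the hook-script plus Notes-field workaround concrete, here is an added example (not Proxmox code, not the poster's script): a hypothetical hookscript that reads base64-encoded iptables rules back out of the guest's "description" field on post-start and tears them down on post-stop. It assumes a Notes line tagged "pve-iptables:", a per-guest chain named vm<VMID> that the operator's own FORWARD layout already sends the guest's traffic to (the role of $I in the rules above), and it validates every line before running it, since whoever can edit the VM config would otherwise get root command execution on the host through this hook.

```shell
#!/bin/sh
# Hypothetical PVE hookscript (added example, not Proxmox code): raw iptables rules
# live in the guest's Notes ("description") as one line "pve-iptables: <base64 of
# the rule text>", applied on post-start, dropped on post-stop; $I = chain vm<VMID>.
TAG='pve-iptables:'
# Operator side: build the Notes line from newline-separated rule text.
encode_rules() {                 # $1 = rule text
    printf '%s %s\n' "$TAG" "$(printf '%s\n' "$1" | base64 | tr -d '\n')"
}
# Recover the rule text from a config dump (what `qm config VMID` prints);
# PVE stores Notes newlines as %0A, so decode those before looking for the tag.
extract_rules() {                # $1 = config text
    printf '%s\n' "$1" | sed -n 's/^description: //p' | sed 's/%0A/\n/g' \
      | sed -n "s/^$TAG *//p" | base64 -d
}
# Expand the $I placeholder to the guest's chain name.
render_rules() {                 # $1 = rule text, $2 = chain
    printf '%s\n' "$1" | sed "s/[\$]I/$2/g"
}
# Notes are editable by anyone allowed to change the VM config and the hook runs as
# root: accept only plain "iptables -A <chain> ..." lines with no shell metacharacters.
valid_rule() {                   # $1 = one rendered rule line, $2 = chain
    printf '%s' "$1" | grep -q '[;&|$`()<>\\]' && return 1
    case $1 in "iptables -A $2 "*) return 0 ;; esac
    return 1
}
# Run validated lines through sh so quoted arguments (--log-prefix '...') work;
# stop at the first rejected line so nothing half-applied remains.
apply_rules() {                  # $1 = rendered rule text, $2 = chain
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        valid_rule "$line" "$2" || { echo "hook: rejected rule: $line" >&2; return 1; }
        sh -e -c "$line"
    done <<EOF
$1
EOF
}
# Entry point PVE calls as: hookscript VMID PHASE (other phases are ignored).
hook() {
    chain="vm$1"
    case $2 in
        post-start) rules=$(extract_rules "$(qm config "$1")")
                    [ -n "$rules" ] || return 0
                    iptables -N "$chain" 2>/dev/null || iptables -F "$chain"
                    apply_rules "$(render_rules "$rules" "$chain")" "$chain" ;;
        post-stop)  iptables -F "$chain" 2>/dev/null && iptables -X "$chain" ;;
    esac
}
if [ $# -eq 2 ]; then hook "$@"; fi
```

Register it with `qm set VMID --hookscript local:snippets/<name>.sh` and put the output of encode_rules into the guest's Notes; GNU sed and coreutils base64 are assumed for the %0A and base64 handling.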
 
Did you manage to add rules per guest machine? Can you please share some details? Many thanks.
 