VM firewall rules have no effect

Telencephalon

Active Member
Nov 29, 2018
Hi,
I have enabled the proxmox firewall on all levels (datacenter, proxmox host, VM, VM network adapter) and configured a rule on the VM level that drops all SSH packets (I know that traffic from the proxmox hosts should remain open, but I'll worry about that later). However, this rule has no effect, and I don't get any log entries about it (although the log levels should be set appropriately). Looking at iptables-save, I see chains that seem to define meaningful rules for packets whose destination is the bridge interface to the VM. However, SSH connections are still not blocked.

I'm attaching the (slightly redacted) output of iptables-save (the VM I'm trying to block access to has VMID 105 and IP 10.1.3.231), the VM config file, and the cluster.fw, and <VMID>.fw files. (host.fw is empty).

I have an alias for a campus LAN defined, with IP range 10.1.0.0/16. I also defined a rule on the VM level that allows and logs SSH packets from the campus LAN, and I'm also not seeing those log entries. So it seems that SSH packets never end up in the appropriate chain for filtering packets to the VM and get accepted somewhere before, but I just don't know where and why.

I'd appreciate any hints on what I'm missing here and apologize in advance for any stupidities I may have committed.

Thanks,
Telencephalon

pveversion: pve-manager/6.0-7/28984024 (running kernel: 5.0.21-1-pve)
 

Attachments

  • 105.conf.txt
  • cluster.fw.txt
  • 105.fw.txt
  • iptables-save.txt
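The three links a VM-level rule depends on before it can match anything (firewall=1 on the NIC, enable: 1 in the VM's .fw, and a tap<VMID>i<N>-IN chain that PVEFW-FWBR-IN dispatches to) can be checked mechanically. The script below is an added example, not code from this thread or from Proxmox; the VM config, .fw and iptables-save text it parses is constructed rather than taken from the poster's attachments, and the chain names follow pve-firewall's naming for a VM's tap interface.

```python
import re

# Constructed sample inputs (the poster's attachments are not in the thread).
VM_CONF = """\
memory: 2048
net0: virtio=AA:BB:CC:DD:EE:FF,bridge=vmbr0,firewall=1
"""
VM_FW = """\
[OPTIONS]
enable: 1

[RULES]
IN SSH(DROP) -log info
"""
# Excerpt in the chain layout pve-firewall generates for VM 105, NIC net0.
IPTABLES_SAVE = """\
*filter
:PVEFW-FWBR-IN - [0:0]
:tap105i0-IN - [0:0]
-A PVEFW-FWBR-IN -m physdev --physdev-out tap105i0 --physdev-is-bridged -j tap105i0-IN
-A tap105i0-IN -p tcp -m tcp --dport 22 -j DROP
COMMIT
"""

def check_vm_firewall(vmid, conf, fw, ipt):
    """Return findings that explain why VM-level rules could never match."""
    findings = []
    # 1. each netN line needs firewall=1, or no fwbr/tap chain is built for it
    nics = re.findall(r"^net(\d+):\s*(.*)$", conf, re.M)
    if not nics:
        findings.append("no netN interface in VM config")
    for idx, opts in nics:
        if "firewall=1" not in opts.split(","):
            findings.append(f"net{idx}: firewall=1 not set")
    # 2. the VM's .fw must switch the firewall on in its [OPTIONS] section
    if not re.search(r"^\[OPTIONS\][^\[]*^enable:\s*1\s*$", fw, re.M | re.S):
        findings.append("VM .fw: 'enable: 1' missing from [OPTIONS]")
    # 3. tap<vmid>i<N>-IN must exist and PVEFW-FWBR-IN must dispatch to it
    for idx, _ in nics:
        chain = f"tap{vmid}i{idx}-IN"
        if f":{chain} " not in ipt:
            findings.append(f"{chain}: chain not present in iptables-save")
        elif not re.search(rf"^-A PVEFW-FWBR-IN .*--physdev-out tap{vmid}i{idx}\b.* -j {chain}$", ipt, re.M):
            findings.append(f"{chain}: no dispatch rule from PVEFW-FWBR-IN")
    return findings

if __name__ == "__main__":
    print(check_vm_firewall("105", VM_CONF, VM_FW, IPTABLES_SAVE) or "all three links present")
```

If all three links are present and the tap chain's packet counters still never move, the bridge is not handing the frames to iptables at all, which is a kernel-level problem rather than a rule-file problem.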
Hi,

Can you please also send the output of
Code:
pveversion -v
to clarify what version is used.
 
Hi wolfgang,
Please see below:

Code:
proxmox-ve: 6.0-2 (running kernel: 5.0.21-1-pve)
pve-manager: 6.0-7 (running version: 6.0-7/28984024)
pve-kernel-helper: 6.0-8
pve-kernel-5.0: 6.0-7
pve-kernel-5.0.21-1-pve: 5.0.21-2
pve-kernel-5.0.18-1-pve: 5.0.18-3
pve-kernel-5.0.15-1-pve: 5.0.15-1
ceph: 14.2.4-pve1
ceph-fuse: 14.2.4-pve1
corosync: 3.0.2-pve2
criu: 3.11-3
gfs2-utils: 3.2.0-1
glusterfs-client: 5.5-3
ksm-control-daemon: 1.3-1
libjs-extjs: 6.0.1-10
libknet1: 1.12-pve1
libpve-access-control: 6.0-2
libpve-apiclient-perl: 3.0-2
libpve-common-perl: 6.0-4
libpve-guest-common-perl: 3.0-1
libpve-http-server-perl: 3.0-2
libpve-storage-perl: 6.0-8
libqb0: 1.0.5-1
lvm2: 2.03.02-pve3
lxc-pve: 3.1.0-65
lxcfs: 3.0.3-pve60
novnc-pve: 1.0.0-60
proxmox-mini-journalreader: 1.1-1
proxmox-widget-toolkit: 2.0-7
pve-cluster: 6.0-7
pve-container: 3.0-7
pve-docs: 6.0-4
pve-edk2-firmware: 2.20190614-1
pve-firewall: 4.0-7
pve-firmware: 3.0-2
pve-ha-manager: 3.0-2
pve-i18n: 2.0-3
pve-qemu-kvm: 4.0.0-5
pve-xtermjs: 3.13.2-1
qemu-server: 6.0-7
smartmontools: 7.0-pve2
spiceterm: 3.1-1
vncterm: 1.6-1
zfsutils-linux: 0.8.1-pve2
 
Please update to the current version.
There are some fixes in the network stack of the kernel.
Then reboot and try again.
Please report back what the results are.
 
