WEBgui access, only allow specific IP

May 9, 2019
Good day,

I need to only allow specific IPs to connect to the Proxmox web GUI and block out everyone else.

Can someone share an example config or any steps?

I do not wish to use the Proxmox firewall for anything else but to block web GUI traffic and allow it from specific IPs. I have a MikroTik CHR that handles firewalling for my VMs.

Regards
 
Hi,

there is no other way than using the firewall.
 
Hi,

Thank you,

If I enable firewall at datacentre level but disable on node and vm will that be fine?

This is a live environment and just want to limit webgui access and use firewall for only that.
 
I enabled firewall and when I want to edit the firewall I get

Code:
unable to open file '/etc/pve/firewall/cluster.fw.tmp.1417' - Permission denied (500)
 
I guess you have no quorum.
 
Since the firewall was enabled, quorum stopped working... Is this working as intended?

See below:

With the firewall stopped (pve-firewall stop)

Node 2
Code:
root@Prox2:~# pve-firewall stop
root@Prox2:~# omping -c 10000 -i 0.001 -F -q 10.0.10.3 10.0.10.2
10.0.10.2 : waiting for response msg
10.0.10.2 : waiting for response msg
10.0.10.2 : waiting for response msg
10.0.10.2 : waiting for response msg
10.0.10.2 : waiting for response msg
10.0.10.2 : joined (S,G) = (*, 232.43.211.234), pinging
10.0.10.2 : given amount of query messages was sent

10.0.10.2 :   unicast, xmt/rcv/%loss = 10000/9993/0%, min/avg/max/std-dev = 0.143/0.403/9.965/0.431
10.0.10.2 : multicast, xmt/rcv/%loss = 10000/9993/0%, min/avg/max/std-dev = 0.154/0.425/9.973/0.431

Node 1
Code:
root@prox1:~# pve-firewall status
Status: enabled/stopped
root@prox1:~# omping -c 10000 -i 0.001 -F -q 10.0.10.3 10.0.10.2
10.0.10.3 : waiting for response msg
10.0.10.3 : joined (S,G) = (*, 232.43.211.234), pinging
10.0.10.3 : waiting for response msg
10.0.10.3 : server told us to stop

10.0.10.3 :   unicast, xmt/rcv/%loss = 9765/9759/0%, min/avg/max/std-dev = 0.137/0.332/9.841/0.387
10.0.10.3 : multicast, xmt/rcv/%loss = 9765/9759/0%, min/avg/max/std-dev = 0.153/0.345/9.868/0.392

With the firewall running (pve-firewall start)

Node 1
Code:
root@prox1:~# pve-firewall status
Status: enabled/running
root@prox1:~# omping -c 10000 -i 0.001 -F -q 10.0.10.3 10.0.10.2
10.0.10.3 : waiting for response msg
10.0.10.3 : waiting for response msg
10.0.10.3 : waiting for response msg
10.0.10.3 : waiting for response msg
10.0.10.3 : joined (S,G) = (*, 232.43.211.234), pinging
10.0.10.3 : waiting for response msg
10.0.10.3 : server told us to stop

10.0.10.3 :   unicast, xmt/rcv/%loss = 9009/9008/0%, min/avg/max/std-dev = 0.128/0.333/8.196/0.334
10.0.10.3 : multicast, xmt/rcv/%loss = 9009/0/100%, min/avg/max/std-dev = 0.000/0.000/0.000/0.000

Node 2
Code:
root@Prox2:~# omping -c 10000 -i 0.001 -F -q 10.0.10.3 10.0.10.2
10.0.10.2 : waiting for response msg
10.0.10.2 : joined (S,G) = (*, 232.43.211.234), pinging
10.0.10.2 : given amount of query messages was sent

10.0.10.2 :   unicast, xmt/rcv/%loss = 10000/9992/0%, min/avg/max/std-dev = 0.134/0.393/8.322/0.360
10.0.10.2 : multicast, xmt/rcv/%loss = 10000/0/100%, min/avg/max/std-dev = 0.000/0.000/0.000/0.000

Please advise
 
Hi Wolfgang,

Please can you take some time to assist...

I have tried various configurations and the firewall does not seem to work for me. I am new to the Proxmox firewall and not sure what is going wrong.

On the web GUI, where should I create the rule to block access to port 8006 from all except one IP? Is it under the DC firewall? The node firewall? I have done that on both and it blocks me out when I try to connect with the IP that is allowed.

I set rule as follows:

Under data centre, input policy is drop

Code:
Direction = 1
Action = Accept
Interface = eth1
Enable = yes
Protocol = tcp
Source = 123.123.43.121
Source = Port 8006
Destination = 5.112.32.12
Destination port 8006

I have tried the same config as above with only source port, only destination port.

I removed the one from data centre as it was not working and did the exact same under the node.

Still not working.

I then set the data centre input policy to accept, but this just seems to bypass my firewall config. I then added a rule as follows to block everything I am not specifying

Code:
direction = in
action = drop

All this while corosync stops working when the input policy is drop in the data centre, regardless of whether I create a UDP rule to allow my separate network IP on ports 5404 and 5405.

The links you shared state:
If the input or output policy for the firewall is set to DROP or REJECT, the following traffic is still allowed for all Proxmox VE hosts in the cluster:

This is NOT the case. 5404 and 5405 for corosync stop working.

Please can you share examples.
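As an added example (not configuration from this thread or from the Proxmox project), a datacenter-level /etc/pve/firewall/cluster.fw that restricts the web GUI to one address by populating the predefined management IPSet, which the host firewall consults for GUI and SSH access. The addresses 203.0.113.10 and 10.0.10.0/24 are constructed placeholders, and the explicit corosync rule is an assumption about which subnet carries cluster traffic.

```ini
# /etc/pve/firewall/cluster.fw  (constructed example; addresses are placeholders)
[OPTIONS]
enable: 1
policy_in: DROP
policy_out: ACCEPT

# Predefined IPSet used by the host firewall for management access (GUI, SSH).
[IPSET management]
203.0.113.10 # the single workstation allowed to reach the web GUI

[RULES]
# Web GUI (TCP 8006) and SSH (TCP 22) only from the management set.
# Only the destination port is given: the client chooses an ephemeral source
# port, so a rule that also pins the source port to 8006 never matches.
IN ACCEPT -source +management -p tcp -dport 8006
IN ACCEPT -source +management -p tcp -dport 22

# Corosync (UDP 5404-5405) between nodes on the separate cluster network,
# stated explicitly here; 10.0.10.0/24 is assumed to be that network.
IN ACCEPT -source 10.0.10.0/24 -p udp -dport 5404:5405
```

Because /etc/pve is the clustered pmxcfs, it is read-only without quorum, which is what the "Permission denied" on the cluster.fw temp file indicates; pve-firewall compile prints the iptables rules a configuration would generate without applying them, which is a safer check on a live cluster than enabling and watching.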
 