Weird SSH authentication problem

Malsyrix

New Member
Dec 8, 2015
3
0
1
I'm going to note the issue first before going into details about the problem. I'm running one VM with Windows Server 2012 R2. There are 2 game servers running on that VM. Only one of my game servers is visible and can be connected to. UNLESS the person SSHs into the server. Then they can see both servers and connect to them. Once the container restarts, they lose the ability to see everything again.


I'm using Proxmox VE 4. I have the firewall turned off at the host/container and the VM level.


iptables is configured to allow ALL traffic, both UDP and TCP. There is no drop chain at all anywhere in iptables. I'm using PREROUTING for ALL of the ports that I need open and am masquerading my private LAN traffic to vmbr0.


In fact, this is all that's under my iptables filter rules:
-I INPUT -j ACCEPT


I am running 2 game servers: Killing Floor 2 and Ark: Survival Evolved.


Here are my iptables rules for Killing Floor 2. Please note that 27015 is the query port for Steam. That's what allows it to show up in the server list. 8080 is for the web GUI, which is accessible. 7777 and 7778 are the actual game's peer ports. This server runs beautifully and no one has issues with any services (about 6 people can access everything AND see the game on the server list).


-A PREROUTING -i vmbr0 -p udp -m udp --dport 7777 -j DNAT --to-destination 192.168.0.2:7777
-A PREROUTING -i vmbr0 -p udp -m udp --dport 7778 -j DNAT --to-destination 192.168.0.2:7778
-A PREROUTING -i vmbr0 -p tcp -m tcp --dport 8080 -j DNAT --to-destination 192.168.0.2:8080
-A PREROUTING -i vmbr0 -p tcp -m tcp --dport 27015 -j DNAT --to-destination 192.168.0.2:27015
-A PREROUTING -i vmbr0 -p udp -m udp --dport 27015 -j DNAT --to-destination 192.168.0.2:27015


The second game, Ark, is the one I am experiencing an issue with. Below are the iptables rules for Ark. 7782 and 20560 are the game's peer ports. 27016 is the query port to show on the server list. No one can connect, and this server will show as "not responding" until the person SSHs into the server.


-A PREROUTING -i vmbr0 -p udp -m udp --dport 20560 -j DNAT --to-destination 192.168.0.2:20560
-A PREROUTING -i vmbr0 -p udp -m udp --dport 7782 -j DNAT --to-destination 192.168.0.2:7782
-A PREROUTING -i vmbr0 -p udp -m udp --dport 27016 -j DNAT --to-destination 192.168.0.2:27016


I have no idea, for the life of me, why this is happening. Why does somebody need to SSH into my server to be able to see/connect to everything on the VM? I'm not running an SSH authentication server and I have not configured two-factor authentication on Proxmox. As far as I can tell, I have literally every firewall/defense disabled, accepting all TCP and UDP traffic, with only PREROUTING rules so traffic can get back to my server. I have been trying to find a solution for 12 hours with no luck. Please, please tell me this is some kind of setting/feature of Proxmox that I'm missing. Or please guide me in the right direction.

Below is my iptables file for troubleshooting purposes, as well as my /etc/network/interfaces, if it even matters.

# Generated by iptables-save v1.4.21 on Tue Dec 8 01:19:59 2015
*filter
:INPUT ACCEPT [3321:1026704]
:FORWARD ACCEPT [99:3635]
:OUTPUT ACCEPT [1074:290485]
-I INPUT -j ACCEPT
COMMIT
# Completed on Tue Dec 8 01:19:59 2015
# Generated by iptables-save v1.4.21 on Tue Dec 8 01:19:59 2015
*nat
:PREROUTING ACCEPT [421:18096]
:INPUT ACCEPT [90:3620]
:OUTPUT ACCEPT [413:62582]
:POSTROUTING ACCEPT [503:65683]
-A PREROUTING -i vmbr0 -p tcp -m tcp --dport 7777 -j DNAT --to-destination 192.168.0.2:7777
-A PREROUTING -i vmbr0 -p udp -m udp --dport 7777 -j DNAT --to-destination 192.168.0.2:7777
-A PREROUTING -i vmbr0 -p tcp -m tcp --dport 3389 -j DNAT --to-destination 192.168.0.2:3389
-A PREROUTING -i vmbr0 -p tcp -m tcp --dport 27015 -j DNAT --to-destination 192.168.0.2:27015
-A PREROUTING -i vmbr0 -p udp -m udp --dport 27015 -j DNAT --to-destination 192.168.0.2:27015
-A PREROUTING -i vmbr0 -p udp -m udp --dport 25565 -j DNAT --to-destination 192.168.0.2:25565
-A PREROUTING -i vmbr0 -p udp -m udp --dport 20561 -j DNAT --to-destination 192.168.0.2:20561
-A PREROUTING -i vmbr0 -p udp -m udp --dport 7778 -j DNAT --to-destination 192.168.0.2:7778
-A PREROUTING -i vmbr0 -p tcp -m tcp --dport 8080 -j DNAT --to-destination 192.168.0.2:8080
-A PREROUTING -i vmbr0 -p udp -m udp --dport 27016 -j DNAT --to-destination 192.168.0.2:27016
-A PREROUTING -i vmbr0 -p udp -m udp --dport 20560 -j DNAT --to-destination 192.168.0.2:20560
-A PREROUTING -i vmbr0 -p udp -m udp --dport 27020 -j DNAT --to-destination 192.168.0.2:27020
-A PREROUTING -i vmbr0 -p udp -m udp --dport 7782 -j DNAT --to-destination 192.168.0.2:7782
-A POSTROUTING -s 192.168.0.0/24 -o vmbr0 -j MASQUERADE
COMMIT
# Completed on Tue Dec 8 01:19:59 2015



# The loopback network interface
auto lo
iface lo inet loopback


# for Routing
auto vmbr1
iface vmbr1 inet manual
post-up /etc/pve/kvm-networking.sh
bridge_ports dummy0
bridge_stp off
bridge_fd 0




# vmbr0: Bridging. Make sure to use only MAC adresses that were assigned to you.
auto vmbr0
iface vmbr0 inet static
address 158.69.xx.xx
netmask 255.255.255.0
network 158.69.xx.xx
broadcast 158.69.xx.xx
gateway 158.69.xx.xx
bridge_ports eth0
bridge_stp off
bridge_fd 0


auto vmbr2
iface vmbr2 inet static
address 192.168.0.254
netmask 255.255.255.0
bridge_ports none
bridge_stp off
bridge_fd 0

post-up echo 1 > /proc/sys/net/ipv4/ip_forward
post-up echo 1 > /proc/sys/net/ipv4/conf/all/proxy_arp

post-up iptables -I INPUT -j ACCEPT
post-down iptables -I INPUT -j ACCEPT


post-up iptables -t nat -A POSTROUTING -s '192.168.0.0/24' -o vmbr0 -j MASQUERADE
post-down iptables -t nat -D POSTROUTING -s '192.168.0.0/24' -o vmbr0 -j MASQUERADE
post-up iptables -t nat -A PREROUTING -i vmbr0 -p tcp --dport 7777 -j DNAT --to 192.168.0.2:7777
post-down iptables -t nat -D PREROUTING -i vmbr0 -p tcp --dport 7777 -j DNAT --to 192.168.0.2:7777
post-up iptables -t nat -A PREROUTING -i vmbr0 -p udp --dport 7777 -j DNAT --to 192.168.0.2:7777
post-down iptables -t nat -D PREROUTING -i vmbr0 -p udp --dport 7777 -j DNAT --to 192.168.0.2:7777
post-up iptables -t nat -A PREROUTING -i vmbr0 -p tcp --dport 3389 -j DNAT --to 192.168.0.2:3389
post-down iptables -t nat -D PREROUTING -i vmbr0 -p tcp --dport 3389 -j DNAT --to 192.168.0.2:3389
post-up iptables -t nat -A PREROUTING -i vmbr0 -p tcp --dport 27015 -j DNAT --to 192.168.0.2:27015
post-down iptables -t nat -D PREROUTING -i vmbr0 -p tcp --dport 27015 -j DNAT --to 192.168.0.2:27015
post-up iptables -t nat -A PREROUTING -i vmbr0 -p udp --dport 27015 -j DNAT --to 192.168.0.2:27015
post-down iptables -t nat -D PREROUTING -i vmbr0 -p udp --dport 27015 -j DNAT --to 192.168.0.2:27015
post-up iptables -t nat -A PREROUTING -i vmbr0 -p udp --dport 25565 -j DNAT --to 192.168.0.2:25565
post-down iptables -t nat -D PREROUTING -i vmbr0 -p udp --dport 25565 -j DNAT --to 192.168.0.2:25565
post-up iptables -t nat -A PREROUTING -i vmbr0 -p udp --dport 20561 -j DNAT --to 192.168.0.2:20561
post-down iptables -t nat -D PREROUTING -i vmbr0 -p udp --dport 20561 -j DNAT --to 192.168.0.2:20561
post-up iptables -t nat -A PREROUTING -i vmbr0 -p udp --dport 7778 -j DNAT --to 192.168.0.2:7778
post-down iptables -t nat -D PREROUTING -i vmbr0 -p udp --dport 7778 -j DNAT --to 192.168.0.2:7778
post-up iptables -t nat -A PREROUTING -i vmbr0 -p tcp --dport 8080 -j DNAT --to 192.168.0.2:8080
post-down iptables -t nat -D PREROUTING -i vmbr0 -p tcp --dport 8080 -j DNAT --to 192.168.0.2:8080
post-up iptables -t nat -A PREROUTING -i vmbr0 -p udp --dport 27016 -j DNAT --to 192.168.0.2:27016
post-down iptables -t nat -D PREROUTING -i vmbr0 -p udp --dport 27016 -j DNAT --to 192.168.0.2:27016
post-up iptables -t nat -A PREROUTING -i vmbr0 -p udp --dport 20560 -j DNAT --to 192.168.0.2:20560
post-down iptables -t nat -D PREROUTING -i vmbr0 -p udp --dport 20560 -j DNAT --to 192.168.0.2:20560
post-up iptables -t nat -A PREROUTING -i vmbr0 -p udp --dport 27020 -j DNAT --to 192.168.0.2:27020
post-down iptables -t nat -D PREROUTING -i vmbr0 -p udp --dport 27020 -j DNAT --to 192.168.0.2:27020
post-up iptables -t nat -A PREROUTING -i vmbr0 -p udp --dport 7782 -j DNAT --to 192.168.0.2:7782
post-down iptables -t nat -D PREROUTING -i vmbr0 -p udp --dport 7782 -j DNAT --to 192.168.0.2:7782
 
So I blew away the entire server. I switched to Proxmox v3.4 and Windows Server 2008 R2. This time around I decided not to go with a private LAN. I set up the Windows VM with a public IP. All Proxmox firewalls/iptables and the Windows firewall were turned off. Ports 3389 and 8080 were ALREADY open when I did this, so I was pretty certain that the ports were open for sure. People could connect to the web server, after all.

However, the exact same issue persisted. Although this time around, once somebody either used SSH into the Proxmox kernel or RDP to connect to the Windows VM, they could magically see everything.

I'm so baffled by this. Could it just be UDP traffic that's not working? On Windows, a netstat -an shows the UDP traffic waiting for a connection from anywhere. I've never had this problem with Windows Server 2008/2012 before. The only consistent thing that's new to me is Proxmox, so I'm somewhat certain I'm missing something.

Any ideas..?
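As an added example (not part of the original post or of Proxmox), the checker below parses the two artifacts the poster put on the page: the iptables-save nat table and the post-up/post-down hooks from /etc/network/interfaces. It answers two questions a practitioner would check before looking anywhere else: does every port the game needs actually have a DNAT rule for the right protocol, and does every post-down hook undo exactly what its post-up hook added (the posted file has one post-down that runs "-I INPUT -j ACCEPT" again instead of deleting it, which inserts a duplicate rule on every interface bounce). The sample inputs are constructed from the rules quoted above, abridged; the script is a consistency check only and does not diagnose the UDP symptom itself.

```python
import re
import shlex
from typing import Dict, List, Tuple

# Constructed sample: an abridged copy of the *nat table from the iptables-save
# output posted above (rule syntax unchanged, some unrelated rules dropped).
NAT_DUMP = """\
*nat
:PREROUTING ACCEPT [421:18096]
:POSTROUTING ACCEPT [503:65683]
-A PREROUTING -i vmbr0 -p tcp -m tcp --dport 7777 -j DNAT --to-destination 192.168.0.2:7777
-A PREROUTING -i vmbr0 -p udp -m udp --dport 7777 -j DNAT --to-destination 192.168.0.2:7777
-A PREROUTING -i vmbr0 -p udp -m udp --dport 27016 -j DNAT --to-destination 192.168.0.2:27016
-A PREROUTING -i vmbr0 -p udp -m udp --dport 20560 -j DNAT --to-destination 192.168.0.2:20560
-A PREROUTING -i vmbr0 -p udp -m udp --dport 7782 -j DNAT --to-destination 192.168.0.2:7782
-A POSTROUTING -s 192.168.0.0/24 -o vmbr0 -j MASQUERADE
COMMIT
"""

# Constructed sample: an abridged copy of the vmbr2 hooks from the posted interfaces file.
INTERFACES_HOOKS = """\
post-up iptables -I INPUT -j ACCEPT
post-down iptables -I INPUT -j ACCEPT
post-up iptables -t nat -A POSTROUTING -s '192.168.0.0/24' -o vmbr0 -j MASQUERADE
post-down iptables -t nat -D POSTROUTING -s '192.168.0.0/24' -o vmbr0 -j MASQUERADE
post-up iptables -t nat -A PREROUTING -i vmbr0 -p udp --dport 27016 -j DNAT --to 192.168.0.2:27016
post-down iptables -t nat -D PREROUTING -i vmbr0 -p udp --dport 27016 -j DNAT --to 192.168.0.2:27016
"""

# Ports the post says Ark needs (peer ports 7782/20560, query port 27016), all UDP.
ARK_PORTS: List[Tuple[str, int]] = [("udp", 7782), ("udp", 20560), ("udp", 27016)]

# One DNAT rule in iptables-save syntax: optional in-interface, proto, dport, target.
DNAT_RE = re.compile(
    r"^-A PREROUTING(?: -i (?P<iface>\S+))? -p (?P<proto>tcp|udp)"
    r"(?: -m (?:tcp|udp))? --dport (?P<dport>\d+) -j DNAT"
    r" --to-destination (?P<dst>[\d.]+):(?P<dport2>\d+)$"
)


def parse_dnat(dump: str) -> Dict[Tuple[str, int], Tuple[str, int, str]]:
    """Map (proto, external port) -> (dest ip, dest port, in-interface) for each DNAT rule."""
    rules: Dict[Tuple[str, int], Tuple[str, int, str]] = {}
    for line in dump.splitlines():
        m = DNAT_RE.match(line.strip())
        if m:
            rules[(m["proto"], int(m["dport"]))] = (m["dst"], int(m["dport2"]), m["iface"] or "any")
    return rules


def missing_forwards(rules: Dict[Tuple[str, int], Tuple[str, int, str]],
                     required: List[Tuple[str, int]]) -> List[Tuple[str, int]]:
    """Return the (proto, port) pairs that have no DNAT rule at all (protocol must match)."""
    return [r for r in required if r not in rules]


def _canonical(cmd: str):
    """Split an iptables command; return (action flag, rule key with the action masked)."""
    toks = shlex.split(cmd)
    for i, t in enumerate(toks):
        if t in ("-A", "-I", "-D"):
            return t, tuple(toks[:i] + ["<ACTION>"] + toks[i + 1:])
    return None, tuple(toks)


def unbalanced_hooks(text: str) -> List[str]:
    """Return post-down lines that do not delete (-D) a rule some post-up line added (-A/-I)."""
    added = set()
    problems: List[str] = []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("post-up "):
            act, key = _canonical(line[len("post-up "):])
            if act in ("-A", "-I"):
                added.add(key)
        elif line.startswith("post-down "):
            act, key = _canonical(line[len("post-down "):])
            if act != "-D" or key not in added:
                problems.append(line)
    return problems


if __name__ == "__main__":
    dnat = parse_dnat(NAT_DUMP)
    print("Ark ports without a DNAT rule:", missing_forwards(dnat, ARK_PORTS) or "none")
    for bad in unbalanced_hooks(INTERFACES_HOOKS):
        print("post-down does not undo its post-up:", bad)
```

On the posted rules every Ark port does have a UDP DNAT rule, so the checker's only finding is the mismatched INPUT hook. That does not explain why the ports answer only after an SSH or RDP session, but it removes one variable (a rule set that drifts every time vmbr2 goes down and up) before looking at the hoster's public-IP rules mentioned in the reply.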
 
# vmbr0: Bridging. Make sure to use only MAC adresses that were assigned to you.

This is an indication that the system runs at a server hoster - does it?


If so, be careful; there are sometimes special rules for using public IPs in the containers / VMs.
 
