Why is my PVE IP showing in firewall logs when I attempt to join from a public IP ?

Kamtoga
New Member
Aug 18, 2023
Hello,

I'm quite new to Proxmox and there is something I don't get.

I've just done some firewall rules (filtering which public IPs can access a specific VM on specific ports). But when I test with unauthorized IPs, I can access my resources (which isn't supposed to be normal).

When I look at the logs, I see that the IP initiating the request is my PVE's IP. Am I missing something? Does PVE translate requests? Or is it something in my iptables?

Here are my logs:
103 6 tap103i0-IN 18/Aug/2023:10:08:42 +0200 policy DROP: IN=fwbr103i0 OUT=fwbr103i0 PHYSIN=fwln103i0 PHYSOUT=tap103i0 MAC=b6:8d:06:62:46:41:e8:39:35:a6:fd:ac:08:00 SRC=10.50.1.1 DST=10.50.1.5 LEN=52 TOS=0x00 PREC=0x00 TTL=127 ID=5175 DF PROTO=TCP SPT=61858 DPT=8443 SEQ=2822076442 ACK=0 WINDOW=64860 SYN
103 6 tap103i0-IN 18/Aug/2023:10:08:42 +0200 policy DROP: IN=fwbr103i0 OUT=fwbr103i0 PHYSIN=fwln103i0 PHYSOUT=tap103i0 MAC=b6:8d:06:62:46:41:e8:39:35:a6:fd:ac:08:00 SRC=10.50.1.1 DST=10.50.1.5 LEN=52 TOS=0x00 PREC=0x00 TTL=127 ID=5176 DF PROTO=TCP SPT=61859 DPT=8443 SEQ=869446092 ACK=0 WINDOW=64860 SYN
103 6 tap103i0-IN 18/Aug/2023:10:08:42 +0200 policy DROP: IN=fwbr103i0 OUT=fwbr103i0 PHYSIN=fwln103i0 PHYSOUT=tap103i0 MAC=b6:8d:06:62:46:41:e8:39:35:a6:fd:ac:08:00 SRC=10.50.1.1 DST=10.50.1.5 LEN=52 TOS=0x00 PREC=0x00 TTL=127 ID=5177 DF PROTO=TCP SPT=61858 DPT=8443 SEQ=2822076442 ACK=0 WINDOW=64860 SYN
103 6 tap103i0-IN 18/Aug/2023:10:08:44 +0200 policy DROP: IN=fwbr103i0 OUT=fwbr103i0 PHYSIN=fwln103i0 PHYSOUT=tap103i0 MAC=b6:8d:06:62:46:41:e8:39:35:a6:fd:ac:08:00 SRC=10.50.1.1 DST=10.50.1.5 LEN=52 TOS=0x00 PREC=0x00 TTL=127 ID=5178 DF PROTO=TCP SPT=61859 DPT=8443 SEQ=869446092 ACK=0 WINDOW=64860 SYN
103 6 tap103i0-IN 18/Aug/2023:10:08:45 +0200 policy DROP: IN=fwbr103i0 OUT=fwbr103i0 PHYSIN=fwln103i0 PHYSOUT=tap103i0 MAC=b6:8d:06:62:46:41:e8:39:35:a6:fd:ac:08:00 SRC=10.50.1.1 DST=10.50.1.5 LEN=52 TOS=0x00 PREC=0x00 TTL=127 ID=5179 DF PROTO=TCP SPT=61858 DPT=8443 SEQ=2822076442 ACK=0 WINDOW=64860 SYN
103 6 tap103i0-IN 18/Aug/2023:10:08:45 +0200 policy DROP: IN=fwbr103i0 OUT=fwbr103i0 PHYSIN=fwln103i0 PHYSOUT=tap103i0 MAC=b6:8d:06:62:46:41:e8:39:35:a6:fd:ac:08:00 SRC=10.50.1.1 DST=10.50.1.5 LEN=52 TOS=0x00 PREC=0x00 TTL=127 ID=5180 DF PROTO=TCP SPT=61859 DPT=8443 SEQ=869446092 ACK=0 WINDOW=64860 SYN
103 6 tap103i0-IN 18/Aug/2023:10:08:49 +0200 policy DROP: IN=fwbr103i0 OUT=fwbr103i0 PHYSIN=fwln103i0 PHYSOUT=tap103i0 MAC=b6:8d:06:62:46:41:e8:39:35:a6:fd:ac:08:00 SRC=10.50.1.1 DST=10.50.1.5 LEN=52 TOS=0x00 PREC=0x00 TTL=127 ID=5181 DF PROTO=TCP SPT=61858 DPT=8443 SEQ=2822076442 ACK=0 WINDOW=64860 SYN
103 6 tap103i0-IN 18/Aug/2023:10:08:49 +0200 policy DROP: IN=fwbr103i0 OUT=fwbr103i0 PHYSIN=fwln103i0 PHYSOUT=tap103i0 MAC=b6:8d:06:62:46:41:e8:39:35:a6:fd:ac:08:00 SRC=10.50.1.1 DST=10.50.1.5 LEN=52 TOS=0x00 PREC=0x00 TTL=127 ID=5182 DF PROTO=TCP SPT=61859 DPT=8443 SEQ=869446092 ACK=0 WINDOW=64860 SYN
103 6 tap103i0-IN 18/Aug/2023:10:08:57 +0200 policy DROP: IN=fwbr103i0 OUT=fwbr103i0 PHYSIN=fwln103i0 PHYSOUT=tap103i0 MAC=b6:8d:06:62:46:41:e8:39:35:a6:fd:ac:08:00 SRC=10.50.1.1 DST=10.50.1.5 LEN=52 TOS=0x00 PREC=0x00 TTL=127 ID=5183 DF PROTO=TCP SPT=61858 DPT=8443 SEQ=2822076442 ACK=0 WINDOW=64860 SYN
103 6 tap103i0-IN 18/Aug/2023:10:08:57 +0200 policy DROP: IN=fwbr103i0 OUT=fwbr103i0 PHYSIN=fwln103i0 PHYSOUT=tap103i0 MAC=b6:8d:06:62:46:41:e8:39:35:a6:fd:ac:08:00 SRC=10.50.1.1 DST=10.50.1.5 LEN=52 TOS=0x00 PREC=0x00 TTL=127 ID=5184 DF PROTO=TCP SPT=61859 DPT=8443 SEQ=869446092 ACK=0 WINDOW=64860 SYN
103 6 tap103i0-IN 18/Aug/2023:10:20:31 +0200 policy DROP: IN=fwbr103i0 OUT=fwbr103i0 PHYSIN=fwln103i0 PHYSOUT=tap103i0 MAC=b6:8d:06:62:46:41:00:90:7f:d9:28:dc:08:00 SRC=10.50.1.1 DST=10.50.1.5 LEN=52 TOS=0x00 PREC=0x00 TTL=124 ID=46753 DF PROTO=TCP SPT=62302 DPT=8443 SEQ=181136419 ACK=0 WINDOW=64860 SYN
103 6 tap103i0-IN 18/Aug/2023:10:20:31 +0200 policy DROP: IN=fwbr103i0 OUT=fwbr103i0 PHYSIN=fwln103i0 PHYSOUT=tap103i0 MAC=b6:8d:06:62:46:41:00:90:7f:d9:28:dc:08:00 SRC=10.50.1.1 DST=10.50.1.5 LEN=52 TOS=0x00 PREC=0x00 TTL=124 ID=46754 DF PROTO=TCP SPT=62303 DPT=8443 SEQ=433260555 ACK=0 WINDOW=64860 SYN
103 6 tap103i0-IN 18/Aug/2023:10:20:31 +0200 policy DROP: IN=fwbr103i0 OUT=fwbr103i0 PHYSIN=fwln103i0 PHYSOUT=tap103i0 MAC=b6:8d:06:62:46:41:00:90:7f:d9:28:dc:08:00 SRC=10.50.1.1 DST=10.50.1.5 LEN=52 TOS=0x00 PREC=0x00 TTL=124 ID=46755 DF PROTO=TCP SPT=62302 DPT=8443 SEQ=181136419 ACK=0 WINDOW=64860 SYN
103 6 tap103i0-IN 18/Aug/2023:10:20:32 +0200 policy DROP: IN=fwbr103i0 OUT=fwbr103i0 PHYSIN=fwln103i0 PHYSOUT=tap103i0 MAC=b6:8d:06:62:46:41:00:90:7f:d9:28:dc:08:00 SRC=10.50.1.1 DST=10.50.1.5 LEN=52 TOS=0x00 PREC=0x00 TTL=124 ID=46756 DF PROTO=TCP SPT=62303 DPT=8443 SEQ=433260555 ACK=0 WINDOW=64860 SYN
103 6 tap103i0-IN 18/Aug/2023:10:20:34 +0200 policy DROP: IN=fwbr103i0 OUT=fwbr103i0 PHYSIN=fwln103i0 PHYSOUT=tap103i0 MAC=b6:8d:06:62:46:41:00:90:7f:d9:28:dc:08:00 SRC=10.50.1.1 DST=10.50.1.5 LEN=52 TOS=0x00 PREC=0x00 TTL=124 ID=46757 DF PROTO=TCP SPT=62302 DPT=8443 SEQ=181136419 ACK=0 WINDOW=64860 SYN
103 6 tap103i0-IN 18/Aug/2023:10:20:34 +0200 policy DROP: IN=fwbr103i0 OUT=fwbr103i0 PHYSIN=fwln103i0 PHYSOUT=tap103i0 MAC=b6:8d:06:62:46:41:00:90:7f:d9:28:dc:08:00 SRC=10.50.1.1 DST=10.50.1.5 LEN=52 TOS=0x00 PREC=0x00 TTL=124 ID=46758 DF PROTO=TCP SPT=62303 DPT=8443 SEQ=433260555 ACK=0 WINDOW=64860 SYN
103 6 tap103i0-IN 18/Aug/2023:10:20:38 +0200 policy DROP: IN=fwbr103i0 OUT=fwbr103i0 PHYSIN=fwln103i0 PHYSOUT=tap103i0 MAC=b6:8d:06:62:46:41:00:90:7f:d9:28:dc:08:00 SRC=10.50.1.1 DST=10.50.1.5 LEN=52 TOS=0x00 PREC=0x00 TTL=124 ID=46759 DF PROTO=TCP SPT=62302 DPT=8443 SEQ=181136419 ACK=0 WINDOW=64860 SYN
103 6 tap103i0-IN 18/Aug/2023:10:20:38 +0200 policy DROP: IN=fwbr103i0 OUT=fwbr103i0 PHYSIN=fwln103i0 PHYSOUT=tap103i0 MAC=b6:8d:06:62:46:41:00:90:7f:d9:28:dc:08:00 SRC=10.50.1.1 DST=10.50.1.5 LEN=52 TOS=0x00 PREC=0x00 TTL=124 ID=46760 DF PROTO=TCP SPT=62303 DPT=8443 SEQ=433260555 ACK=0 WINDOW=64860 SYN
103 6 tap103i0-IN 18/Aug/2023:10:20:46 +0200 policy DROP: IN=fwbr103i0 OUT=fwbr103i0 PHYSIN=fwln103i0 PHYSOUT=tap103i0 MAC=b6:8d:06:62:46:41:00:90:7f:d9:28:dc:08:00 SRC=10.50.1.1 DST=10.50.1.5 LEN=52 TOS=0x00 PREC=0x00 TTL=124 ID=46761 DF PROTO=TCP SPT=62302 DPT=8443 SEQ=181136419 ACK=0 WINDOW=64860 SYN
103 6 tap103i0-IN 18/Aug/2023:10:20:46 +0200 policy DROP: IN=fwbr103i0 OUT=fwbr103i0 PHYSIN=fwln103i0 PHYSOUT=tap103i0 MAC=b6:8d:06:62:46:41:00:90:7f:d9:28:dc:08:00 SRC=10.50.1.1 DST=10.50.1.5 LEN=52 TOS=0x00 PREC=0x00 TTL=124 ID=46762 DF PROTO=TCP SPT=62303 DPT=8443 SEQ=433260555 ACK=0 WINDOW=64860 SYN
 
Some precisions, though:

  • My firewall group is set for my VM.
  • I am using the Proxmox bridge.
  • 10.50.1.1 is my PVE IP.
 
Hi,
By default, Proxmox VE does not translate IP addresses; it only forwards traffic if IPv4 forwarding is set. Did you maybe set up some sort of SNAT? Please share your current network configuration (cat /etc/network/interfaces) and iptables rules (iptables-save). Also, please explain where your test traffic is coming from.
 
Hi,
My /etc/network/interfaces:

Bash:
# network interface settings; autogenerated
# Please do NOT modify this file directly, unless you know what
# you're doing.
#
# If you want to manage parts of the network configuration manually,
# please utilize the 'source' or 'source-directory' directives to do
# so.
# PVE will preserve these directives, but will NOT read its network
# configuration from sourced files, so do not attempt to move any of
# the PVE managed interfaces into external files!

auto lo
iface lo inet loopback

auto enp3s0f0
iface enp3s0f0 inet manual

auto enp3s0f1
iface enp3s0f1 inet manual

iface enp4s0f0 inet manual

iface enp4s0f1 inet manual

iface enp8s0f0 inet manual

iface enp8s0f1 inet manual

iface enp9s0f0 inet manual

iface enp9s0f1 inet manual

auto vmbr0
iface vmbr0 inet static
        address 10.50.1.1/24
        gateway 10.50.1.254
        bridge-ports enp3s0f0
        bridge-stp off
        bridge-fd 0

auto vmbr2
iface vmbr2 inet manual
        bridge-ports none
        bridge-stp off
        bridge-fd 0
# SNTS NETWORK

auto vmbr3
iface vmbr3 inet manual
        bridge-ports none
        bridge-stp off
        bridge-fd 0
# SVEIL NETWORK


My iptables-save :

Code:
# Generated by iptables-save v1.8.7 on Fri Aug 18 11:10:33 2023
*raw
:PREROUTING ACCEPT [21854365:16591412733]
:OUTPUT ACCEPT [7429391:10973967126]
COMMIT
# Completed on Fri Aug 18 11:10:33 2023
# Generated by iptables-save v1.8.7 on Fri Aug 18 11:10:33 2023
*nat
:PREROUTING ACCEPT [71435:9225581]
:INPUT ACCEPT [8930:734118]
:OUTPUT ACCEPT [24087:1728740]
:POSTROUTING ACCEPT [9775:705043]
-A POSTROUTING -o vmbr0 -j MASQUERADE
COMMIT
# Completed on Fri Aug 18 11:10:33 2023
# Generated by iptables-save v1.8.7 on Fri Aug 18 11:10:33 2023
*filter
:INPUT ACCEPT [967:64252]
:FORWARD ACCEPT [6673:479786]
:OUTPUT ACCEPT [21:1596]
:GROUP-mc-server-IN - [0:0]
:GROUP-mc-server-OUT - [0:0]
:PVEFW-Drop - [0:0]
:PVEFW-DropBroadcast - [0:0]
:PVEFW-FORWARD - [0:0]
:PVEFW-FWBR-IN - [0:0]
:PVEFW-FWBR-OUT - [0:0]
:PVEFW-HOST-IN - [0:0]
:PVEFW-HOST-OUT - [0:0]
:PVEFW-INPUT - [0:0]
:PVEFW-OUTPUT - [0:0]
:PVEFW-Reject - [0:0]
:PVEFW-SET-ACCEPT-MARK - [0:0]
:PVEFW-logflags - [0:0]
:PVEFW-reject - [0:0]
:PVEFW-smurflog - [0:0]
:PVEFW-smurfs - [0:0]
:PVEFW-tcpflags - [0:0]
:tap103i0-IN - [0:0]
:tap103i0-OUT - [0:0]
-A INPUT -p udp -m udp --dport 51820 -j ACCEPT
-A INPUT -j PVEFW-INPUT
-A FORWARD -i wg0 -j ACCEPT
-A FORWARD -i vmbr0 -o wg0 -j ACCEPT
-A FORWARD -j PVEFW-FORWARD
-A OUTPUT -j PVEFW-OUTPUT
-A GROUP-mc-server-IN -j MARK --set-xmark 0x0/0x80000000
-A GROUP-mc-server-IN -s x.x.x.x/32 -p tcp -m tcp --sport 9565 --dport 9565 -m limit --limit 1/sec -j NFLOG --nflog-prefix  ":0:6:GROUP-mc-server-IN: "
-A GROUP-mc-server-IN -s x.x.x.x/32 -p tcp -m tcp --sport 9565 --dport 9565 -g PVEFW-SET-ACCEPT-MARK
-A GROUP-mc-server-IN -s x.x.x.x/32 -p tcp -m tcp --sport 9565 --dport 9565 -m limit --limit 1/sec -j NFLOG --nflog-prefix  ":0:6:GROUP-mc-server-IN: "
-A GROUP-mc-server-IN -s x.x.x.x/32 -p tcp -m tcp --sport 9565 --dport 9565 -g PVEFW-SET-ACCEPT-MARK
-A GROUP-mc-server-IN -m comment --comment "PVESIG:/evtDQhav7ySZaEMQZd3XpHJI94"
-A GROUP-mc-server-OUT -j MARK --set-xmark 0x0/0x80000000
-A GROUP-mc-server-OUT -m comment --comment "PVESIG:rOeJGbDu3JaO+7wL2o8jnihqzQk"
-A PVEFW-Drop -j PVEFW-DropBroadcast
-A PVEFW-Drop -p icmp -m icmp --icmp-type 3/4 -j ACCEPT
-A PVEFW-Drop -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A PVEFW-Drop -m conntrack --ctstate INVALID -j DROP
-A PVEFW-Drop -p udp -m multiport --dports 135,445 -j DROP
-A PVEFW-Drop -p udp -m udp --dport 137:139 -j DROP
-A PVEFW-Drop -p udp -m udp --sport 137 --dport 1024:65535 -j DROP
-A PVEFW-Drop -p tcp -m multiport --dports 135,139,445 -j DROP
-A PVEFW-Drop -p udp -m udp --dport 1900 -j DROP
-A PVEFW-Drop -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -j DROP
-A PVEFW-Drop -p udp -m udp --sport 53 -j DROP
-A PVEFW-Drop -m comment --comment "PVESIG:83WlR/a4wLbmURFqMQT3uJSgIG8"
-A PVEFW-DropBroadcast -m addrtype --dst-type BROADCAST -j DROP
-A PVEFW-DropBroadcast -m addrtype --dst-type MULTICAST -j DROP
-A PVEFW-DropBroadcast -m addrtype --dst-type ANYCAST -j DROP
-A PVEFW-DropBroadcast -d 224.0.0.0/4 -j DROP
-A PVEFW-DropBroadcast -m comment --comment "PVESIG:NyjHNAtFbkH7WGLamPpdVnxHy4w"
-A PVEFW-FORWARD -m conntrack --ctstate INVALID -j DROP
-A PVEFW-FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A PVEFW-FORWARD -m physdev --physdev-in fwln+ --physdev-is-bridged -j PVEFW-FWBR-IN
-A PVEFW-FORWARD -m physdev --physdev-out fwln+ --physdev-is-bridged -j PVEFW-FWBR-OUT
-A PVEFW-FORWARD -m comment --comment "PVESIG:qnNexOcGa+y+jebd4dAUqFSp5nw"
-A PVEFW-FWBR-IN -m conntrack --ctstate INVALID,NEW -j PVEFW-smurfs
-A PVEFW-FWBR-IN -m physdev --physdev-out tap103i0 --physdev-is-bridged -j tap103i0-IN
-A PVEFW-FWBR-IN -m comment --comment "PVESIG:Tn/qYSX2GbnAwjclGhTA9CWFjzE"
-A PVEFW-FWBR-OUT -m physdev --physdev-in tap103i0 --physdev-is-bridged -j tap103i0-OUT
-A PVEFW-FWBR-OUT -m comment --comment "PVESIG:PRRr+h3cccuUxn7Bzq1LXqFjMOg"
-A PVEFW-HOST-IN -i lo -j ACCEPT
-A PVEFW-HOST-IN -m conntrack --ctstate INVALID -j DROP
-A PVEFW-HOST-IN -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A PVEFW-HOST-IN -m conntrack --ctstate INVALID,NEW -j PVEFW-smurfs
-A PVEFW-HOST-IN -p igmp -j RETURN
-A PVEFW-HOST-IN -p tcp -m set --match-set PVEFW-0-management-v4 src -m tcp --dport 8006 -j RETURN
-A PVEFW-HOST-IN -p tcp -m set --match-set PVEFW-0-management-v4 src -m tcp --dport 5900:5999 -j RETURN
-A PVEFW-HOST-IN -p tcp -m set --match-set PVEFW-0-management-v4 src -m tcp --dport 3128 -j RETURN
-A PVEFW-HOST-IN -p tcp -m set --match-set PVEFW-0-management-v4 src -m tcp --dport 22 -j RETURN
-A PVEFW-HOST-IN -p tcp -m set --match-set PVEFW-0-management-v4 src -m tcp --dport 60000:60050 -j RETURN
-A PVEFW-HOST-IN -j RETURN
-A PVEFW-HOST-IN -m comment --comment "PVESIG:NknvsOiEa+jO7SaQ6Id0PaeSvgc"
-A PVEFW-HOST-OUT -o lo -j ACCEPT
-A PVEFW-HOST-OUT -m conntrack --ctstate INVALID -j DROP
-A PVEFW-HOST-OUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A PVEFW-HOST-OUT -p igmp -j RETURN
-A PVEFW-HOST-OUT -d 127.0.0.0/8 -p tcp -m tcp --dport 8006 -j RETURN
-A PVEFW-HOST-OUT -d 127.0.0.0/8 -p tcp -m tcp --dport 22 -j RETURN
-A PVEFW-HOST-OUT -d 127.0.0.0/8 -p tcp -m tcp --dport 5900:5999 -j RETURN
-A PVEFW-HOST-OUT -d 127.0.0.0/8 -p tcp -m tcp --dport 3128 -j RETURN
-A PVEFW-HOST-OUT -j RETURN
-A PVEFW-HOST-OUT -m comment --comment "PVESIG:slA9+eGCoAqR09eovbprlFksyFw"
-A PVEFW-INPUT -j PVEFW-HOST-IN
-A PVEFW-INPUT -m comment --comment "PVESIG:+5iMmLaxKXynOB/+5xibfx7WhFk"
-A PVEFW-OUTPUT -j PVEFW-HOST-OUT
-A PVEFW-OUTPUT -m comment --comment "PVESIG:LjHoZeSSiWAG3+2ZAyL/xuEehd0"
-A PVEFW-Reject -j PVEFW-DropBroadcast
-A PVEFW-Reject -p icmp -m icmp --icmp-type 3/4 -j ACCEPT
-A PVEFW-Reject -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A PVEFW-Reject -m conntrack --ctstate INVALID -j DROP
-A PVEFW-Reject -p udp -m multiport --dports 135,445 -j PVEFW-reject
-A PVEFW-Reject -p udp -m udp --dport 137:139 -j PVEFW-reject
-A PVEFW-Reject -p udp -m udp --sport 137 --dport 1024:65535 -j PVEFW-reject
-A PVEFW-Reject -p tcp -m multiport --dports 135,139,445 -j PVEFW-reject
-A PVEFW-Reject -p udp -m udp --dport 1900 -j DROP
-A PVEFW-Reject -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -j DROP
-A PVEFW-Reject -p udp -m udp --sport 53 -j DROP
-A PVEFW-Reject -m comment --comment "PVESIG:h3DyALVslgH5hutETfixGP08w7c"
-A PVEFW-SET-ACCEPT-MARK -j MARK --set-xmark 0x80000000/0x80000000
-A PVEFW-SET-ACCEPT-MARK -m comment --comment "PVESIG:Hg/OIgIwJChBUcWU8Xnjhdd2jUY"
-A PVEFW-logflags -j DROP
-A PVEFW-logflags -m comment --comment "PVESIG:MN4PH1oPZeABMuWr64RrygPfW7A"
-A PVEFW-reject -m addrtype --dst-type BROADCAST -j DROP
-A PVEFW-reject -s 224.0.0.0/4 -j DROP
-A PVEFW-reject -p icmp -j DROP
-A PVEFW-reject -p tcp -j REJECT --reject-with tcp-reset
-A PVEFW-reject -p udp -j REJECT --reject-with icmp-port-unreachable
-A PVEFW-reject -p icmp -j REJECT --reject-with icmp-host-unreachable
-A PVEFW-reject -j REJECT --reject-with icmp-host-prohibited
-A PVEFW-reject -m comment --comment "PVESIG:Jlkrtle1mDdtxDeI9QaDSL++Npc"
-A PVEFW-smurflog -j DROP
-A PVEFW-smurflog -m comment --comment "PVESIG:2gfT1VMkfr0JL6OccRXTGXo+1qk"
-A PVEFW-smurfs -s 0.0.0.0/32 -j RETURN
-A PVEFW-smurfs -m addrtype --src-type BROADCAST -g PVEFW-smurflog
-A PVEFW-smurfs -s 224.0.0.0/4 -g PVEFW-smurflog
-A PVEFW-smurfs -m comment --comment "PVESIG:HssVe5QCBXd5mc9kC88749+7fag"
-A PVEFW-tcpflags -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -g PVEFW-logflags
-A PVEFW-tcpflags -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -g PVEFW-logflags
-A PVEFW-tcpflags -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -g PVEFW-logflags
-A PVEFW-tcpflags -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -g PVEFW-logflags
-A PVEFW-tcpflags -p tcp -m tcp --sport 0 --tcp-flags FIN,SYN,RST,ACK SYN -g PVEFW-logflags
-A PVEFW-tcpflags -m comment --comment "PVESIG:CMFojwNPqllyqD67NeI5m+bP5mo"
-A tap103i0-IN -p udp -m udp --sport 67 --dport 68 -j ACCEPT
-A tap103i0-IN -j GROUP-mc-server-IN
-A tap103i0-IN -m mark --mark 0x80000000/0x80000000 -j ACCEPT
-A tap103i0-IN -j PVEFW-Drop
-A tap103i0-IN -m limit --limit 1/sec -j NFLOG --nflog-prefix  ":103:6:tap103i0-IN: policy DROP: "
-A tap103i0-IN -j DROP
-A tap103i0-IN -m comment --comment "PVESIG:aZpfkltwFMJSidSw21WSnq2FDts"
-A tap103i0-OUT -p udp -m udp --sport 68 --dport 67 -g PVEFW-SET-ACCEPT-MARK
-A tap103i0-OUT -m mac ! --mac-source b6:8d:06:62:46:41 -j DROP
-A tap103i0-OUT -j MARK --set-xmark 0x0/0x80000000
-A tap103i0-OUT -j GROUP-mc-server-OUT
-A tap103i0-OUT -m mark --mark 0x80000000/0x80000000 -j RETURN
-A tap103i0-OUT -g PVEFW-SET-ACCEPT-MARK
-A tap103i0-OUT -m comment --comment "PVESIG:QM7JvdenkZEroUfQKU0NUxoeh3s"
COMMIT
# Completed on Fri Aug 18 11:10:33 2023

I am testing with a port checker and my computer (which is not on the same LAN as my VM).


And I just figured out while editing that I have some NAT rules (I don't know how, because you're telling me that PVE doesn't translate by default). Should I try to remove those lines?
 
-A GROUP-mc-server-IN -j MARK --set-xmark 0x0/0x80000000
-A GROUP-mc-server-IN -s x.x.x.x/32 -p tcp -m tcp --sport 9565 --dport 9565 -m limit --limit 1/sec -j NFLOG --nflog-prefix ":0:6:GROUP-mc-server-IN: "
-A GROUP-mc-server-IN -s x.x.x.x/32 -p tcp -m tcp --sport 9565 --dport 9565 -g PVEFW-SET-ACCEPT-MARK
-A GROUP-mc-server-IN -s x.x.x.x/32 -p tcp -m tcp --sport 9565 --dport 9565 -m limit --limit 1/sec -j NFLOG --nflog-prefix ":0:6:GROUP-mc-server-IN: "
-A GROUP-mc-server-IN -s x.x.x.x/32 -p tcp -m tcp --sport 9565 --dport 9565 -g PVEFW-SET-ACCEPT-MARK
That part is anonymized.
 
The case in the documentation looks different from what I have as a configuration (cf. my network interfaces). What should I do?
Well, this depends on what your goal is. Do you want the Proxmox VE host to perform NAT, or is this covered by your router? In any case you probably want to remove the NAT rule as is, as it translates the source IP of all routed traffic to the host's IP.
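To make that diagnosis checkable from the logs alone, here is a small added parser (not from the thread, and not Proxmox code) that reads pve-firewall log lines in the format posted above and flags entries whose SRC is the host address but whose TTL shows the packet did not start on the host, which is the footprint of a MASQUERADE rule rewriting the real client IP. The host IP 10.50.1.1, the Linux default TTL of 64 and the second and third sample lines are assumptions constructed for this example.

```python
import re

# Three pve-firewall log lines in the format posted in the thread: the first is
# copied from the post, the second and third are constructed for this example.
SAMPLE_LOG = """\
103 6 tap103i0-IN 18/Aug/2023:10:08:42 +0200 policy DROP: IN=fwbr103i0 OUT=fwbr103i0 PHYSIN=fwln103i0 PHYSOUT=tap103i0 MAC=b6:8d:06:62:46:41:e8:39:35:a6:fd:ac:08:00 SRC=10.50.1.1 DST=10.50.1.5 LEN=52 TOS=0x00 PREC=0x00 TTL=127 ID=5175 DF PROTO=TCP SPT=61858 DPT=8443 SEQ=2822076442 ACK=0 WINDOW=64860 SYN
103 6 tap103i0-IN 18/Aug/2023:10:30:00 +0200 policy DROP: IN=fwbr103i0 OUT=fwbr103i0 PHYSIN=fwln103i0 PHYSOUT=tap103i0 MAC=b6:8d:06:62:46:41:00:11:22:33:44:55:08:00 SRC=10.50.1.42 DST=10.50.1.5 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=TCP SPT=40000 DPT=8443 SEQ=1 ACK=0 WINDOW=64240 SYN
103 6 tap103i0-IN 18/Aug/2023:10:31:00 +0200 policy DROP: IN=fwbr103i0 OUT=fwbr103i0 PHYSIN=fwln103i0 PHYSOUT=tap103i0 MAC=b6:8d:06:62:46:41:00:11:22:33:44:66:08:00 SRC=10.50.1.1 DST=10.50.1.5 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=2 DF PROTO=TCP SPT=50000 DPT=8443 SEQ=2 ACK=0 WINDOW=64240 SYN
"""

# Header: "<vmid> <loglevel> <chain> <date> <tz> <verdict text>: KEY=VALUE ..."
HEADER_RE = re.compile(
    r"^(?P<vmid>\d+) (?P<level>\d+) (?P<chain>\S+) (?P<time>\S+ [+-]\d{4}) "
    r"(?P<verdict>[^:]*): (?P<rest>.*)$"
)
KV_RE = re.compile(r"(\w+)=(\S+)")   # bare flags such as DF or SYN are skipped

# Assumption: packets the PVE host emits itself start with the Linux default TTL.
LINUX_DEFAULT_TTL = 64


def parse_line(line):
    """Split one pve-firewall log line into header fields plus a KEY=VALUE dict.
    Returns None for lines that are not in the expected format."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    entry["fields"] = dict(KV_RE.findall(entry.pop("rest")))
    return entry


def classify(entry, host_ip):
    """'client'       : SRC is not the host, the real client IP is visible.
    'host'         : SRC is the host and TTL is the host default, so it really
                     is host-originated traffic.
    'masqueraded'  : SRC is the host but the TTL (e.g. 127 or 124 in the thread,
                     a Windows client behind one or more hops) proves the packet
                     came from elsewhere and was source-NATed by MASQUERADE.
    Heuristic: MASQUERADE does not touch the TTL, forwarding only decrements it."""
    f = entry["fields"]
    if f.get("SRC") != host_ip:
        return "client"
    if int(f.get("TTL", LINUX_DEFAULT_TTL)) == LINUX_DEFAULT_TTL:
        return "host"
    return "masqueraded"


def audit(log_text, host_ip):
    """Parse every valid line and return one summary record per log entry."""
    report = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        f = entry["fields"]
        report.append({
            "chain": entry["chain"], "verdict": entry["verdict"],
            "src": f.get("SRC"), "dst": f.get("DST"), "dpt": f.get("DPT"),
            "ttl": int(f.get("TTL", 0)), "origin": classify(entry, host_ip),
        })
    return report


if __name__ == "__main__":
    for rec in audit(SAMPLE_LOG, "10.50.1.1"):
        print(rec)
```

Any entry classified as "masqueraded" means the per-VM rules in GROUP-mc-server-IN can never match on the real client address, so source-IP filtering has to happen before the NAT rule or the rule has to go.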
 
Yes, I'd like to delete that. I suppose my router does NAT. If not, I think I can manage to configure a different NAT rule on my PVE according to the tutorials I found on the web. How do I delete this rule?
 
A simple iptables -t nat -D POSTROUTING -o vmbr0 -j MASQUERADE should do. Note, however, that this will not remove it from any cronjobs or systemd services which might set it. How did you set this, just via the CLI?
 
I don't know, it's maybe related to my WireGuard configuration. However, my network is running as I want now, thank you for your help!
 
