
This is my current scenario:

I have a proxmox server in the cloud. I installed 2 VMs that have different IPs (not on the same subnet as the main proxmox server — see THIS to understand why).

On the proxmox machine itself, I have set up a list of iptables rules that work perfectly.

# Allow localhost interface
/sbin/iptables -A INPUT -i lo -j ACCEPT

# ICMP
/sbin/iptables -A INPUT -p ICMP -j ACCEPT

# Home network
/sbin/iptables -A INPUT -s xx.xx.xx.xx -j ACCEPT

# Allow already established connections
/sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

# Set default policies
/sbin/iptables -P INPUT DROP
/sbin/iptables -P FORWARD DROP
/sbin/iptables -P OUTPUT ACCEPT

# Log dropped packets
/sbin/iptables -N LOGGING
/sbin/iptables -A INPUT -j LOGGING
/sbin/iptables -A LOGGING -m limit --limit 2/min -j LOG --log-prefix "IPTables-Dropped: " --log-level 4
/sbin/iptables -A LOGGING -j DROP

However, for some reason, these rules do not apply to the virtual machines, which are out in the wild with no security at all. Is there a way to apply the same rules valid on the proxmox server to the VMs?

myrdd
Aaron Ullal

2 Answers

I had exactly the same problem this morning, then I also found your question.

According to this documentation, we can only set VM-wide rules using a PVE firewall, by creating a Security Group with global rules for all machines, then adding it to every VM on the node. This way, once the security group is modified, changes will affect all VMs that use it.

I find it a little bit inconvenient, because I think any rules defined in /etc/pve/nodes/<nodename>/host.fw should affect its VMs as well, since there is already an existing overlaying zone called 'Datacenter' (or 'cluster', since rules in /etc/pve/firewall/cluster.fw appear exactly in the GUI's Datacenter section), and I also suspect that it's an architectural issue that will be fixed/changed in the near future.

Tim

The Firewall documentation says:

Enabling the Firewall for VMs and Containers

Each virtual network device has its own firewall enable flag. So you can selectively enable the firewall for each interface. This is required in addition to the general firewall enable option.

The firewall requires a special network device setup, so you need to restart the VM/container after enabling the firewall on a network interface.

So, assuming you have already done the following:

  1. you have enabled the firewall for the datacenter and the VM [or container] (enabling the firewall for the node is not necessary)

… you still need to perform these steps:

  1. enable the firewall for the VM's virtual network device: in the web interface, navigate to the VM's Network config, open the Edit popup for the device (e.g. net0) and enable the Firewall checkbox
  2. restart the VM

(Solution found here.)

myrdd
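Both answers together describe one configuration: a Security Group defined at Datacenter level (Tim's answer) and the firewall enabled at the datacenter, VM and virtual-NIC level (myrdd's answer). The reason the host's iptables rules never see VM traffic is that the VMs' packets are bridged through vmbr0 and are not destined for the host, so the host's INPUT chain is never consulted for them; the PVE firewall instead attaches its own chains to each VM's tap/fwbr interface. The following files are an added worked example of the resulting configuration and are not part of either answer or of the Proxmox documentation. The group name vmbase, the VM ID 100 and the address 203.0.113.10 (standing in for the asker's xx.xx.xx.xx home network) are placeholders; the syntax is the Proxmox VE firewall file format.

```ini
# --- /etc/pve/firewall/cluster.fw (Datacenter level) ---
# Turning the firewall on here is the "general firewall enable option"
# the documentation refers to.
[OPTIONS]
enable: 1

# Security Group mirroring the host's INPUT rules. No equivalent of the
# "lo" or ESTABLISHED,RELATED rules is needed: the VM firewall is stateful
# and accepts reply traffic by itself. "vmbase" is a placeholder name.
[group vmbase]
IN ACCEPT -p icmp                      # icmp
IN ACCEPT -source 203.0.113.10         # home network (placeholder address)

# --- /etc/pve/firewall/100.fw (per-VM, VM ID 100 is a placeholder) ---
# Default policy for inbound traffic is DROP; everything not matched by the
# group is dropped and logged, like the host's LOGGING chain.
[OPTIONS]
enable: 1
policy_in: DROP
policy_out: ACCEPT
log_level_in: info

[RULES]
GROUP vmbase

# --- /etc/pve/qemu-server/100.conf (VM config) ---
# The firewall=1 flag is the per-interface enable flag from the docs; it is
# what the "Firewall" checkbox in the net0 Edit popup sets. The VM must be
# restarted after changing it. MAC address is a placeholder.
net0: virtio=BC:24:11:00:00:01,bridge=vmbr0,firewall=1
```

Enabling the firewall on the VM's own interface rather than on the node matters because, as the docs quoted above say, the per-interface flag is required in addition to the general enable. To check that the rules were actually generated, `pve-firewall compile` prints the iptables rules Proxmox would install and `pve-firewall status` reports whether the service is enabled and running; the VM chains appear on an interface named after the VM (e.g. tap100i0 and fwbr100i0) rather than in the host's INPUT chain, which is why the host-level logging prefix never shows VM traffic.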