[pve-devel] pvefw security group question
Alexandre DERUMIER
aderumier at odiso.com
Wed Feb 19 09:44:49 CET 2014
ok, I'll test the last git, I think it should work.
(But finally, you create GROUP-IN and GROUP-OUT rules? I thought you wanted common group rules)
----- Original Message -----
From: "Dietmar Maurer" <dietmar at proxmox.com>
To: "Alexandre DERUMIER" <aderumier at odiso.com>
Cc: pve-devel at pve.proxmox.com
Sent: Wednesday 19 February 2014 08:03:57
Subject: RE: [pve-devel] pvefw security group question
> Not sure, you do a goto PVE_SPECIAL_ACCEPT, so it's finished in
> PVE_SPECIAL_ACCEPT.
>
> But how do you go into vmbrX-IN, to check destination inbound rules?
here is an example:
...
create PVEFW-SET-ACCEPT-MARK (uGWkX9NXBZni/I1q1QPuKX6AX5w)
-A PVEFW-SET-ACCEPT-MARK -j MARK --set-mark 1
create GROUP-group1-IN (ero56fv6+VERm+VzEg8tBYCeC3Q)
-A GROUP-group1-IN -p tcp --dport 22 -j ACCEPT
create GROUP-group1-OUT (ftsSscJQ0Ev+Oi9l72TJRxz5UjE)
-A GROUP-group1-OUT -j MARK --set-mark 0
-A GROUP-group1-OUT -p tcp --dport 80 -g PVEFW-SET-ACCEPT-MARK
update tap100i0-OUT (iXbuWZcc7VZC6uexpZjL4Nwg5uY)
-A tap100i0-OUT -m state --state INVALID -j DROP
-A tap100i0-OUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A tap100i0-OUT -m mac ! --mac-source 0E:0B:38:B8:B3:21 -j DROP
-A tap100i0-OUT -j GROUP-group1-OUT
-A tap100i0-OUT -m mark --mark 1 -j vmbr0-IN
-A tap100i0-OUT -j LOG --log-prefix "tap100i0-OUT-dropped: " --log-level 4
-A tap100i0-OUT -j DROP
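As an added example (not code from this thread or from pve-firewall itself), here is a small Python model of the iptables traversal for the ruleset quoted above. It shows how GROUP-group1-OUT sets mark 1 through a goto (-g), so the group chain is left right after the first accepting rule, and how tap100i0-OUT then hands only marked packets to vmbr0-IN while everything else is logged and dropped. The contents of vmbr0-IN are not shown in the thread, so it is assumed here to accept.

```python
# Constructed model of the quoted pve-firewall chains; the VM MAC is the one
# from the ruleset above. vmbr0-IN is an assumption (not shown in the thread).
VM_MAC = "0E:0B:38:B8:B3:21"

# Each rule: (match predicate, target, kind) with kind "jump" (-j) or "goto" (-g).
CHAINS = {
    "PVEFW-SET-ACCEPT-MARK": [(lambda p: True, "MARK:1", "jump")],
    "GROUP-group1-OUT": [
        (lambda p: True, "MARK:0", "jump"),
        (lambda p: p["proto"] == "tcp" and p["dport"] == 80, "PVEFW-SET-ACCEPT-MARK", "goto"),
    ],
    "tap100i0-OUT": [
        (lambda p: p["state"] == "INVALID", "DROP", "jump"),
        (lambda p: p["state"] in ("RELATED", "ESTABLISHED"), "ACCEPT", "jump"),
        (lambda p: p["mac"] != VM_MAC, "DROP", "jump"),        # anti-spoofing
        (lambda p: True, "GROUP-group1-OUT", "jump"),
        (lambda p: p["mark"] == 1, "vmbr0-IN", "jump"),        # destination inbound rules
        (lambda p: True, "LOG", "jump"),
        (lambda p: True, "DROP", "jump"),
    ],
    "vmbr0-IN": [(lambda p: True, "ACCEPT", "jump")],          # assumed, hypothetical
}

def walk(chain, pkt, trace):
    """Traverse one chain; return ACCEPT/DROP, or None if the chain falls through."""
    trace.append(f"enter {chain}")
    for match, target, kind in CHAINS[chain]:
        if not match(pkt):
            continue
        if target.startswith("MARK:"):          # MARK is non-terminating
            pkt["mark"] = int(target[5:])
            continue
        if target == "LOG":                     # LOG is non-terminating
            trace.append(f"{chain}-dropped: dport={pkt['dport']}")
            continue
        if target in ("ACCEPT", "DROP"):
            return target
        verdict = walk(target, pkt, trace)
        if verdict is not None:
            return verdict
        if kind == "goto":                      # -g: return to this chain's caller
            return None
    return None

def packet(dport, state="NEW", mac=VM_MAC, proto="tcp"):
    """Constructed packet from the VM; the mark is 0 until a rule sets it."""
    return {"proto": proto, "dport": dport, "state": state, "mac": mac, "mark": 0}

def filter_out(pkt):
    trace = []
    verdict = walk("tap100i0-OUT", pkt, trace)
    return verdict, pkt["mark"], trace
```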